Man who hacked Zuckerberg's Facebook account gets cash reward - codegeek
http://www.cnbc.com/id/100976139

======
daeken
Sad. We should not encourage people who violate the sole universal rule of bug
bounty programs: don't mess with other users. Period.

I understand it's frustrating when a bug report goes ignored or dismissed
(still waiting on PayPal to confirm a couple bugs I reported last June or July
(admittedly I haven't tried hard)), but that's part of the process. You work
with them to refine the message until they understand clearly what the problem
is and get it resolved. You don't mess with anyone else's account, under any
circumstances.

This is just not acceptable, and it's sad to see some of the security
community supporting it.

~~~
cheald
The guy was obviously acting in good faith. Sure, he may not have known the
right way to go about doing what he was demonstrating, but that was ignorance,
not malice.

~~~
Amadou
I think this discussion is going to be a regurgitation of everything said in
the original one. So here goes my part:

Facebook's rules were only available in English - despite there being a way to
switch most of Facebook to Arabic, and the guy is obviously not a strong English
speaker.

Rules are only guidelines for people who can't (or aren't allowed to) exercise
good judgment. Rules are meant to be black and white, but real life is rarely
so. In this case absolutely no harm was done, or even suggested, by the guy's
actions. Facebook's decision to apply judgment rather than zero-tolerance is
commendable.

EDIT: Facebook is still doing the brainless zero-tolerance thing. Shame on
them. I should have read the article rather than assume the best.

PS: the best company I ever worked for had as the first line of their employee
handbook: "Don't do anything stupid just because it is written down in this
book."

~~~
ceejayoz
> Facebook's decision to apply judgment rather than zero-tolerance is
> commendable.

Re-read the article. They didn't.

------
sergiotapia
Shame on Facebook, other pen-testers are now going above and beyond and
raising money for this person. For a person in the 3rd world, $10,000 is a LOT
of money, so the guy must be feeling really happy!

That's about 7 months of salary here in Bolivia for a software developer. I
imagine it's even less where he's from.

~~~
dylangs1030
Those pentesters are wrong for raising money for him. He didn't follow the
rules; that's what he is being rewarded for. It's setting a bad precedent.

~~~
flexd
I do not believe we should always blindly follow the rules.

His intentions were good and it solved a serious problem, is this really
something you do not want to reward?

While it has caused some bad PR for Facebook, I still believe that mainly
happened because of how they reacted and a language barrier.

If he did not speak English at all but found a serious bug like this, should he
just not report it, or should he use Google Translate?

------
baby
People are raising money to pay someone to fix bugs on Facebook. This is how I
see it, and it's really really weird.

------
Hammo
Misleading title. He did not hack his account. He bypassed privacy/security
restrictions and was able to post on his wall.

~~~
protopete
Another thing that's misleading, Facebook isn't the one paying out:

> Now, Marc Maiffret, chief technology officer of cybersecurity firm
> BeyondTrust, is trying to mobilize fellow hackers to raise a $10,000 reward
> for Shreateh after Facebook refused to compensate him.