
That's the first thing I thought, too - sounds like they are trying to spin it as some malicious user "broke in". If a "customer user account" is able to upload a malicious payload and exfiltrate huge amounts of other customers' data, there's a much larger, underlying problem here. Hard to see how Netsential could get through this fiasco and still have any business.



Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit. Some countries will protect whistleblowers, others have to flee and seek asylum abroad.

So don't deny whether or not law and/or contract was broken, instead focus on whether the action was justified. Yes the system was broken and open for exploitation, but the attack was not accidental: they intentionally uploaded a malicious payload, intentionally extracted data, and intentionally uploaded it to the internets.


I wasn't commenting in any way on the legalities. IANAL and, frankly, I just don't think it's germane to my point.

Netsential clearly had a massive security vulnerability in their system that allowed one user to access the data of all other users. That's very much on them.

Consider a company that provides physical storage units and advertises that they are secure and can only be accessed by their owner. Then it turns out that there was a back alleyway running behind all the units that allowed any owner who had access to one unit the ability to access any other unit, without a key. I don't think anyone would suggest that would be anything other than a massive security oversight by the storage company. Yes, what the thief did was illegal and should be dealt with. But you'd have a hard time convincing me that the company itself wasn't primarily at fault for such a huge oversight in the first place. And I certainly would never use them again.


I don't follow.

No attack is accidental. If a vendor fails to follow appropriate operational security, it is certainly the illegal actor's fault. But it is also the fault of the vendor's negligence, and might also be the fault of whoever failed to properly vet the vendor. All three are potentially culpable.

Moreover, I took the parent comment to be referring more to customer flight rather than some judiciary judgement. 'I got mugged' is not what you want to hear from the person entrusted with your data security.


Actually this is not whistleblowing. Technically, you need to have legal access to the data to whistleblow. If you have to acquire access to the data illegally to then release it, it's just illegal.


Worked for the Pentagon papers.


>>Legally speaking, if you find a bug and abuse it (to e.g. extract data), you're breaking the law; I know people don't want to hear it and want to protect whistleblowers, but it's factually illegal to steal data like this.

I don't think anyone is saying it was not illegal, are they? But just because it is illegal does not resolve the security issue at the service provider.

If I leave my home unlocked it is still illegal for you to steal my TV, but you can bet my insurance company is going to give me crap (if not deny my claim outright) due to my negligence for not securing my property.

>>That's what whistleblowing is all about though; purposefully breaking the law or a contract (like an NDA) to expose shit.

It can, but not always, and in the case of true whistleblowing there are laws in place that would provide an affirmative defense to otherwise illegal acts (like breaking an NDA). This is akin to self defense. Murder is always illegal, but self defense is an affirmative legal defense one can use to justify their action, making them "not guilty" of the law under those special circumstances. Whistleblowing has a few of these affirmative defenses as well.


Yes but "the law" cuts deals all the time to address bigger crimes. (For example) They let off a small time drug dealer with a couple months in jail for ratting out a hitman for the mafia. I think sometimes it takes lesser crimes to bring justice to bigger crimes like police brutality and murders that go unprosecuted because cops/DAs protect one another. I think that might be the case here. Independent hacktivists can now comb through that data and find cops that have lots of repeat offenses that obviously show a pattern of abusing the system and citizens, whereas before that couldn't happen because such information was hidden from the public.


Probably just a way to justify a new contract for Netsential. Notice most of the leaked info is damaging to witnesses and victims, not the police.


Big companies don't hire properly for sysadmin/security - you don't think law enforcement knows what they're talking about here, do you?


* Lifelock enters the chat



