Is it even lawful for them to pay people that knowingly invade other people's accounts?

Why wouldn't it be? At worst, wouldn't Facebook be the aggrieved party, and not another user of Facebook?

Suppose I hacked into a bank and stole money from some account. Would the person whose account was hacked be able to have some legal recourse against me? I'd imagine it would be the bank.

If this is the case, then surely Facebook could just choose not to press charges, and if so, what would be unlawful about paying him in that case?

The bank example's a tad off when trying to draw a correlation to this particular case. I do agree with your sentiment though. I would reword it and say: if someone pointed out to a stubborn bank manager who refused to listen that the vault and much of the bank's money was easily accessible, by taking out a few dollars from the bank & handing it to him, then a very embarrassed manager would be right to reward the person for showing the institution's flaw and not robbing them blind.

They might even throw a little fanfare his/her way to send a message that the bank appreciates being told and not robbed blind. (Especially given that they're a "community bank" built by pioneers and not a monolithic marble statue institution :-P)

Posting something on someone's wall isn't so much invading as it is leaving a sticky note on their door. By that metric UPS invades people's homes quite regularly when they fail to deliver a package. Had he actually accessed any non-public details of a user's account that might be one thing, but the only data he was able to view was the post he had created himself. In short, it was his data, from his account, it just happened to be located on someone else's page. Honestly it's not even that bad of a vulnerability, more like a mild nuisance.

They will pay for reporting of the bug. What's with the apparently intentionally inaccurate description of his actions? All he did was post to someone's wall, that's hardly "invading someone's account".

He posted something to them - he didn't access them.

I chose my words carefully.

Invading means to enter, and he didn't enter anything. He posted a link through Facebook's buggy system. The end.

Yeah this sounds like a super productive discussion.

Especially when you start using argument tactics like belittling.

You're right; I am officially derisive of this discussion. You know I'm not making an argument by trying to characterize this person's actions as malicious, but you keep raising that idea as an issue, because you actively don't want to understand what's happening in this situation, but would prefer instead to demonize Facebook's security team.

Demonize the security team? I never implied that anywhere - please don't "put words in my mouth."

I think you are here: https://news.ycombinator.com/item?id=6231466 . And please don't bother defending, just dropping by.

K. I won't point out to you why you're mistaken.

