While pretty egregious, this is sadly common. I'm certain there's a dozen other massive companies making similar mistakes.
1.) There’s nothing wrong with flipping burgers for a living.
2.) It’s their job. This is many underpaid people forcing even more underpaid people to do this.
Have some class.
Sure there is. It's not a job that earns a livable wage. It's a job for teenagers to get experience, and eventually become managers or go elsewhere with experience (or just pay their way through school). If someone is doing it "for a living" then they are most certainly doing it wrong.
> It’s their job. This is many underpaid people forcing even more underpaid people to do this.
Do you have any data to show that they are underpaid in these positions? It seems like there are plenty of these positions, and folks at a company where they are underpaid can go to a different company that pays fair market value. Or are you implying that there is some conspiracy among big-fast-food to pay everyone less than fair market value? Because that would be quite the stretch.
> Have some class.
That seemed ironically unnecessary.
There is if it relegates you to shitty work environments and doesn’t afford a decent living as is generally the case in the US.
Ironically, the less a job pays, the harsher and more demanding the bosses tend to be.
Earning six figures as a software developer, working from home, and you have to take a week off sick? No problem, take as long as you like, hope you feel better soon.
Earning minimum wage at a call centre? Missing a shift without 48 hours advance notice is an automatic disciplinary. No, we don't pay sick leave for people on a disciplinary (which is all of them). Make sure you get a doctor's note, or you're fired.
At least you didn’t find that the bathroom rating tablets had audio as well!
I'm pretty sure someone was willing to pay for this, but at least the researches acted responsibly.
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
https://www.darkreading.com/vulnerabilities-threats/dark-rea...
[1] https://www.vice.com/en/article/this-is-the-hacking-investig...
Hacking is hacking. If they wish to risk it, what's your problem?
They know the risks. Everyone knows hacking is illegal. Same with selling drugs; illegal yet folk do. Same premise. Get caught; no sympathy given.
"People may get hurt"? $country throw folk in to war; it's a harsh world we live in.
Bug bounty's are only the new norm because the younger audience want validation and compensation for their skills or that companies are being cheap to ensure security.
During my era of internet bug bounties were non-existent. You either got hired or you went to jail.
In my case I got fired from a bank accidentally boasting that I could replace printer status messages with "Out of Ink - please insert more blood". Granted I was 17.
Being banned from using any computer at school for discovering a DCOM exploit using Windows 98 Help resulting in being denied from doing my IT GCSE and from two colleges.
Or being doxxed by another hacker group for submitting their botnet to an AntiVirus firm. Good times, a living nightmare for my parents.
The point of bug bounties isn’t “validation” (as if old-school hackers didn’t want validation!), it’s that companies with responsible disclosure programs explicitly allow you to pentest them as long as you follow their guidelines. That removes the CFAA indictment risk. The guidelines generally aren’t much stricter than common sense (don’t publish user data, don’t hurt people, give them time to patch before publishing).
Unfortunately, the existence of bug bounties has made some people forget that hacking a company without an agreement in place is still a crime, and publishing evidence of crimes to a wide audience on the internet is a bad idea.
Most of what you’re saying just seems like nostalgia talking. Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
E.g. their trademarks being put in the public domain and assets confiscated to compensate their victims.
The watch in amazement at how actual security suddenly becomes a priority.
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
Bad PR move
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
Thats not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclose is irresponsible”; it sneaks it under the name change.
There is basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
Secretly recording voices is a felony is many places in 'merica.
It's related to wiretapping laws that are very broad.
https://leginfo.legislature.ca.gov/faces/codes_displaySectio....
> A person who, intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication...
How would you reconcile your statement against state laws that require all-party consent for audio recordings? e.g. CISA, or FSCA
I don’t understand the need to insult people who make minimum wage. They had absolutely nothing to do with this breach and this is in incredibly poor taste. Maybe they enjoy their lives, or enjoy their jobs? Or hell, maybe they’re not the typical HN reader and really badly need that job? This elitist shit ruined an otherwise decent article.
So I think it’s more a jab at corporate mandated performative forced happiness for customers then the employees themselves.
At least here in Argentina, clean bathrooms was a huge selling point in the 1990' for Burger King and McDonald's.
For example you can go to study to one of them with a few friends, and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
1. Jane, a security researcher, discovers a vulnerability in a Acme Corporation's public-internet-facing website in a legal manner
2. Jane is a US resident and citizen
3. Acme Corporation is a US company
... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?
Relatedly:
Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.
It’s not even really a matter of liability IMO, it’s just the right thing to do.
(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
Sandvig v. Barr tempers that a bit, with the DoJ now offering some guidance around good faith endeavors around security research.
I'd suggest Jane have a good lawyer on retainer, and a few years to spend in the tied up the legal system.
The hilarious sarcasm throughout was the cherry on top for me.
The story is really about two things. Their poor information security is pathetic, but their actual surveillance tech is genuinely kind of politically concerning. Even if it is technically legal, it's unethical to record conversations without consent.
Good news! With AI programming assistance, this invasive technology--with the concomitant terrible security--will be available to even the smallest business so long as nephews "who are good with computers and stuff" exist!
BobDaHacker•2h ago