Since most people are lower income, and therefore a high-market share low unit price gas-station drink company like Monster will by definition have to have its largest customer base be from the largest ie: poorer demographic, the only slightly revelatory information is that the demographic is younger, male, and leans Hispanic.

This doesn't imply that people in higher income brackets don't drink it, even most of them (though probably untrue).

Also pertinent is that the data is specified for Monster Green, which is their full sugar product. Monster Zero is a pretty big product as well, and could have a slightly differing customer base.

Which part? younger men with lower income who are likely to be Hispanic Caucasian (as opposed to non Caucasian Hispanic)

Which part don't you understand?

It means some people still think there are meaningful racial categories, that people with light skin come from the Caucasus, that speaking Spanish is an "ethnicity" which is orthogonal to "race".

Also Gen X (aged between 44 and 60 at time of writing) are "young".

It means a marketer will know where to deploy capital.

(Gen-Z/Millennial/Gen-X)

This covers like sixty years?

Companies like Monster and Redbull are marketing companies that happen to sell energy drinks.

That is almost certainly not a meaningless demographic they pulled out of thin air. It might not be meaningful to you as a demographic. It might even be offensive to you as a demographic.

But, to the marketing company, that is a concrete “group of humans” that respond well to their product and advertising. It informs how they develop their ads, how they target them, which geographic markets they push hard in, what events they sponsor, etc.

When they define that demographic as the people they’re targeting, and allocate their capital towards targeting them, they see the highest returns they’ve been able to find so far.

So strange, does the author think companies never try to understand their customers?

The picture is a little silly but listing out the demographics of your customer base is like so normal. The marketing for Monster would be quite different if their market was over 65 women.

Although it would be a funny bit to run a monster commercial in the style of something like L'Oreal.

This is from the post:

> "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."

Later in the post:

> The scariest part wasn't the training portal or the questionable customer profiling.

Questionable customer profiling is just basic research about their customers.

Seriously, I wish more companies were honest at least internally who their customers are. A lot of problems could be solved if places like Marvel realized who their core base is, accepted it, and made products for their audience.

He used his "advanced hacking knowledge" to trick himself into participating in corporate training exercises and tear-inducing boredom. This actually made me laugh.

Totally still on Monster even if they contract 101% of their IT.

I first learned of bobdahacker from his post three weeks ago also headlined on HN: https://news.ycombinator.com/item?id=44723773

I wouldn't be surprised if their lack of any response is because they literally have noone to deal with this. They can't seem to fill (or hold) some pretty important IT roles:

https://recruiting2.ultipro.com/MON1009MECY/JobBoard/682eaab...

It's like watching the school bully pants the weird kid who's just really passionate about his interests. It's not tough or cool, really it's just pathetic and sad.

You remember "software is going to eat the world?"

_Everyone_ organisation is a tech organisation.

I do dev & IT for a <25 person company in ecommerce. If we had even half of the issues that were pointed out in this post, I'd be telling the owner that he should be looking to replace me. I get that they're not a software company, but these are super basic issues. These issues, coupled with no response to the reported issues, leads me to suspect that the c-suite deprioritized IT to the point that it's a skeleton staff and they can't hire or retain anyone that's even halfway competent. You don't end up with these kind of issues, as a company of their size, unless there are serious management problems. They are big enough that they should definitely have the budget to do basic stuff like auth properly, or at least not make so many 101-level errors.

That said, the author also comes across as a complete d-bag as well. I have about as much love for marketing people as the average software developer, but their description of their average consumer was pretty normal. The author got super-catty about what's a fairly basic description of their average consumer and a stock photo. They aren't saying the only people who drink monster are young white males, just that that is their largest market and the consumer group they are targeting. It does make sense for them to say internally "hey, FYI this is the group of consumers we intend to target with our marketing efforts", and I've definitely read very similar stuff in every marketing proposal I've read, just with different groups.

I worked at places with "points" you can give to other coworkers, but no reward. I would love to have traded some of my points for monster merch. This can almost read like an advertisement for working at Monster

Eh, I think part of it is just making a more clickbaity title.

Avatar or persona is a literal fake person. “This Steve Doe. He works in construction and is 29 years old. He is in a lower income bracket and drinks a monster every weekday with lunch”.

The example in the post is a super generic target market.”gen z, lower income”

No need for personal attacks.

> 15-19yrs old

Also would explain their unfamiliarity with what looks to me like totally normal branded corporate training.

The energy feels so high school

Would you like me to give an unsolicited read on what you look like and which developmental disorders you might have also?

They did contact them and there was no response. The only one answering were ClickUp folks.

Presumably redbull, given their avatar https://bobdahacker.com/static/images/bobdahackerReal.png

Nah, fuck that noise. If the company reacts to a responsible disclosure notice that's nice but no one is under any obligation to help out mega corps to secure their shit. And the users aren't put at risk by the people finding the vulnerability but by the company not fixing it.

Fuck Responsible disclosure, companies should have to bid on 0 days like everyone else.

It is common practice to give the company sufficient time and communicate, and then release the details once the vulnerability is patched. But it’s also common in practice to disclose the vulnerability after a set period of time if the company does not engage in any form of communication and refuses to patch the vulnerability. In this case they didn’t engage in any form of communication and then partially patched the problems. Nothing out of the ordinary here.

My understanding is this is the standard SOP for security vulnerabilities: 1. Report the security vulnerabilities to the “victim” 2. Work with the “victim” the schedule for mitigation and publication 3. Publicize the vulnerabilities (the security researcher wants his findings to be publicly recognized)

If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.

If the hacker has the emails sent at step 1 he will be fine.

These companies treat fines as the cost of doing business and every time they lose people's personal information, they get slapped on the wrist and laugh it off while the execs get bonuses for having someone write a tearful apology to appear like victims.

I am happy every time somebody makes enough noise to make them notice and fix it because being polite and legal clearly is not working.

I've seen a documentary on that, they got kicked out ;-)

They have sugar free versions now.

They look like stoners and losers. You should meet healthy people.

Or that they took sufficient care to remain anonymous.

Or Europe. Or the UK. 10+ prison plus civil damages in all three jurisdictions should it be prosecuted for various "Unauthorized computer access" laws. Even just browsing protected endpoints is a criminal violation. Publishing any info is even a bigger crime.

FYI, if you are a hacker:

1. Stop immediately after discovery and don’t go further than the minimal step that proves the vulnerability exists.

2. Document, don’t exploit

3. Report responsibly

4. Do not publish until fixed. Do not publish documents/images without permission.

5. Intent doesn’t erase liability: even “just poking around” can be charged under CFAA (US) or CMA (UK).

Depending on jurisdiction, it can be argued that this is not unauthorized access, as the files and listings do not prevent access to anyone, effectively authorizing anyone who requests a file.

I thought it was the other way around, that the individual mark is interpreted as a 6 so it's 666?

Because you certainly are the right person to pass judgement and destroy someone's life based on reading a few blog posts.

> I'm tempted to just find the person that owns this blog and make sure they aren't hired int the security industry. We don't need people like this around.

Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes. Hopefully in all the potential employers' whom you go crying trying to sabotage this guy's career also.

Everyone was an eager junior once. If you weren't, it's your problem, not this guy's.

Ethical hacking requires prior authorization from the organization you’re hacking. This person is a total clown and is absolutely in violation of the law.