Hacker News

Let's not attempt to justify profiting from stolen personal data. This isn't a glorious mission to save the world from poor security practices, this is somebody trying to make money selling people's personal information.


You're a brilliant hacker, you lurk on security and blackhat forums, you know exploits inside and out. One day, you decide to check the security of some big consumer websites, and you find a security hole. What do you do (choose your adventure style)?

* You're a white-hat honest hacker, and all you want is for the internet to be a safer place. You decide to report the vulnerability to the company. Unfortunately, after you sent the email to their engineering team, they told you that the security hole you found isn't critical and refuse to award you a bounty. The rest of the emails go unanswered. You try sending emails to some other departments, including customer support, sales, and legal. No response. 2 months after that, when you're taking a dump on the toilet, federal agents burst into your apartment, knock you down and arrest you without even giving you the chance to wipe your ass. You're charged with industrial espionage, breach of security, and conspiracy to defraud. It turns out that someone did read your emails, checked out the logs, found traces of you researching the security hole. Your defense that you were trying to help is summarily dismissed and you rot in jail.

* You think most people are too serious and need to relax. You decide to have some fun. You download tons of embarrassing data from the company website, write them an untraceable email demanding 1000 BTC and public disclosure of your skills. You're pretty sure they will refuse your request, which they soon do. You troll the company by disclosing that they were hacked, and decide to sell the security hole to the highest bidder. You also sell chunks of data to random hackers and credit card scammers. You retire to a tropical island, drink martinis and surf all day.


If choice 1 is to supposedly be good and suffer and choice 2 is to be an asshole - there's always choice 3: walk away.


That's a false dichotomy.

Also, pentesting sites without their consent is a poor choice to begin with, which is closely linked to why the "I was just trying to help" defense works so poorly.

Deciding to "have some fun" by exposing people's private information and profiting from that "fun" are pretty terrible hobbies.



