Adafruit files suit against Flux.ai over legal threats [pdf]

(storage.courtlistener.com)

16 points | by russdill 11 hours ago

13 comments

  • mlhpdx 11 hours ago

    I don’t understand what Flux hoped to gain in this situation. It seems counterproductive to building a platform for engineers while attacking folks respected by engineers.

    • throwaway81523 9 hours ago

      It sounds like the hands of what Ed Zitron calls business idiots are in play.

    • fennecbutt 8 hours ago

      MBAs

    • phoronixrly 10 hours ago

      They wanted to make sure Adafruit stays silent about the number of active users, and Adafruit gave them some leverage by imo naively reporting a security vulnerability.

        • SwellJoe 8 hours ago

        What do you mean by "naively"? Reporting a security vulnerability to the vendor is the responsible and ethical thing to do. Suing someone who did you a favor is fucked up behavior and they should be shunned for it.

          • phoronixrly 4 hours ago

          Wait, you can't really think that it's ethical and in any way a person's responsibility to expose themselves to the CFAA and lawsuits??

          Ok, let's go over this again - it is naive because you naively trust the vendor not to report you to the authorities/sue. A side effect is that such companies never get to learn their lesson, thus you naively think that you contribute to overall privacy and security while the effect is opposite - the company got a freebie and won't change security stance, the CFAA gets to stay.

          I would argue about the ethical part as well. One way to guarantee ethics is to immediately report to both vendor and respective government body so that any suspicion of blackmail is removed.

          Another person's definition of ethical would be to immediately notify all affected users.

          My personal stance is that the IT community needs to shut the fuck up until companies start begging for help and the backwards-ass CFAA gets deleted. This is ethical - you didn't get paid for a security audit, then you keep your mouth shut and offer no free work and you don't expose yourself to lawsuits.

  • phoronixrly 10 hours ago

    How many CFAA cases have to be filed in order for people to stop (gratuitously) reporting security vulnerabilities to corporations? Just stop, you don't owe them that, and it always comes off as an attempt at blackmail. If you care so much about their users, report to security authorities instead.

    • russdill 9 hours ago

      The "security authorities"? Who exactly is that? And what action are they expected to take?

      Responsible disclosure is not gratuitous, it's not blackmail. It is a standard industry practice. And the entity you notify is the vendor.

      • phoronixrly 4 hours ago

        See EU CSIRT network, CISA for US unless it got deleted by the current management.

        • russdill an hour ago

          CISA advocates for responsible disclosure and links directly to documents telling you how to do so, such as https://certcc.github.io/CERT-Guide-to-CVD/tutorials/cvd_in_...

          That if you locate a vulnerability, you should contact the vendor, and that "In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability".

          I get the weird feeling like you have a dog in this fight.

    • SwellJoe 8 hours ago

      Wtf are "the security authorities"?

      • phoronixrly 4 hours ago

        See EU CSIRT network, CISA for US unless it got deleted by the current management.

  • dsl 10 hours ago

    TLDR: Adafruit found out Flux was being dishonest about their user numbers. They also found and responsibly disclosed that they could get their Firebase keys by opening up Chrome's devtools.