I think a more rational takeaway would be responsible disclosure. That, or avoiding these situations entirely by not meddling where you're not supposed to.



> I think a more rational takeaway would be responsible disclosure.

The takeaway, happy or not, is that most companies see no disclosure as the only right disclosure and will punish you beyond reason if you're even connected to something that hurts them a little - even if they're the ones who caused themselves the hurt.

So, responsible for who?

Because the fastest way to guarantee this stops sooner rather than later is to leak every address publicly with information about every error AT&T made and let civil suits from pissed-off customers fry them.

This is all just manufactured panic anyways so it's not like anyone would even get hurt. Email addresses aren't secrets and we don't act like they are or we'd be arresting spammers.

> That or avoiding these situation entirely by not meddling

No, then it'd still be broken and nobody would know.

> where you're not supposed to.

Sorry, but if you have my data or provide a service I need, I've got an interest in your systems.


> The takeaway, happy or not, is that most companies see no disclosure as the only right disclosure and will punish you beyond reason if you're even connected to something that hurts them a little - even if they're the ones who caused themselves the hurt.

But we don't know this is true for Apple because Weev didn't try to responsibly/ethically disclose his findings. He boasted about it on IRC and then to a reporter.

So maybe Apple would have sued him if he tried to bring it to their attention. Still, he could have disclosed it to them anonymously.

> Because the fastest way to guarantee this stops sooner rather than later is to leak every address publicly with information about every error AT&T made and let civil suits from pissed-off customers fry them.

I don't know whether you're a programmer or not, but one thing you learn very quickly when you are one is that programmers are humans and humans make mistakes. Bugs happen all the time, and no one wants to be on the receiving end of some kid who finds one and takes rubbing it in your face as his divine mandate. Dumping all the info you pull from a hack is neither responsible nor ethical. Doing so dons you with the blackest of hats and destroys your reputation to all except like-minded sociopaths.

> No, then it'd still be broken and nobody would know.

If it's broken and nobody knows, is it still broken? I do understand where you're coming from though.


> Weev didn't try to responsibly/ethically disclose his findings.

Going to a journalist is the ethical answer.

Sending phishing emails or extorting people would be the unethical answer.

> Bugs happen all the time, and no one wants to be on the receiving end of some kid who finds one and takes rubbing it in your face as his divine mandate.

Did the customers want their email addresses leaked?

> Dumping all the info you pull from a hack is neither responsible nor ethical.

Bullshit. Depends on the hack. Dump Scientology docs pertaining to harassment of critics, awesome. Dumping private medical records of random people, pretty nasty.

You may notice that email addresses are not considered sensitive information. In fact, I'm sure Apple and AT&T reserve the right to share customer information with "select partners". Leaking customer email addresses doesn't actually hurt the customers, but does hurt the company's reputation for providing a secure service - which is exactly what should happen. Anything less and there's no motivation to change.

> Doing so dons you with the blackest of hats and destroys your reputation to all except like-minded sociopaths.

Oh yeah, the blackest. My kitten-eating hat. The one I wear when I trick people into slavery or prostitution, when I plot to exterminate entire subraces of humanity because of their lack of rhythm. That hat.

Yeah, right. Because only sociopaths think major corporations should have their feet held to the fire and that it's best it happens on a zero-value attack like email addresses rather than anything important.
