
"What if doing so killed a person for each ID at showdocument? Ok, that's pretty absurd. What if it wiped out their bank account?"

Shouldn't you hold the people who created that system responsible, rather than the person who used it? If I rig up my cell phone to a gun, so that every time someone calls it it shoots at a crowd of people, should the people who call it go to prison while I walk free?




If they know what happens when they call, yes, they should go to jail too.

He knew what he was doing once he'd pulled down a few records.

Also, yes, ATT should be held responsible for implementing lame security.


I think that the problem with this thinking is:

(a) Even altering a parameter once in the address could be considered illegal under the current laws.

(b) The access of information in and of itself would not be illegal alone. Say I kept a bunch of people's information in paper files in file cabinets. Then I gave you access to retrieve yours from the file drawer yourself. It is sleazy, but not necessarily illegal to look at other files in the drawer, as I have given you access to their container.

(c) Even if you want to make the action in (b) illegal, the reasonable punishment is almost certainly not a double-digit prison sentence.


Sure, but my point is that he has no greater responsibility than AT&T does. Why are we acting like AT&T is an innocent victim?


> Why are we acting like AT&T is an innocent victim?

No one here is. I'm not sure why no one has done anything to them, legally. It'd be interesting if someone who actually knows what they're talking about in terms of the legal system could comment on it.


This analogy has been flawed from the beginning, but to extend it just for the fun of it, that's like pulling the trigger of a gun and then blaming the gun for having the mechanics to turn that trigger pull into a fired bullet that kills someone. The action being done is on your end, and the system, though possibly flawed, is not the cause of the results. It may be a factor and it may enable those results, but the actor is the cause in that situation.

I honestly don't even know where I stand on the actual discussion point, but I do know where I stand in the weird analogy tree we've made.


It is more like blaming the owner of the gun, who loaded the gun, aimed it, set up the shot, and then left it up to the trigger man whether or not to pull the trigger.

Bringing things back to reality here, AT&T was entrusted with personal information but failed to properly secure it. They set up a system that automatically responded to requests for personal information. They gave unauthorized people access to that system. We should be blaming AT&T and making them pay punitive damages for their irresponsible behavior, not whining about how terrible Weev is for using the system they gave him access to. The fact that AT&T can just shrug it off is what allows the sorry state of security to persist.



