'Impossible-to-hack' security turns out to be no security

CEO Response and Public Relations

  • Many commenters see the CEO’s reply to the researcher as hostile, clueless, and self-sabotaging, especially given the “impossible-to-hack” marketing.
  • Several argue the CEO should have thanked the researcher, taken the issue offline, and asked for time to investigate and notify regulators/customers.
  • Others speculate the CEO may have been misinformed or had the issue downplayed internally, but note this doesn’t justify threats or denial.

Security Practices and Legacy Systems

  • Storing passwords in plaintext is widely condemned, but one thread highlights how legacy, brittle systems, niche databases, and lack of budget/personnel can make remediation “not a near-term option.”
  • This sparks an ethical debate: prioritizing revenue and payroll over fixing known security flaws is framed by some as “sub-criminal negligence”; others say they’re trapped by economic realities and aging codebases.

Legality and Ethics of Accessing Exposed Data

  • Some warn that even accessing unprotected data can be treated as “hacking” under US law, citing past prosecutions and political grandstanding.
  • Others counter that simply viewing publicly served data should not be criminal, but acknowledge the practical risk of being dragged into expensive legal trouble regardless.

Responsible Disclosure vs. Perceived Blackmail

  • One camp sees the researcher’s follow-up (“I will publish; are you notifying regulators/customers?”) as standard responsible disclosure and courtesy, not blackmail.
  • Another camp says smaller companies without security programs may interpret any “I’m going to publish” notice as extortionary, especially when the researcher has a blog/consulting presence.

Tone, Professionalism, and “Naming and Shaming”

  • The article’s sarcastic, confrontational tone divides opinion:
    • Supporters say politeness was tried twice, the CEO responded with accusations and threats, and public shaming is justified and necessary to drive accountability.
    • Critics label the tone “toxic,” “trollish,” or unprofessional, arguing it undermines the message and makes collaboration harder.
  • Multiple people emphasize that researchers have no formal obligation to be “professional,” but professionalism can increase the chance of constructive outcomes.

Chronology and Data Use

  • Some confusion arises over when the researcher accessed which data; the researcher clarifies that all database queries were done while the database was exposed, and later file access used URLs obtained earlier.