Reading between the lines, it looks like the story behind the story here is that this security researcher followed responsible disclosure policies and confirmed that the vulnerabilities were fixed before making this post, but never heard back anything from the company (and thus didn’t get paid, although that’s only a fair expectation if they’ve formally set expectations for paying out on stuff like this ahead of time).
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
The screenshot of the email lacks detail so I don't know what part of the DMCA the author breached here, but this feels a lot like your standard DMCA abuse.
I did not know Cloudflare treats fake DMCAs the same way as Youtube. Since when!?
A4ET8a8uTh0_v2 18 minutes ago [-]
Can we start discussing 'you can run your own website/cloudflare/isp/backbone' conversation all over again instead of addressing some basic level of fair play?
danielheath 12 minutes ago [-]
DMCA penalties are so severe that all parties are incentivised to run/use a parallel scheme.
beanjuiceII 8 hours ago [-]
cloudflare is a crappy company
avs733 24 hours ago [-]
Someone should see if YC will fund an ai-first company to help individuals and companies fight back against DMCA abuse and seek compensation
jagged-chisel 21 hours ago [-]
Interested to hear the financial model for this one.
esseph 21 hours ago [-]
Flat fee, plus percentage of the winnings from damage claims?
avs733 19 hours ago [-]
We’ll use an influencer for example. A false dmca claim has costs for them. Immediate costs in time, demonetizing, and reputation. It also has longer term risks - e.g., copyright strikes become bans. They are incentivized to pushback but have limited tools to do so.
When dealing with a company whose business is filing dmca complaints using an automated system, the business model isn’t a lawsuit - it’s a settlement where the influencer is made whole and you get paid. The risk to the company is existential if you have enough clients using you to push back and risking them getting a platform ban or an injunction against them filing automated dmca complaints. Say they file a thousand complaints a day against a thousand YouTube channels. If even 50 of those channels file a counter claim it’s going to set off alarm bells.
All that being said the most toxic part of this is the company calling itself a cyber security company and trying to obfuscate seemingly pretty responsible disclosures using dmca.
21 hours ago [-]
eduction 7 hours ago [-]
This fits with the complete lack of care for ethics and societal awareness from Gary and Paul on down. They just want companies that can succeed by the usual amoral metrics of Silicon Valley (money). Which is entirely their right, but here is one of the social cost in a form most “hacker” founders can maybe appreciate. (As opposed to a low income resident getting evicted to make way for an illegal Airbnb)
user5994461 21 hours ago [-]
[flagged]
itake 21 hours ago [-]
I still don’t get it. What does copyright have to do with the post?
user5994461 21 hours ago [-]
[flagged]
Vorh 20 hours ago [-]
> Why do you think copyright has anything to do with the post?
Because the Digital Millenium Copyright Act is for copyright. You haven't stated how the blog post infringes upon BK's copyright at all, so... yes, seems like a standard fraudulent DMCA claim.
> First thing first. This is NOT DMCA abuse. The DMCA is the only way to communicate with web companies and take down content. As such, it has become the legitimate way to take down any content that needs to be taken down, in the absence of alternatives.
This assumes that companies should be able to take down any content they do not like. This is very much not the case. The DMCA is very specifically only for copyrighted content.
From copyright.gov[1]:
> To be effective, a notice must contain substantially the following information:
> ...
> (v) a statement that the person sending the notice has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
> (vi) a statement that the information in the notice is accurate, and under penalty of perjury, that the person sending the notice is authorized to act on behalf of the copyright owner .
This is pretty clearly DMCA abuse. TFA isn't using any of BK's copyrighted content, which is what a DMCA claim alleges. Just because people have abused the form... pretty much since inception does not mean that it's not perjury to do so.
If BK wants to press charges for unauthorized usage of computer systems, that's another route. This would involve a police report, not perjury, and would probably not take down the website.
It's DMCA abuse because that process is only legal to use in case of actual copyright infringement, not just any content you might have a moral claim over.
You can see on the email that the "Original work" field is just a link to the BK website.
user5994461 19 hours ago [-]
> It's DMCA abuse because that process is only legal to use in case of actual copyright infringement, not just any content you might have a moral claim over.
I will reply to this comment because it's the easier to address, you're really hitting on the main misconception :D
It is incorrect to think that the DMCA form is only valid for copyright.
You need to contact the other party to start a legal dispute, you can do so by any available communication channels. The website is hidden behind cloudflare which purposefully hides the identity of the author and prevents any contact, except via a DMCA form. Burger King filled the DMCA form to get in touch with the author. It's merely a mean to legally contact the author and start a dispute, in the absence of better options.
It worked, cloudflare forwarded the form to the author (and the author decided to take down the article on their own). I really can't think of any reason why it would not be considered a reasonable and legitimate use of the form. All the better because it's an official legal form.
baobabKoodaa 14 hours ago [-]
> The website is hidden behind cloudflare which purposefully hides the identity of the author and prevents any contact, except via a DMCA form
The blog post says that the author contacted Burger King and they had some sort of communication channel available, Burger King just chose not to use it.
itake 17 hours ago [-]
Can you cite the law where it says DMCA is supposed to be used as a contact form to get ahold of the author?
Another commenter in the thread shared where the laws says the exact opposite (DMCA is only for copyright violations)?
mixdup 19 hours ago [-]
I'm not sure if your posts in this thread is trolling or not, so if it is, good job
If not, why do you think Burger King has a right to have the posts taken down?
rtkwe 20 hours ago [-]
Just because it's the tool they have doesn't legitimize the use of a copyright takedown just to take down information they do not like. DMCA is specific and in theory limited (though many companies abuse it) the proper channel for non infringing content you don't like is the courts.
akerl_ 1 days ago [-]
As a nitpick, you’re describing coordinated disclosure.
Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.
billy99k 1 days ago [-]
It is irresponsible. It brings attention to an issue that has not yet been resolved, which will likely lead to users getting data stolen/scammed.
Even the most security-aware companies have a process to fix vulnerabilities, which takes time.
I would never hire someone that doesn't reaponsibly coordinate with the vendor. In most cases it's either malicious or shows a complete lack of good judgement.
In the case of bobdajrhacker? Both.
siffin 1 days ago [-]
It could never be anywhere near as irresponsible as the original bad security practices, though. At some point, if you wanna make money by handling people's sensitive data, you are the responsible party, not everyone else.
Retric 1 days ago [-]
Some companies will keep systems vulnerable indefinitely. If a company hasn’t fixed the issue in a year, public disclosure is likely a better option than doing nothing.
kevincox 23 hours ago [-]
Yes, that is why responsible disclosure almost always comes with deadlines. You give the chance for the company to resolve the issue and mitigate user impact. But if they are taking so long that the user impact will be higher than you just disclose.
akerl_ 19 hours ago [-]
What if your assessment is that the user impact is already high enough that the right time to disclose is immediately?
kevincox 11 hours ago [-]
If you assess that the best time to publicly disclose is immediately then disclose immediately.
But I find that this case is rare. Typically it would be something like many of the following being met:
- It is likely to be discovered by an attacker soon.
- History shows that the company is unlikely to fix it soon.
- Users have some way to protect themselves.
- Your disclosure is likely to reach a significant number of users.
akerl_ 10 hours ago [-]
How do you know it hasn’t been discovered by another attacker already?
4ndrewl 14 hours ago [-]
Why do you think this? It clearly says that RBI fixed the issue on the day they it was found and disclosed.
It seems pretty reasonable to publish, given that?
saagarjha 1 days ago [-]
Are you in a position to hire security engineers?
93po 1 days ago [-]
users at large have a right to know if their data is being handled recklessly by any person or group, and just because some entity has arbitrary rules and poor communication/practices on how they want to tell them disclosures, it doesn't in any way make it irresponsible to let the public know: hey, your shit is getting recorded and is available for anyone to download and listen to.
LadyCailin 1 days ago [-]
I would say that it is responsible disclosure. Or anyways, not doing that is irresponsible disclosure. The corporation may be hurt by early disclosure, and that’s whatever, but very often, there are a ton of ordinary people that are collateral damage, and the only thing they did wrong was exist in a society where handing over hoards of personal data to a huge corporation is unavoidable.
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
bobmcnamara 1 days ago [-]
This seems to presume the company is ready and willing to take feedback.
Maybe things are better now.
Years ago the only contact for many companies was through customer service. "What do you mean you're in our computer? You're obviously on the phone!"
bigiain 20 hours ago [-]
> This seems to presume the company is ready and willing to take feedback.
Near the bottom of the blog post it says:
> When | What Happened
> Day 1, same day | RBI fixes everything faster than you can say "code red"
> Credit where it's due – RBI's response time was impressive.
bobmcnamara 6 hours ago [-]
Oops. I mean that generally my experiences have been less good
immibis 1 days ago [-]
Also "Oh, you hacked us? We'll call the police right away. You're going to jail." - followed by you actually going to jail for many years. Sometimes, anonymous, public, uncoordinated disclosure actually leads to the best security outcome in the long run, since security researchers in jail isn't that.
bobmcnamara 1 days ago [-]
Yes. I live in a state where a journalist reported a Department of Education system leaking teacher SSNs and the governor sent state troopers after him.
Doing the right thing can be awfully unpleasant.
dns_snek 1 days ago [-]
You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
bobmcnamara 1 days ago [-]
Agreed.
Cracked a thrift store IoT medical device. Contacted vendor. They sent me a one way NDA. Lol no.
dns_snek 13 hours ago [-]
I've been trapped in a quasi-NDA on bug bounty platforms too. The vendor just refused to make the report public long after the vulnerability had been fixed, likely to cover it up in case of any resulting damages claims (it was a financial platform and the bug affected withdrawals of customer funds).
The platform knows my identity, publishing the details would be against their terms, there's an implied threat that they could take legal action against me if I published the details, and they even low-balled the severity to avoid paying out the appropriate amount. Awesome experience overall.
akerl_ 1 days ago [-]
What about users who are affected by the vulnerability in the time it takes between reporting to the vendor and remediation?
llbbdd 21 hours ago [-]
That's the tradeoff. If you disclose it broadly without a grace period, someone who didn't even know about the vulnerability before will exploit it faster than even the best postured companies can fix it.
akerl_ 19 hours ago [-]
That seems to depend a lot on the vulnerability, and the company, and the users.
I'm not suggesting in this thread that coordinating with vendors is bad. I'm suggesting that to frame any non-coordinated disclosure as inherently irresponsible is bad, and that is what is implied when we use the label "responsible disclosure" for "coordinated disclosure".
parineum 1 days ago [-]
What you're describing as branding is actually an opinion. Calling it branding (with it's negative connotations) is putting the thumb on the scale.
akerl_ 1 days ago [-]
I’m saying out loud “I think rebranding coordinated disclosure as responsible disclosure has negative impacts and we shouldn’t do it”.
Thats not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclose is irresponsible”; it sneaks it under the name change.
BrenBarn 1 days ago [-]
It won't change until there is better regulation with muscular enforcement. Right now the choice is between paying an $X bug bounty and the vague possibility of some problem for not paying a bounty (e.g., someone sues you, or a PR fiasco causes you to lose customers). That basically means a choice between a 100% chance of losing $X right now (to pay the bounty) or an unknown but probably low chance of an unknown but probably high cost later on. Without any specific incentives, most people making decisions at companies will just choose to gamble on the future, hoping that they can somehow dodge the consequences.
To change that calculus, the chance of that future cost needs to go up and the amount of it also needs to go up. If the choice is between a $100k bug bounty now and a $10-million-dollar penalty for a security breach, people will bite the bullet and pay the bounty. If the CEO knows he will lose his house if its discovered that he dismissed the report and benefited financially from doing so, he will pay the bounty.
The consequences need to be shifted to the companies that play fast and loose with customer data.
newman8r 1 days ago [-]
> I’m curious about the legal/reputational implications of this.
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
Bad PR move
weitendorf 1 days ago [-]
I guess I mean the legal risks to both sides. Security is only a portion of what I do and I only dabble in red teaming (this is the first time I ever tried it on a third party).
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
juujian 1 days ago [-]
I would argue that it is an ethical thing to do so if it sends a signal to pay whitehats appropriately.
akerl_ 1 days ago [-]
Who is getting that signal?
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
chimpanzee 1 days ago [-]
The signal is for the hats. Black hats may be more likely to attack. White hats will find better things to do. Some might even swap hats.
akerl_ 1 days ago [-]
You’ve described a totally different “signal” than the comment I replied to.
chimpanzee 1 days ago [-]
I guess I should have made it clearer by making the implicit explicit:
“The signal isn’t to pay white hats more, instead…”
And perhaps an addendum such as:
“…which will then, indirectly and in the long run, create the signal you were replying to.”
akerl_ 1 days ago [-]
Ah. I don’t have much optimism that companies like Burger King will ever get that 2nd signal (mostly because I don’t think the average consumer-facing business suffers much impact from this kind of incident), but I agree with your premise.
Appreciate your clarification despite the bluntness of my reply.
chimpanzee 1 days ago [-]
And I appreciate your reply. It fixes the tone in our little thread and refocuses it on the topic. Thank you.
Also, you’re probably right, the signal will likely pass right over Burger King’s crown.
juujian 1 days ago [-]
Yeah, the signal is not exclusively to Burger King.
risyachka 1 days ago [-]
This is software.
There is basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.
Thorrez 8 hours ago [-]
>Does that mean I can make a post like this?
No. Just because there's a blog post about a fixed vulnerability doesn't imply that it's ok to write a blog post about an unfixed vulnerability.
I'm not saying it's wrong to post a blog post about an unfixed vulnerability. I'm just saying that the existence of a blog post about a fixed vulnerability has no impact on whether it's ok or not to post a blog post about an unfixed vulnerability.
hsbauauvhabzb 1 days ago [-]
You should consult a lawyer. The first thing they’ll probably want to see is the terms you agreed to on hackerone.
PaulHoule 1 days ago [-]
I was about to repost that blog post on another site and now it looks like it was taken down.
jongjong 23 hours ago [-]
This sucks. As a developer who puts a lot of effort on security, I hate that companies can get away with such negligence.
I hope people invent AI bots which uncover vulnerabilities and make them available publicly for free, in real-time. This would create the right incentives for companies.
Modern software has become a giant house of cards, under the control of foreign powers who possess asymetric knowledge. This is because our overarching legal system protects mediocrity and this gives nefarious skilled people with a massive upper hand, while hurting well-intentioned skilled people who try to build software the right way.
The nefarious skilled people don't need to ask for permission and don't need to convince anyone to make money from their schemes... Well-intentioned skilled people build products which are impossible to sell or monetize because nobody cares enough about security... Companies mostly externalize the consequences of vulnerabilities to their users and leverage market monopolies to keep them.
beefnugs 1 days ago [-]
They want capitalism, give them capitalism. If you can make more money exploiting it and selling to mafias and gangs and nation states. Do it.
11 hours ago [-]
jrockway 1 days ago [-]
I'm most surprised that they have this whole system for how drive-thru interactions should go. Positive tone. Saying "you rule" like their exceedingly-irritating television commercials. Like... what if you don't? "If you don't follow the four Sales Best Practices, you're gonna be flippin' burgers for a living. Oh. Well. Oh." They're getting paid $6 an hour. The microphone/speaker system can't reproduce audio to an extent where a customer could ever be sure if you said "you rule" or that your tone is positive. They are thrilled if at least a few items they ordered are in the bag they collect. Why write software to micromanage minimum wage employees?
michaelt 1 days ago [-]
> They're getting paid $6 an hour. [...] Why write software to micromanage minimum wage employees?
Ironically, the less a job pays, the harsher and more demanding the bosses tend to be.
Earning six figures as a software developer, working from home, and you have to take a week off sick? No problem, take as long as you like, hope you feel better soon.
Earning minimum wage at a call centre? Missing a shift without 48 hours advance notice is an automatic disciplinary. No, we don't pay sick leave for people on a disciplinary (which is all of them). Make sure you get a doctor's note, or you're fired.
bagacrap 7 hours ago [-]
I think there's a U shaped curve here. Make it all the way to Principal software engineer and you might be expected to work longer hours and bend your personal sense of ethics in service of the company's mission.
parineum 1 days ago [-]
That's a correlation to how easily replaced you are.
MangoToupe 3 hours ago [-]
On the other hand, i can't imagine it's easy to find a legal citizen willing to work for that wage. Especially when school's open.
hluska 1 days ago [-]
[flagged]
thfuran 1 days ago [-]
>There’s nothing wrong with flipping burgers for a living.
There is if it relegates you to shitty work environments and doesn’t afford a decent living as is generally the case in the US.
jrockway 1 days ago [-]
I'm not making a value judgement. I'm saying, how are they going to punish you, as a burger flipper, for not saying their TV commercial tagline? Demote you to burger flipper? That's already your job. So why pay people to build a system to track their metrics, when they realistically have no way of making this happen.
Pay people $30/hour and I bet they'll say it every time without software yelling at them. (With the software in place, I have never heard the line "you rule" at Burger King, but I also only go like twice a year. So why write it? It doesn't work.)
stronglikedan 1 days ago [-]
[flagged]
PsylentKnight 23 hours ago [-]
> It's a job for teenagers to get experience
It all makes sense now! So that's why all fast food chains are closed from 9-3 on school days
ssl-3 22 hours ago [-]
[flagged]
ShroudedNight 19 hours ago [-]
I'm not sure that was the God of Abraham, so much as The Great Caucasian God[1]
<< DMCA copyright infringement complaint from Cyble Inc., acting on behalf of Burger King
I am mildly amused, but it only now makes me want to dig through internnet archive ( I believe another poster already helpfully provided ). GL BK. It sounds like Streisand will strike again.
edit: Good read btw. I am curious as to why employees are in that database though.
import 1 days ago [-]
It seems the post is down because of a DMCA complaint made to Cloudflare. I’m curious about the different levels of DMCA complaints. I’m sure hosting companies receive them, but what happens if I’m self-hosting and not using Cloudflare? Will my ISP or domain provider get a DMCA? Especially curious for this case.
jimt1234 1 days ago [-]
How do we know this was because of a DMCA complaint?
Usually yes, it would go to your ISP. And depending on the ISP they’ll forward it to you or not. This was way more prevalent in the era where movie studios were hiring firms to send bulk DMCAs to people downloading torrents.
djfobbz 1 days ago [-]
Back in 2008–2009, we had a lot of bare metal servers at SoftLayer's (Dallas, TX) facility. One of our customers ran a South American music forum, and anytime someone uploaded an MP3, the data center would honor the DMCA request and immediately stop routing traffic to the server until the issue was resolved. Now imagine what tools they might have in their arsenal in 2025.
techjamie 1 days ago [-]
The voice recordings at the drive thru without disclaimers of recording seem like maybe a two party state lawyer's wet dream?
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
nerdsniper 1 days ago [-]
There’s no liability or exposure for recording non-consensually. It’s a public space. There’s not even an edge case. If a random member if the public could walk into the drive-thru (which they can) then anything can be recorded without notification or consent.
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
exegete 1 days ago [-]
A restaurant drive thru is private property open to the public. I think there may be a legal difference there.
nerdsniper 23 hours ago [-]
There's generally not been held to be any difference for the purposes of expectation of privacy. If it's open to the public, the expectation is that anyone could overhear you.
flimflamm 12 hours ago [-]
Creating a database of recordings without user being able to know/influence is clearly violation of GDPR IF there is PII. That's going to be costly for BK.
nerdsniper 10 minutes ago [-]
GDPR only exists in Europe. Are they doing this there too?
mixdup 19 hours ago [-]
>There’s no liability or exposure for recording non-consensually. It’s a public space.
That is not how wiretapping laws work in every state.
newhotelowner 1 days ago [-]
Do you need 2 party consent for recording in a public space?
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
wordglyph 6 hours ago [-]
I think the real issue in this case is if they are marrying your voice data (personal preferences) to you. They get your name when you pay with credit card. And they get your license plate. And now with AI are they selling this married information?
techjamie 1 days ago [-]
That's what I'm getting at with the expectation of privacy part. Talking into a drive thru speaker isn't really a private activity since everyone around can kinda hear it, but it'd probably be better to disclaim it anyway since someone attempting to file on you for it still costs money.
ssl-3 24 hours ago [-]
Strolling down the sidewalk at a park with a friend and chatting with them isn't necessarily a private activity either: We're in a very public space. Anyone within earshot can hear whatever we're talking about. If the sounds of our conversation winds up being incidentally in the background of someone filming the squirrels the tree frogs or something, then there's probably nothing to be done about that.
But (in some states), it seems that it would be a very different can of worms if I were to elect to deliberately record the conversation I have with my friend without their consent. Even in a public space, that would appear to run directly afoul of the applicable laws.
thimkerbell 1 days ago [-]
Is there an easy effective way to tell a company not to ask its customers' phone numbers if someone parked nearby can overhear them?
smcin 1 days ago [-]
They steer you towards ordering on the mobile app instead, which typically gives you a 4-6 digit confirmation code which you then use combined with your name, when you pick up. And/or your receipt in the app.
flimflamm 12 hours ago [-]
Depends on the country. In Finland, it's ok to record your own discussions. Whether the recorder is BK (a third party) or the cashier is an interesting question, though.
unyttigfjelltol 1 days ago [-]
You don’t get to secretly record voices in public spaces.
newhotelowner 1 days ago [-]
Yes, You can in America. Video recording is permitted without consent in the public places. Example CCTVs.
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
EvanAnderson 1 days ago [-]
I wouldn't chance it. Stick an "audio may be recorded for performance evaluation purposes" on the drive thru kiosk and call it a day. Otherwise you're inviting litigation when something like this happens.
You can want things to be black and white but litigators are going to argue.
1 days ago [-]
firesteelrain 1 days ago [-]
No expectation of privacy in public and video can be taken. For example, security cameras that also happen to capture audio.
fragmede 1 days ago [-]
in which jurisdiction? Just because there's a device that breaks the law doesn't make the law go away.
firesteelrain 1 days ago [-]
Katz v. United States (1967)
Glik v. Cunniffe (1st Cir. 2011)
ssl-3 24 hours ago [-]
I don't see how either of those cases apply to regular people making recordings of regular citizens (in public, or not) using a microphone.
firesteelrain 24 hours ago [-]
I was referring to video with a camera which has a microphone
ssl-3 23 hours ago [-]
As was I.
But to extend the context: I don't see the relationship of either of those cases to anything being discussed here at all.
firesteelrain 23 hours ago [-]
Drive thru conversations are not private under the Katz test, so there is no reasonable expectation of privacy. That makes video or audio recording in that setting lawful.
Katz came about because the FBI recorded a gambler outside the booth with the doors closed. Hence we have the Katz test.
Heck, you can even record someone making a drive thru order yourself and no one can do anything about it
ssl-3 22 hours ago [-]
If the question was about whether a warrant would be required to record a person at a Burger King drive-through, then sure: I'd bite.
But that kind of question does not appear to be related to anything in the context of the discussions here on HN.
You seem to have presented a red herring.
firesteelrain 22 hours ago [-]
Not a red herring. The Katz test defines when a conversation is private, and a drive thru order does not meet that standard, so recording there is lawful even when it is done by a private person and not by law enforcement.
LMYahooTFY 1 days ago [-]
This is not related to public spaces.
bigiain 19 hours ago [-]
In Australia, at least in the late 90s, you were allowed to record voice and video without consent or notification of all parties, but you were not permitted to play/show the recordings to anyone else.
This was well know amongst the sort of people who regularly got harassed by police (in my circle of friends, riders of sportsbikes). There was well known legal advice saying to record every interaction you had with police, and if it turned out badly in any way, as soon as you got home write down the transcript of the conversation as "contemporaneous notes" and email them to your gmail account to establish a timestamp. But the only time you ever even mentioned your recording would be to your lawyer, so that if the cop challenged or contradicted your notes in court, your lawyer could then offer the recording as evidence.
These days, dashcams are pretty ubiquitous, and demonstrate that whatever the legal technicalities are, video recording in public without consent is not only widespread, but bashcam footage is also something police regularly request from the public.
nycpig 1 days ago [-]
That is a farily broad statement.
How would you reconcile your statement against state laws that require all-party consent for audio recordings? e.g. CISA, or FSCA
nerdsniper 1 days ago [-]
Those don’t apply to public spaces in the USA. This is super well-established law. If you needed consent to record in public there would be nearly zero YouTube videos recorded in public. And security cameras would generally not be allowed to record audio. And Tesla’s “Sentry mode” would be illegal.
In the USA, there is no right or legal expectation of privacy in public spaces, which includes fast food restaurants that are open to the public (indoors or outdoors)
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
redserk 1 days ago [-]
Sentry mode doesn’t record audio.
parineum 1 days ago [-]
Audio cannot be recorded without consent in CA. Security cameras have an option to disable audio for this reason. People never do it but it's the case.
It's related to wiretapping laws that are very broad.
JKCalhoun 1 days ago [-]
California or Canada?
natebc 1 days ago [-]
<nerdsniped> and removed so that i don't get sued for gross misinterpretation, ignorance and misinformation spreading.
What was here was a link to a California statute that is apparently misinformation somehow. Who knows, I'm just some igorant redneck apparently.
macintux 1 days ago [-]
> For the purposes of this section, “confidential communication” means any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto, but excludes a communication made in a public gathering or in any legislative, judicial, executive, or administrative proceeding open to the public, or in any other circumstance in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.
This is not confidential communications.
nerdsniper 1 days ago [-]
Did you read that law? It applies to “Confidential communication…carried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio”. Conversation in public is by nature not “confidential”. You are grossly misinterpreting this law and (unintentionally/ignorantly) spreading misinformation.
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
natebc 1 days ago [-]
Grossly misinterpreting and spreading misinformation? I clarified a location and linked to the relevant statute.
You may have a smudge on your optics, mr. sniper.
lazide 10 hours ago [-]
Only if there is an expectation of privacy.
If there is a big obvious security camera staring at you, in a public place, that is the opposite of an expectation of privacy.
singleshot_ 1 days ago [-]
I've had some challenges recording voices with video, but I salute your efforts.
unyttigfjelltol 1 days ago [-]
Funny, whenever they show the CCTV footage it doesn't seem to have any sound....
Secretly recording voices is a felony is many places in 'merica.
nerdsniper 1 days ago [-]
Please stop spreading misinformation . There are so many court cases about this. A quick google will give you dozens you can read.
Legally there is no “reasonable expectation of privacy” in public spaces and the only limit on that are extreme telephoto lenses looking from public spaces into private spaces.
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
unyttigfjelltol 1 days ago [-]
Unfortunately, you are not correct.[1] Recording police in a public place-- sure. Otherwise, eh, at best you're over-extrapolating (and ungenerously!) from your local circumstance.
Okay, wow -- I stand corrected. I will edit my comments. It will take me awhile to wrap my head around Massachusett's-style state-level restrictions. While I wouldn't personally expect this to survive a Supreme Court adjudication, apparently there exists no Supreme Court ruling either upholding or striking down the prohibition on secretly recording oral conversations in public.
lazide 10 hours ago [-]
The key element here that everyone seems to be confused about, is secret vs non-secret.
If you have an obvious security camera, or an obvious camera that normally would record audio, and you’re in public waving it around and it records audio? You are not secretly recording audio.
Same if someone is standing next to a obvious and clearly visible security camera which normally could also record audio, also, not secretly recording audio.
A hidden mic in your jacket, or like in that case, hiding the camera under a jacket? That is hidden recording.
The general rule of thumb is - if everyone can clearly see what you’re doing, it’s not secret.
LadyCailin 1 days ago [-]
Apparently the system was global, and BK has locations in GDPR countries.
pessimizer 1 days ago [-]
> You don’t get to secretly record voices in public spaces.
> Video recording is permitted without consent in the public places.
I have no idea why you would think that these two statements are related, or why people would continue this conversation. Fishing and skateboarding are two other things that are often allowed, but neither are related to recording audio.
And for anyone who thinks this is a nitpick, please look it up.
edit: also, saying that you can record people when you're obviously recording people is also not relevant. The problem is recording people without their knowledge or consent. I cannot put an audio recorder in my pocket in many places (such as Illinois) and record you, whether in a private space or in a public space. If I put my audio recorder on the table, and you can choose whether you want to speak or not, it's legally an entirely different scenario, whether we are in a public space or not.
mrbluecoat 1 days ago [-]
> They emailed us the password in plain text. In 2025. We're not even mad, just impressed by the commitment to terrible security practices.
The hilarious sarcasm throughout was the cherry on top for me.
some_random 1 days ago [-]
Not to nitpick but being emailed a temporary password in cleartext doesn't seem like an issue to me, assuming you're required to change it as soon as you log in.
bigiain 19 hours ago [-]
Especially since that email address presumably is used for the forgot password authentication anyway.
But it is at least the equivalent of a code smell. perhaps a "UX smell"?
A couple of obvious ways it can go bad: An attacker could potentially have access your email (perhaps from a data breach elsewhere or a password stuffing attach) and use the temp password before you do. If the temp password is the one entered by the user during signup, a naive user could sign up using their commonly-reused-password which then sits in cleartext foreven in their email archive.
hvb2 10 hours ago [-]
The way I read it, the password might not have been different for each new user...
But that's negated completely by the next part about there being a sign up without any email verification
lazide 10 hours ago [-]
The fun one for me is when they email you your original password in email. I’ve had that happen twice, and was always an amazing wtf moment.
I think the real issue in this case is if they are marrying your voice data (personal preferences) to you. They get your name when you pay with credit card. And they get your license plate. And now with AI are they selling this married information? Not to mention the ability for AI to clone your voice and selling that.
johnecheck 1 days ago [-]
Wow. That's... impressively bad.
While pretty egregious, this is sadly common. I'm certain there's a dozen other massive companies making similar mistakes.
rsingel 1 days ago [-]
The blog post got taken down in response to a bullshit DMCA claim filed by a YC-funded company called Cyble
Wtf! I’m certain this entire stack was reviewed by low level outsourced contractors.
To the person below whining that BK should’ve had more time…absolutely not! Users have a right to know. No effort was made to protect the data. None.
Action needs to be taken. The company contracted to build this stack should be replaced asap! Including the CISO.
ghiculescu 13 hours ago [-]
What if it was built in house?
cobbzilla 1 days ago [-]
Honestly wondering if this is a legit use of DMCA. Like, what exact provision of the DMCA is being implicated here?
One should have some reasonable means for challenging this kind of thing. But what do I know.
It’s a scary world when you know a C&D or other legal nastygram is 100% bullshit and want to ignore it, but you’re chained to a vendor that can’t respond with any level of subtlety, just the ban-hammer for everyone
So the C&Ds and nastygrams become increasingly ridiculous, but whatevs, they’re all rubber-stamped so hey corporate just push that red “lawyer” button and make my embarrassment go away real fast, before any Streisand effect can kick in!
kevincox 23 hours ago [-]
IANAL but it absolutely isn't.
DMCA is for copyright violations. They aren't providing any copyright protected information in the post. The nearest thing would probably be screenshots of their internal applications which seems to be to be obviously fair use.
charcircuit 13 hours ago [-]
The article did show images of the internal website including a one showing a photograph. It infringes their copyright, but it would be up to the author to prove that the usage was fair use.
gus_massa 1 days ago [-]
> Rating bathroom experiences: because everything needs a digital feedback loop
At least here in Argentina, clean bathrooms was a huge selling point in the 1990' for Burger King and McDonald's.
For example you can go to study to one of them with a few friends, and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
alanfalcon 1 days ago [-]
Now my local Burger King (in Las Vegas, NV, USA) has a sign at each table telling you that you have 30 minutes to eat your food and get out before you get thrown out for loitering.
MathMonkeyMan 11 hours ago [-]
Well there are some people who seem to live at my local McDonalds.
immibis 23 hours ago [-]
[flagged]
hvb2 10 hours ago [-]
So they did do the work on sentiment analysis and all that, but didn't do any of the security stuff???
So when you're making minimum wage, you can expect every word you say to be analysed and your PII to be unprotected.
I guess security wasn't a feature.
b1c837696ba28b 24 hours ago [-]
40-some years ago in L.A. some guys discovered that a Burger King drive-up kiosk was tied to the restaurant with an RF link. It was a simple matter to determine the frequency and modulation mode and program a hand-held transceiver to use the same link. They set up in an adjacent parking lot with a video camera and set about pranking the customers that drove up. The resulting video, titled "Attack on a Burger King" (these guys were video engineers,) was copied all around town by the same studio rats that shared session outtakes, Red's Tube Bar, etc. It ends with an employee coming out, jogging toward the kiosk, while the hackers convince the customer to flee the angry man approaching them. Dunno if it ever made it to streaming.
kotaKat 22 hours ago [-]
Ah, yes, A lot of old fast food drive-thru headsets were in VHF business band (and similar). The Phone Losers of America were well known for their exploits to that regard.
99.9% of the CTFs have much more difficult questions!
> The password protection? Client-side only. The password? Hardcoded in HTML.
oneturkmen 19 hours ago [-]
Just googling "rbictg bk gb" yields some weird domains, including dev-bk-gb-moonshot (dot) rbictg (dot) com
15 hours ago [-]
1 days ago [-]
zackkatz 1 days ago [-]
Great write-up! I was sorry to see there wasn’t a reward for you reporting this to them.
At least you didn’t find that the bathroom rating tablets had audio as well!
foofoo12 1 days ago [-]
> wasn’t a reward
I'm pretty sure someone was willing to pay for this, but at least the researches acted responsibly.
StrauXX 23 hours ago [-]
Unlikely. If a company does not have a formal BBP, they won't pay 99.99% of the time. Brokers are also not interested in vulnerabilities in companies. They usually only buy vulnerabilities for standard software (components).
fragmede 20 hours ago [-]
foofoo12 is hinting that they could sell the exploit on the black market for money, were they so inclined
StrauXX 16 hours ago [-]
Again, there really isn't a big market for such vulnerabilities. No 0day broker will buy the vulnerabilities listed in the article. They might be able to sell to an initial access broker, but even there rhe kinds of vulnerabilites are not really interesting to them.
ghiculescu 13 hours ago [-]
If that’s the case, then why do companies run bug bounties?
I’m asking earnestly; it seems like if nobody actually cares about these gaps then there shouldn’t be an economic driver to find them, and yet (in many companies, but not Burger King) there is.
Is it all just cargo culting or are there cases where company vulnerabilities would be worth something?
decasia 1 days ago [-]
Remind me to stick to my hyperlocal fast food restaurant that only has one location and probably doesn't record every conversation you have with them or use any of the other gross surveillance technology that was recorded here.
The story is really about two things. Their poor information security is pathetic, but their actual surveillance tech is genuinely kind of politically concerning. Even if it is technically legal, it's unethical to record conversations without consent.
deltarholamda 1 days ago [-]
>hyperlocal fast food restaurant that only has one location and probably doesn't record every conversation you have
Good news! With AI programming assistance, this invasive technology--with the concomitant terrible security--will be available to even the smallest business so long as nephews "who are good with computers and stuff" exist!
1 days ago [-]
akerl_ 1 days ago [-]
This person seems to be fishing for a CFAA indictment?
Before writing and publishing this did you tell them about the vulnerabilities?
zooi 17 hours ago [-]
This is written like an LLM trying to be witty and it's nearly unbearable.
argiopetech 9 hours ago [-]
Not saying I agree with you, but where do you think the training data came from? The internet is full of socially awkward albeit prolific writers.
18 hours ago [-]
rafram 1 days ago [-]
You need to stop targeting companies without established bug bounties that allow penetration testing, or you’re going to go to jail.
010101010101 1 days ago [-]
I get the sentiment and it’s a wise warning that at some point most people in grey hat spaces end up adhering to, but “do exactly as you’re allowed to do by large corporations” isn’t exactly a hacker ethos.
weitendorf 1 days ago [-]
I don’t think that argument really works in situations like this because hacking Burger King requires a pretty high level of intent + ability and isn’t something that just naturally happens. Like you have to sit down and say “Today I want to try to hack Burger King” and then spend several hours doing just that.
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
tyami94 10 hours ago [-]
This is a red herring. They're obviously being silenced because they just obtained evidence that Burger King is recording and algorithmically analyzing every customer interaction to ensure that their wage-slave employees say "You rule!" the correct number of times per order. This is horrifying and dystopic, and it's certainly the bigger story here.
8 hours ago [-]
immibis 23 hours ago [-]
Those people don't announce what they did traceably to their real name and address, because they know if they do, they'll go to jail.
The police and the judge and the jury don't care what colour fabric you put on your head this morning. They (in theory) care if you committed a crime and they can prove it. Which you did and they can, since you confessed. So you go to jail for a long time.
the_arun 1 days ago [-]
But why? Is it because we don’t have consent from companies to try /check whether they are secure? If so who protects customers from weak doors? or shareholders?
Ekaros 1 days ago [-]
Weak doors is fun comparison. Imagine if someone regular found homes locked by Masterlock locks. And then riffled through everything just to see if they are sufficiently secured. Then reported to owners asking for security bounty...
I doubt that would go down very well, neither would it if you did that with businesses instead private home.
kldg 18 hours ago [-]
CEO was once annoyed with me while I worked IT (we handled facilities/security, too; was <100 employees) for testing how the camera worked for detecting human presence inside dev & design's room to unlock the double glass doors (for fire safety reasons, you must allow unrestricted exit). It acted like it was based on size of object in motion; if so many pixels were in motion from last frame, it triggers unlock without any other testing on if that object is a human.
It wasn't enough to just shove a folder through the gap of the doors; you had to ensure the folder opened up as it was falling, changing more of the pixels to get to the trigger threshold. It took me around 5 minutes to get it to consistently trigger. CEO was displeased dev & design team now knew how to bypass the door lock from the outside; he wasn't going to pay to fix it.
Maybe best to internalize Have It Your Way like BK's teams did.
1 days ago [-]
drtgh 1 days ago [-]
They sound like it should be avoided to analyse the river waters next to factories.
rafram 1 days ago [-]
Yes. Talk to your congresspeople.
AndreBaltazar 1 days ago [-]
No bug bounties for this level of sloppiness is the crime itself.
nickthegreek 1 days ago [-]
genuinely interested in the last known story of someone going to prison for this type of pen testing without an established bug bounty.
Oh, this is a rabbit hole. As far as I can tell the pentesters' suit against the sheriff is still ongoing, but back in Iowa courts. The federal court's ruling is ... not good [1]:
1) The court found that the county sheriff had the pentesters arrested and encouraged their prosecution _not_ because he believed there was any crime, but instead that was angry at some state official. (Which, y'know, sounds like a pretty serious civil rights violation.)
2) However, the civil rights / 4th amendment claims were dismissed by the federal court due to "qualified immunity", the doctrine where, in any sufficiently "unique" or "specific" situation, the police have no liability whatsoever for their actions [2].
Agreed, though at the same time, RBI should be rewarding them for reporting this.
syntaxing 1 days ago [-]
Stop targeting anything and just use anything as is! Especially, don't you even dare hit "view source" on a website. Believe it or not, straight to jail. /s
Why and what gives you the right to tell them off?
Hacking is hacking. If they wish to risk it, what's your problem?
They know the risks. Everyone knows hacking is illegal. Same with selling drugs; illegal yet folk do. Same premise.
Get caught; no sympathy given.
"People may get hurt"? $country throw folk in to war; it's a harsh world we live in.
Bug bounty's are only the new norm because the younger audience want validation and compensation for their skills or that companies are being cheap to ensure security.
During my era of internet bug bounties were non-existent. You either got hired or you went to jail.
In my case I got fired from a bank accidentally boasting that I could replace printer status messages with "Out of Ink - please insert more blood". Granted I was 17.
Being banned from using any computer at school for discovering a DCOM exploit using Windows 98 Help resulting in being denied from doing my IT GCSE and from two colleges.
Or being doxxed by another hacker group for submitting their botnet to an AntiVirus firm. Good times, a living nightmare for my parents.
rafram 1 days ago [-]
It’s a free country, etc. Obviously I have the “right” to comment a warning on the internet.
The point of bug bounties isn’t “validation” (as if old-school hackers didn’t want validation!), it’s that companies with responsible disclosure programs explicitly allow you to pentest them as long as you follow their guidelines. That removes the CFAA indictment risk. The guidelines generally aren’t much stricter than common sense (don’t publish user data, don’t hurt people, give them time to patch before publishing).
Unfortunately, the existence of bug bounties has made some people forget that hacking a company without an agreement in place is still a crime, and publishing evidence of crimes to a wide audience on the internet is a bad idea.
Most of what you’re saying just seems like nostalgia talking. Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
doublerabbit 1 days ago [-]
> It’s a free country, etc.
But it didn't come across a warning. "You need to stop" is a demand not a warning. And I would like to believe they would know this when post online. if not /shrug.
Maybe they're working on behalf of an organization, a country that doesn't follow CFAA; Russia, China? Maybe they're state sponsored or under protection. They're obviously not stupid if they can infiltrate Fast-Food chains and social engineer others but I've been wrong before.
> is a bad idea
I would be surprised if they didn't. If not, okay well if shit hits the fan; no sympathy for me. Unlucky. They're doing it at their own risk.
> Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
A doubled edged sword, I personally wouldn't count them as hackers. They're not hacking, they're penetrating based on T&C of an agreement. Yes, it could be called "ethical hacking" but I still wouldn't call it hacking.
A hacker is one who gains unauthorized access to computer. Hacking isn't such when your granted restricted access on a basis of T&C.
> Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
I don't disagree, if that's your skill then go for it. It's the safest route allowing you to harness your skills, and which may provide future prospects. A dispensary selling drugs is better than the dealer on the corner of the street.
"To hack a bank" is different then to "hack a bank based on some agreement". One carries more weight then the other. Your penetrating a bank on an agreement. Your not hacking.
Bug bounty hunters to have faced jail, lawsuits, or threats — even when acting in good faith, it doesn't make you invulnerable.
I admire the persona of who this is, their acts highlights concern to us who use such conveniences. It exposes truth and tackles the issue at hand where others may exploit you because of. It shows negative light to corporations that many folk who daily.
Their title as on their blog "Ethical Hacker" I would say suitable to describe them as that. It's not like they're siphoning money off folk from ransomware.
> Most of what you’re saying just seems like nostalgia talking.
What I was demonstrating as someone who's been in trouble due to misunderstanding computer mishaps as a teen back when, also to establish my point that I know what I am talking about.
Yeah, it turned in to a nostalgia trip. I'd call myself more of a script kiddie and one who I'd see myself as white-hat.
Black-hat can be interesting however my moral compass has caught up with me and that my life has more worth that it would be jeopardous to do such besides I don't have the time and among other things.
mixdup 19 hours ago [-]
>what gives you the right to tell them off?
The US Constitution? (lot of assumptions of locations here, insert your charter of freedoms/other guarantor of rights here if parent comment OP is not in the US)
6 hours ago [-]
djoldman 1 days ago [-]
Assuming:
1. Jane, a security researcher, discovers a vulnerability in a Acme Corporation's public-internet-facing website in a legal manner
2. Jane is a US resident and citizen
3. Acme Corporation is a US company
... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?
Relatedly:
Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
weitendorf 1 days ago [-]
> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure?
Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.
It’s not even really a matter of liability IMO, it’s just the right thing to do.
(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
user5994461 20 hours ago [-]
> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
You don't publish because you don't want to cause harm and you don't want to be liable for it.
You need to realize that vulnerabilities don't exist in a vacuum. They grant access to computer systems that control the life of people (millions of people) including their personal information, passwords, passport photos, card numbers, jobs, paychecks, transportation, food, etc... which is very likely to cover yourself, your mom, your family, your friends as you deal with larger companies.
When you publish a vulnerability, it will immediately be used by bad actors that intend to cause harm to all these people, including employees and customers.
nycpig 1 days ago [-]
IANAL, but to answer your question, maybe? The CFAA has a fairly broad scope. "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains, information from any protected computer; " 1030(a)(2)(C)
Sandvig v. Barr tempers that a bit, with the DoJ now offering some guidance around good faith endeavors around security research.
I'd suggest Jane have a good lawyer on retainer, and a few years to spend in the tied up the legal system.
immibis 23 hours ago [-]
I suspect the post itself is legal but it's also a confession of highly illegal hacking.
lazide 10 hours ago [-]
Yes. The underlying problem is that knowing about the vulnerability is not an issue. Getting to the point you know about and are sure it’s a vulnerability almost certainly will implicate whoever discovered it in a CFAA crime (and those punishments are ridiculously severe for what counts as committing them in most cases).
Most of these things are best done across non-cooperative international borders, just to reduce the incentive for ‘throw them in jail’ as a easy ass covering measure.
thimkerbell 1 days ago [-]
Blog post not found
igtztorrero 1 days ago [-]
It's incredible that a chain that produces terrible food has such a large surveillance system for underpaid employees.
Surely the IT workers are also underpaid, which is why they left the doors wide open.
That only confirms the subpar quality of the executives, the food, and everything at Burger King.
Fairburn 23 hours ago [-]
Since way back has it, repost that shit. Burger King, get bent.
lysace 1 days ago [-]
The only way this shit show will ever stop is if behavior like this is ultimately rewarded with a corporate death penalty.
E.g. their trademarks being put in the public domain and assets confiscated to compensate their victims.
The watch in amazement at how actual security suddenly becomes a priority.
1 days ago [-]
arcfour 20 hours ago [-]
This [post] is Claude generated, isn't it? Makes it a bit painful to read, to be frank, but nice work. I can't believe people get paid to write this junk (software). It's just...so bad.
hluska 1 days ago [-]
[flagged]
jmkni 1 days ago [-]
I don't think it was a swipe at minimum wage employees at all, more massive corporations like Burger King making their minumum wage employees be "cheerful"
redwall_hp 1 days ago [-]
One of many reasons I despise Trash-Fil-A. They go hard on forcing their employees to sound a certain way, and it's just creepy as well as being abuse of their workers.
Paying someone a pittance, or anything at all, doesn't entitle you to control over their perceived mood or how they speak. You'll have to negotiate with SAG-AFTRA if you want to hire actors.
MBCook 1 days ago [-]
But elsewhere in the article they show that Burger King is using AI to analyze how well the drive-through employees are doing and if they’re being cheerful enough and such.
So I think it’s more a jab at corporate mandated performative forced happiness for customers then the employees themselves.
JKCalhoun 1 days ago [-]
Sure, could have written "hapless Burger King employee…". I suspect they did not realize it might come across the way it did to some.
BobDaHacker 1 days ago [-]
Burger King
grg0 1 days ago [-]
Why is your blog post down?
catsma21 1 days ago [-]
mmph..furger
1 days ago [-]
iqasimov 23 hours ago [-]
i swear god nothing can be cringer and funnier than when wannabe kiddo hackers write writeups. i can assure that they did dirty things for couple months before they actually report that but i can not prove it LMAO. I love this god level smart aleckness and the level of confidence is always ultimate LOL. idk man it is very sweet hahah. 50 grades of gray ahahahahahah
https://web.archive.org/web/20250906150322/https://bobdahack...
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
The screenshot of the email lacks detail so I don't know what part of the DMCA the author breached here, but this feels a lot like your standard DMCA abuse.
This AI generated takedown was funded in part by a Y-Combinator: https://cyble.com/press/cyble-recognized-among-ai-startups-f...
When dealing with a company whose business is filing dmca complaints using an automated system, the business model isn’t a lawsuit - it’s a settlement where the influencer is made whole and you get paid. The risk to the company is existential if you have enough clients using you to push back and risking them getting a platform ban or an injunction against them filing automated dmca complaints. Say they file a thousand complaints a day against a thousand YouTube channels. If even 50 of those channels file a counter claim it’s going to set off alarm bells.
All that being said the most toxic part of this is the company calling itself a cyber security company and trying to obfuscate seemingly pretty responsible disclosures using dmca.
Because the Digital Millenium Copyright Act is for copyright. You haven't stated how the blog post infringes upon BK's copyright at all, so... yes, seems like a standard fraudulent DMCA claim.
> First thing first. This is NOT DMCA abuse. The DMCA is the only way to communicate with web companies and take down content. As such, it has become the legitimate way to take down any content that needs to be taken down, in the absence of alternatives.
This assumes that companies should be able to take down any content they do not like. This is very much not the case. The DMCA is very specifically only for copyrighted content.
From copyright.gov[1]:
> To be effective, a notice must contain substantially the following information:
> ...
> (v) a statement that the person sending the notice has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
> (vi) a statement that the information in the notice is accurate, and under penalty of perjury, that the person sending the notice is authorized to act on behalf of the copyright owner .
This is pretty clearly DMCA abuse. TFA isn't using any of BK's copyrighted content, which is what a DMCA claim alleges. Just because people have abused the form... pretty much since inception does not mean that it's not perjury to do so.
If BK wants to press charges for unauthorized usage of computer systems, that's another route. This would involve a police report, not perjury, and would probably not take down the website.
[1]: https://www.copyright.gov/512/
You can see on the email that the "Original work" field is just a link to the BK website.
I will reply to this comment because it's the easier to address, you're really hitting on the main misconception :D
It is incorrect to think that the DMCA form is only valid for copyright.
You need to contact the other party to start a legal dispute, you can do so by any available communication channels. The website is hidden behind cloudflare which purposefully hides the identity of the author and prevents any contact, except via a DMCA form. Burger King filled the DMCA form to get in touch with the author. It's merely a mean to legally contact the author and start a dispute, in the absence of better options.
It worked, cloudflare forwarded the form to the author (and the author decided to take down the article on their own). I really can't think of any reason why it would not be considered a reasonable and legitimate use of the form. All the better because it's an official legal form.
The blog post says that the author contacted Burger King and they had some sort of communication channel available, Burger King just chose not to use it.
Another commenter in the thread shared where the laws says the exact opposite (DMCA is only for copyright violations)?
If not, why do you think Burger King has a right to have the posts taken down?
Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.
Even the most security-aware companies have a process to fix vulnerabilities, which takes time.
I would never hire someone that doesn't reaponsibly coordinate with the vendor. In most cases it's either malicious or shows a complete lack of good judgement.
In the case of bobdajrhacker? Both.
But I find that this case is rare. Typically it would be something like many of the following being met:
- It is likely to be discovered by an attacker soon.
- History shows that the company is unlikely to fix it soon.
- Users have some way to protect themselves.
- Your disclosure is likely to reach a significant number of users.
It seems pretty reasonable to publish, given that?
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
Maybe things are better now.
Years ago the only contact for many companies was through customer service. "What do you mean you're in our computer? You're obviously on the phone!"
Near the bottom of the blog post it says:
> When | What Happened
> Day 1, same day | RBI fixes everything faster than you can say "code red"
> Credit where it's due – RBI's response time was impressive.
Doing the right thing can be awfully unpleasant.
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
Cracked a thrift store IoT medical device. Contacted vendor. They sent me a one way NDA. Lol no.
The platform knows my identity, publishing the details would be against their terms, there's an implied threat that they could take legal action against me if I published the details, and they even low-balled the severity to avoid paying out the appropriate amount. Awesome experience overall.
I'm not suggesting in this thread that coordinating with vendors is bad. I'm suggesting that to frame any non-coordinated disclosure as inherently irresponsible is bad, and that is what is implied when we use the label "responsible disclosure" for "coordinated disclosure".
Thats not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclose is irresponsible”; it sneaks it under the name change.
To change that calculus, the chance of that future cost needs to go up and the amount of it also needs to go up. If the choice is between a $100k bug bounty now and a $10-million-dollar penalty for a security breach, people will bite the bullet and pay the bounty. If the CEO knows he will lose his house if its discovered that he dismissed the report and benefited financially from doing so, he will pay the bounty.
The consequences need to be shifted to the companies that play fast and loose with customer data.
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
Bad PR move
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
“The signal isn’t to pay white hats more, instead…”
And perhaps an addendum such as:
“…which will then, indirectly and in the long run, create the signal you were replying to.”
Appreciate your clarification despite the bluntness of my reply.
Also, you’re probably right, the signal will likely pass right over Burger King’s crown.
There is basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.
No. Just because there's a blog post about a fixed vulnerability doesn't imply that it's ok to write a blog post about an unfixed vulnerability.
I'm not saying it's wrong to post a blog post about an unfixed vulnerability. I'm just saying that the existence of a blog post about a fixed vulnerability has no impact on whether it's ok or not to post a blog post about an unfixed vulnerability.
I hope people invent AI bots which uncover vulnerabilities and make them available publicly for free, in real-time. This would create the right incentives for companies.
Modern software has become a giant house of cards, under the control of foreign powers who possess asymetric knowledge. This is because our overarching legal system protects mediocrity and this gives nefarious skilled people with a massive upper hand, while hurting well-intentioned skilled people who try to build software the right way.
The nefarious skilled people don't need to ask for permission and don't need to convince anyone to make money from their schemes... Well-intentioned skilled people build products which are impossible to sell or monetize because nobody cares enough about security... Companies mostly externalize the consequences of vulnerabilities to their users and leverage market monopolies to keep them.
Ironically, the less a job pays, the harsher and more demanding the bosses tend to be.
Earning six figures as a software developer, working from home, and you have to take a week off sick? No problem, take as long as you like, hope you feel better soon.
Earning minimum wage at a call centre? Missing a shift without 48 hours advance notice is an automatic disciplinary. No, we don't pay sick leave for people on a disciplinary (which is all of them). Make sure you get a doctor's note, or you're fired.
There is if it relegates you to shitty work environments and doesn’t afford a decent living as is generally the case in the US.
Pay people $30/hour and I bet they'll say it every time without software yelling at them. (With the software in place, I have never heard the line "you rule" at Burger King, but I also only go like twice a year. So why write it? It doesn't work.)
It all makes sense now! So that's why all fast food chains are closed from 9-3 on school days
[1] https://youtu.be/RJiwovX3mNA
Additionally: https://open.spotify.com/track/0YoYJw5URPqnGdOSnpeNnT?si=37a...
I am mildly amused, but it only now makes me want to dig through internnet archive ( I believe another poster already helpfully provided ). GL BK. It sounds like Streisand will strike again.
edit: Good read btw. I am curious as to why employees are in that database though.
Edit: Never mind -- > https://infosec.exchange/@bobdahacker/115158347003096276
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
That is not how wiretapping laws work in every state.
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
But (in some states), it seems that it would be a very different can of worms if I were to elect to deliberately record the conversation I have with my friend without their consent. Even in a public space, that would appear to run directly afoul of the applicable laws.
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
You can want things to be black and white but litigators are going to argue.
Glik v. Cunniffe (1st Cir. 2011)
But to extend the context: I don't see the relationship of either of those cases to anything being discussed here at all.
Katz came about because the FBI recorded a gambler outside the booth with the doors closed. Hence we have the Katz test.
Heck, you can even record someone making a drive thru order yourself and no one can do anything about it
But that kind of question does not appear to be related to anything in the context of the discussions here on HN.
You seem to have presented a red herring.
This was well know amongst the sort of people who regularly got harassed by police (in my circle of friends, riders of sportsbikes). There was well known legal advice saying to record every interaction you had with police, and if it turned out badly in any way, as soon as you got home write down the transcript of the conversation as "contemporaneous notes" and email them to your gmail account to establish a timestamp. But the only time you ever even mentioned your recording would be to your lawyer, so that if the cop challenged or contradicted your notes in court, your lawyer could then offer the recording as evidence.
These days, dashcams are pretty ubiquitous, and demonstrate that whatever the legal technicalities are, video recording in public without consent is not only widespread, but bashcam footage is also something police regularly request from the public.
How would you reconcile your statement against state laws that require all-party consent for audio recordings? e.g. CISA, or FSCA
In the USA, there is no right or legal expectation of privacy in public spaces, which includes fast food restaurants that are open to the public (indoors or outdoors)
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
It's related to wiretapping laws that are very broad.
What was here was a link to a California statute that is apparently misinformation somehow. Who knows, I'm just some igorant redneck apparently.
This is not confidential communications.
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
You may have a smudge on your optics, mr. sniper.
If there is a big obvious security camera staring at you, in a public place, that is the opposite of an expectation of privacy.
Secretly recording voices is a felony is many places in 'merica.
Legally there is no “reasonable expectation of privacy” in public spaces and the only limit on that are extreme telephoto lenses looking from public spaces into private spaces.
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
[1] https://www.dmlp.org/legal-guide/massachusetts-recording-law
If you have an obvious security camera, or an obvious camera that normally would record audio, and you’re in public waving it around and it records audio? You are not secretly recording audio.
Same if someone is standing next to a obvious and clearly visible security camera which normally could also record audio, also, not secretly recording audio.
A hidden mic in your jacket, or like in that case, hiding the camera under a jacket? That is hidden recording.
The general rule of thumb is - if everyone can clearly see what you’re doing, it’s not secret.
> Video recording is permitted without consent in the public places.
I have no idea why you would think that these two statements are related, or why people would continue this conversation. Fishing and skateboarding are two other things that are often allowed, but neither are related to recording audio.
And for anyone who thinks this is a nitpick, please look it up.
edit: also, saying that you can record people when you're obviously recording people is also not relevant. The problem is recording people without their knowledge or consent. I cannot put an audio recorder in my pocket in many places (such as Illinois) and record you, whether in a private space or in a public space. If I put my audio recorder on the table, and you can choose whether you want to speak or not, it's legally an entirely different scenario, whether we are in a public space or not.
The hilarious sarcasm throughout was the cherry on top for me.
But it is at least the equivalent of a code smell. perhaps a "UX smell"?
A couple of obvious ways it can go bad: An attacker could potentially have access your email (perhaps from a data breach elsewhere or a password stuffing attach) and use the temp password before you do. If the temp password is the one entered by the user during signup, a naive user could sign up using their commonly-reused-password which then sits in cleartext foreven in their email archive.
But that's negated completely by the next part about there being a sign up without any email verification
The DCMA report was actually sent from response@cycle.com, and Cyble [1] appears to be a DCMA-takedown-as-a-service 'solution'.
[1]: https://cyble.com/
While pretty egregious, this is sadly common. I'm certain there's a dozen other massive companies making similar mistakes.
DMCA screenshot https://infosec.exchange/@bobdahacker/115158347003096276
Cyble announcement of YC funding in 2025 https://cyble.com/press/cyble-recognized-among-ai-startups-f...
To the person below whining that BK should’ve had more time…absolutely not! Users have a right to know. No effort was made to protect the data. None.
Action needs to be taken. The company contracted to build this stack should be replaced asap! Including the CISO.
One should have some reasonable means for challenging this kind of thing. But what do I know.
It’s a scary world when you know a C&D or other legal nastygram is 100% bullshit and want to ignore it, but you’re chained to a vendor that can’t respond with any level of subtlety, just the ban-hammer for everyone
So the C&Ds and nastygrams become increasingly ridiculous, but whatevs, they’re all rubber-stamped so hey corporate just push that red “lawyer” button and make my embarrassment go away real fast, before any Streisand effect can kick in!
DMCA is for copyright violations. They aren't providing any copyright protected information in the post. The nearest thing would probably be screenshots of their internal applications which seems to be to be obviously fair use.
At least here in Argentina, clean bathrooms was a huge selling point in the 1990' for Burger King and McDonald's.
For example you can go to study to one of them with a few friends, and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
So when you're making minimum wage, you can expect every word you say to be analysed and your PII to be unprotected.
I guess security wasn't a feature.
https://www.youtube.com/watch?v=cyLrus1yKvI
"I'm in the freezer at QuikTrip!"
> The password protection? Client-side only. The password? Hardcoded in HTML.
At least you didn’t find that the bathroom rating tablets had audio as well!
I'm pretty sure someone was willing to pay for this, but at least the researches acted responsibly.
I’m asking earnestly; it seems like if nobody actually cares about these gaps then there shouldn’t be an economic driver to find them, and yet (in many companies, but not Burger King) there is.
Is it all just cargo culting or are there cases where company vulnerabilities would be worth something?
The story is really about two things. Their poor information security is pathetic, but their actual surveillance tech is genuinely kind of politically concerning. Even if it is technically legal, it's unethical to record conversations without consent.
Good news! With AI programming assistance, this invasive technology--with the concomitant terrible security--will be available to even the smallest business so long as nephews "who are good with computers and stuff" exist!
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
The police and the judge and the jury don't care what colour fabric you put on your head this morning. They (in theory) care if you committed a crime and they can prove it. Which you did and they can, since you confessed. So you go to jail for a long time.
I doubt that would go down very well, neither would it if you did that with businesses instead private home.
It wasn't enough to just shove a folder through the gap of the doors; you had to ensure the folder opened up as it was falling, changing more of the pixels to get to the trigger threshold. It took me around 5 minutes to get it to consistently trigger. CEO was displeased dev & design team now knew how to bypass the door lock from the outside; he wasn't going to pay to fix it.
Maybe best to internalize Have It Your Way like BK's teams did.
https://www.darkreading.com/vulnerabilities-threats/dark-rea...
https://iowacapitaldispatch.com/2023/06/23/lawsuit-over-auth...
1) The court found that the county sheriff had the pentesters arrested and encouraged their prosecution _not_ because he believed there was any crime, but instead that was angry at some state official. (Which, y'know, sounds like a pretty serious civil rights violation.)
2) However, the civil rights / 4th amendment claims were dismissed by the federal court due to "qualified immunity", the doctrine where, in any sufficiently "unique" or "specific" situation, the police have no liability whatsoever for their actions [2].
[1] https://storage.courtlistener.com/recap/gov.uscourts.iasd.84... [2] https://en.wikipedia.org/wiki/Qualified_immunity
Darknet Diaries has an episode on this (#59), with interviews from the parties involved.
https://www.youtube.com/watch?v=Y0AbHKcIQxk
https://darknetdiaries.com/episode/59/
[1] https://www.vice.com/en/article/this-is-the-hacking-investig...
Hacking is hacking. If they wish to risk it, what's your problem?
They know the risks. Everyone knows hacking is illegal. Same with selling drugs; illegal yet folk do. Same premise. Get caught; no sympathy given.
"People may get hurt"? $country throw folk in to war; it's a harsh world we live in.
Bug bounty's are only the new norm because the younger audience want validation and compensation for their skills or that companies are being cheap to ensure security.
During my era of internet bug bounties were non-existent. You either got hired or you went to jail.
In my case I got fired from a bank accidentally boasting that I could replace printer status messages with "Out of Ink - please insert more blood". Granted I was 17.
Being banned from using any computer at school for discovering a DCOM exploit using Windows 98 Help resulting in being denied from doing my IT GCSE and from two colleges.
Or being doxxed by another hacker group for submitting their botnet to an AntiVirus firm. Good times, a living nightmare for my parents.
The point of bug bounties isn’t “validation” (as if old-school hackers didn’t want validation!), it’s that companies with responsible disclosure programs explicitly allow you to pentest them as long as you follow their guidelines. That removes the CFAA indictment risk. The guidelines generally aren’t much stricter than common sense (don’t publish user data, don’t hurt people, give them time to patch before publishing).
Unfortunately, the existence of bug bounties has made some people forget that hacking a company without an agreement in place is still a crime, and publishing evidence of crimes to a wide audience on the internet is a bad idea.
Most of what you’re saying just seems like nostalgia talking. Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
But it didn't come across a warning. "You need to stop" is a demand not a warning. And I would like to believe they would know this when post online. if not /shrug.
Maybe they're working on behalf of an organization, a country that doesn't follow CFAA; Russia, China? Maybe they're state sponsored or under protection. They're obviously not stupid if they can infiltrate Fast-Food chains and social engineer others but I've been wrong before.
> is a bad idea
I would be surprised if they didn't. If not, okay well if shit hits the fan; no sympathy for me. Unlucky. They're doing it at their own risk.
> Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
A doubled edged sword, I personally wouldn't count them as hackers. They're not hacking, they're penetrating based on T&C of an agreement. Yes, it could be called "ethical hacking" but I still wouldn't call it hacking.
A hacker is one who gains unauthorized access to computer. Hacking isn't such when your granted restricted access on a basis of T&C.
> Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
I don't disagree, if that's your skill then go for it. It's the safest route allowing you to harness your skills, and which may provide future prospects. A dispensary selling drugs is better than the dealer on the corner of the street.
"To hack a bank" is different then to "hack a bank based on some agreement". One carries more weight then the other. Your penetrating a bank on an agreement. Your not hacking.
Bug bounty hunters to have faced jail, lawsuits, or threats — even when acting in good faith, it doesn't make you invulnerable.
I admire the persona of who this is, their acts highlights concern to us who use such conveniences. It exposes truth and tackles the issue at hand where others may exploit you because of. It shows negative light to corporations that many folk who daily.
Their title as on their blog "Ethical Hacker" I would say suitable to describe them as that. It's not like they're siphoning money off folk from ransomware.
> Most of what you’re saying just seems like nostalgia talking.
What I was demonstrating as someone who's been in trouble due to misunderstanding computer mishaps as a teen back when, also to establish my point that I know what I am talking about.
Yeah, it turned in to a nostalgia trip. I'd call myself more of a script kiddie and one who I'd see myself as white-hat.
Black-hat can be interesting however my moral compass has caught up with me and that my life has more worth that it would be jeopardous to do such besides I don't have the time and among other things.
The US Constitution? (lot of assumptions of locations here, insert your charter of freedoms/other guarantor of rights here if parent comment OP is not in the US)
1. Jane, a security researcher, discovers a vulnerability in a Acme Corporation's public-internet-facing website in a legal manner
2. Jane is a US resident and citizen
3. Acme Corporation is a US company
... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?
Relatedly:
Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.
It’s not even really a matter of liability IMO, it’s just the right thing to do.
(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
You don't publish because you don't want to cause harm and you don't want to be liable for it.
You need to realize that vulnerabilities don't exist in a vacuum. They grant access to computer systems that control the life of people (millions of people) including their personal information, passwords, passport photos, card numbers, jobs, paychecks, transportation, food, etc... which is very likely to cover yourself, your mom, your family, your friends as you deal with larger companies.
When you publish a vulnerability, it will immediately be used by bad actors that intend to cause harm to all these people, including employees and customers.
Sandvig v. Barr tempers that a bit, with the DoJ now offering some guidance around good faith endeavors around security research.
I'd suggest Jane have a good lawyer on retainer, and a few years to spend in the tied up the legal system.
Most of these things are best done across non-cooperative international borders, just to reduce the incentive for ‘throw them in jail’ as a easy ass covering measure.
Surely the IT workers are also underpaid, which is why they left the doors wide open.
That only confirms the subpar quality of the executives, the food, and everything at Burger King.
E.g. their trademarks being put in the public domain and assets confiscated to compensate their victims.
The watch in amazement at how actual security suddenly becomes a priority.
Paying someone a pittance, or anything at all, doesn't entitle you to control over their perceived mood or how they speak. You'll have to negotiate with SAG-AFTRA if you want to hire actors.
So I think it’s more a jab at corporate mandated performative forced happiness for customers then the employees themselves.