I Hacked Monster Energy and Uncovered Their Employee Training Material
40 points by jrgn
I really resent this style of security writing. I don’t disagree at all with the material, but for me the tone feels unnecessarily unkind.
I agree that we need more kindness!
When I see a takedown like this, however, I ask myself “Are they punching down, or punching up?” In this case it’s some guy named “Bob” punching up at a multi-million-dollar corporation whose business model is selling caffeine and sugar to people who would be healthier without it. I feel no need to treat such corporations with kindness.
Kindness isn’t necessary; neutrality would suffice. The decision about whether it’s morally permissible to be outright rude to someone is ofc to personal taste. But public rudeness sours the discourse. It makes everyone feel bad. And, rationally, it adds nothing at all.
Pretty sure this is illegal. Poor security is no defence: even if you leave your front door unlocked, that doesn’t mean it’s okay for me to walk in, help myself to your stuff, and share your private information online. OP could have disclosed these vulnerabilities without showing the results of exploiting them.
Meh, there’s nothing particularly juicy in the link. A basic demographic summary of customers is not even really private information and the rest of it is even more generic.
The title got me thinking there might be something surprising or inappropriate in there to blow the whistle on and… meh.
It is; however, public disclosure is a common practice among security researchers if the owner ignores reports. Nobody asks about bounties; at least basic acknowledgement is enough most of the time.
Sometimes it goes overboard, as companies don’t participate in bug bounties, but the other side of it is selling this info on the dark web.
Absolutely. I don’t think this is talked about enough, but reporting this kind of vulnerability to the affected company also doesn’t come without risks.
If, for instance, you discovered a vulnerability in their system and decided to report it, they could potentially sue for unauthorised access of personally identifiable information. It’s always worth checking a company’s responsible disclosure policy before contacting them about any vulnerabilities. You never know how litigious they might be!
Some organisations like CCC in Germany can do this on your behalf so you don’t have to put yourself at risk.
Just to clarify, I am not the author of this post, just found it.
And doesn’t he mention that the security holes have been patched?
In that case it’s even less legit. It’s not exposing their stuff to shame them into fixing something that they left unpatched after notification, or because the barrier to entry is so low that anyone else could have done it — it’s just exposing their stuff “for the lulz”.
I enjoyed it, but clutching pearls over the demographic profile feels very 2020.
Agreed. It’s like they never took a corporate training course before. They’re not to be taken incredibly seriously, but seriously enough to learn the important bits. Otherwise it’s just super boring.
Their demographic metrics match up with what I’ve seen in real life too. -shrug-