Reading between the lines, it looks like the story behind the story here is that this security researcher followed responsible disclosure policies and confirmed that the vulnerabilities were fixed before making this post, but never heard back anything from the company (and thus didn’t get paid, although that’s only a fair expectation if they’ve formally set expectations for paying out on stuff like this ahead of time).
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
akerl_ · 2h ago
As a nitpick, you’re describing coordinated disclosure.
Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.
LadyCailin · 2h ago
I would say that it is responsible disclosure. Or anyways, not doing that is irresponsible disclosure. The corporation may be hurt by early disclosure, and that’s whatever, but very often, there are a ton of ordinary people that are collateral damage, and the only thing they did wrong was exist in a society where handing over hoards of personal data to a huge corporation is unavoidable.
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
akerl_ · 1h ago
What about users who are affected by the vulnerability in the time it takes between reporting to the vendor and remediation?
dns_snek · 1h ago
You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
parineum · 1h ago
What you're describing as branding is actually an opinion. Calling it branding (with it's negative connotations) is putting the thumb on the scale.
akerl_ · 1h ago
I’m saying out loud “I think rebranding coordinated disclosure as responsible disclosure has negative impacts and we shouldn’t do it”.
Thats not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclose is irresponsible”; it sneaks it under the name change.
newman8r · 2h ago
> I’m curious about the legal/reputational implications of this.
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
Bad PR move
weitendorf · 2h ago
I guess I mean the legal risks to both sides. Security is only a portion of what I do and I only dabble in red teaming (this is the first time I ever tried it on a third party).
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
juujian · 1h ago
I would argue that it is an ethical thing to do so if it sends a signal to pay whitehats appropriately.
akerl_ · 1h ago
Who is getting that signal?
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
chimpanzee · 1h ago
The signal is for the hats. Black hats may be more likely to attack. White hats will find better things to do. Some might even swap hats.
akerl_ · 1h ago
You’ve described a totally different “signal” than the comment I replied to.
chimpanzee · 52m ago
I guess I should have made it clearer by making the implicit explicit:
“The signal isn’t to pay white hats more, instead…”
And perhaps an addendum such as:
“…which will then, indirectly and in the long run, create the signal you were replying to.”
akerl_ · 38m ago
Ah. I don’t have much optimism that companies like Burger King will ever get that 2nd signal (mostly because I don’t think the average consumer-facing business suffers much impact from this kind of incident), but I agree with your premise.
Appreciate your clarification despite the bluntness of my reply.
chimpanzee · 27m ago
And I appreciate your reply. It fixes the tone in our little thread and refocuses it on the topic. Thank you.
Also, you’re probably right, the signal will likely pass right over Burger King’s crown.
risyachka · 1h ago
This is software.
There is basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.
techjamie · 2h ago
The voice recordings at the drive thru without disclaimers of recording seem like maybe a two party state lawyer's wet dream?
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
nerdsniper · 56m ago
There’s no liability or exposure for recording non-consensually. It’s a public space. There’s not even an edge case. If a random member if the public could walk into the drive-thru (which they can) then anything can be recorded without notification or consent.
newhotelowner · 2h ago
Do you need 2 party consent for recording in a public space?
techjamie · 2h ago
That's what I'm getting at with the expectation of privacy part. Talking into a drive thru speaker isn't really a private activity since everyone around can kinda hear it, but it'd probably be better to disclaim it anyway since someone attempting to file on you for it still costs money.
thimkerbell · 23m ago
Is there an easy effective way to tell a company not to ask its customers' phone numbers if someone parked nearby can overhear them?
nerdsniper · 49m ago
No. Legally there’s zero “reasonable expectation of privacy”.
unyttigfjelltol · 2h ago
You don’t get to secretly record voices in public spaces.
newhotelowner · 2h ago
Yes, You can in America. Video recording is permitted without consent in the public places. Example CCTVs.
Thats only for private phone calls not for public spaces.
EvanAnderson · 53m ago
I could easily see a judge regarding the conversation over a drive thru speaker as not a public space and more like a telephone call.
nerdsniper · 47m ago
I don’t know how to put this other than you are terribly wrong. The inside of the restaurant is also a public space. There’s no reasonable expectation of privacy on either side of the conversation.
Nor does there even need to be because anyone can walk into the drive thru and stand next to the speaker and listen to it. It’s not a private space.
EvanAnderson · 44m ago
I wouldn't chance it. Stick an "audio may be recorded for performance evaluation purposes" on the drive thru kiosk and call it a day. Otherwise you're inviting litigation when something like this happens.
You can want things to be black and white but litigators are going to argue.
No comments yet
LMYahooTFY · 55m ago
This is not related to public spaces.
nycpig · 1h ago
That is a farily broad statement.
How would you reconcile your statement against state laws that require all-party consent for audio recordings? e.g. CISA, or FSCA
nerdsniper · 59m ago
Those don’t apply to public spaces in the USA. This is super well-established law. If you needed consent to record in public there would be nearly zero YouTube videos recorded in public. And security cameras would generally not be allowed to record audio. And Tesla’s “Sentry mode” would be illegal.
In the USA, there is no right or legal expectation of privacy in public spaces, which includes fast food restaurants that are open to the public (indoors or outdoors)
redserk · 41m ago
Sentry mode doesn’t record audio.
singleshot_ · 1h ago
I've had some challenges recording voices with video, but I salute your efforts.
pessimizer · 46m ago
> You don’t get to secretly record voices in public spaces.
> Video recording is permitted without consent in the public places.
I have no idea why you would think that these two statements are related, or why people would continue this conversation. Fishing and skateboarding are two other things that are often allowed, but neither are related to recording audio.
And for anyone who thinks this is a nitpick, please look it up.
edit: also, saying that you can record people when you're obviously recording people is also not relevant. The problem is recording people without their knowledge or consent. I cannot put an audio recorder in my pocket in many places (such as Illinois) and record you, whether in a private space or in a public space. If I put my audio recorder on the table, and you can choose whether you want to speak or not, it's legally an entirely different scenario, whether we are in a public space or not.
parineum · 1h ago
Audio cannot be recorded without consent in CA. Security cameras have an option to disable audio for this reason. People never do it but it's the case.
It's related to wiretapping laws that are very broad.
> A person who, intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication...
macintux · 52m ago
> For the purposes of this section, “confidential communication” means any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto, but excludes a communication made in a public gathering or in any legislative, judicial, executive, or administrative proceeding open to the public, or in any other circumstance in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.
This is not confidential communications.
nerdsniper · 52m ago
Did you read that law? It applies to “Confidential communication…carried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio”. Conversation in public is by nature not “confidential”. You are grossly misinterpreting this law and (unintentionally/ignorantly) spreading misinformation.
LadyCailin · 2h ago
Apparently the system was global, and BK has locations in GDPR countries.
unyttigfjelltol · 1h ago
Funny, whenever they show the CCTV footage it doesn't seem to have any sound....
Secretly recording voices is a felony is many places in 'merica.
nerdsniper · 53m ago
Please stop spreading misinformation . There are so many court cases about this. A quick google will give you dozens you can read.
Legally there is no “reasonable expectation of privacy” in public spaces and the only limit on that are extreme telephoto lenses looking from public spaces into private spaces.
unyttigfjelltol · 5m ago
Unfortunately, you are not correct.[1] Recording police in a public place-- sure. Otherwise, eh, at best you're over-extrapolating (and ungenerously!) from your local circumstance.
I'm most surprised that they have this whole system for how drive-thru interactions should go. Positive tone. Saying "you rule" like their exceedingly-irritating television commercials. Like... what if you don't? "If you don't follow the four Sales Best Practices, you're gonna be flippin' burgers for a living. Oh. Well. Oh." They're getting paid $6 an hour. The microphone/speaker system can't reproduce audio to an extent where a customer could ever be sure if you said "you rule" or that your tone is positive. They are thrilled if at least a few items they ordered are in the bag they collect. Why write software to micromanage minimum wage employees?
michaelt · 2h ago
> They're getting paid $6 an hour. [...] Why write software to micromanage minimum wage employees?
Ironically, the less a job pays, the harsher and more demanding the bosses tend to be.
Earning six figures as a software developer, working from home, and you have to take a week off sick? No problem, take as long as you like, hope you feel better soon.
Earning minimum wage at a call centre? Missing a shift without 48 hours advance notice is an automatic disciplinary. No, we don't pay sick leave for people on a disciplinary (which is all of them). Make sure you get a doctor's note, or you're fired.
parineum · 1h ago
That's a correlation to how easily replaced you are.
hluska · 2h ago
Two things:
1.) There’s nothing wrong with flipping burgers for a living.
2.) It’s their job. This is many underpaid people forcing even more underpaid people to do this.
Have some class.
thfuran · 2h ago
>There’s nothing wrong with flipping burgers for a living.
There is if it relegates you to shitty work environments and doesn’t afford a decent living as is generally the case in the US.
jrockway · 21m ago
I'm not making a value judgement. I'm saying, how are they going to punish you, as a burger flipper, for not saying their TV commercial tagline? Demote you to burger flipper? That's already your job. So why pay people to build a system to track their metrics, when they realistically have no way of making this happen.
Pay people $30/hour and I bet they'll say it every time without software yelling at them. (With the software in place, I have never heard the line "you rule" at Burger King, but I also only go like twice a year. So why write it? It doesn't work.)
stronglikedan · 2h ago
> There’s nothing wrong with flipping burgers for a living.
Sure there is. It's not a job that earns a livable wage. It's a job for teenagers to get experience, and eventually become managers or go elsewhere with experience (or just pay their way through school). If someone is doing it "for a living" then they are most certainly doing it wrong.
> It’s their job. This is many underpaid people forcing even more underpaid people to do this.
Do you have any data to show that they are underpaid in these positions? It seems like there are plenty of these positions, and folks at a company where they are underpaid can go to a different company that pays fair market value. Or are you implying that there is some conspiracy among big-fast-food to pay everyone less than fair market value? Because that would be quite the stretch.
> They emailed us the password in plain text. In 2025. We're not even mad, just impressed by the commitment to terrible security practices.
The hilarious sarcasm throughout was the cherry on top for me.
rafram · 3h ago
You need to stop targeting companies without established bug bounties that allow penetration testing, or you’re going to go to jail.
010101010101 · 2h ago
I get the sentiment and it’s a wise warning that at some point most people in grey hat spaces end up adhering to, but “do exactly as you’re allowed to do by large corporations” isn’t exactly a hacker ethos.
weitendorf · 2h ago
I don’t think that argument really works in situations like this because hacking Burger King requires a pretty high level of intent + ability and isn’t something that just naturally happens. Like you have to sit down and say “Today I want to try to hack Burger King” and then spend several hours doing just that.
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
nickthegreek · 2h ago
genuinely interested in the last known story of someone going to prison for this type of pen testing without an established bug bounty.
aspenmayer · 1h ago
This story is a pen test gone wrong, so somewhat different, but illustrates some of the same failure modes.
But why? Is it because we don’t have consent from companies to try /check whether they are secure? If so who protects customers from weak doors? or shareholders?
drtgh · 1h ago
They sound like it should be avoided to analyse the river waters next to factories.
rafram · 1h ago
Yes. Talk to your congresspeople.
AndreBaltazar · 3h ago
No bug bounties for this level of sloppiness is the crime itself.
adzm · 3h ago
Agreed, though at the same time, RBI should be rewarding them for reporting this.
doublerabbit · 2h ago
Why and what gives you the right to tell them off?
Hacking is hacking. If they wish to risk it, what's your problem?
They know the risks. Everyone knows hacking is illegal. Same with selling drugs; illegal yet folk do. Same premise.
Get caught; no sympathy given.
"People may get hurt"? $country throw folk in to war; it's a harsh world we live in.
Bug bounty's are only the new norm because the younger audience want validation and compensation for their skills or that companies are being cheap to ensure security.
During my era of internet bug bounties were non-existent. You either got hired or you went to jail.
In my case I got fired from a bank accidentally boasting that I could replace printer status messages with "Out of Ink - please insert more blood". Granted I was 17.
Being banned from using any computer at school for discovering a DCOM exploit using Windows 98 Help resulting in being denied from doing my IT GCSE and from two colleges.
Or being doxxed by another hacker group for submitting their botnet to an AntiVirus firm. Good times, a living nightmare for my parents.
rafram · 1h ago
It’s a free country, etc. Obviously I have the “right” to comment a warning on the internet.
The point of bug bounties isn’t “validation” (as if old-school hackers didn’t want validation!), it’s that companies with responsible disclosure programs explicitly allow you to pentest them as long as you follow their guidelines. That removes the CFAA indictment risk. The guidelines generally aren’t much stricter than common sense (don’t publish user data, don’t hurt people, give them time to patch before publishing).
Unfortunately, the existence of bug bounties has made some people forget that hacking a company without an agreement in place is still a crime, and publishing evidence of crimes to a wide audience on the internet is a bad idea.
Most of what you’re saying just seems like nostalgia talking. Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
syntaxing · 2h ago
Stop targeting anything and just use anything as is! Especially, don't you even dare hit "view source" on a website. Believe it or not, straight to jail. /s
While pretty egregious, this is sadly common. I'm certain there's a dozen other massive companies making similar mistakes.
pvtmert · 27m ago
99.9% of the CTFs have much more difficult questions!
> The password protection? Client-side only. The password? Hardcoded in HTML.
gus_massa · 2h ago
> Rating bathroom experiences: because everything needs a digital feedback loop
At least here in Argentina, clean bathrooms was a huge selling point in the 1990' for Burger King and McDonald's.
For example you can go to study to one of them with a few friends, and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
zackkatz · 3h ago
Great write-up! I was sorry to see there wasn’t a reward for you reporting this to them.
At least you didn’t find that the bathroom rating tablets had audio as well!
foofoo12 · 2h ago
> wasn’t a reward
I'm pretty sure someone was willing to pay for this, but at least the researches acted responsibly.
thimkerbell · 28m ago
Blog post not found
akerl_ · 3h ago
This person seems to be fishing for a CFAA indictment?
decasia · 2h ago
Remind me to stick to my hyperlocal fast food restaurant that only has one location and probably doesn't record every conversation you have with them or use any of the other gross surveillance technology that was recorded here.
The story is really about two things. Their poor information security is pathetic, but their actual surveillance tech is genuinely kind of politically concerning. Even if it is technically legal, it's unethical to record conversations without consent.
deltarholamda · 1h ago
>hyperlocal fast food restaurant that only has one location and probably doesn't record every conversation you have
Good news! With AI programming assistance, this invasive technology--with the concomitant terrible security--will be available to even the smallest business so long as nephews "who are good with computers and stuff" exist!
crazygringo · 16m ago
> my hyperlocal fast food restaurant that only has one location and probably doesn't record every conversation you have with them
You really think your local solo owner isn't recording video and audio with cameras inside? Snooping on employees and worse?
I know it's an unpopular opinion here, but often corporate practices prevent unsavory things independent owners would do otherwise.
When everything isn't just at the whim of the local owner, but processes are all highly standardized based on the prior experience with hundreds or thousands of franchisees, it often is actually an improvement. That's a big reason why people trust franchises. For example, they know the oil for fries is changed daily, as opposed to somewhere between monthly and never at your local independently owned diner.
djoldman · 2h ago
Assuming:
1. Jane, a security researcher, discovers a vulnerability in a Acme Corporation's public-internet-facing website in a legal manner
2. Jane is a US resident and citizen
3. Acme Corporation is a US company
... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?
Relatedly:
Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
weitendorf · 2h ago
> Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure?
Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.
It’s not even really a matter of liability IMO, it’s just the right thing to do.
(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
nycpig · 2h ago
IANAL, but to answer your question, maybe? The CFAA has a fairly broad scope. "intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains, information from any protected computer; " 1030(a)(2)(C)
Sandvig v. Barr tempers that a bit, with the DoJ now offering some guidance around good faith endeavors around security research.
I'd suggest Jane have a good lawyer on retainer, and a few years to spend in the tied up the legal system.
lysace · 3h ago
The only way this shit show will ever stop is if behavior like this is ultimately rewarded with a corporate death penalty.
E.g. their trademarks being put in the public domain and assets confiscated to compensate their victims.
The watch in amazement at how actual security suddenly becomes a priority.
hluska · 2h ago
> the slightly-too-cheerful burger king employee asking if you want to make it a combo.
I don’t understand the need to insult people who make minimum wage. They had absolutely nothing to do with this breach and this is in incredibly poor taste. Maybe they enjoy their lives, or enjoy their jobs? Or hell, maybe they’re not the typical HN reader and really badly need that job? This elitist shit ruined an otherwise decent article.
jmkni · 2h ago
I don't think it was a swipe at minimum wage employees at all, more massive corporations like Burger King making their minumum wage employees be "cheerful"
MBCook · 2h ago
But elsewhere in the article they show that Burger King is using AI to analyze how well the drive-through employees are doing and if they’re being cheerful enough and such.
So I think it’s more a jab at corporate mandated performative forced happiness for customers then the employees themselves.
JKCalhoun · 1h ago
Sure, could have written "hapless Burger King employee…". I suspect they did not realize it might come across the way it did to some.
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
Thats not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclose is irresponsible”; it sneaks it under the name change.
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
Bad PR move
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
“The signal isn’t to pay white hats more, instead…”
And perhaps an addendum such as:
“…which will then, indirectly and in the long run, create the signal you were replying to.”
Appreciate your clarification despite the bluntness of my reply.
Also, you’re probably right, the signal will likely pass right over Burger King’s crown.
There is basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
Nor does there even need to be because anyone can walk into the drive thru and stand next to the speaker and listen to it. It’s not a private space.
You can want things to be black and white but litigators are going to argue.
No comments yet
How would you reconcile your statement against state laws that require all-party consent for audio recordings? e.g. CISA, or FSCA
In the USA, there is no right or legal expectation of privacy in public spaces, which includes fast food restaurants that are open to the public (indoors or outdoors)
> Video recording is permitted without consent in the public places.
I have no idea why you would think that these two statements are related, or why people would continue this conversation. Fishing and skateboarding are two other things that are often allowed, but neither are related to recording audio.
And for anyone who thinks this is a nitpick, please look it up.
edit: also, saying that you can record people when you're obviously recording people is also not relevant. The problem is recording people without their knowledge or consent. I cannot put an audio recorder in my pocket in many places (such as Illinois) and record you, whether in a private space or in a public space. If I put my audio recorder on the table, and you can choose whether you want to speak or not, it's legally an entirely different scenario, whether we are in a public space or not.
It's related to wiretapping laws that are very broad.
https://leginfo.legislature.ca.gov/faces/codes_displaySectio....
> A person who, intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication...
This is not confidential communications.
Secretly recording voices is a felony is many places in 'merica.
Legally there is no “reasonable expectation of privacy” in public spaces and the only limit on that are extreme telephoto lenses looking from public spaces into private spaces.
[1] https://www.dmlp.org/legal-guide/massachusetts-recording-law
Ironically, the less a job pays, the harsher and more demanding the bosses tend to be.
Earning six figures as a software developer, working from home, and you have to take a week off sick? No problem, take as long as you like, hope you feel better soon.
Earning minimum wage at a call centre? Missing a shift without 48 hours advance notice is an automatic disciplinary. No, we don't pay sick leave for people on a disciplinary (which is all of them). Make sure you get a doctor's note, or you're fired.
1.) There’s nothing wrong with flipping burgers for a living.
2.) It’s their job. This is many underpaid people forcing even more underpaid people to do this.
Have some class.
There is if it relegates you to shitty work environments and doesn’t afford a decent living as is generally the case in the US.
Pay people $30/hour and I bet they'll say it every time without software yelling at them. (With the software in place, I have never heard the line "you rule" at Burger King, but I also only go like twice a year. So why write it? It doesn't work.)
Sure there is. It's not a job that earns a livable wage. It's a job for teenagers to get experience, and eventually become managers or go elsewhere with experience (or just pay their way through school). If someone is doing it "for a living" then they are most certainly doing it wrong.
> It’s their job. This is many underpaid people forcing even more underpaid people to do this.
Do you have any data to show that they are underpaid in these positions? It seems like there are plenty of these positions, and folks at a company where they are underpaid can go to a different company that pays fair market value. Or are you implying that there is some conspiracy among big-fast-food to pay everyone less than fair market value? Because that would be quite the stretch.
> Have some class.
That seemed ironically unnecessary.
https://web.archive.org/web/20250906150322/https://bobdahack...
The hilarious sarcasm throughout was the cherry on top for me.
To me it seems like quite a stretch for “don’t hack me” to get framed as “Burger King is leveraging their corporate power to tell me what to do against my will”.
And to be clear I actually do think that it would be better for Burger King to invite and reward responsible disclosure, in the same way that you’d want your bank to have a hotline for people to report problems like doors that won’t lock. But if the bank didn’t have that hotline it wouldn’t excuse breaking in.
https://www.darkreading.com/vulnerabilities-threats/dark-rea...
Hacking is hacking. If they wish to risk it, what's your problem?
They know the risks. Everyone knows hacking is illegal. Same with selling drugs; illegal yet folk do. Same premise. Get caught; no sympathy given.
"People may get hurt"? $country throw folk in to war; it's a harsh world we live in.
Bug bounty's are only the new norm because the younger audience want validation and compensation for their skills or that companies are being cheap to ensure security.
During my era of internet bug bounties were non-existent. You either got hired or you went to jail.
In my case I got fired from a bank accidentally boasting that I could replace printer status messages with "Out of Ink - please insert more blood". Granted I was 17.
Being banned from using any computer at school for discovering a DCOM exploit using Windows 98 Help resulting in being denied from doing my IT GCSE and from two colleges.
Or being doxxed by another hacker group for submitting their botnet to an AntiVirus firm. Good times, a living nightmare for my parents.
The point of bug bounties isn’t “validation” (as if old-school hackers didn’t want validation!), it’s that companies with responsible disclosure programs explicitly allow you to pentest them as long as you follow their guidelines. That removes the CFAA indictment risk. The guidelines generally aren’t much stricter than common sense (don’t publish user data, don’t hurt people, give them time to patch before publishing).
Unfortunately, the existence of bug bounties has made some people forget that hacking a company without an agreement in place is still a crime, and publishing evidence of crimes to a wide audience on the internet is a bad idea.
Most of what you’re saying just seems like nostalgia talking. Isn’t it better that hackers today have a way to find real vulnerabilities without going to jail?
[1] https://www.vice.com/en/article/this-is-the-hacking-investig...
While pretty egregious, this is sadly common. I'm certain there's a dozen other massive companies making similar mistakes.
> The password protection? Client-side only. The password? Hardcoded in HTML.
At least here in Argentina, clean bathrooms was a huge selling point in the 1990' for Burger King and McDonald's.
For example you can go to study to one of them with a few friends, and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
At least you didn’t find that the bathroom rating tablets had audio as well!
I'm pretty sure someone was willing to pay for this, but at least the researches acted responsibly.
The story is really about two things. Their poor information security is pathetic, but their actual surveillance tech is genuinely kind of politically concerning. Even if it is technically legal, it's unethical to record conversations without consent.
Good news! With AI programming assistance, this invasive technology--with the concomitant terrible security--will be available to even the smallest business so long as nephews "who are good with computers and stuff" exist!
You really think your local solo owner isn't recording video and audio with cameras inside? Snooping on employees and worse?
I know it's an unpopular opinion here, but often corporate practices prevent unsavory things independent owners would do otherwise.
When everything isn't just at the whim of the local owner, but processes are all highly standardized based on the prior experience with hundreds or thousands of franchisees, it often is actually an improvement. That's a big reason why people trust franchises. For example, they know the oil for fries is changed daily, as opposed to somewhere between monthly and never at your local independently owned diner.
1. Jane, a security researcher, discovers a vulnerability in a Acme Corporation's public-internet-facing website in a legal manner
2. Jane is a US resident and citizen
3. Acme Corporation is a US company
... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?
Relatedly:
Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
Because if they don’t inform the company and wait for the fix, their disclosure would make it easier for less ethical hackers to abuse the vulnerability and do real material harm to the company’s users/customers/employees. And no company would ever want to collaborate with someone who thinks it’s ok to do that.
It’s not even really a matter of liability IMO, it’s just the right thing to do.
(main exception: if the company refuses to fix the issue or completely ignores it, sometimes researchers will disclose it after a certain period of time because at that point it’s in the public’s best interest to put pressure on the company to fix it even if it becomes easier for it to be exploited)
Sandvig v. Barr tempers that a bit, with the DoJ now offering some guidance around good faith endeavors around security research.
I'd suggest Jane have a good lawyer on retainer, and a few years to spend in the tied up the legal system.
E.g. their trademarks being put in the public domain and assets confiscated to compensate their victims.
The watch in amazement at how actual security suddenly becomes a priority.
I don’t understand the need to insult people who make minimum wage. They had absolutely nothing to do with this breach and this is in incredibly poor taste. Maybe they enjoy their lives, or enjoy their jobs? Or hell, maybe they’re not the typical HN reader and really badly need that job? This elitist shit ruined an otherwise decent article.
So I think it’s more a jab at corporate mandated performative forced happiness for customers then the employees themselves.