Comment by breakingcups 5 days ago

9 replies

The author seems a bit... immature in their handling of things? Using a friend's login to pentest stuff (causing the friend to get fired, rightfully so), defacing internal applications, creating bogus orders...

They're cocky and they don't fully seem to grasp yet how their behavior works against them.

gnfargbl 18 hours ago

It's pretty standard for the infosec world, it attracts somewhat unusual personalities. This is why it's so important for larger companies to have clearly signposted responsible disclosure channels: if the channels are there, then people like Bob often will use them, even if there's no reward on offer.

> causing the friend to get fired, rightfully so

Given that the intent of the friend was to help improve McDonald's security, I'd have to disagree that the firing was rightful. However, it is something that probably 90%+ of multinationals would do in this situation.

  • smelendez 17 hours ago

    > Given that the intent of the friend was to help improve McDonald's security, I'd have to disagree that the firing was rightful.

    I’d be inclined to fire someone who shared their credentials with an outsider running an unauthorized security test or discussed unpatched vulnerabilities in detail with outsiders.

    An employee poking around and finding stuff on their own and reporting it might be a different story, though the details would still matter a lot.

    • ycombinatrix 14 hours ago

      OP did not use their employee friend's credentials, they created their own account through the registration page.

etchalon 18 hours ago

Maybe, but it's not like McDonald's comes out looking great here.

  • rs186 17 hours ago

    Unless this becomes news on mainstream media (hint: it won't), nothing happened and nothing will change.

    The only thing that will actually make them change how they handle security is an event where their internal system gets hacked in a really bad way, like PSN, potentially affecting restaurant operations and involving customer info. Then executives will start paying attention. Otherwise, this is what it is.

  • junga 18 hours ago

    I guess they couldn't care less. A few people on a site called Cracker News read about this. Same on other platforms. There will be no measurable impact.

martin-t 17 hours ago

I hate this idea that you always have to be professional when dealing with a corporation and have to follow rules exactly, often rules made up by the corporation. (Laws are just rules too, they are enforced by violence.)

The corporation showed gross incompetence and was punished for it. Sending passwords in plaintext indicates deeper security issues and systemic failures. HN can cry about companies leaking people's personal details but to actually make it affect their bottom line and force them to fix it, it has to affect their bottom line - they must get punished.

Sure, this was not a legal punishment but it was not wrong and it was very minor anyway.

Legality is not morality. Laws are written to protect peace (absence of visible conflict), not to protect justice.