come home

[Sidoh]

I don't care if it's Canadian, American, or European data - releasing it without the company's knowledge is wrong, both legally and ethically.

And for what it's worth, I've already talked to investigators about the situation. The company in question is taking this very seriously.

I was speaking from a purely legal standpoint, not a moral one. FWIW I agree with you that working with the company to secure their data is more ethical. And makes you more money.

Even legally - if I cause significant financial damage to a company, which this potentially could (especially being the X-mas season), they're going to go after me no matter which country I'm in (provided it isn't an unfriendly one).

Quick!  Move to Iraq!

Isn't Iraq owned by the US now?

Either way, it's not exactly friendly. :)

No, I'm not really sure what gave you that idea.. :P

Why would you be afraid of legal action if you aren't a national of the US? I highly doubt Canada would extradite you like that, if push came to shove.

I mean, assuming you haven't gotten passwords to the NYSE admin accounts or something. If you did that I would bow.

I don't care if it's Canadian, American, or European data - releasing it without the company's knowledge is wrong, both legally and ethically.

And for what it's worth, I've already talked to investigators about the situation. The company in question is taking this very seriously.

Release it anonymously!

I don't think it's unambiguously wrong from a moral standpoint.

[iago]

Release it anonymously!

I don't think it's unambiguously wrong from a moral standpoint.

I think it is. I have 5 million passwords belonging to ~15 million users. I'd be directly harming some proportion of those users. That makes it wrong in my mind.

Additionally, there is some malice at play - somebody stole these, and right now investigators are trying to find that person/people. If I release it with the name of the company in question, those people are going to be tipped off that others know what's going on and will likely be more difficult to find.

[Sidoh]

My suggestions are in jest.

I still don't think it's absolutely wrong, though, even if it does hurt people.

[deadly7]

I still don't think it's absolutely wrong, though, even if it does hurt people.

If a company had amassed data on people illegally, they'd get away with it as long as possible. I agree with your statement that it's not absolutely wrong, just could end up doing lots of damage. I don't know what Gawker is, so I'm talking in general terms of releasing passwords.

[iago]

I still don't think it's absolutely wrong, though, even if it does hurt people.

If a company had amassed data on people illegally, they'd get away with it as long as possible. I agree with your statement that it's not absolutely wrong, just could end up doing lots of damage. I don't know what Gawker is, so I'm talking in general terms of releasing passwords.

This isn't about Gawker - those passwords are out there and everybody has them. And they aren't doing *that much* damage - it isn't that important of a site, most people register with crap passwords to comment.

What we're talking about is a large financial site with 10x as many passwords breached. I have the passwords, but I don't want to name the site or anything until it hits the press on its own. It's being actively investigated. :)

[rabbit]

Tell me the company, website, and number of passwords and I'll go tell Slashdot then everyone can know and then you can do your stuff :D