HackerTrans
TopNewTrendsCommentsPastAskShowJobs

SigmaEpsilonChi

no profile record

comments

SigmaEpsilonChi
·8 bulan yang lalu·discuss
What data was exposed, and to whom? Single records accessed by a white hat to test a vulnerability do not count.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
You nailed it.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
> You've work to do on your communication. This style of communication probably works just fine with teenagers, but it's not going to hold up to scrutiny with adults. > … > It's not a great look for the leader of a children's organization to so blatantly flout that they lack a moral compass.

I'm not the leader of anything, that would be Zach Latta. He's a much better diplomat than I am, but I am doing my honest best to speak plainly and matter-of-factly to you about a complex situation that frankly requires a lot more context to properly understand than I think is possible to acquire from the information you have.

I'm also not trying to absolve our organization of all sins. We mess up all the time. We are working on many fronts to learn from these experiences and make imperfect systems a little better every day. We make mistakes, we apologize, we do our best to make amends, then we move on to the next mistake. It is the nature of doing new, hard things with real stakes.

> You're currently interacting with the public, not the legal system. Sure, whether or not you're legally required to inform your kids is relevant. However, the law is quite literally the bare minimum of what you're obligated to do. > > No-ones reading this thinking. "Oh great, they've done the bare minimum legally required of them." They're thinking, "Wait. Companies notify people of breaches all the time.

This is addressed in the top comment I left. Notifying 5k people about a patched vuln is not "more than the minimum", it's legitimately bad practice. That is not my opinion, it is industry standard practice! Absent any reason to believe there has been a data breach, absent any sort of actionable information, we are not going to send an email to thousands of people.

I call the GDPR thing the crux of the question because probably 80% of the thousands of Slack messages sent on this topic, a solid majority of them were about that question. That was the impasse. Staff considered the issue and concluded that from a moral, legal, and industry standard practice perspective, notifying every user was not the correct decision. Nothing was being hidden, that team logged and discussed the vulnerability publicly within the community from the start. They fixed, disclosed, discussed, learned, and moved on.

> This detracts so much credibility from your communication. There is no lawyer on Earth that will describe this as "not a complicated legal question". No adult that's ever had any communication with a lawyer is going to believe this for a second. Lawyers are notorious for their non-committal attitude toward providing legal advice. Nothing is black and white — it's all grey. So this comes across as: > > a. You've never interacted with a lawyer in your life. Or, b. You're telling porkies, or at the very least, are way too flippant with hyperbole.

I am married to a law professor for whom I lived through 3 years at Yale Law and 3 years of PhD/fellowship, I have about as much exposure to law as you can get without it actually being your job. I assure you, uncomplicated legal questions exist.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
I never said anything was fine. I said it was a serious vuln, and we took it seriously.

We patched the vulnerability, quickly. We addressed it with the engineer and made clear that this is no joke. We have extensive refactoring happening within our infrastructure to move to a model where this information is handled as much as possible through secure, audited, centralized systems. Is there something else we should be doing?

The crux of the question here was about whether GDPR obligates us to email all 5,000 people signed up for this program about this vulnerability. The two lawyers we have consulted on this have both said no. One of them specifically specializes in privacy compliance. It's not a complicated legal question, the answer is just no.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
The short answer is no.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
If nobody reads the data it is not a breach.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
Hello! This is Chris from Hack Club staff (the one cited in the post)

I addressed the post itself in another comment (https://news.ycombinator.com/reply?id=45921428&), so I'll skip that part.

I would really like to know more about these incidents at HC events. We have a lot of very complex tradeoffs within hack club involving security/privacy/safety for exactly the reasons you identified (ie, giving teenagers a very high level of agency/responsibility in running programs). However, staff try to be extremely conscious of these tradeoffs and highly attentive to the realistic risk vectors that come about in our operations.

No teenager will ever (ever!) have anything 'taken out' on them by myself or anyone else that works here. Any time things go wrong or almost go wrong, we just want to know so we can manage that risk in the future. If you are willing to share, please reach out at [email protected]
SigmaEpsilonChi
·8 bulan yang lalu·discuss
Hello, Chris here!

Nobody—certainly not any adult staff—at Hack Club relied on ChatGPT for legal advice. Nor do we employ teenagers to answer legal questions, we have actual legal counsel for that! Or in my personal case I ask my wife, who is a law professor, and then she asks ChatGPT (just kidding).

There is too much nonsense in this post to rebut line by line, and these conversations have all been had to death within Hack Club (we put a lot of time into transparently and publicly discussing our programs, problems, and decisions). Here's the short version of this saga:

- The author found a serious vuln in one of our programs introduced by a junior engineer

- We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)

- The author insisted that their test of the vuln to access their own address was a data breach, therefore obligating us to notify all 5,000 participants of this "breach" as per GDPR

- We judged this to be Prima Facie incorrect. A lawyer has since confirmed this judgment.

- It is, in fact, bad practice to notify users for every vulnerability. If this were the norm, you would inundated with notices from practically every software product you interact with. Almost all of these notices would be virtually non-actionable by the user, and they would wash out the few notices of breaches which are actionable. There is a good reason why the GDPR does not demand notice for vulns; mass notices are reserved for incidents where there is a known exfiltration of a meaningful amount of user data!

- The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.

— They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.

Hack Club is an oddly-shaped organization with operations that often raise very real security concerns, but these are wrapped up in a complex web of tradeoffs that are very much still evolving as we refine and expand our core infrastructure. We are not Google, and it is a mistake to import reasoning from that kind of environment when analyzing our security/threat model. Nonetheless, privacy/security is something we think about and invest extensively in. In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault", and consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world. The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy! We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated. We serve or have served teenagers in almost every country, and GDPR is just the most prominent of many laws that are now on the books worldwide.
SigmaEpsilonChi
·8 bulan yang lalu·discuss
It would have been stupid if that's what actually happened :)

I am the Chris cited in the piece. We have actual legal counsel that we go to for legal advice! However, that's not what was being sought here. In this conversation, the question on the table was "What is a data breach?" according to common convention (setting aside the more technical question of what it means specifically in the context of GDPR). The author contended that a single address record—her own record, IIRC—retrieved as a test of an unsecured endpoint counts as a data breach, and therefore that we are legally obligated under GDPR to email all 5,000 participants about it. My contention was/is that a data breach implies exfiltration of a meaningful amount of data. This was a vulnerability, which we patched within about a day, but we had no reason to believe there was a breach by any definition. I pointed to a few sources to demonstrate the consensus definition of "data breach", and one of them was Gemini (or "Omniscient Robot God", as I called it in the conversation).

There are real issues touched on in this post, but the author is not a reliable narrator and they are flattening a very complex issue into a narrative that centers themself as the hero. In reality, this user was banned from our community for a long string of conduct violations, culminating in repeated incidents of saying horribly abusive things to other teenagers. They have been pursuing a grudge against the organization ever since.
SigmaEpsilonChi
·10 bulan yang lalu·discuss
Oh hey, that's my game! I am so pleased you are enjoying it. This is a remake of a game I first published way back in 2014. This version was built by team of 22 high-schoolers from around the world, recruited through Hack Club (https://hackclub.com), where I have worked since 2018.

For anyone who just wants a sense of what the game is like without the fuss of playing it, here is the launch trailer: https://www.youtube.com/watch?v=35nDYoIwiA8
SigmaEpsilonChi
·10 bulan yang lalu·discuss
Thank you!! I recommend taking a look at the later levels, it goes beyond a middle-school level of complexity! I have seen everyone from graduate students to tenured math professors to Grant Sanderson get stumped by late-game SineRider. It doesn't really fit neatly into any specific age group or "grade level"

The map should zoom with scroll, is that not working?
SigmaEpsilonChi
·10 bulan yang lalu·discuss
We'll let you know how we like Mattermost once we've had a chance to actually use it :')
SigmaEpsilonChi
·10 bulan yang lalu·discuss
The issue isn't really with being moved to a higher tier of billing. Slack doesn't owe us their service for cheap forever. The problem is that we signed a contract with them earlier this year for our current rate, then suddenly today we were told that we have to pay $50k immediately or all of our 11 years of data will be deleted. That's an absurd demand. It's a shakedown
SigmaEpsilonChi
·10 bulan yang lalu·discuss
I work for this foundation, I can guarantee that nothing has changed about our status or Slack's policies. We qualified before and we qualify today, which is why earlier this year when Slack took us off their free plan the rate they negotiated with us was so low. Slack was extremely reasonable during that process and we have no complaints about them.

The thing that changed is that we aren't dealing with Slack anymore, all of a sudden we're dealing with Salesforce. I can only assume they are shaking the money tree at all levels of the organization since their recent disappointing earnings report (I guess they've had a lot of those lately).

I appreciate the nuanced perspective you're bringing here but it really is as scummy as it's written in the post. They are asking us to pay $50k in the next 5 days, just for the privilege of not having our 11 years of history deleted. They don't owe us continued access to their platform on the cheap, but to demand this much money on that kind of time frame? I don't know what to call that other than extortion.