Use reader mode, block JavaScript, or whatever it takes. Give the author a break. They're a teenager. What kind of websites were you making as a teenager? I'm sure one of those dark-background websites with MARQUEEs and BLINKs with glaring contrast colors! So give them a break. Behind the annoying UX is an article about serious and appalling privacy and security issues.
Like read this:
> i raised this with chris, who's a full-time staff member (not a teenager), and he insisted that exposing physical addresses and sensitive info was "just a vuln" not a breach. said he's "never heard the term 'data breach' used that way" and... also relied on chatgpt instead of actual legal advice.
Actually this Chris guy has a point. I don't call it a breach either. It's PII data exposure, but it is a serious exposure. So I don't 100% agree with the OP, but the cavalier attitude towards security coming from the staff of a legitimate organization is appalling.
It's just mind-boggling that an organization handling PII data has such appalling privacy and security lapses, and they still remain arrogantly indignant about it, making bold claims about laws they don't understand. Why? Because ChatGPT told them so? Cherry on top is that they are employing teenagers to answer legal questions! Not kidding! Just read the OP! Unbelievable!
Nobody—certainly not any adult staff—at Hack Club relied on ChatGPT for legal advice. Nor do we employ teenagers to answer legal questions, we have actual legal counsel for that! Or in my personal case I ask my wife, who is a law professor, and then she asks ChatGPT (just kidding).
There is too much nonsense in this post to rebut line by line, and these conversations have all been had to death within Hack Club (we put a lot of time into transparently and publicly discussing our programs, problems, and decisions). Here's the short version of this saga:
- The author found a serious vuln in one of our programs introduced by a junior engineer
- We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)
- The author insisted that their test of the vuln to access their own address was a data breach, therefore obligating us to notify all 5,000 participants of this "breach" as per GDPR
- We judged this to be prima facie incorrect. A lawyer has since confirmed this judgment.
- It is, in fact, bad practice to notify users for every vulnerability. If this were the norm, you would be inundated with notices from practically every software product you interact with. Almost all of these notices would be virtually non-actionable by the user, and they would wash out the few notices of breaches which are actionable. There is a good reason why the GDPR does not demand notice for vulns; mass notices are reserved for incidents where there is a known exfiltration of a meaningful amount of user data!
- The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.
- They have been pursuing a grudge against the organization ever since. They are not a reliable narrator; this post is a fantasy version of events that casts them as a martyred hero.
Hack Club is an oddly-shaped organization with operations that often raise very real security concerns, but these are wrapped up in a complex web of tradeoffs that are very much still evolving as we refine and expand our core infrastructure. We are not Google, and it is a mistake to import reasoning from that kind of environment when analyzing our security/threat model. Nonetheless, privacy/security is something we think about and invest extensively in. In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault", and consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world. The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy! We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated. We serve or have served teenagers in almost every country, and GDPR is just the most prominent of many laws that are now on the books worldwide.
> - We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)
What? From the many, many #meta posts and other sources I cannot back this up.
> - The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.
OP did say some bad stuff, but it wasn't a spree and was an isolated incident. I don't agree with her actions, but I see where she was coming from: she didn't feel heard and just wanted to get back at people she saw as having wronged her. She definitely shouldn't have done what she did but it was an isolated incident or two.
> - They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.
You'll note that in the article that isn't what she portrays herself as and she explicitly bookends the article with paragraphs of text praising the mission and all of the good hackclub has done. Which is it, is she rightfully praising the organization but rightfully getting angry about it or is she wrongfully praising the organization and wrongfully getting angry?
> Nonetheless, privacy/security is something we think about and invest extensively in.
Based on HQ's HCB, #meta, posts in #hq, and more this is not true in the slightest.
> In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault"
Bounties were addressed in the article, and the last thing I heard, PII is still massively distributed. If that isn't the case anymore, please actually make a post about it so the community is aware?
> consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world
That's good but again, make an announcement in hackclub?
> The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy!
The fuck?? No?? If this has happened in the last year, how angry has your lawyer been about the numerous vulnerabilities that were pushed, not notified, underpaid bounties, and more? Oh, and don't forget you TAKING DOWN THE GDPR EMAIL AND NOT DELETING DATA??
> We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated.
I can definitely understand that. I really love hackclub and think the mission is amazing but at the moment I don't feel safe with my data in its hands.
> OP did say some bad stuff, but it wasn't a spree and was an isolated incident. I don't agree with her actions, but I see where she was coming from: she didn't feel heard and just wanted to get back at people she saw as having wronged her. She definitely shouldn't have done what she did but it was an isolated incident or two.
If I remember correctly, she admitted that her ban was justified. But also, she didn't just do "some bad stuff"; she did a lot of it. There's even a recent #meta thread referencing this exact post.
> You'll note that in the article that isn't what she portrays herself as and she explicitly bookends the article with paragraphs of text praising the mission and all of the good hackclub has done. Which is it, is she rightfully praising the organization but rightfully getting angry about it or is she wrongfully praising the organization and wrongfully getting angry?
Nuance does exist.
> That's good but again, make an announcement in hackclub?
Zach did.
> The fuck?? No?? If this has happened in the last year, how angry has your lawyer been about the numerous vulnerabilities that were pushed, not notified, underpaid bounties, and more? Oh, and don't forget you TAKING DOWN THE GDPR EMAIL AND NOT DELETING DATA??
I'm more inclined to trust Chris than an anon account that straight up denies that internal conversations happened. You also seem to be regurgitating posts from earlier without seeing Chris's context.
I think I've read through the #meta post you're referencing and commented in it, and yeah, but it still wasn't a spree. It was not a lot of it? Cite your sources as well.
> > That's good but again, make an announcement in hackclub?
> Zach did.
Where?
> I'm more inclined to trust Chris than an anon account that straight up denies that internal conversations happened. You also seem to be regurgitating posts from earlier without seeing Chris's context.
Well yeah, I'm on a throwaway as I don't want to be deanon'd. If you really want to talk, contact https://hackclub.slack.com/team/U09Q734PGUU; it's an alt I have. Where did I deny internal conversations as well? And wdym regurgitating posts without Chris' context? I literally broke his reply down point-by-point?