While I'm encouraged by this response, I still feel a sense of fear that this fix is a one-off. If you could speak to how this could even happen and how mistakes like these would be prevented in the future, I'm sure the community would appreciate it.
I cannot guarantee that we won't make another mistake as we and our customer base grows. We're fallible!
In this particular instance, this was the result of an oversight in our billing process, and we are returning Hack Club to its previous nonprofit pricing. We will be reviewing our billing and communications processes to provide nonprofits clearer guidance and adequate grace periods as they grow.
Out of curiosity, will you be facilitating them exporting their chat history? Like obviously you see that this wasn’t just a billing error, this was extortion under threat of losing eleven years worth of data.
If you see this massive screwup as just a price issue that can be fixed by lowering their bill, you’ve missed what’s happened here. Your company has entirely obliterated any trust here, and the way to fix this is to acknowledge that and do everything necessary to help them migrate their data to a place where you aren’t holding a gun to their heads.
Yeah, I don't care about some non-profit or whatever. I care that the company thinks it's a-okay to demand from their customers 10x their yearly bill on the spot and to commit to 4x that yearly or else their data will be deleted in a few days. That's not an employee acting out of band, it's obviously their modus operandi.
So if they want to export all of their data they might have to pay you more money to do so? How exactly does that seem fair when they don't agree to the existing price increase?
So you have a billing process that includes a step where you extort the customer and demand substantial amounts of money or else you delete the customer's data on very short notice? Because that's one of the "mistakes" that your "billing process" made.
There was no "mistake", this is how you operate, this is what you've already done in the past, and the only reason you backtracked now is because this one blew up in front of a large enough audience, many of whom are potentially decision makers in their (large) companies.
> So you have a billing process that includes a step where you extort the customer and demand substantial amounts of money or else you delete the customer's data on very short notice
I think this is the most important finding from this story. It's not that someone has mistakenly billed a non-profit, but that this form of "customer relations" is apparently part of the standard billing process for business customers.
They are free to do so of course, but I imagine that this may impact customer retention if the practice continues. This short notice is something that I would have reacted very strongly to if I had integrated Slack as deeply into my business as the OP did. With the push for workflows, agents and additional functionality, it is actually a huge risk to the business if you get a short notice to migrate when the new terms cannot be met.
The reason you're not providing details about the oversight like you should (this should be treated like a data breach, transparency = trust) is because you'd have to admit that this "oversight" was that you meant to only exploit smaller companies that can't cause a media ruckus like this. Prove me wrong.
If you mean there are objects that have physical characteristics that involve pi to infinite precision, I think the truth is we have not a darn clue. Take a circle: that would have to be a perfect circle. Even our most accurate and precise physical theories only measure and predict things to tens of decimal places. We do not possess the technology to verify that it's a real true circle to infinite precision, and there are many reasons to think that such a measurement would be impossible.
Here I'm referring to the cloud of things that Hilbert called "Cantor's Paradise". Basically everything around the notion of cardinality of infinities.
I loosely identify with the schools of intuitionism/constructivism/finitism. The primary idea is that the Law of the Excluded Middle is not meaningful.
So yes, generally not starting with ZFC.
I can't speak to "truth" in that sense. The skepticism here is skepticism of the utility of the ideas stemming from Cantor's Paradise. It ends up in a very navel-gazing place where you prove obviously false things (like Banach-Tarski) from the axioms but have no way to map these wildly non-constructive ideas back into the real world. Or where you construct a version of the reals in which the reals that we can produce via any computation are a set of measure 0 in the reals.
I don't understand why you believe Banach-Tarski to be obviously false. All that BT tells me is that matter is not modeled by a continuum since matter is composed of discrete atoms. This says nothing of the falsity of BT or the continuum.
All that BT tells me is that when I break up a set (a sphere) into multiple sets with no defined measure (which is how the construction works), I shouldn't expect that reassembling those sets would have the same measure as the starting set.
Yes, they have measure zero. So the question becomes whether "measure" is a useful concept at all. In my opinion, no, it is not. It's just another artifact of non-constructive and meaningless abstractions. Many modern courses in analysis skip measure theory except as a historical artifact because the gauge integral is more powerful than the Lebesgue integral and doesn't require leaving the bounds of sanity to get there.
I understand the construction and the argument, but personally I find the argument of diagonalization should be criticized for using finities to prove statements about infinities.
You must first accept that an infinity can have any enumeration before proving its enumerations lack the specified enumeration you have constructed.
This always bothers me. "Math is math" speaks little to the "truth" of a statement. Math is less objective as much as it rigorously defines its subjectivities.
> Addressing your issue directly, the Axiom of Choice is actively debated:
The axiom of choice is not required to prove Cantor’s theorem, that any set has strictly smaller cardinality than its powerset.
Actually, I can recount the proof here: Suppose there is an injection f: Powerset(A) ↪ A from the powerset of a set A to the set A. Now consider the set S = {x ∈ A | ∃ s ⊆ A, f(s) = x and x ∉ s}, i.e. the subset of A that is both mapped to by f and not included in the set that maps to it. We know that f(S) ∉ S: suppose f(S) ∈ S, then we would have existence of an s ⊆ A such that f(s) = f(S) and f(S) ∉ s; by injectivity, of course s = S and therefore f(S) ∉ S, which contradicts our premise. However, we can now easily prove that there exists an s ⊆ A satisfying f(s) = f(S) and f(S) ∉ s (of course, by setting s = S), thereby showing that f(S) ∈ S, a contradiction.
Perhaps this is an ignorant question, but wouldn't you need AC to select the s ⊆ A whose existence the contradiction depends on? A constructive proof, at least the ones I'm trying to build in my head, stumbles when needing to produce that s to use in the following arguments.
No, because you only have to choose _one_ s for the proof to work, and a finite number of choices is valid in intuitionistic and constructive mathematics.
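As an added check on the exchange above (this is not part of any commenter's post), here is the same diagonal argument written in Lean 4 using only the core library, no Mathlib. "Subsets" of α are modelled as predicates α → Prop, so the powerset is α → Prop; the names `diag` and `cantor` are this example's own. The point it demonstrates is the one being debated: the proof goes through with neither `Classical.choice` nor excluded middle, because the only "choice" is the single explicit witness `s := S`.

```lean
-- Added example, not from the thread. Lean 4 core only, no Mathlib.
-- Subsets of α are predicates α → Prop; f : (α → Prop) → α plays P(A) ↪ A.

/-- The diagonal set S = { x | ∃ s, f s = x ∧ x ∉ s } from the thread's proof. -/
def diag {α : Type} (f : (α → Prop) → α) : α → Prop :=
  fun x => ∃ s : α → Prop, f s = x ∧ ¬ s x

/-- No injection from the powerset of α into α.
    `hf` is injectivity of f; no `Classical` lemma is used anywhere. -/
theorem cantor {α : Type} (f : (α → Prop) → α)
    (hf : ∀ s t : α → Prop, f s = f t → s = t) : False :=
  -- Step 1: f S ∉ S. Unpack a witness s with f s = f S and f S ∉ s.
  -- Injectivity gives s = S, so the witness itself says f S ∉ S,
  -- yet (s, hs, hns) also exhibits f S ∈ S: contradiction.
  have h1 : ¬ diag f (f (diag f)) := fun ⟨s, hs, hns⟩ =>
    have heq : s = diag f := hf s (diag f) hs
    have hns' : ¬ diag f (f (diag f)) :=
      Eq.subst (motive := fun t => ¬ t (f (diag f))) heq hns
    hns' ⟨s, hs, hns⟩
  -- Step 2: f S ∈ S, witnessed by the single explicit choice s := S plus step 1.
  have h2 : diag f (f (diag f)) := ⟨diag f, rfl, h1⟩
  h1 h2

-- Lists every axiom the proof depends on; Classical.choice does not appear.
#print axioms cantor
```

Running `lean` on this file type-checks the theorem and the final `#print axioms` line shows what the proof rests on, which is the concrete version of the claim that Cantor's theorem needs no axiom of choice.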
The axiom of choice is debated as a matter of if its inclusion into our mathematics produces useful math.
I don't think it's debated on the ground of if it's true or not.
And I was imprecise with language, but by saying "math is math" I meant that there are things that logically follow from the ZFC axioms. That is hard to debate or be skeptical of. The point I was driving was that it's strange to be skeptical of an axiom. You either accept it or not. Same as the parallel postulate in geometry, where you get flat geometry if you take it, and you get other geometries if you don't, like spherical or hyperbolic ones...
To give what I would consider to be a good counterargument, if one could produce an actual inconsistency with ZFC set theory that would be strong evidence that it is "wrong" to accept it.
Skepticism of a ZFC axiom in particular could just be in terms of its standard status. I don't think anyone debates that ZFC in a particular logic doesn't imply this or that, but people can get into philosophical questions about whether it is the right foundation. There are also purely mathematical reasons to care - an extra axiom may allow you to produce more useful math, but it also potentially blocks you from other interesting math by keeping you out of models where, e.g., Choice is false.
Were the current loan (and grant) guarantees perfectly adequate? Citation needed.
In some investors view they were not.
> "The deal certainly has the appearance of the government clawing back the remaining portion of the previous grant, as the government is getting equity not previously contemplated for dollars already committed," Morgan Stanley analysts
"The trade-off, in our view, is that the company will have the flexibility to optimize its own business model without commitment to public service objectives, which may or may not include foundry services at 14A as articulated on the last earnings call
Fair enough. In reality though they have absolutely committed to “public service objectives” which is a weird way to say “doing whatever the administration asks otherwise they rapidly liquidate their stake”
Not sure how many times people will keep repeating this mistake assuming they won’t be hit up for protection money again later…
> Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
I don't know the legal footing these spyware apps stand on, but this blog post seems like exhibit A if Catwatchful ever decided to sue the author, or press criminal charges. Hacking, even for reasons that seem morally justified, is still illegal.
That would be an amusing exercise in self-incrimination & discovery pain for Catwatchful. They would also have to quantify business losses, which requires admitting the value of an illicit enterprise. But YOLO am I right? LFG!
As someone noted, there is the issue of jurisdiction.
But Daigle probably did consider being liable and what would be morally justified.
It must have been tempting to try to use the Catwatchful app to notify the victims that they are being stalked. E.g., by getting phone numbers or social media handles and then SMS/DM the victims (if the app reveals the victims handles in the recorded conversations)
Or getting the IMEI numbers and handing them over to network operators or local authorities who could do the notification.
It would probably help many victims, but it could go wrong in some cases.
Considering that the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target. More and more businesses are accepting the help when they are given it, such as their response to put a WAF in place. I do agree you shouldn't use your Christian name in these sorts of situations since priors have not been established with the targeted company; however, Catwatchful has no impetus to pursue meaningless charges for a stalker app as there are most likely no damages unless the service providers actually respond, which they most likely won't.
Nothing ever happens to these people and do you think datacenters/hosts/providers really care about anything other than DMCA complaints?
(report illicit/illegal content to a host provider that isn't copyright protected and wait.. you will be waiting long after your teeth have fallen out)
Do you really think that the users of a stalker app care if the app got "hacked" once or twice? Do you also think that the app makers themselves really want to remind the legal world that this stuff is legal when i bet you >50% of their users probably installed it on devices that aren't theirs?
IDK, personally I would avoid the law at all costs if I released something this shady.
> Considering that the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target
They never disclosed to the target company (not that I think they should have), so this is definitely not white hat. This is essentially the grey-hat version of vigilantism.
They disclosed it to a journalist and now on their blog.
Your theory is that Daigle is at risk of a Canadian prosecutor hauling him into court based on the criminal complaint of a Uruguayan purveyor of stalkerware? That's novel.
I think the theory is that Daigle has publicly professed to committing a crime, sharing all their steps and receipts. It'll be unheard of, of course, if a Uruguayan purveyor of stalkerware takes him to court.
However, next time he talks about emulating Nintendo games or whatever, I'm sure Nintendo lawyers would love to bring it up and point out "how the defendant brazenly defies law and order with predetermined malice".
Not to even begin to mention that now some shady criminal might hold a grudge against Daigle. I hope his security is air tight.
There is a reason these reports are usually anonymous or follow responsible disclosure.
> next time he talks about emulating Nintendo games or whatever
This seems like a straw man, though? What if they just... continue to not do that? (I think this is what the other commenter meant with "concern trolling".)
> Not to begin to even mention now some shady criminal might hold a grudge against Daigle.
This is 1) not a problem a lawyer will help you with and 2) not a practical concern for most people in the US and Canada. For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.
I don't really see a practical reason for this person to avoid putting their name behind this report. The only reason that seems to make sense is if this group is not a criminal enterprise. Then they might be at all inclined to file a lawsuit.
>For example, Brian Krebs continues to (read: he's not dead or otherwise intimidated into silence) put his name behind many similar reports of illegal activity. There is a reason law enforcement investigates and prosecutes violent crime.
Brian Krebs invests a huge amount into keeping his home address a secret and has extensive surveillance at his home to keep intruders out. He was once SWATed and another time someone ordered heroin to his home and called the police to frame him for drug trafficking.[0]
It's a bit of a miracle that Krebs continues his reporting. Krebs' courage and opsec is not very easy to achieve, especially for a 23 year old blogger like OP.
These points are not convincing. That paragraph says that he expends effort to keep his home address secret but then admits that those efforts are in vain because he’s been mailed things maliciously (to his home address) and SWATed (at his home address). It’s also not likely that surveillance will keep intruders out; it would help the criminal investigation after his house is burned down, except that hasn’t happened.
I agree that he’s courageous but only because he receives many threats, not because he faces imminent dangers. His protection comes from the fact that a criminal enterprise will only bring attention to themselves by purchasing his murder, which is true because law enforcement investigates and prosecutes violent crime.
>That paragraph says that he expends effort to keep his home address secret but then admits that those efforts are in vain because he’s been mailed things maliciously (to his home address) and SWATed (at his home address). It’s also not likely that surveillance will keep intruders out; it would help the criminal investigation after his house is burned down, except that hasn’t happened.
The article says that he moved to a new home because of these incidents and now takes extreme measures to keep his address a secret.
I don't understand how you can make the argument that retribution from criminals is "not a practical concern" because Krebs still does his reporting in spite of the risks. SWATing and attempts to frame him for a serious crime aren't just threats - they occurred. He could have died or been imprisoned.
Hey, that's my server, and is totally 100% legit. I was unaware that I was pwnd and someone was using it as a C&C server. I'm now suing you for hacking my server, as you could be the person that installed the C&C server. After all, you are an admitted hacker.
I'm interested that people are talking about suing; unauthorised access of a computer system is usually illegal, you don't need to rely on tort. States like to be in control of who is allowed to access computer systems; it's a key component of the projection of power.
About half of hacking articles are just fake things people claim to have done but didn’t actually happen and no one checks on it, and conveniently by the time they publish the exploit was “fixed”. So you can’t verify for yourself anyway.
Without hard proof that the author did what they said they did, you have no real case. This particular story already sounds far fetched but makes good fantasy.
Instead means "this isn't our bug, it's the underlying library."
The libraries you rely on are part of your product. You own the issues that bubble up from them.
A much much better reply for the maintainer would've been: "The root cause looks to be X, I'll submit a ticket and make sure a fix makes it into our build."