DEF CON 31 War Stories - A Different Uber Post Mortem - Joe Sullivan

6,942 views

DEFCONConference

1 day ago

The federal criminal case of United States v. Joseph Sullivan, NDCA 3-20-CR-337 WHO, has been covered and debated quite publicly since I was fired by the new Uber CEO in November 2017, a year after the incident. Most discussion has focused on questions of my guilt or innocence, the culpability of other executives at the company, and the implications of the case for other security executives.
Less has been written about the guilt or innocence of those who accessed Uber’s AWS environment in October 2016 and triggered an incident response by emailing me and asking for payment. After we met them, my team and I did not consider those 19- and 20-year-old kids to be criminal actors and treated them as security researchers. Yet both also faced federal criminal charges.
During my talk I will review the extraordinary investigation done by my team at Uber and put it into the context of other historical cases my team and I had worked on. Whether or not you consider them to be security researchers, there are many lessons to be learned related to the dynamics between researchers and companies and the dynamics between companies and the government.

COMMENTS: 31
@Maleko48 7 months ago
That was the loudest applause I've heard yet in one of these talks. It's a shame felony convictions were handed down after all was aired and out in the open.
@andrewbocz2596 7 months ago
Interesting talk and I agree with his points, but I don't appreciate his apathy for the kid who was busted. He was more worried about making his team sound good rather than acknowledging the collateral damage.
@MrMilarepa108 7 months ago
I didn't have the same impression though. He intentionally kept his mouth shut about him because the kid's life is none of anybody's business. I felt what he said (which is as little as possible to still be able to get the story across) was being very respectful of the kid's privacy. He seemed genuinely angry that the kid got a felony conviction.
@craigslist6988 7 months ago
The presenter Joe should also have pointed out his own failing here as leader of the research team. Despite all the progressive work on bug bounties, he didn't really acknowledge his big mistake. Acting as an arm of a large corporation, he decided because he and his team are 'good' it was okay to 'involuntarily attribute', aka tricking the researcher into exposing their IP. That was negligent behavior because ultimately, as was demonstrated, it's not you but the company you are acting on behalf of that gets to decide whether to be 'good'. And that will eventually fail. He should never have tried to find the researcher without their permission, which the researcher obviously wouldn't agree to without legal protections. And if that process had been done the company's hands would be tied. So even after they screwed Joe over, at least the kid wouldn't have his life ruined by some POS corporation. What an unfortunately expensive way for that kid to learn that groups of people working together, regardless of whether individuals are good, act like the worst, most maliciously demented psychopaths you can imagine. The only time you should trust a company, or government, not to slaughter humans carelessly is when they can't because they're chained down by physical or legal (backed by physical) limitations.
@Prophes0r 7 months ago
Tricking the kid(adult) into revealing his IP? Are you serious? I'm probably as anti-corporate as you can get, but their investigation was staggeringly above-board. This was handled ALMOST EXACTLY as it should have been, and it is disgusting that the ignorant have so-far gotten their way. P.S. Companies don't get to decide anything. They are nothing but a chemical reaction that burns people for profit. The PEOPLE are responsible for their own ethics. Which is exactly what was on show here.
@gigiopincio5006 7 months ago
Yeah, the whole "yeah I attribute, ergo violate their right to anonymity, because that time it was a kid and we wrote to his mom" makes no sense. Very Batman of him.
@Prophes0r 7 months ago
@gigiopincio5006 There is no "right" to anonymously commit crimes. Anonymity and privacy are a right during NORMAL life. They should be respected, sometimes over other rights, but they aren't the ULTIMATE right. It is the job of parents, adults, and society to encourage good behavior in the young. Are you seriously suggesting that the better solution would be to throw a kid (barely an adult) to the wolves, rather than learn about them and bring them into the fold? You two seem to be hyper-focused on your own idea of "attribution" (which was perfectly acceptable in this case) rather than how well this situation was handled. Attribution and doxing are not the same thing. Attributing an action to an individual is necessary and good. Further, punishment serves little good. It is a poor teacher. It breeds discord. It keeps people separate. It grows resentment. Teaching and rehabilitation are the only true way to resolve an issue. Show "The Other" what you have in common and you can learn to work together.
@Tawnos_ 7 months ago
Their effort and ability to dox Brandon to reach out to him offering both training on bug bounty programs (how to properly turn the bug he found into cash without coming across as extortion) and a job, and that the data never appeared on the dark web/for sale were both their biggest evidence in support of the argument that they authorized that kind of access to the data. It was also the thing that screwed them when the now Brandon was charged with a felony, as they had identified the person who could be charged/convicted of a felony which Joe could be charged with attempting to conceal. He appears to have acted in the interest of his company, the users, and researchers. I'm interested in how his and Brandon's appeal will go, as I could see a competent argument being made that the law was misinterpreted as applied here.
@craigslist6988 7 months ago
@Tawnos_ I agree, the jury asking the question they did means the defense did a bad job not addressing the interpretation of the law and making the argument that 'forgiveness' can be given even after the event. Hopefully it gets overturned, but it may not, and laws need to change to fix the misunderstanding anyway. The country has such a severe aversion to changing laws it's bizarre. We elect such lazy politicians who never do work, we end up making people spend millions and years in courts squeezing tiny bits of nuance out of laws slapped together in a hurry before an election or whatever, rather than make modifications to the laws to repair or clarify when they are not working. Also, I was implying that in this case I think Joe should have created a legal document to waive the rights of the company to participate in prosecution against the kid for the process of discovering the bug. That would have been the 'right' way to show he meant the kid no harm. Instead he thought if he found him and showed him he meant no harm then the kid would trust him more and cooperate. But the fact he is trying to convince the kid to trust him is the problem: just remove the need to 'trust'. And if he couldn't get the legal authorization of the company to sign away its rights, that just cements that they should not be trusted. Think of it this way. When you start working for a company and they ask you to sign an NDA you don't break into their office, steal some IP and then go back to them and say "see bro, I don't need to sign this NDA, you can just trust me". But that is exactly what he did to the kid. That should not be how these interactions happen. The only reason they do is because this country has a garbage legal system that is inaccessible to normal people and extremely helpful to large corporations.
@Prophes0r 7 months ago
I appreciate that companies do have SOME sort of commitment to non-prosecution of legitimate security research. However, it really should not be up to the companies. We need federal protections. We need something written in stone. A company can only be trusted as far as its wallet. It really doesn't matter how much of the "right thing" the internal security team and outside researchers are doing; if it is going to cause a big PR problem, or tank share prices, the "we play nice" rules go out the window every time.
@raiden72 7 months ago
The shareholders need to learn to embrace disappointment because they leech from society.
@TheMohawkNinja 7 months ago
I doubt there will ever be anything written in stone that actually works in a general sense. As the speaker pointed out, there is far too much gray area to write anything super well-defined in law. Any laws will probably just be written in a way that makes it a case-by-case basis, which puts us back at square one. The best solution IMO, especially given the massive difference in data-sensitivity between industries, should be for corporate legal teams to come up with well-defined scopes that work best for their own company. I really don't see there being a one-size-fits-all solution that the federal government could provide. Companies like Raytheon would probably be better off taking the harder stance of "if you stumble on it by accident, that's still prosecutable" given the literally classified nature of much of their work. On the other hand, a smaller financial institution in which most people in the company have access to the same types of sensitive information as anyone else (e.g. addresses, SSNs, EIDs, etc) would probably take a more lenient approach. It wouldn't make sense to prosecute an accountant that stumbled across some financial documents they weren't supposed to see (e.g. internal finances only meant for C-level eyes) when they see the same type of information as part of their daily job.
@Prophes0r 7 months ago
@TheMohawkNinja We have plenty of "Good Samaritan" laws. They are always a bit too vague, but they are still there. "In stone" means it would be difficult to simply ignore or do something else. It means not having to rely on the "charity" of a corporate entity that exists exclusively to protect its own interests, meaning profit. We have countless examples of corporate overreach when dealing with researchers, because they get to make their own rules about what is "okay". I'm saying the corporations don't GET to decide what is okay. That is for society, and its elected representatives. I'm tired of gag orders and legal bullying from entities that have been given months or years to resolve problems that exist, and are being exploited in the wild.
@TheMohawkNinja 7 months ago
@Prophes0r Call me paranoid, but between the last few years of government overreach and PACs/lobbies/other forms of corporate control in government, I really don't believe that the government is going to do much good nowadays, even if in theory it could.
@Prophes0r 7 months ago
@TheMohawkNinja Not to be too much of a flagellant, but we allow it to happen. All we can do is help make the changes we want to see, and hold those accountable when they do us wrong. Criticism is useful. Cynicism only holds us back.
@a_DiGiTaL_Slave_Labs 6 months ago
Only 5 minutes in and the person who did the intro and the main speaker both sound extremely nervous and emotional. Seems like this might be an interesting listen...
@goldnutter412 7 months ago
🥰
@ClassicRiki 7 months ago
Someone should point out how embarrassing it is that “he/him” is on that screen. Grow up
@kendokaaa 5 months ago
Or alternatively you could get over it like a grown up