It becomes unethical as soon as you discover the vulnerability and refuse to disclose it.

It's like if you have a key to an apartment and you move out without the landlord asking for it back. It's not unethical if you then discover that the key still works. It becomes unethical when you do not disclose this fact. Worse still if you start making copies of the key and selling it to people who intend to break into that apartment.




I think the ethics depend heavily on when a flaw was discovered.

If this person knew of a flaw when at Apple, and did not disclose it to Apple (his employer), but instead left to go exploit it--that would be clearly unethical and possibly even illegal.

But if they left, and then, as an ex-employee of Apple, discovered a new flaw in Apple's security... how are they any different from a random person who never worked at Apple?

Do security researchers have a general ethical obligation to disclose a product's security flaws to the company who created it? I think most security researchers would say no... the obligation is more rightly put on the company itself to produce secure products.

Company managers don't generally have an ethical obligation to their ex-employees after the employment period ends. It doesn't seem fair to say that ex-employees should be obligated toward their former employer. The exception would be if they acted unethically while employed there and then reaped the benefits later.

Or look at it this way--imagine an employee of GrayKey went to Apple, and then learned how Apple is defeating GrayKey. Does that employee have an ethical obligation to tell GrayKey about that? If ethics don't work the same in both directions, they're probably not strong ethics.

That is, unless there is some higher moral at stake, like "breaking security is always wrong." But even that is problematic because if you never try to break security, it never gets better.


> I think the ethics depend heavily on when a flaw was discovered. If this person knew of a flaw when at Apple, and did not disclose it to Apple (his employer), but instead left to go exploit it--that would be clearly unethical and possibly even illegal. But if they left, and then, as an ex-employee of Apple, discovered a new flaw in Apple's security... how are they any different from a random person who never worked at Apple?

They are still different from the average person on the street. Security is more than just the binary flaw/no flaw distinction. Perhaps while working at Apple the researcher knew about some old libraries that were still in production release but had not been worked on, let alone updated in years? That sort of insider knowledge could help them find exploits the average person wouldn't think of.

GrayKey is a completely unethical company. They are selling unauthorized access to people's devices. The fact that their main clients are law enforcement officers is irrelevant.

I can't believe you'd suggest that Apple is in the wrong for hindering GrayKey's efforts. Am I in the wrong for changing the locks on my door to hinder burglars?

Security flaws are ticking time bombs that threaten all of society. Discovering them and exploiting them rather than helping to fix them is ethically akin to discovering chemical or biological weapons and helping to put them into use.


> GrayKey is a completely unethical company. They are selling unauthorized access to people's devices. The fact that their main clients are law enforcement officers is irrelevant.

I'd say this is an example of a higher ethic or moral at stake. Not everyone agrees with you that law enforcement access to a device is always unethical. It certainly can be, if the police are acting unethically (which some do). But if they are properly investigating a crime and get a warrant, that's going to cross into the OK zone for a lot of people.

> I can't believe you'd suggest that Apple is in the wrong for hindering GrayKey's efforts.

I did not suggest that and I don't believe that. I think it's great that Apple is fixing their device security.


> I'd say this is an example of a higher ethic or moral at stake. Not everyone agrees with you that law enforcement access to a device is always unethical. It certainly can be, if the police are acting unethically (which some do). But if they are properly investigating a crime and get a warrant, that's going to cross into the OK zone for a lot of people.

Not for me. There's nothing sacred about the police. They spend a heck of a lot of time and effort acting as foot soldiers in a class war against the impoverished. They engage in widespread legalized highway robbery in the form of civil forfeiture. And if you want to include customs and border patrol (I do) they also spend a ton of time breaking up desperate families and conducting dragnet surveillance against innocent travellers. And their effectiveness in all these endeavours? Abysmal, if you take their stated aims at face value.


Why are you accusing the parent of suggesting Apple is in the wrong for hindering GrayKey's efforts? They didn't say that. The question is whether an employee has an ethical obligation to their former employer to disclose security vulnerabilities discovered after their employment was terminated. I agree with the parent; once your employment has terminated, you do not have any moral obligation to disclose information gained after the termination. I would argue you do have an obligation to disclose security vulnerabilities discovered while still an employee, or at least refuse to exploit those security vulnerabilities, as knowledge of them is essentially privileged information that belongs to your former employer. But any knowledge gained after termination is fair game.


Agree it's unethical to not disclose, but if that's your business model I guess you don't care.

In the landlord example my argument is that the landlord is being unethical, locks should be changed.


Maybe the landlord usually changes the locks but forgot this time? Heck, think about a quiet suburban neighbourhood. If someone forgets to lock their doors at night and they get robbed, it's still the burglar's fault for committing the crime.

One of the guiding principles of ethics I follow is Kant's "ought implies can" [1]. If you make a mistake and forget to do something, that's not the same as deliberately choosing not to do it. All humans make mistakes of this kind. To imply otherwise is to imply that a person could rise above all of humanity. That is asking far too much.

[1] https://en.wikipedia.org/wiki/Ought_implies_can
