Hacker News | Mustafabei's comments

I am a lawyer and my field does cross the area in which these events have transpired.

First, yes, everyone should acknowledge that this matter has been handled poorly by their corporate in-house and external lawyers. This should not have happened. The company should face consequences. I advise my data controller corporate clients to reach out to the reporter/whistleblower immediately and have the IT team collaborate, at the very least talking to the person in order to effectively replicate the exploit so it can be thoroughly fixed. There should even be procedures on how this should be handled. I understand from the article that this is not how it was done here.

However, I feel obligated to note some different aspects, none of which are intended to condone how this company handled the situation. I want to reiterate: they should have handled it better.

Things to note:

1. They might have already reached out to the data privacy board. The data privacy boards, especially in Europe, are very involved in the reporting procedures and, in my experience, their experts are very reluctant about public disclosures if the breach/data leak is caused by an exploit. They (sometimes rightfully) do not trust the private sector's biased explanation that this vulnerability has been "fixed" and sometimes effectively prevent public disclosures about the event, allowing only the affected data subjects to be informed about it. The potential danger of re-exploitation and the protection of the public far outweigh the public's (that is, persons who are not affected by this breach) right to be informed of such an event. Affected persons should be notified. You might not have been aware that this happened. It is their legal obligation to notify the affected data subjects, but it is not their legal obligation to notify the reporter that the notifications to the data subjects have been made.

2. You did the right thing reaching out to the company and, upon some radio silence, contacting the competent authority. But sadly, your duties as a citizen end there. You played your part and did all you could have done, if not more. Contacting the company again was not really required. If you found yourself losing sleep, you could have re-contacted the authorities with a data subject request or a right-to-be-informed request. They are legally obligated (under GDPR) to respond to you.

3. Sadly, your e-mail, especially the line below, is actually a threat that is actionable under many EU jurisdictions:

   I am offering a window of 30 days from today the 28th of April 2025 for [the organization] to mitigate or resolve the vulnerability before I consider any public disclosure.
You cannot disclose this to the public. Even with good intentions. This might enable the exploit to actually be exploited by persons acting in bad faith and would cause more damage. The company is responsible for this vulnerability and they should face consequences for their actions or the lack thereof, but going public about an exploit is absolutely ill-advised, even if this is intended to coerce the company into action.

Nevertheless, I want to reiterate that this is not intended to condone the company's behavior in any way. You did the right thing warning them and the authorities, but further action might have caused more damage. It is always best to attend to these situations with the guidance of a data privacy legal consultant.


> 3. Sadly, your e-mail, especially the line below, is actually a threat that is actionable under many EU jurisdictions:

I suppose the choice of words is the problem here? How should one announce an embargo period?


> You cannot disclose this to public. Even with good intentions.

Bullshit, NIS 2 article 12 specifically says CSIRTs must coordinate the negotiation of a disclosure timeline between reporter and provider. I'd say offering a 30 day embargo while CC'ing the relevant CSIRT is the start of such negotiation from the reporter.

My biggest doubt about this story, LLM writing aside, is the lack of mention of a CSIRT follow up.


Not to mention that the systems are still active and responsive, still maintained while being written in FORTRAN.


Just to be clear, the computers onboard the spacecraft are programmed in assembly language--3 types of computers on each spacecraft, so 3 assembly languages.

The original ground system was mostly written in Fortran. Mission control (i.e., the thing you see on TV!) ran on IBM 360 mainframes. Offline analysis/design/development activities (e.g., developing observation sequences for planetary encounters) ran on Univac 1108 mainframes. Circa 1990, after Voyager 2's flyby of Neptune, the project began moving off the mainframes onto Unix workstations and the original Fortran software was largely replaced by new software written in C and other languages.


Made me remember the quote by Reinhold Niebuhr: "Frantic orthodoxy is never rooted in faith but in doubt. It is when we are unsure that we are doubly sure."


Thank you.


Lawyer here. Just very quickly, (i) a CEO's blog post itself is not legally binding on the company by nature, but it is a reflection of a corporate decision (typically by the Board of Directors) behind the post. An action of this nature can only be challenged in court by the shareholders or dissenting board members in certain cases. (ii) A legal patent holder has every right of disposal over the patent, including the act of revoking it. (iii) I did not look for precedents for this, but if a different company were to re-issue Tesla's designs in their own name and tried to sue Tesla (i.e. trolling), I have serious doubts not only about whether such revoked patents can be re-issued in somebody else's name but also, assuming that's possible, whether any judge or court would award any penalties against the original patent author in such a lawsuit.


Thanks!


The link seemed to work when I pasted it. I originally pasted the link you shared, but HN immediately pronounced it as [dead]. The one below seems to be working for me. Sorry for the fuss.

http://computermagazine.com/2014/05/14/how-isps-are-shameles...


Good work. If I were you, I'd try to show this to the guys at the Lumosity brain training thing.


No it isn't.


Indeed. It's more like..."You know those two things you know about? I've combined them into a third thing that will tickle your recognition engine with the absolute minimum effort on my part!"

It's kind of like those "parody" movies that satirize pop culture, except they don't really, they just...present it. And expect you to laugh, because Hey! I recognize that!


Well, Turkey had 2 of them in recent history (1957 and 1980), and they did not help democracy at all.


Don't forget the military intervention of 1997.

And yes, each one of these was a big setback for democracy. It was not my claim that military coups are good for democracy.

But which would you rather have, a big setback and then a chance to rebuild a democracy, or a takeover by a party bent on eliminating democracy and the multiparty system, and turning the country into a permanent, hereditary, sham "democracy" in the style of Syria?


I am so tweeting this


Not only is that hacking, it is also witchcraft, which is punishable by being burnt at the stake. Not to mention the heresy calling for immediate excommunication; the hacker at hand here should be ashamed of him/herself for the ever so terrible deed that (s)he has committed.

