I do dev & IT for a <25 person company in ecommerce. If we had even half of the issues that were pointed out in this post, I'd be telling the owner that he should be looking to replace me. I get that they're not a software company, but these are super basic issues. These issues, coupled with no response to the reported issues, leads me to suspect that the c-suite deprioritized IT to the point that it's a skeleton staff and they can't hire or retain anyone that's even halfway competent. You don't end up with these kind of issues, as a company of their size, unless there are serious management problems. They are big enough that they should definitely have the budget to do basic stuff like auth properly, or at least not make so many 101-level errors.

That said, the author also comes across as a complete d-bag as well. I have about as much love for marketing people as the average software developer, but their description of their average consumer was pretty normal. The author got super-catty about what's a fairly basic description of their average consumer and a stock photo. They aren't saying the only people who drink monster are young white males, just that that is their largest market and the consumer group they are targeting. It does make sense for them to say internally "hey, FYI this is the group of consumers we intend to target with our marketing efforts", and I've definitely read very similar stuff in every marketing proposal I've read, just with different groups.

I wouldn't be surprised if their lack of any response is because they literally have noone to deal with this. They can't seem to fill (or hold) some pretty important IT roles:

https://recruiting2.ultipro.com/MON1009MECY/JobBoard/682eaab...

You remember "software is going to eat the world?"

_Everyone_ organisation is a tech organisation.

Totally still on Monster even if they contract 101% of their IT.

It's like watching the school bully pants the weird kid who's just really passionate about his interests. It's not tough or cool, really it's just pathetic and sad.

This is what happens when you contract out your development. Huge companies are going to FAFO as they continue to do pursue this foolishness.

I first learned of bobdahacker from his post three weeks ago also headlined on HN: https://news.ycombinator.com/item?id=44723773

Or Europe. Or the UK. 10+ prison plus civil damages in all three jurisdictions should it be prosecuted for various "Unauthorized computer access" laws. Even just browsing protected endpoints is a criminal violation. Publishing any info is even a bigger crime.

FYI, if you are a hacker:

1. Stop immediately after discovery and don’t go further than the minimal step that proves the vulnerability exists.

2. Document, don’t exploit

3. Report responsibly

4. Do not publish until fixed. Do not publish documents/images without permission.

5. Intent doesn’t erase liability: even “just poking around” can be charged under CFAA (US) or CMA (UK).

Or that they took sufficient care to remain anonymous.

And regardless, I would tend to believe that a highly successful, very pervasive consumer product has at least some fucking clue who their customers are, unlike the random dude hacking their site who appears to think he’s an expert in everything because he understands some tech.

Not that HN would know anything about that.

Since most people are lower income, and therefore a high-market share low unit price gas-station drink company like Monster will by definition have to have its largest customer base be from the largest ie: poorer demographic, the only slightly revelatory information is that the demographic is younger, male, and leans Hispanic.

This doesn't imply that people in higher income brackets don't drink it, even most of them (though probably untrue).

Also pertinent is that the data is specified for Monster Green, which is their full sugar product. Monster Zero is a pretty big product as well, and could have a slightly differing customer base.

Ethical hacking requires prior authorization from the organization you’re hacking. This person is a total clown and is absolutely in violation of the law.

It is common practice to give the company sufficient time and communicate, and then release the details once the vulnerability is patched. But it’s also common in practice to disclose the vulnerability after a set period of time if the company does not engage in any form of communication and refuses to patch the vulnerability. In this case they didn’t engage in any form of communication and then partially patched the problems. Nothing out of the ordinary here.

My understanding is this is the standard SOP for security vulnerabilities: 1. Report the security vulnerabilities to the “victim” 2. Work with the “victim” the schedule for mitigation and publication 3. Publicize the vulnerabilities (the security researcher wants his findings to be publicly recognized)

If the victim does not acknowledge this issue it is impossible to execute step 2. So then the security researcher goes to step 3.

If the hacker has the emails sent at step 1 he will be fine.

These companies treat fines as the cost of doing business and every time they lose people's personal information, they get slapped on the wrist and laugh it off while the execs get bonuses for having someone write a tearful apology to appear like victims.

I am happy every time somebody makes enough noise to make them notice and fix it because being polite and legal clearly is not working.

Nah, fuck that noise. If the company reacts to a responsible disclosure notice that's nice but no one is under any obligation to help out mega corps to secure their shit. And the users aren't put at risk by the people finding the vulnerability but by the company not fixing it.

Fuck Responsible disclosure, companies should have to bid on 0 days like everyone else.

They did contact them and there was no response. The only one answering were ClickUp folks.

disclosure is also a crime, but anyway

> I'm tempted to just find the person that owns this blog and make sure they aren't hired int the security industry. We don't need people like this around.

Sorry, being the one to "make sure" someone doesn't get hired makes you the person whom I'd never hire in my eyes. Hopefully in all the potential employers' whom you go crying trying to sabotage this guy's career also.

Everyone was an eager junior once. If you weren't, it's your problem, not this guy's.

alternatively:

the security guard of the local mall left the door unlocked when the mall was actually closed, and i saw the mall hours that it was closed, but i went in anyway out of curiosity since i was already there

Because you certainly are the right person to pass judgement and destroy someone's life based on reading a few blog posts.

Come on, what security doesn't need is this attitude.

I worked at places with "points" you can give to other coworkers, but no reward. I would love to have traded some of my points for monster merch. This can almost read like an advertisement for working at Monster

I thought it was the other way around, that the individual mark is interpreted as a 6 so it's 666?

They have sugar free versions now.

There might be a bit of history involved. I'm GenX - very early GenX, at that. I discovered Monster in 2002 IIRC, back when energy drinks really started to take off. (Red Bull is the only one I remember seeing much before that, unless you also count Jolt, and even then it was nowhere near the pervasive thing it has become today.) I tried everything I could find, and Monster was the only one that didn't taste like absolute crap. I think the siberian ginseng is the key BTW, to complement caffeine's characteristic flavor.

So, back then, most consumers would have been GenX. Millennials would have been between 6yo and 21yo with only the very oldest likely to be buying such things. GenZ wasn't part of any market segment, and Alpha didn't even exist yet. Some of us GenXers stuck with it; at 60yo I still drink a can instead of coffee every day and none of my labs show any ill effects. Maybe we're not the primary demographic any more, but we're certainly still in there.

So ... which of us speaks for all GenX males in the world? ;)

Avatar or persona is a literal fake person. “This Steve Doe. He works in construction and is 29 years old. He is in a lower income bracket and drinks a monster every weekday with lunch”.

The example in the post is a super generic target market.”gen z, lower income”

Yes, or pointing out anti-phishing training like it's anything special. The entire post is cringe imo.

Eh, I think part of it is just making a more clickbaity title.

Presumably redbull, given their avatar https://bobdahacker.com/static/images/bobdahackerReal.png

Companies like Monster and Redbull are marketing companies that happen to sell energy drinks.

That is almost certainly not a meaningless demographic they pulled out of thin air. It might not be meaningful to you as a demographic. It might even be offensive to you as a demographic.

But, to the marketing company, that is a concrete “group of humans” that respond well to their product and advertising. It informs how they develop their ads, how they target them, which geographic markets they push hard in, what events they sponsor, etc.

When they define that demographic as the people they’re targeting, and allocate their capital towards targeting them, they see the highest returns they’ve been able to find so far.

Which part don't you understand?

(Gen-Z/Millennial/Gen-X)

This covers like sixty years?

It means a marketer will know where to deploy capital.

Which part? younger men with lower income who are likely to be Hispanic Caucasian (as opposed to non Caucasian Hispanic)

It means some people still think there are meaningful racial categories, that people with light skin come from the Caucasus, that speaking Spanish is an "ethnicity" which is orthogonal to "race".

Also Gen X (aged between 44 and 60 at time of writing) are "young".

> 15-19yrs old

Also would explain their unfamiliarity with what looks to me like totally normal branded corporate training.

Would you like me to give an unsolicited read on what you look like and which developmental disorders you might have also?

The energy feels so high school

No need for personal attacks.

I've seen a documentary on that, they got kicked out ;-)

[flagged]

This is from the post:

> "Monster Green shoppers are likely younger (Gen-Z/Millennial/Gen-X) male, lower income & Caucasian (skews Hispanic)."

Later in the post:

> The scariest part wasn't the training portal or the questionable customer profiling.

Questionable customer profiling is just basic research about their customers.

Seriously, I wish more companies were honest at least internally who their customers are. A lot of problems could be solved if places like Marvel realized who their core base is, accepted it, and made products for their audience.

He used his "advanced hacking knowledge" to trick himself into participating in corporate training exercises and tear-inducing boredom. This actually made me laugh.

The picture is a little silly but listing out the demographics of your customer base is like so normal. The marketing for Monster would be quite different if their market was over 65 women.

Although it would be a funny bit to run a monster commercial in the style of something like L'Oreal.

So strange, does the author think companies never try to understand their customers?

[dead]

Depending on jurisdiction, it can be argued that this is not unauthorized access, as the files and listings do not prevent access to anyone, effectively authorizing anyone who requests a file.

We detached this subthread from https://news.ycombinator.com/item?id=44997698.

Their bio says

> am nonbinary leaning fem and use she/they/he pronouns.

So while they prefer feminine, they explicitly list masculine as okay to use.