ctoth 3 days ago

A lot of us are missing what actually happened here.

Some random person downloaded Huntress to try it out. Not a company. Not through IT. Just clicked "start trial" like you might with any software. Were they trying to figure out how to get around it? We have no idea!

Huntress employees then decided - based on a hostname that matched something in their private database - to watch everything this person did for three months. Their browser history, their work patterns, what tools they used, when they took breaks.

Then they published it.

The "but EDR needs these permissions!" comments are completely missing the point. Yeah, we know EDR is basically spyware. The issue is that Huntress engineers personally have access to trial user data and apparently just... browse it when they feel like it? Based on hostname matches???

Think about what they're saying: they run every trial signup against their threat intel database. If you match their criteria - which could be as weak as a hostname collision - their engineers start watching you. No warrant. No customer requesting it. No notification. Just "this looks interesting, let's see what they're up to."

Their ToS probably says something vague about "security monitoring" but I doubt it says "we reserve the right to extensively surveil individual trial users for months and publish the results if we think you're suspicious." And even if it did, that doesn't make it right or legal.

They got lucky this time - caught an actual attacker. But what about next time? What about the security researcher whose hostname happens to match? The pentester evaluating their product? Hell, what about corporate users whose hostname accidentally matches something in their database?

The fact that they thought publishing this was a good idea tells you a lot. This isn't some one-off investigation. This is apparently how they operate.

wvenable 3 days ago

> caught an actual attacker. But what about next time?

What about the time before this where it wasn't an attacker, so they didn't write an article about it, and so we never found out about it?

raptor99 2 days ago

Why would they NOT do this? They are a fucking cyber security company. It should be no surprise to anyone that a company that specializes in endpoint security software would be analyzing this shit non-stop, even for trial versions that users run. That's how their software works!

ctoth 2 days ago

"Why wouldn't a locksmith make copies of all their customers' keys? They're a fucking locksmith company!"

Having technical capability doesn't create ethical permission.

The distinction between "can" and "should" is fundamental to data governance - a concept that exists precisely because unrestricted access to customer data, even for security purposes, creates massive ethical and legal problems.

Huntress didn't monitor a contracted customer's systems for that customer's benefit. They surveilled a trial user for three months based on a hostname match, then published the results. That's not "how their software works" - that's a choice about how to use the access their software provides.

If you genuinely can't see the difference between contracted security monitoring and opportunistic surveillance of trial users, you shouldn't be commenting on security practices at all, let alone so confidently.