Why should they? If I was hiring an employee I’d want to know they will follow directions given to them and not argue as to whether something is legal or not. That’d make me worry how cooperative they’d be as an employe.
No, it’s a completely different company in a different industry. Nothing in their writings indicate any relationship with them.
No, I’m not insulted.
I guess there are many layers and shades of what “hacking” is. True, I am not making fake credentials or accessing data that I could not get through their regular UI.
To me, it all comes down to private property. If you own the private property (the server) then you get to determine how people access it. They have a for profit business that depends on people using their interface. Yes, they have a free service, but by bypassing their UI, I’m also bypassing their branding and advertising - something that they depend on me seeing. But ultimately it is their property. I know we live in a world that doesn’t think of digital property as “real” property and that whatever you can take are sneak around is fair. I’m an old fashioned guy.
The point was made that ultimately it is my data and the analogy was made of a kid going into a neighbors yard to retrieve a baseball. Yes, I know we can create a chauvinistic analogy, conjuring a bucolic scene. But that is a flawed anology, IMHO. Children are children, accidents are accidents, neighbors are people we know, and yards are yards.
I think a better analogy (certainly in this case) would be of a storage company, offering free storage for small boxes and charging for larger or more complex storage (climate control, etc.) Now as owners of the property, they have the right to set policies and hours. I cannot break into the facility at 4am to get my baseball card collection back. It doesn’t matter that it is my collection. It doesn’t matter if I’ve cleverly found a backdoor and figured out how to defeat the lock. I may not be a thief, but it is still breaking and entering and trespassing.
I’m always amazed how people are willing to aggressively attenuate their sense of propriety when their online. I try to use the same standard for right and wrong that I do in the online and offline words.
I know I’m old fashioned. I know I’m on the loosing side of history here. I’ve watched digital hacking destroy the recorded music business. It’s doing a lot of damage to the video industry. People seem to think that everything should be free and boundaries mean nothing.
But that depends on them thinking of this as a crime or not. Again, I think that increasingly people rationalize digital trespassing. If you can get at it and get away with it, then it’s fine.
Was it a moral test? I doubt it. I’d had a long phone interview with them and this was the coding challenge they sent. It is impossible to complete without that first step. I don’t think it was a ruse - it would have had to have been a pretty elaborate one. I think they just think it’s know big deal to (mis)use someone else’s backend for this test. I can see why this is an interesting test (it certainly should be some weaknesses in my understanding of how HTTP and RESTful APIs work - I intend to do some more work on this so at least I’ll understand what’s going on better.) I just wish they’d created their own API and had me “hack” that.
Well, if they want people that will break the law without questions, then I’m not the guy for them. I’ve never been a big fan of the “I was just following order”, Nuremberg defense.
It sounds like you’re definitely uncomfortable with this task, so I say don’t do it. The exercise doesn’t do any real harm (you are probably spending more time on their web page and getting their ads while trying to understand their API than you otherwise would), but the tools that you create could be used to do harm in the same way that ad blockers and user bots do. If you don’t feel good about creating something like that, then it’s perfectly reasonable to stick to your guns.
Not look at a coding perspective, one of the first things I learned in my high school’s business class is to follow your manager’s orders enthusiastically - without question or hesitation - and to be cooperative.
I read more of this thread and it’s unusual they want you to use someone else’s API without permission. If it’s a public API though I don’t see the issue, as long as you aren’t abusing it.
Again, for me it all comes down to property rights. If someone wants to pay for a server, set up an API and say, “OK, anyone can access this anyway they see fit”, then I have no problem with that. It is their property. But I don’t think it’s right for people to claim they have the right to use another person’s property just because they can get away with it.
If I’m out for a run on a hot day and see a house with a nice pool, I can’t just go for a dip. It doesn’t matter if no one is home. It doesn’t matter if I won’t do any damage and won’t cost them anything - they won’t even know I’m there. It doesn’t matter that there is no fence. It doesn’t matter that they didn’t post a “keep out” sign. The fact is that it is their property and I cannot use it without their permission and could only use it by their rules. Even if they give me permission to use the garden path to get to the pool and take a little dip (as the site in question grants me access through their UI) that doesn’t give me permission to come in through the window and take a nap on the couch. It is still their property and they reserve all rights to tell me how I can use it.
I will never understand people’s lack of respect for property and boundaries that seems to infect the modern world. My property, my rules. Their property, their rules.
2 Likes
If you don’t want others using your API follow industry standards and require an API key.
Yes, putting up a locked fence is a great way to keep people out of my yard. But if I don’t put up a fence, does that mean that everyone has the right to enter whenever they want?
Again, I don’t understand why we need different standards for the real world and the digital one. Yes, security is always a good idea, but a lack of security (or inadequate) does not entitle everyone to do whatever they want.
1 Like
Why do you lock your door at night? The law already prevents people from entering. It’s to stop criminals. The same applies to a private API. If you haven’t locked it down you are begging for abuse.
I’m not arguing against locking the door. But there is no such thing as a perfect lock. I don’t like shifting the blame on the victim.
If I leave my door unlocked, then that is bad judgement on my part. But it does not excuse the trespasser. And if we go down the road of evaluating the responsibility based on my security precautions, then that is a slippery slope. There is no lock or security system that cannot be defeated. Even if I leave my door wide open, 100% of the blame lies with the trespasser.
If you haven’t locked it down you are begging for abuse.
I don’t like you’re use of the word “begging” here. To me it’s blaming the victim. Having bad judgement is not the same as having culpability in your victimization.
1 Like
I’ll admit my wording may of been a bit too harsh, my apologies.
If you leave your door unlocked criminals are going to come in at some point. It’s not a matter of if, but when. You need to do your part in keeping your data safe.
Your style of thinking shouldn’t be will my security be enough, it shouldn’t be my security isn’t good enough, how can I prolong my security solution’s effects.
Indeed it does, doesn’t change the fact your data was compromised and likely sold on cybercriminal markets to the highest bidder. The damage has been done - depending on how negligent you were and the industry you are in - you may, even as the victim, be held liable and have to pay a fine.
Law enforcement cannot protect those who don’t make an effort to protect themselves. Security works by everyone working together if one person stops the chain is broken and the crooks get in.
That’s… so problematic. It’s one thing if you’re hired as a hacker to hack /their own/ systems, as a part of security. It’s completely unethical to expect people to not only hack other companies illegally, but to do so without question. The employer isn’t the only one at stake there, and I sure as hell am not going to risk my freedom and clean record for my employer.
1 Like
A few things:
- We don’t know if this isn’t some made up company they setup for the coding challenge.
- From what I understand all they wanted you to do build an alternate API interface. That’s not hacking nor is it illegal. This is similar to the current case with LinkedIn whether scraping public data is illegal.
- I speak purely from a business perspective on that one. Maybe I’m entirely wrong and in a tech job it’s normal to argue with your boss all day long but I find that doubtful.
Just to clarify (I don’t want to use names here) …
We don’t know if this isn’t some made up company they setup for the coding challenge.
It was not a made up company. If it were their own made up company and API, I’d have not problem. I had interviewed for company A, a startup. After a good phone interview, they sent me coding challenge which involved me trying to figure out how to access the private API of company B, a for profit company in a different sector. Company B is an established web services company (7 years old) doing business and making money. It’s a significant company, connected with a major player, one of the largest web companies there is.
True, these two companies are in the same city. But this is the San Francisco, Bay Area so that is not a stretch. It is possible that these guys know each other, but I think they would have at least mentioned that. If I told someone to go to an address and take a swim in the pool there, I would add, “Oh, it’s cool, the guy and I went to college together.” I’ve reread the challenge and there is nothing to indicate any connection. A quick search of Company A’s LinkedIn page showed no direct connection to Company B.
From what I understand all they wanted you to do build an alternate API interface. That’s not hacking nor is it illegal. This is similar to the current case with LinkedIn whether scraping public data is illegal.
I am not a lawyer so I can’s speak to illegal. I will say that the modern generation, when it comes to digital property rights, seems to have taken the stance of “if I want it and I can get away with it, it’s not illegal”.
Is it hacking? Well as discussed, there are several shades of what is called “hacking” and this clearly meets a few of them. I agree that it is not black hat hacking because there is nothing truly malicious intended here, but it is clearly going against the intent and against the interests of the people that paid for the server. The hacking is being done not for their benefit or even their knowledge so it isn’t white hat hacking either.
I do have the opinion that it is at least unethical to access someones server (for which they are paying to maintain for the purpose of a running a business, not for my amusement). True, I am using their free tier of service, but by bypassing their API, I am bypassing their advertising, essentially the cost of their free service. That is theft of service, quite clearly, and is usually considered illegal. True, I’m not trying to do anything malicious, but a lot of bad things happen when people don’t mean to cause problems but are doing something unauthorized.
And again, private property, private property, private property. If you want to pay for a server farm and tell the world they can do their worst, go for it. But you don’t get to decide that for other people.
Again, I think part of the difference is generational. I didn’t grow up in a digital world where everything could be had for free if you were sneaky enough. I grew up in a world where property and boundaries were clear and respected.
If someone was a good lock picker and could sneak into your place and take a nap on your couch when you’re not there, is it OK as long as they don’t intend to do any damage? Is it your fault for not having a better lock?
I speak purely from a business perspective on that one. Maybe I’m entirely wrong and in a tech job it’s normal to argue with your boss all day long but I find that doubtful.
No one said “all day”. And from a legal standpoint, you have an obligation to speak up if you feel something is illegal. “My boss told me to do it” is not a legal defense. It didn’t work in Nuremberg and it doesn’t work in US courts either. Employees are 100% responsible for their own actions. And a boss cannot fire you for refusing to commit a crime.
Again, I don’t think what they were asking me to do was some horrendous crime, but it wasn’t completely innocent either.
I feel you still have a choice … while you should have done it at the interview when given the coding challenge, its perfectly understandable that you didn’t as you weren’t sure about what they wanted you to do and only later you started thinking is this right … Get in contact with them and ask them to clarify exactly what they want you to do. Maybe your worrying over nothing and they way the put the task to you has you wondering is it wrong. Worst case scenario is they do want you to do something thats in the grey area and you can then decide yes or no, all you loose is a opportunity to work there which if you decided what they want you to do is against your views is no loss.
100% agree … plus while we hope all employers are ethical and would not have employees do unethical things i think we can safely say thats just not the case.
You wouldnt hire me then lol
Seriously … without question or hesitation …
Interesting topic. I understand the trespassing analogy but I’m not sure that it is fully analogous for this scenario, if the application that I will expose the api for was like say a bank account for example then that would be analogous to private property or my home , then that would be like picking the lock to a home or just opening it even it was unlocked, and completely unethical . However, if it is a business open to the public, let say a small shop in a mall, then I can walk in without knocking or giving any kind of notice and look around as much as I want, I also can do as much research as I want to inform myself of the product’s value (or lack thereof) before I make a decision to purchase. To me, company B is more analogous to a shop in a mall and their api would just be the raw data that is available on the client side before rendering , and if it is readily exposed to the public already then the architect of the shop must have done so intentionally.
2 Likes
This reply really puts things into perspective of the actual request. You provided a good analogy and it supports many of the things I have attempted to explains.
Yes I’m serious on that one.
Perhaps not. Good thing I’m not interested in an HR Role 
If you think a company is breaking the law don’t work for them. But don’t refuse to do the requested task and still expect a job.
Some companies will ask you to do bad things and you should not do them:
Business Insider article on programmers confessing poor ethics and illegalities
1 Like
But that’s where your analogy fails. A business can still restrict access. They can enforce certain hours. They can have certain restrictions (e.g., no shirts, no service or no one under 21). They can require an entrance fee (in the site’s case, it is being exposed to their advertising.) If a store wanted they could restrict it to people only hopping on one foot. Clearly that would be a bad business practice but it would be their right. It is their property and they have the right to define how people access it. You don’t get to take away the right just because you want to.
What’s being said here is that if a business exists, then any way people can gain access is fair game and it is the stores fault for not providing 24-hour armed security. That would be ludicrous in the real world.
Yes, I know hackers can construct chauvinistic, flawed analogies to defend doing what they wanted to do in the first place. They’re really good at that. Like I said, every software or movie pirate I’ve met thinks that the are warriors for freedom or some BS.
I don’t want to paint anyone here with that brush, it is clear that some people just want an excuse to do whatever they want. People have always done that. And it’s clear that some people get enamored of that counter-cultural, anarchistic, stick-it-to-the-man way of thinking.
I think if you owned a business that spent a lot of money to set up a server, where running a for profit business, that was no loosing ad revenue (fundamental to your business model) because hackers were bypassing your UI to use your server for “free”. It’s easy to think property rights don’t matter when it’s someone else’s property.
Santayana once said, “Few revolutionists would be such if they were heirs to a baronetcy.” Maybe it’s a product of our dwindling economy that so many people are looking for transparent justification to ignore other people’s property rights. But if you work hard enough, there may come a day when you regret being so callous with other people’s property as you see the next generation laugh at your rights and find paper thin justifications to do whatever they want.
1 Like
In that case everyone who uses Adblock is criminal and is unethical?