Wow! Just wow! Just as I think the situation cannot get any worse, the OP reveals even worse things going on. I know the UX of this blog and the lack of capitalization is going to turn many people off! But I urge you to power through and read the whole OP anyway.
Use reader mode, block Javascript or whatever it takes. Give the author a break. They're a teenager. What kind of websites were you making as a teenager? I'm sure one of those dark background websites with MARQUEEs and BLINKs with glaring contrast colors! So give them a break. Behind the annoying UX is an article about serious and appalling privacy and security issues.
Like read this:
> i raised this with chris, who's a full-time staff member (not a teenager), and he insisted that exposing physical addresses and sensitive info was "just a vuln" not a breach. said he's "never heard the term 'data breach' used that way" and... also relied on chatgpt instead of actual legal advice.
Actually this Chris guy has a point. I don't call it breach either. It's PII data exposure but it is a serious exposure. So I don't 100% agree with the OP but the cavalier attitude towards security coming from the staff of a legitimate organization is appalling.
It's just mind boggling that an organization handling PII data has such appalling privacy and security lapses and they still remain arrogantly indignant about it making bold claims about laws they don't understand, why, because ChatGPT told them so? Cherry on top is they are employing teenagers to answer legal questions! Not kidding! Just read the OP! Unbelievable!
Nobody—certainly not any adult staff—at Hack Club relied on ChatGPT for legal advice. Nor do we employ teenagers to answer legal questions, we have actual legal counsel for that! Or in my personal case I ask my wife, who is a law professor, and then she asks ChatGPT (just kidding).
There is too much nonsense in this post to rebut line by line, and these conversations have all been had to death within Hack Club (we put a lot of time into transparently and publicly discussing our programs, problems, and decisions). Here's the short version of this saga:
- The author found a serious vuln in one of our programs introduced by a junior engineer
- We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)
- The author insisted that their test of the vuln to access their own address was a data breach, therefore obligating us to notify all 5,000 participants of this "breach" as per GDPR
- We judged this to be Prima Facie incorrect. A lawyer has since confirmed this judgment.
- It is, in fact, bad practice to notify users for every vulnerability. If this were the norm, you would inundated with notices from practically every software product you interact with. Almost all of these notices would be virtually non-actionable by the user, and they would wash out the few notices of breaches which are actionable. There is a good reason why the GDPR does not demand notice for vulns; mass notices are reserved for incidents where there is a known exfiltration of a meaningful amount of user data!
- The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.
— They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.
Hack Club is an oddly-shaped organization with operations that often raise very real security concerns, but these are wrapped up in a complex web of tradeoffs that are very much still evolving as we refine and expand our core infrastructure. We are not Google, and it is a mistake to import reasoning from that kind of environment when analyzing our security/threat model. Nonetheless, privacy/security is something we think about and invest extensively in. In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault", and consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world. The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy! We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated. We serve or have served teenagers in almost every country, and GDPR is just the most prominent of many laws that are now on the books worldwide.
My child has been involved in Hack Club for a number of years, and I support their mission. However, HC do seem to be lacking in "adult supervision", and I understand that is kind of their approach: having the kids figure stuff out on their own. However, there are things that kids, due to lack of experience, just can't figure out for themselves. For example, the reliance on ChatGPT and reluctance to use professional SMEs is a very "immature" attitude.
This sort of cavalier attitude is going to get them in trouble; I'm honestly surprised that this hasn't already gotten them into trouble. Hack Club has enough money that they can easily be a worthwhile target if any of their decisions turns out badly.
I'm going to be a bit oblique here because I don't want HC to take this out on my child, but at one of the HC events, the "figure it out for yourselves" lead to our child making decisions and taking actions that could have very easily turned into life threatening. Another situation led to our child being "ditched" in a foreign city and unsure how to get ahold of anyone on the ground to help.
Hack Club is a great idea, and I'm glad it exists, but I do think that the way it is currently organized is going to end badly.
I would really like to know more about these incidents at HC events. We have a lot of very complex tradeoffs within hack club involving security/privacy/safety for exactly the reasons you identified (ie, giving teenagers a very high level of agency/responsibility in running programs). However, staff try to be extremely conscious of these tradeoffs and highly attentive to the realistic risk vectors that come about in our operations.
No teenager will ever (ever!) have anything 'taken out' on them by myself or anyone else that works here. Any time things go wrong or almost go wrong, we just want to know so we can manage that risk in the future. If you are willing to share, please reach out at [email protected]
> the "figure it out for yourselves" lead to our child making decisions and taking actions that could have very easily turned into life threatening
I haven't heard about Hack Club until this very story, so forgive my ignorance, but what exactly happened here? According to their website, it seems to be about a community for teenage programmers, who build open source projects together, sometimes during events. Looking around at the types of events they host, nothing really looks life threatening at all? I'm not doubting your experience, just curious how a bunch of programmers could end up in a life threatening situation during those sort of events.
As someone who is part of the Hack Club community, I would urge caution before blindly trusting this account.
- This person has also used their access to attempt to extort the admins and their Airtable data, demanding a bounty payment for access they were previously given.
- In her arguments about the program leads earning higher bounties, they had said that they both did bounties for Coinbase and Google, neither of which being non-profits
- Many of her arguments are flawed in other ways.
Theo (yes the ffmpeg guy) also commented on it in a livestream, and I would just point to that:
> This feels really in the weeds of something we are not supposed to see externally. It is a lot of writing for what seems like clueless people doing backend
They created a new website just for this topic, and named it "kill yourself LLC". Not something you'd do if you wanted to be taken seriously, just IMO. Smells more like a KiwiFarms user.
However there's still no excuse for these problems if they are describing it correctly. When you're storing the home address of thousands of users, (1) you shouldn't do that at all for this type of organisation and (2) you should be very careful to protect it and (3) the first several times it gets stolen, you should think harder about whether your protection is working and there should never be a several+1th time.
As someone who is/was also a part of the hack club community, this article is mostly correct. I've seen most of these events occur second hand as well in real time and can mostly corroborate with the accuracy of the article, except the minors in legal roles part. The community is severely mismanaged, data leaks happen often in very predicable ways and it does seem as if much of it is symptoms of vibe coding.
It's a really long article so he only seemed to read a few paragraphs about the security vulnerability and then said the line while scrolling too fast to read all of the other points. Can't blame him, not going to lie.
Companies should quickly realize that ChatGPT can go both ways - it can turn a "script-kiddie" into fully fledged hacker if vulnerabilities continue to be this sloppy. I am fairly certain that low-skill hacker sweatshops already heavily rely on LLMs to quickly exploit trivial vulnerabilities like these.
Like it or not but I feel like account logins, PII and payment stuff will have to be handled by central big orgs. Ideally, I would like that to be a competent open-source government service. For now it is big companies like Google that can shove its SSO around in accessible manner to other sites.
It's an article by a teenager. We weren't making any great websites as teenagers either. I remember websites with glaring contrast and moving marquees and blinks everywhere. At least the author here writes full words without abbreviating every word. So the author is already writing better than what I wrote as a teenager.
May I suggest you use reader mode to remove the annoying flashing background? If you can get past the annoying UX of the article, it has interesting stories about serious issues.
I just wanted to jump in as Hack Club cofounder and say Hack Club acknowledges this post-- it’s written by a young person we are familiar with: they were banned from Hack Club for harassing transgender kids, and they then recently tried to extort Hack Club for money, threatening to create problems and drama like this after we refused.
This post should not be taken seriously because the implication is wrong: Hack Club is compliant with data protection rules and is very careful with student data; Unlike almost every where else teenagers hang out on the internet, Hack Club does NOT monetize or sell student data or allow advertising to young people.
During one of our many summer programs, we had a situation where some students’ info was accessible publicly by mistake, and as soon as it was reported, we fixed it. No one accessed it and we apologized. You GOT us, ok? It happens and the young programmer responsible feels really badly about the fact that it keeps getting brought up in new and twisted ways.
We work around the clock with a fully trained staff to make sure that there won’t be any problems and to address them immediately if they come up. As I’ve stated in the past, this original post is from a disgruntled student was banned for really ugly behavior and yet they continue and it's sad to see it getting amplified here.
For all of you discussing the chatgpt, this was after borderline harassing an intern who quoted ChatGPT as a joke in her DMs. There was no legal advice. There used to be a previous version with receipts and screenshots if I remember correctly, with very, very extensive discussions within Hack Club (to the order of thousands of messages of critical discussion).
Please take what's said here with a grain of salt. This is the same person who attempted to extort Hack Club out of thousands by using an airtable token they previously had (all tokens have since been examined as to whether they are truly necessary).
> another asked: "if you found a security vulnerability within hackclub, severe or major, given how they have currently handled reports so far, would YOU report it and go through the same process and payouts that previous people have experienced?"
> the answer from most people was a resounding no.
Popular request is for the program to be expanded. I don't know about the "resounding no".
> teenagers are positioned as "independent contractors" to avoid employment protections, holiday pay, and wage floors. this isn't "scrappy nonprofit" energy - it's child exploitation dressed up as opportunity.
It isn't a full-time job.
> email compliance failures
Recently, email sending has been revamped, and there are tools to subscribe to individual mailing lists.
Criticism isn't ever censored - there's anonymous reporting, a public forum channel for feedback (which only has temporary threadlocks upon very inflammatory or irrelevant discussion), and you can discuss it anywhere else within the Slack.
I could keep going, but the raw truth is that this misses a lot of context for independent observers.
> This is the same person who attempted to extort Hack Club out of thousands by using an airtable token they previously had (all tokens have since been examined as to whether they are truly necessary).
I could be wrong, but I don't think that was OP.
> Popular request is for the program to be expanded. I don't know about the "resounding no".
Do a poll then. I for one agree with that and don't think that most people would report it.
> > teenagers are positioned as "independent contractors" to avoid employment protections, holiday pay, and wage floors. this isn't "scrappy nonprofit" energy - it's child exploitation dressed up as opportunity.
>
> It isn't a full-time job.
It quite literally is?
> Recently, email sending has been revamped, and there are tools to subscribe to individual mailing lists.
That I'll give you. They did recently revamp that and make it be functional.
> Criticism isn't ever censored - there's anonymous reporting, a public forum channel for feedback (which only has temporary threadlocks upon very inflammatory or irrelevant discussion), and you can discuss it anywhere else within the Slack.
Not true. Thread locks are often for 6 months to a year and the posts often aren't even inflammatory, just anti-HQ.
I would highly suggest to block JS while you're only browsing. It loads fast, most trackers won't load and better security as most browser exploits leverage JS all the time
I have a RTX Pro 6000 as my main GPU currently, and this website pins it to ~40% utilization! Never seen a website do that before, some sort of kudos to the webmaster is deserved.
It still renders smoothly though and doesn't go above 40C so I guess it could have been worse.
As someone who has co-founded and co-organized a leaderful non-hierarchical community that has lasted 10 years of weekly hacknights (we've literally never missed a week) and many generations of stewards... I've done reflection on the value of messiness/disorder and "aggressively relaxed" constraints. I sometimes tongue-in-cheek describe myself as having some meagre expertise in "operationalising anarchy", which is only half a joke :)
I suspect the things this author is critiquing and the internal resistance to it is DIRECTLY related to the wonderful things this org can do and how it operates.
I'm of the belief that you can't truly love a thing without loving its mother. This applies to orgs as it does all creatures undergoing evolutionary processes. If you do straddle this belief tension, you perhaps love something other than the thing you thought you loved. And this other thing you love will eventually take shape under your care and watch. Which is nice, that "what we put our attention on grows".[1]
So obviously, you are permitted to love a thing and take issue with its incubating process/culture, but I would suggest you're the site of contradiction that has some explaining to do. If you win and change the process of the thing you love, the thing you love is on a new path toward being something else. And maybe that's fine. A new seed will grow in the empty space. People probably need to have a thing to love that looks like the thing you loved. It will be back.
But there's some other healthy dissonance here that the author isn't grasping. I would say this to them: You are the bringer of the end of what you love, not its saviour. It's all good -- these transitions happen, and in a more zen sense, it can come to pass without [my] judgement. But just please understand your role. You're not a hero, you're a death. Maybe a healthy one, but a death all the same. The thing you love perhaps won't survive your care.
To be clear, I have very mixed feelings. The critiques are valid, but I wish I could acknowledge them without compulsion to demand an action. I think orgs that work like this need to stay small, only scale horizontally (inspiring/supporting other sister orgs to grow), and resist any central/vertical scaling that brings you under the rules and norms that they are desperately trying to steer clear of, but are now accountable to (according to our shared societal values).
I appreciate techspymax for making me realise the truth to a certified hacker who knows a lot about what his doing. I strongly recommend you hire him because his the best out there and always delivers. I have referred over 10 people to him and all had positive results. He can help you hack into any devices, social networks including – Facebook, Hangout, iMessages, Twitter accounts, Snap chat , Instagram, Whatsapp, wechat, text messages ,smartphones cloning ,tracking emails and also any other social media messenger or sites. It’s advisable to hire a professional hacker. Thank me later. Contact him here.Techspymax@ gm ail c o m
I participated in a few hackathons early in my career. I quickly realized that I wasn't benefitting at all from participating in them. In fact, they were a great way to fall behind in the work I actually needed to get done. Those organizing the hackathons on the other hand...
I'm not at all surprised that people are trying to program young teenage minds to think hackathons are a good pathway to advancing one's tech skills / career. Nor am I surprised to hear all of the sketchy behavior surrounding this organization and their leadership. It all fits very nicely together.
Hackathons can be fun. And I think that people should try and do one or two when they are in college (ideally run by a university, not a shady 3rd party). The microsoft puzzle challenge (idk if that still exists) is also great. These are fun, give you a bit of networking, probably wont get you a job. Your university work gets you a job.
I'm not going to pretend this is an easy read. So I wouldn't blame you if you stopped early. However, there's a section titled "the surveillance infrastructure (orpheus engine)" which claims that children's private information is being distributed to third-parties without consent.
I expected this to happen. I knew people who were involved in the organization who were unnecessarily chummy to TPOT/Postrat/FTX culture before it blew up.
No idea why this was flagged. This is a really good article in terms of both form and content and I was very surprised to learn that the author is actually also a teenager.
I get it, some people dislike the appearance but c'mon, this is HN. If we can use vi(1) on a 80 column terminal, reading an html page is not an impossible task.
> Hack Club has been handling children's data for 4 years without a privacy policy
The title doesn't make is sound bad.
I mean, besides lawyers, who cares if some legal document is missing. You can respect privacy without a privacy policy, plenty of people do.
Here, it seems the actual problem is that there is no adult in the room, literally. Just kids that are completely clueless about how to care about personal data. Here, "no privacy policy" doesn't just mean "we dislike paperwork", it means "we are letting kids play with personal data without adult supervision".
If they're ignoring GDPR because they're in the US, you can potentially flag these as COPPA violations. COPPA is serious stuff. Courts can fine over $50k for each violation, where each individual impacted can be considered a unique violation. COPPA applies to under 13s, I'm not sure if there are age restrictions in place to join Hack Club, but if there isn't even a privacy policy, I doubt age restrictions are properly enforced.
It would have been stupid if that's what actually happened :)
I am the Chris cited in the piece. We have actual legal counsel that we go to for legal advice! However, that's not what was being sought here. In this conversation, the question on the table was "What is a data breach?" according to common convention (setting aside the more technical question of what it means specifically in the context of GDPR). The author contended that a single address record—her own record, IIRC—retrieved as a test of an unsecured endpoint counts as a data breach, and therefore that we are legally obligated under GDPR to email all 5,000 participants about it. My contention was/is that a data breach implies exfiltration of a meaningful amount of data. This was a vulnerability, which we patched within about a day, but we had no reason to believe there was a breach by any definition. I pointed to a few sources to demonstrate the consensus definition of "data breach", and one of them was Gemini (or "Omniscient Robot God", as I called it in the conversation).
There are real issues touched on in this post, but the author is not a reliable narrator and they are flattening a very complex issue into a narrative that centers themself as the hero. In reality, this user was banned from our community for a long string of conduct violations, culminating in repeated incidents of saying horribly abusive things to other teenagers. They have been pursuing a grudge against the organization ever since.
[+] [-] blenderob|4 months ago|reply
Use reader mode, block Javascript or whatever it takes. Give the author a break. They're a teenager. What kind of websites were you making as a teenager? I'm sure one of those dark background websites with MARQUEEs and BLINKs with glaring contrast colors! So give them a break. Behind the annoying UX is an article about serious and appalling privacy and security issues.
Like read this:
> i raised this with chris, who's a full-time staff member (not a teenager), and he insisted that exposing physical addresses and sensitive info was "just a vuln" not a breach. said he's "never heard the term 'data breach' used that way" and... also relied on chatgpt instead of actual legal advice.
Actually this Chris guy has a point. I don't call it breach either. It's PII data exposure but it is a serious exposure. So I don't 100% agree with the OP but the cavalier attitude towards security coming from the staff of a legitimate organization is appalling.
It's just mind boggling that an organization handling PII data has such appalling privacy and security lapses and they still remain arrogantly indignant about it making bold claims about laws they don't understand, why, because ChatGPT told them so? Cherry on top is they are employing teenagers to answer legal questions! Not kidding! Just read the OP! Unbelievable!
[+] [-] hrimfaxi|4 months ago|reply
At least California defines it as
> unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
https://oag.ca.gov/privacy/databreach/reporting
[+] [-] SigmaEpsilonChi|4 months ago|reply
Nobody—certainly not any adult staff—at Hack Club relied on ChatGPT for legal advice. Nor do we employ teenagers to answer legal questions, we have actual legal counsel for that! Or in my personal case I ask my wife, who is a law professor, and then she asks ChatGPT (just kidding).
There is too much nonsense in this post to rebut line by line, and these conversations have all been had to death within Hack Club (we put a lot of time into transparently and publicly discussing our programs, problems, and decisions). Here's the short version of this saga:
- The author found a serious vuln in one of our programs introduced by a junior engineer
- We take vulns seriously—especially the serious ones! It was fixed immediately by a senior engineer upon report (within a day?)
- The author insisted that their test of the vuln to access their own address was a data breach, therefore obligating us to notify all 5,000 participants of this "breach" as per GDPR
- We judged this to be Prima Facie incorrect. A lawyer has since confirmed this judgment.
- It is, in fact, bad practice to notify users for every vulnerability. If this were the norm, you would inundated with notices from practically every software product you interact with. Almost all of these notices would be virtually non-actionable by the user, and they would wash out the few notices of breaches which are actionable. There is a good reason why the GDPR does not demand notice for vulns; mass notices are reserved for incidents where there is a known exfiltration of a meaningful amount of user data!
- The author was ultimately banned from the community not for their opinions on this matter, but because of a long streak of unrelated conduct issues that culminated in a spree of saying horribly abusive things to multiple other members of the community.
— They have been pursuing a grudge against the organization ever since. They are not a reliable narrator, this post is a fantasy version of events that casts them as a martyred hero.
Hack Club is an oddly-shaped organization with operations that often raise very real security concerns, but these are wrapped up in a complex web of tradeoffs that are very much still evolving as we refine and expand our core infrastructure. We are not Google, and it is a mistake to import reasoning from that kind of environment when analyzing our security/threat model. Nonetheless, privacy/security is something we think about and invest extensively in. In the past year we have started an organization-wide bounty system, moved all PII storage into a central "identity vault", and consulted extensively with a very fancy lawyer who specializes in corporate compliance with the growing raft of online privacy laws around the world. The good news is, according to that lawyer we already do almost everything we need to be compliant; we just need to publish a privacy policy! We are actively iterating on a mostly-finished draft of this document with our counsel, but it is taking time because, well, this stuff is very complicated. We serve or have served teenagers in almost every country, and GDPR is just the most prominent of many laws that are now on the books worldwide.
[+] [-] rsynnott|4 months ago|reply
[deleted]
[+] [-] linsomniac|4 months ago|reply
This sort of cavalier attitude is going to get them in trouble; I'm honestly surprised that this hasn't already gotten them into trouble. Hack Club has enough money that they can easily be a worthwhile target if any of their decisions turns out badly.
I'm going to be a bit oblique here because I don't want HC to take this out on my child, but at one of the HC events, the "figure it out for yourselves" lead to our child making decisions and taking actions that could have very easily turned into life threatening. Another situation led to our child being "ditched" in a foreign city and unsure how to get ahold of anyone on the ground to help.
Hack Club is a great idea, and I'm glad it exists, but I do think that the way it is currently organized is going to end badly.
[+] [-] SigmaEpsilonChi|4 months ago|reply
I addressed the post itself in another comment (https://news.ycombinator.com/reply?id=45921428&), so I'll skip that part.
I would really like to know more about these incidents at HC events. We have a lot of very complex tradeoffs within hack club involving security/privacy/safety for exactly the reasons you identified (ie, giving teenagers a very high level of agency/responsibility in running programs). However, staff try to be extremely conscious of these tradeoffs and highly attentive to the realistic risk vectors that come about in our operations.
No teenager will ever (ever!) have anything 'taken out' on them by myself or anyone else that works here. Any time things go wrong or almost go wrong, we just want to know so we can manage that risk in the future. If you are willing to share, please reach out at [email protected]
[+] [-] embedding-shape|4 months ago|reply
I haven't heard about Hack Club until this very story, so forgive my ignorance, but what exactly happened here? According to their website, it seems to be about a community for teenage programmers, who build open source projects together, sometimes during events. Looking around at the types of events they host, nothing really looks life threatening at all? I'm not doubting your experience, just curious how a bunch of programmers could end up in a life threatening situation during those sort of events.
[+] [-] Agreed3750|4 months ago|reply
- This person has also used their access to attempt to extort the admins and their Airtable data, demanding a bounty payment for access they were previously given. - In her arguments about the program leads earning higher bounties, they had said that they both did bounties for Coinbase and Google, neither of which being non-profits - Many of her arguments are flawed in other ways.
Theo (yes the ffmpeg guy) also commented on it in a livestream, and I would just point to that:
> This feels really in the weeds of something we are not supposed to see externally. It is a lot of writing for what seems like clueless people doing backend
[+] [-] linsomniac|4 months ago|reply
As the parent of a Hack Clubber, a lot of what is said here rings true to our experience with the Hack Club leadership.
[+] [-] immibis|4 months ago|reply
However there's still no excuse for these problems if they are describing it correctly. When you're storing the home address of thousands of users, (1) you shouldn't do that at all for this type of organisation and (2) you should be very careful to protect it and (3) the first several times it gets stolen, you should think harder about whether your protection is working and there should never be a several+1th time.
[+] [-] rlmineing_dead|4 months ago|reply
[+] [-] Diaphragmwp|4 months ago|reply
It's a really long article so he only seemed to read a few paragraphs about the security vulnerability and then said the line while scrolling too fast to read all of the other points. Can't blame him, not going to lie.
[+] [-] tomalaci|4 months ago|reply
Like it or not but I feel like account logins, PII and payment stuff will have to be handled by central big orgs. Ideally, I would like that to be a competent open-source government service. For now it is big companies like Google that can shove its SSO around in accessible manner to other sites.
[+] [-] prodigycorp|4 months ago|reply
[+] [-] blenderob|4 months ago|reply
May I suggest you use reader mode to remove the annoying flashing background? If you can get past the annoying UX of the article, it has interesting stories about serious issues.
[+] [-] casq|4 months ago|reply
This post should not be taken seriously because the implication is wrong: Hack Club is compliant with data protection rules and is very careful with student data; Unlike almost every where else teenagers hang out on the internet, Hack Club does NOT monetize or sell student data or allow advertising to young people.
During one of our many summer programs, we had a situation where some students’ info was accessible publicly by mistake, and as soon as it was reported, we fixed it. No one accessed it and we apologized. You GOT us, ok? It happens and the young programmer responsible feels really badly about the fact that it keeps getting brought up in new and twisted ways.
We work around the clock with a fully trained staff to make sure that there won’t be any problems and to address them immediately if they come up. As I’ve stated in the past, this original post is from a disgruntled student was banned for really ugly behavior and yet they continue and it's sad to see it getting amplified here.
[+] [-] mathiasdpx|4 months ago|reply
[+] [-] 5012345678903|4 months ago|reply
[+] [-] sadeshmukh|4 months ago|reply
Please take what's said here with a grain of salt. This is the same person who attempted to extort Hack Club out of thousands by using an airtable token they previously had (all tokens have since been examined as to whether they are truly necessary).
> another asked: "if you found a security vulnerability within hackclub, severe or major, given how they have currently handled reports so far, would YOU report it and go through the same process and payouts that previous people have experienced?"
> the answer from most people was a resounding no.
Popular request is for the program to be expanded. I don't know about the "resounding no".
> teenagers are positioned as "independent contractors" to avoid employment protections, holiday pay, and wage floors. this isn't "scrappy nonprofit" energy - it's child exploitation dressed up as opportunity.
It isn't a full-time job.
> email compliance failures
Recently, email sending has been revamped, and there are tools to subscribe to individual mailing lists.
Criticism isn't ever censored - there's anonymous reporting, a public forum channel for feedback (which only has temporary threadlocks upon very inflammatory or irrelevant discussion), and you can discuss it anywhere else within the Slack.
I could keep going, but the raw truth is that this misses a lot of context for independent observers.
[+] [-] VEBee|4 months ago|reply
I could be wrong, but I don't think that was OP.
> Popular request is for the program to be expanded. I don't know about the "resounding no".
Do a poll then. I for one agree with that and don't think that most people would report it.
> > teenagers are positioned as "independent contractors" to avoid employment protections, holiday pay, and wage floors. this isn't "scrappy nonprofit" energy - it's child exploitation dressed up as opportunity. > > It isn't a full-time job.
It quite literally is?
> Recently, email sending has been revamped, and there are tools to subscribe to individual mailing lists.
That I'll give you. They did recently revamp that and make it be functional.
> Criticism isn't ever censored - there's anonymous reporting, a public forum channel for feedback (which only has temporary threadlocks upon very inflammatory or irrelevant discussion), and you can discuss it anywhere else within the Slack.
Not true. Thread locks are often for 6 months to a year and the posts often aren't even inflammatory, just anti-HQ.
If you do want to actually talk more, contact me on my alt at https://hackclub.slack.com/team/U09Q734PGUU.
[+] [-] 1a527dd5|4 months ago|reply
[+] [-] udev4096|4 months ago|reply
[+] [-] mid-kid|4 months ago|reply
[+] [-] embedding-shape|4 months ago|reply
It still renders smoothly though and doesn't go above 40C so I guess it could have been worse.
[+] [-] PhilipRoman|4 months ago|reply
[+] [-] GaryBluto|4 months ago|reply
[+] [-] johnisgood|4 months ago|reply
[+] [-] NSPG911|4 months ago|reply
[+] [-] aavshr|4 months ago|reply
[+] [-] Elfener|4 months ago|reply
Oh wait, it's because it is too old to have WebGL support so the background crashed and thus consumed no processing power.
[+] [-] patcon|4 months ago|reply
I suspect the things this author is critiquing and the internal resistance to it is DIRECTLY related to the wonderful things this org can do and how it operates.
I'm of the belief that you can't truly love a thing without loving its mother. This applies to orgs as it does all creatures undergoing evolutionary processes. If you do straddle this belief tension, you perhaps love something other than the thing you thought you loved. And this other thing you love will eventually take shape under your care and watch. Which is nice, that "what we put our attention on grows".[1]
So obviously, you are permitted to love a thing and take issue with its incubating process/culture, but I would suggest you're the site of contradiction that has some explaining to do. If you win and change the process of the thing you love, the thing you love is on a new path toward being something else. And maybe that's fine. A new seed will grow in the empty space. People probably need to have a thing to love that looks like the thing you loved. It will be back.
But there's some other healthy dissonance here that the author isn't grasping. I would say this to them: You are the bringer of the end of what you love, not its saviour. It's all good -- these transitions happen, and in a more zen sense, it can come to pass without [my] judgement. But just please understand your role. You're not a hero, you're a death. Maybe a healthy one, but a death all the same. The thing you love perhaps won't survive your care.
To be clear, I have very mixed feelings. The critiques are valid, but I wish I could acknowledge them without compulsion to demand an action. I think orgs that work like this need to stay small, only scale horizontally (inspiring/supporting other sister orgs to grow), and resist any central/vertical scaling that brings you under the rules and norms that they are desperately trying to steer clear of, but are now accountable to (according to our shared societal values).
[1]: http://adriennemareebrown.net/2012/08/09/giftingmyattention/
[+] [-] SigmaEpsilonChi|4 months ago|reply
[+] [-] luna11|4 months ago|reply
[+] [-] tinfoilhatter|4 months ago|reply
I'm not at all surprised that people are trying to program young teenage minds to think hackathons are a good pathway to advancing one's tech skills / career. Nor am I surprised to hear all of the sketchy behavior surrounding this organization and their leadership. It all fits very nicely together.
[+] [-] ecshafer|4 months ago|reply
[+] [-] josefritzishere|4 months ago|reply
[+] [-] ForHackernews|4 months ago|reply
Headline really buries the lede: this is the issue, not some missing ToS boilerplate.
The map is not the territory, the security policy is not the security.
[+] [-] Benjamin_Dobell|4 months ago|reply
[+] [-] CactusBlue|4 months ago|reply
[+] [-] PhilipRoman|4 months ago|reply
I get it, some people dislike the appearance but c'mon, this is HN. If we can use vi(1) on a 80 column terminal, reading an html page is not an impossible task.
[+] [-] korse|4 months ago|reply
[+] [-] 1317|4 months ago|reply
[+] [-] GuB-42|4 months ago|reply
The title doesn't make is sound bad.
I mean, besides lawyers, who cares if some legal document is missing. You can respect privacy without a privacy policy, plenty of people do.
Here, it seems the actual problem is that there is no adult in the room, literally. Just kids that are completely clueless about how to care about personal data. Here, "no privacy policy" doesn't just mean "we dislike paperwork", it means "we are letting kids play with personal data without adult supervision".
[+] [-] Benjamin_Dobell|4 months ago|reply
[+] [-] lefrogman|4 months ago|reply
[+] [-] josefritzishere|4 months ago|reply
[+] [-] SigmaEpsilonChi|4 months ago|reply
I am the Chris cited in the piece. We have actual legal counsel that we go to for legal advice! However, that's not what was being sought here. In this conversation, the question on the table was "What is a data breach?" according to common convention (setting aside the more technical question of what it means specifically in the context of GDPR). The author contended that a single address record—her own record, IIRC—retrieved as a test of an unsecured endpoint counts as a data breach, and therefore that we are legally obligated under GDPR to email all 5,000 participants about it. My contention was/is that a data breach implies exfiltration of a meaningful amount of data. This was a vulnerability, which we patched within about a day, but we had no reason to believe there was a breach by any definition. I pointed to a few sources to demonstrate the consensus definition of "data breach", and one of them was Gemini (or "Omniscient Robot God", as I called it in the conversation).
There are real issues touched on in this post, but the author is not a reliable narrator and they are flattening a very complex issue into a narrative that centers themself as the hero. In reality, this user was banned from our community for a long string of conduct violations, culminating in repeated incidents of saying horribly abusive things to other teenagers. They have been pursuing a grudge against the organization ever since.