That is quite straightforward and makes it clear from all perspectives.
From the hacker "hat classification" perspective, that's obviously black hat, nothing gray about it.
From the legal perspective it's not a debate anymore (like in the original article): if you do this, it's clearly a crime, and if you get caught in whatever way (e.g. by bragging about it someplace later that leads to your person, or by testing a "discounted" pass in some place that has cameras), it's a straightforward conviction for extortion.
From the ethical perspective, that is an unethical action, doing that shows that the person is immoral.
But you are right, yes, it can be quite effective, and definitely makes it more likely that they will panic strongly enough to actually do something about the issue. It's just that if this happens, then it's not sufficient to just fix the hole, identifying and catching the perpetrator becomes a big part of what they should be doing.
My understanding was that you just threaten to do those things but don't actually follow through on those threats. Then it's grey hat and ethical but still not legal. If they actually pay the bitcoins and don't fix the issue then you despair and go on with your life. It's hard to spend the bitcoins without deanonymising yourself, but you can try to give them to charity or something.
No, simply making that threat ("send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database") is very definitely a crime (and black hat, and unethical) even without any followup.
That's as classic as it can be; there's nothing new or technology related about this. For example, sending an anonymous message "Send cash or I'll burn your house" is a crime (and unethical) even if you don't burn anything. It is a crime (and unethical) even if you're just making an empty threat and never intend to burn anything; it still is extortion.
Arson is one crime, and extortion is a separate crime punishable by itself. If you don't attempt to delete their data then you (obviously) don't get charged with deleting their data, but making threats like that is not acceptable in any way (legal or ethical) whatsoever. Once you press "send" on a message like that, you've crossed a very serious line.
Do you believe that you have a moral right to force them to do anything?
Is there a moral imperative that they are morally required to secure their systems and that others should/could demand that they must do so? It definitely could be in certain cases (for example, a hospital storing confidential data of their customers), but in the usual situation where it's just their data and their money, isn't that their moral right to decide how high a fence (if any!) they want to build around their property?
Telling someone "hey, you forgot to lock your door" is a good thing, but ultimately IMHO it's their decision if they want to lock the door or accept those risks.
Yeah, I agree 100%. But in a lot of the cases mentioned in this thread the private data of the company's customers was at risk. For example, the system in the original article allowed you to access other people's name, address and national ID number. I was thinking only of situations like these; there's no reason to threaten a company if they're the only ones at risk.
Okay, if private data of the company's customers is at risk, then it is a reason to push for some action, but it matters how you do it. In this case I don't see a big need for reinventing the wheel - this is a common issue for which all the options, pros, cons and risks have already been discussed and there is a somewhat clear consensus (with some debate about nuances) on the expected ethical action, and that is https://en.wikipedia.org/wiki/Responsible_disclosure or http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...? . Many nations have some more specific guidelines issued by e.g. their local CERT that are adapted to their local legal situation.
The process works reasonably well even if the vendor is not cooperative. In that case it is somewhat similar to the message proposed above, but substantially different - first, the threat is not that you'll destroy or publish their data (which is extortion) but that you'll publish your description of the vulnerability (which generally is not); second, the threat is not that you might consider damaging the data (i.e. stating that you'd be willing to do an immoral thing) instead that some other immoral people might damage the data; and third, the disclosure is not conditional on receiving money from them.
I can see that the proposed threat was meant in the same direction, and is somewhat similar to the "threat" implied in general responsible disclosure, i.e., if you don't fix it in 45 days then we'll publish info that most likely will mean that you'll get hacked. But it's substantially different, the details are quite important, and you'd need a good reason to deviate from the standard responsible disclosure guidelines.
I mean, what do you do when after sending a message "I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention." you see that they have not fixed the issue but have transferred the requested Bitcoins? It'd be a possible direct result of your actions. Is that a desirable outcome? Is that an ethical outcome?
You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"? It's obviously a crime.
> You don't see anything unethical or immoral about telling a company "I hacked your systems, send me money or I'll delete all your data"?
I do, however loup-vaillant's post also contained the following, which makes it neither immoral nor unethical:
> accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time>
Also, you need to panic them, you do not necessarily need to delete or copy their data (but even if you did, I see nothing evil in it. They are the ones that refused to fix it within the time given after all).
If you point out that my front door is unlocked, and I decide to keep it unlocked forever (i.e. refuse to fix it), then it doesn't mean that it somehow becomes ethical to enter my house and take my stuff. It might be stupid on my part to keep it unlocked, but a thief is still ethically a thief even if I carelessly kept it unlocked forever. My "door" might as well be a line in sand or a sign "don't enter" on a pathway - not a security measure at all, just an indication where the boundary is, but still unethical to cross it. Much more so would be sending a note "lock your door, send me money or I'll take or damage your stuff", as in the original example.
Threatening to harm someone unless they do what you say is immoral even if you don't harm them; it's not ethically acceptable to threaten others.
If you had classified information behind your open door, you could be sued if anyone stole it (or worse, depending on the level of classification). Sometimes, one is legally required to take appropriate steps not to unwillingly disclose information. I believe users' personal information should fall under this category. (I believe it does in some cases.)
If your leaving the door open leaves not only you, but others, vulnerable, the discoverer of the broken lock may very well have a moral obligation to protect those innocent people, by whatever means appropriate.
What is appropriate depends on the situation. I expect in most cases, just telling you the door is open may be enough. But if you are being particularly obnoxious, threats may be the only way. In some extreme cases, burning the house down to avoid the disclosure of the sensitive information that would harm countless innocents may be the best course of action.
The legal system even has analogous situations, where a judge can order the orderly destruction of some unsafe building. The only (yet crucial) difference is, judges aren't vigilantes. But this is fixable: one could have the law allow the vigilante to send a cease & desist letter saying "fix your door or I'll have a judge burn your house down".