4 Comments
Sep 7, 2022 · Liked by The Underdog

Well, this is upsetting. Having been a member since the first month it was active and definitely logging in probably once a month at least, I have no doubt my email... which is literally my name... was leaked (rethinking that choice now, obviously).

I’m pissed he didn’t notify us. I’m tempted to drop a few super chats in his livestream tonight and be like, “wtf mate?”

author

I knew another paying subscriber, who tried a similar approach but it got drowned out in the sea of other comments. It's worth trying if you want to go for it.

Sep 7, 2022 · Liked by The Underdog

Lmao what an idiot, is it intentional?

author

It is very difficult to infer the intent of a person, and very easy to skew information one way or another to frame them in one light or another.

My personal opinion - but I could be wrong - is that it was incompetence and laziness on the part of the website developer. Was Tim Pool the developer? I don't know, but he does have an obligation to his reputation and the security of his site and others to ensure it is up to scratch security-wise.

If it was malice, we would have expected something a bit stealthier, kinda like the Chinese router backdoors that require at least a password to gain entry.

What tips me off that it is incompetence is the fact it uses an easily fixable debug mode, and the obviously incomplete privacy policy section which was lazily cobbled together in a half-finished state. A malicious actor would have either not bothered, or would have bothered to at least finish the section (even if they had no intention of complying with it).

I'm confident that they also ignore any feedback submitted via the form (another sign of laziness/incompetence), any information via direct email, and certainly there were no guarantees Tim even bothers to check his Gab account.

The part that becomes malicious to me was, if they had received the information and read it, failing to patch the issue, and, after finally patching the issue with threat of it becoming public knowledge if it didn't, failing to notify the users of the breach.

So it might have started off as a case of incompetence and laziness, but the end handling leans towards a suggestion of malice, given they're actively in breach of privacy breach notification laws.

Rather than doing what is right by their subscribers and notifying them, they'd rather keep the embarrassing debacle quiet.
