Hacker News: randomgg's comments

Even if you could somehow tie work stress to causing his illness, it seems unfair to place the blame on you. If it was killing him, why didn't he have the agency to find another job? Why didn't your manager find a way to prevent those conflicts in the first place?


They have to convince themselves that OP is lucky/lying/their idea couldn't work, otherwise they're forced to confront the fact that they wasted their life working at megacorp when they could've done something else.


People that are wildly successful are lucky. They may have "made their own luck" by working hard, being smart, etc., but those factors are at most prerequisites, not predictors of success.

The people wasting their lives at megacorps, were they to quit and follow their dreams, would overwhelmingly be worse off objectively (one can debate whether they are richer in spirit).

I think that they've all confronted the fact that they are unwilling to risk a great deal at a small chance of success. I applaud those that risk like this and win, as well as those that fail. But let's not pretend that greatness is guaranteed by hard work or intelligence.


The problem with using “lucky” as a single term is it loses all nuance.

If I am a successful entrepreneur, it is likely I have been lucky. But the luck factor is less than a trust funder, born to rich parents. Or someone who won the lottery. And the lottery winner is less lucky than someone who didn't buy a lotto ticket but won Publishers Clearing House (i.e. they had to at least buy the ticket).

The world's rewards depend heavily on luck, but all too often I see things decried as "lucky" when that was only one piece of the equation. If we reduce luck to a binary, we may as well just do nothing and wait for good fortune.


Tap to pause, then you can scrub at the bottom.


If you find a security vulnerability, I don't think the right course of action is to spend thousands of dollars of GPU time to determine as many IPs as you possibly can, then write an economics paper about it.


The whole point is they aren't security researchers - they were doing research on the nature of posts on this forum. They worked out that they could do that, and so did - for the paper they wanted to publish having that information was the goal, and the way they did that was essentially in the methods section.

Certainly the attack itself is not worth publishing: it's not in any way novel or interesting; the "anonymization" ejmr did was fundamentally broken from presumably day 1. Nothing the authors did here was new, novel, or complex. The only change is that the cost of reversing has dropped from "a large organisation" to "a single PI's budget for a single paper" over 12 years.

We need to be very clear here: there is no part of the ejmr "anonymization" scheme that was correct for what they were trying to do. They did not salt the hash, the hash algorithm they used was considered deprecated a decade prior to ejmr existing, even the hash family they used is inappropriate for this purpose.

The reason for public disclosure of vulnerabilities is that the victims of those vulnerabilities need to know that they have been victims, and they need to know what information has been leaked by ejmr. Based on the actions ejmr took to change their hashing scheme, it's fairly clear ejmr found out about the vulnerability (maybe the researchers told them, maybe the researchers were not unique in discovering this). But we also know that ejmr did not inform any of its users that ejmr had been leaking information about them for 12 years.

Which is why it is necessary to publish this information - if this paper did not detail how terrible ejmr's "anonymization" was, it's pretty clear ejmr would not have told its users, and as the HN and similar comments indicate, plenty of people would believe that breaking ejmr's system was too hard for anyone else to do.

I'm tired of repeating this: ejmr was not anonymous, their attempt at anonymization was trivially broken from day 1, and defeating the anonymization is absolutely trivial and is not remotely challenging - literally the only difficulty is how long vs how much money to spend.


> They worked out that they could do that, and so did - for the paper they wanted to publish having that information was the goal

My claim is that they shouldn't have.

>Which is why it is necessary to publish this information - if this paper did not detail how terrible ejmr's "anonymization" was, it's pretty clear ejmr would not have told its users

I agree it's necessary to disclose the vulnerability to the victims (especially if ejmr wouldn't have), but it wasn't necessary to collect as much data as possible themselves and write a paper about it for their own gain.


> My claim is that they shouldn't have.

Studying the disposition and demographics of forum posters is not new, nor is this a unique example. The only issue here is the forum posters believe, based on incorrect claims from the forum, that they were anonymous. But their posts were not, and this is the first time it came up publicly, because this is the first time someone looked at this particular forum, in the context of "I want to publish a paper about the demographics of this forum".

The forum users have the right to feel angry that their posts were not anonymous, but that anger should be directed at ejmr, not the academic that made it clear their posts were not.

The posts on ejmr were not fully anonymous, and nothing can change that: there are more than 10 years of posts, all of which are public, none of which are [fully] anonymous. It does not matter whether this academic collected any of the information, because in a hypothetical world where they didn't and simply disclosed that none of the last decade+ of forum posts are anonymous, anyone else could do exactly the same thing. This is assuming, of course, that no one has done this in the past.

> I agree it's necessary to disclose the vulnerability to the victims (especially if ejmr wouldn't have), but it wasn't necessary to collect as much data as possible themselves and write a paper about it for their own gain.

What harm do you think writing a paper on forum demographics did? I am genuinely curious, because this seems like you're still just trying to find ways to blame the gross negligence of the ejmr folk on the authors of this paper.


Someone else is going to do it anyway. And you need a proof of concept. If you write "N thousand users may be exposed", perhaps you will include some proof of that.


"found" aka ran 3 quadrillion hashes on an A100 to crack the IPs


End result is the same.


Saying they "realized you could identify the location of many posts and wrote a paper" is downplaying the situation. The authors essentially ran a lookup table attack, computing over 3 quadrillion hashes to crack the IPs. The website owner incorrectly thought and claimed this would protect IPs, which are PII.

For more context, see here: https://marginalrevolution.com/marginalrevolution/2023/07/th...
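
The two comments above (the one explaining that ejmr did not salt its hash and used an unkeyed, fast hash family, and the one describing the recovery as a lookup table attack) both come down to the same design point: the IPv4 space is only 2^32 values, so a deterministic unkeyed digest of an address is a reversible encoding, whatever algorithm is used. The following is an added example, not ejmr's code or the paper's, showing the weak design beside a keyed (HMAC) pseudonymization and why a precomputed table reverses the first but not the second. The sample network, the secret key and the function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress

# Constructed: a single /24 from the documentation range stands in for the
# whole IPv4 space. The full space is 2**32 addresses, which is small enough
# to enumerate completely with a fast hash.
SAMPLE_NETWORK = ipaddress.ip_network("203.0.113.0/24")


def ipv4_space_size() -> int:
    """Number of candidate inputs an attacker must hash to table all of IPv4."""
    return 2 ** 32


def unkeyed_pseudonym(ip: str) -> str:
    """The weak design: a plain, unsalted digest of the address.

    Using SHA-256 instead of a deprecated algorithm changes nothing here; the
    problem is the tiny input space, not the strength of the hash.
    """
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """Hardened design: HMAC under a secret key that never leaves the server.

    Output is still deterministic (posts from one address stay linkable),
    but without the key a table cannot be precomputed.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def build_lookup_table(pseudonymize, network) -> dict:
    """Precompute digest -> address for every address in the network."""
    return {pseudonymize(str(addr)): str(addr) for addr in network}


def reverse_with_table(table: dict, digest: str):
    """Return the address behind a digest, or None if the table lacks it."""
    return table.get(digest)


def demo():
    """Compare the two designs on a constructed target address."""
    server_key = b"constructed-secret-key-kept-off-the-public-site"
    target = "203.0.113.42"

    # Unkeyed digest: one table over the address range reverses any post.
    unkeyed_table = build_lookup_table(unkeyed_pseudonym, SAMPLE_NETWORK)
    recovered = reverse_with_table(unkeyed_table, unkeyed_pseudonym(target))

    # Keyed digest: a table built without the real key never matches.
    guessed_key = b"attacker-does-not-know-the-key"
    wrong_table = build_lookup_table(
        lambda ip: keyed_pseudonym(ip, guessed_key), SAMPLE_NETWORK
    )
    not_recovered = reverse_with_table(
        wrong_table, keyed_pseudonym(target, server_key)
    )
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())
```

The keyed version only holds up while the key stays secret, and because it is deterministic it still lets a reader link posts from the same address to each other; rotating the key per period (or per thread) bounds that linkability, at the cost of losing cross-period correlation that a site may want for moderation. A slow password hash would not rescue the unkeyed design either: 2^32 inputs against a known, fixed salt is a one-time cost that an attacker pays once and reuses forever.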

