• dang 8 days ago

    See also https://www.justice.gov/usao-ndca/pr/three-individuals-charg...

    (via https://news.ycombinator.com/item?id=24012968, but we merged the threads)

    Also: don't miss that this thread has multiple pages of comments. That's what the "More" link at the bottom of the page points to. Or you can click here for page 2:


    • Taek 8 days ago

      Hitting a 17yo with 30 felony charges feels a bit steep to me.

      Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

      If a 17yo could do it, I'm sure a nation state could do it.

      • slg 8 days ago

        The age of the attacker is irrelevant to Twitter's role in this story. However your underlying point still stands. If we want these types of attacks to stop, we can't just let all these companies off with a public embarrassment being the primary punishment. At a certain point we have to start calling it negligence when companies fall for these attacks and fail to have proper precautions in place to prevent them.

        • nickff 8 days ago

          From memory, I recall the FBI did a study, and found that half of their employees would plug in a USB drive that they found on the ground in the parking lot. After training, that number was reduced to a quarter. If a security-focused government police agency is so vulnerable, it is unreasonable to expect perfection from a (less paranoid) company.

          • slg 8 days ago

            Then you need processes in place to make sure a single person being careless can't do this much damage. There are low tech solutions that would greatly improve security[1], however the overhead this introduces is hard to justify in a world in which these breaches aren't that damaging to a company. We need to change incentives for companies by either mandating these security practices or implementing harmful repercussions for choosing a less secure approach.

            [1] - https://en.wikipedia.org/wiki/Two-man_rule

            • nickff 8 days ago

              I agree that better security practices are advisable, but you're victim-blaming.

              Twitter wasn't 'asking for it', and neither were the individuals who lost bitcoins; the 'hackers' intentionally perpetrated deceptions, misrepresentations, and fraud against both Twitter and the general public. If you compare what these three did to a white-collar crime, the dollar amount was small, but the behavior was egregious.

              • slg 8 days ago

                The push against "victim blaming" is not about removing any possible role a victim would have in their victimhood. It is about destigmatizing victimhood and not blaming victims for things that are out of their control or that any other reasonable person would do.

                Let's imagine a situation in which someone breaks into my house and steals my TV. I deserve a decent amount of blame if I left my front door wide open before it happened. I deserve much less blame, but still some blame if I left my front door unlocked. I don't deserve any blame if someone broke down my front door to do it.

                In this situation, Twitter left their front door unlocked.

                Furthermore, Twitter is not even the primary victim here. The biggest victims are the people whose accounts were stolen and the people who were tricked into losing their bitcoin.

                • bryanrasmussen 7 days ago

                  No one deserves any blame for being burgled when leaving their front door opened - however if a bank leaves the vault open they deserve blame because what's in the vault is not just theirs. Twitter left the vault open.

                  • kelnos 7 days ago

                    That's absurd. If someone does something risky, and gets burned, they share some of the blame for it. Even if they accidentally left their front door open, that's still on them.

                    Certainly the burglar deserves the lion's share of the blame for what happened, but there's plenty to spread around.

                    My view is that if a reasonable person would have taken actions that would have avoided the issue in the first place, a person not taking those actions shares in the blame.

                    My bicycle got stolen from my garage a couple weeks ago. The garage was closed and locked, but someone forced the door at 4am and stole my bike. My bike was not locked to anything. My neighbor's bike was locked to a railing a few feet away from my bike, and did not get stolen. I share some of the blame here because if I had locked my bike up -- an entirely reasonable and prudent thing to do -- my bike would likely not have gotten stolen.

                    I think maybe the issue is because people are conflating blame with shame. No one should be shamed for stuff like this; it's a learning opportunity. I accept blame and responsibility for my part in my bike's theft, and if/when I get a new bike, I'll take better care to secure it, even when it's indoors.

                    • watwut 7 days ago

                      Leaving the door open is risky only because there are people who steal around. Not because leaving the door would be risky no matter where you live and who is around.

                      If people locked bikes in garages, people eager to steal bikes would have tools to cut chains in garages. So while it is safer to lock the bike, the blame for stealing goes to whoever stole it.

                      • JoshuaDavid 7 days ago

                        The internet is a place where everyone, everywhere is "around". You can talk about who to blame all you want, but blaming the attackers just means that you'll be attacked by people who don't care if you blame them. It's not an effective way of solving the problem.

                        And remember that "the problem" is that the attackers hijacked the accounts of people using twitter. Twitter had a duty to take adequate measures to protect those accounts, and failed to do so. The victims are the people whose accounts were stolen, and the people who were defrauded by the hijacked accounts.

                    • drivingmenuts 7 days ago

                      When did a pie on a windowsill become a free pie?

                      That’s hobo mentality.

                      It’s not your pie. Keep your goddamn hands off the fucking pie.

                      • TheOtherHobbes 7 days ago

                        If hobos are a known problem, you have no right to be shocked when one steals a pie.

                        If hackers are a known problem, a huge company like Twitter has no right to claim it was completely blindsided when it gets hacked.

                        Twitter is a multinational corporation with access to the personal data of hundreds of millions of users.

                        It has a duty of care to those users, and at a minimum it should have a dedicated team with security policies and recovery plans.

                        Aside from the reputational damage, an aggressive and ambitious lawyer could make a good case for a very expensive class action if those plans turn out to be defective and/or inadequate.

                      • tomp 7 days ago

                        They absolutely deserve the blame. At least if I was an insurance company, I’d definitely put that in my contract.

                        • bryanrasmussen 7 days ago

                          Ok well, according to this https://www.awinins.ca/blog/am-i-covered-if-i-leave-my-front...

                          "As long as it can be established that your possessions have been taken without your permission most policies will pay out on a claim even if your front door was unlocked or your window open."

                          so - as it says later "Familiarise yourself with the terms of your policy" which I guess would lead me not to buying insurance from your company.

                          Aside from that allowing insurance companies to determine who 'deserves blame' seems to run counter to the common perception regarding the moral worth of insurance companies.

                          • skinnymuch 7 days ago

                            The OP was making a point. Not actually getting into what legal (not relating to ethics) mechanisms there are for insurance.

                      • briandear 7 days ago

                        No. Theft is still theft. The door could be wide open and someone that chooses to go on and steal is just as much a thief as the door breaker.

                        Should we blame women for dressing provocatively if they are raped? Should a murder victim be afforded less justice if they were walking around in a bad neighborhood? A crime isn’t a crime if the potential criminal chooses not to act. The ease of committing the crime should have no relevance. Someone doesn’t just accidentally walk into your unlocked house and steal a TV. It’s a choice and blaming the victim is simply wrong.

                        • orestarod 7 days ago

                          It depends on the situation. Blaming for negligence does not wash the criminal off their crime. Going alone and naked in front of a pride of lions will get you killed. The lions will do the killing, sure. But you placed yourself in a powerless position against predators, and you were at their mercy, and there lies your blame. You can be preemptive and kill the lions beforehand, or tame them. Maybe you are not able to do that at all at this time - and that was true until we made good enough weapons. But until measures are taken, and if you know the dangers, avoid them.

                          A woman that goes in a bad neighborhood dressed provocatively and that eventually gets raped, made the mistake of going there in the first place - and honestly speaking, the dress makes no difference. She placed herself in a situation where she is powerless against potential predators, and thus she will go by the predator's rules - because she is forced to do so. That does not mean we should not change this. We should do everything in our power to protect women, and make sure there ARE no such places dangerous for women. Until that happens, to avoid the danger wherever it is is better than rightfully punishing the criminals after the crime happens.

                          That is not a sexist matter, that goes for countless situations in this world. Women and men alike, or whole other groups are powerless against other people, depending on the situation, and it IS wise to avoid the danger, until we fight to eradicate this powerlessness on each occasion. You can go on despite the dangers to make a statement or in order to contribute to eradicate them, but you know what you are getting into.

                        • saurik 8 days ago

                          > I don't deserve any blame if someone broke down my front door to do it.

                          I mean, you could have gotten a more sturdy door... drawing the boundary between someone opening an unlocked door and breaking down the door is hard; so I'd agree with "even less blame", but if we believe you are ever at blame here, there isn't anything magical about the lock that shifts you from having blame to being blameless.

                          • slg 8 days ago

                            To repeat myself, the opposition to victim blaming is about "not blaming victims for things that are out of their control or that any other reasonable person would do." I acknowledged that a standard lock is generally not going to stop many determined criminals, but it is an acceptable baseline that all reasonable people can be expected to meet in order to help prevent their home from being burgled. You can of course go above and beyond that, but I think anyone who meets that baseline standard doesn't deserve blame.

                            Back on topic, I think lots of people would agree that allowing low level employees the ability to completely hijack the accounts of some of the most prominent people on the planet with zero oversight is not a reasonable level of security.

                            • saurik 8 days ago

                              Well, I think "the problem with victim blaming" is that it implies that there is something "a reasonable person" has to do in order to not get attacked: a woman should be able to walk around naked, for example, without being raped, and we shouldn't say "well any reasonable person would have at least worn clothes".

                              In fact, I would then claim pretty forcibly that a lock strong enough that someone has to break your door is absolutely not the thing reasonable people should have to do to prevent theft (assuming one believes in the idea that people own things, of course ;P).

                              Like maybe a chain lock should be good? I remember a glorious scene of some cartoon which was like "you know what this chain lock says? it means you aren't getting in here... unless you push with your hands". Closing your door is really not good enough? Having an exposed area with a door--even if open--that looks like a door of a household and not a business?

                              Look: I appreciate and even agree with the idea that Twitter should have blame here in some very real sense, in that someone always could have done better to protect you if they take responsibility for something about you, particularly if they don't really leave you much choice in how they do it: your friend who borrows your car and leaves it unlocked with its windows down is being negligent; and Twitter here looks like they didn't even try hard to protect anything.

                              But the reality is that we shouldn't think there is some magic level of "responsible" below which there is blame and above which there is no blame... in this kind of tug of war either we are working in the philosophical regime that you are ever to blame--in which case we can talk about matters of degree--or you are never to blame, but drawing some arbitrary line about "well the data storage was technically X3 7066 compliant, so this is on the other party" is actually an extremely dangerous thought process as it sets us up for companies putting in place minimum security theatre provisions that they know don't work but which they know technically absolves them of blame as it is reasonable (which is a thought process that crops up constantly).

                              (And seriously: is using a large, centralized social networking site and not expecting your data and accounts to be hacked every now and then reasonable? All of them get hacked. Thereby why are we stopping the blame at Twitter? If we are going into the philosophical regime of truly assigning blame, users should "know better by now" and stop using systems with centralized databases, right? I work in the field of decentralized systems and I absolutely am confused as to why people think their data in the "cloud" is secure and absolutely do not consider their usage "reasonable".)

                              (And like, to explain that context: this is all coming from someone in the field of hacking and security research who is also in progressive politics and thinks throwing the book at this kid with 30 felonies is ridiculous and maybe he should get some community service at best for what he did, and that we should be regulating big tech more to increase their liability as if we don't then it is essentially giving "moral subsidies" to centralized systems and making it harder for distributed, self sovereign, and end-to-end encrypted systems to compete. I actually agreed with your original comment, but in your defense against an accusation of "victim blaming" you actually do seem to have an inconsistency in your mental model and it is the same one we have to push back against in arguments about victim blaming for sexual assault: the lack of any specific protection doesn't mean you have something to blame for someone assaulting you. The argument for regulating against Twitter and holding them accountable has to come from somewhere different.)

                              • Fnoord 7 days ago

                                In The Netherlands we have law to protect the youth against smart, sophisticated hacks (we're not talking about (D)DoS here). These people are then taught lessons about ethics and how they can apply their knowledge for Good.

                                As such, my proposal of punishment would be to give this fellow an unpaid, mandatory internship at Twitter. This teaches them to learn their victim, and Twitter can teach the perpetrator the proper way to handle a company's problems. Show him how fun red teaming or blue teaming or pentesting can be.

                        • kelnos 7 days ago

                          > you're victim-blaming.

                          Twitter is not the victim here; the users who had their accounts taken over are. Twitter did not lose anything, except an entirely reasonable loss of reputation, because they could have taken measures to prevent this sort of thing from happening, but did not.

                          Companies need to be held accountable for their breaches. Sure, sometimes a company did do everything they could to prevent a breach, and took steps to mitigate the damage in the event of a breach, and they still happen. But that is vanishingly rare. The main thing I've learned from all the breach disclosures (at least where companies are truthful and forthcoming about what happened) is that security practices are lax and insufficient pretty much everywhere.

                          That's not ok, and we need to do something to incentivize these companies to properly protect our data, before we all become victims. If financial sanctions and public shaming is the best way to do that, so be it.

                          • ksm1717 8 days ago

                            While the words do sound like victim blaming, I'd argue that sweeping conclusions that sound like the common rhetoric like “victims can do no wrong” deserve both careful consideration and some wiggle room. Not to mention that it’s a completely different situation than the usual instances where victim blaming is both toxic and common. The only egregious victim blaming that I can think of would be saying “those whose accounts were hacked were asking for it by being on twitter”. And I hope nobody is saying that.

                            I have a feeling that a vast majority would agree that choosing to send your money to a celebrity’s (apparent) bitcoin wallet for any reason will be tough to feel victim-sympathy for, and possibly asking to never see that money again given all of the well regulated systems and norms of money transfer that we have used for decades to centuries. But I understand that they were still taken advantage of and agree that they are victims.

                            Twitter is to blame here. The only thing they are a victim of is failing to protect their users (whom they have the obligation to protect) in a game where they have the ability to be solely the masters of their own security destiny.

                            • ramblerman 7 days ago

                              > but you're victim-blaming. Twitter wasn't 'asking for it'

                              It's a bit pathetic to extend this rape analogy to a business. We don't hold individuals and corporations to the same legal, and/or quality standards.

                              So, hopefully we can discuss these important policy issues without worrying if "twitters" feelings get hurt.

                              • rschneid 8 days ago

                                Twitter is a platform used widely by some of the most powerful people in the world and in the US government. As a result, there is plenty of justification and precedent for said gov't to regulate their security practices and procedures. To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http.

                                Now, I don't think the government is prepared to do this proactively and effectively, but the idea of a telco that advertises resilience to hacks (whether through social engineering or technical incompetence) sounds like it would be quite appealing to a growing segment of the connected world and whatever such promises that find success in the marketplace might be used to inform legislation or regulation, eventually...

                                • saghm 8 days ago

                                  > To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http

                                  This is probably off-topic, but companies shouldn't even be sending the passwords over HTTPS; passwords should be hashed client-side and then the hash should be sent to the server (preferably over HTTPS).

                                  • Wouldn't that allow for a compromised database to leak the information a nefarious user needs to log into accounts? Compared to needing to find a collision if a database of hashes leaked?

                                    • nicoburns 8 days ago

                                      I think client-side password hashing is generally in addition to server-side hashing. Not instead of it.

                                    • helsinkiandrew 8 days ago

                                      Can you elaborate on how this makes things more secure (assuming HTTPS)?

                                      Surely if the server accepts a client side hash of a password, then the hash has become the password.

                                      • namibj 8 days ago

                                        At that point you can do key derivation to get an ed25519 private key from the password and a server-supplied salt (specific to that user), after which the client signs a challenge the server supplied with that private key. When the password was set/changed, the corresponding public key was stored on the server.

                                        • mewpmewp2 7 days ago

                                          Off the top of my mind. Maybe it could be something like that:

                                          1. Api gives user a fixed salt.

                                          2. User types password into input.

                                          3. Client hashes and sends hash to server.

                                          4. Server has another salt and uses the client sent hash to hash it again.

                                          5. This final hash is compared to what is in the database.

                                          This way server never has knowledge of the original PW and it's never sent over the network. This reduces for instance the chance of password getting logged in the service etc.

                                          • helsinkiandrew 7 days ago

                                            But in that case the hash sent to the server in stage 3 is always the same and behaves like a password - capture it and you can use it again elsewhere.
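The two login designs sketched in namibj's and mewpmewp2's comments above, side by side, including the replay helsinkiandrew points out. This is an added Node.js example, not code from the thread; the class and function names, the choice of scrypt as the KDF and the sample password are assumptions.

```javascript
// Added example: hypothetical names throughout; sample credentials are constructed.
const nodeCrypto = require('crypto');

// scrypt with Node's default cost parameters; 32-byte output.
const kdf = (secret, salt) => nodeCrypto.scryptSync(secret, salt, 32);

// Scheme 1 (mewpmewp2's steps): the client sends kdf(password, fixed salt),
// the server hashes that value again with its own salt and stores the result.
class HashLoginServer {
  constructor() { this.users = new Map(); }
  register(user, clientHash) {
    const serverSalt = nodeCrypto.randomBytes(16);
    this.users.set(user, { serverSalt, stored: kdf(clientHash, serverSalt) });
  }
  login(user, clientHash) {
    const u = this.users.get(user);
    if (!u) return false;
    return nodeCrypto.timingSafeEqual(kdf(clientHash, u.serverSalt), u.stored);
  }
}

// Scheme 2 (namibj's description): password + per-user salt -> Ed25519 seed.
// The fixed bytes are the PKCS#8 header for a raw 32-byte Ed25519 private key.
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');
function keyFromPassword(password, salt) {
  const seed = kdf(password, salt);
  return nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8',
  });
}

class SigLoginServer {
  constructor() { this.users = new Map(); this.pending = new Map(); }
  // The server stores only the salt and the public key.
  register(user, salt, publicKey) { this.users.set(user, { salt, publicKey }); }
  startLogin(user) {
    const u = this.users.get(user);
    if (!u) return null;
    const challenge = nodeCrypto.randomBytes(32); // fresh for every attempt
    this.pending.set(user, challenge);
    return { salt: u.salt, challenge };
  }
  finishLogin(user, signature) {
    const u = this.users.get(user);
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use, whether it passes or fails
    if (!u || !challenge) return false;
    return nodeCrypto.verify(null, challenge, u.publicKey, signature);
  }
}

// Client side of scheme 2: re-derive the key and sign the server's challenge.
function signChallenge(password, { salt, challenge }) {
  return nodeCrypto.sign(null, challenge, keyFromPassword(password, salt));
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample
  const result = {};

  // Scheme 1: the value on the wire is the same at every login.
  const s1 = new HashLoginServer();
  const fixedSalt = Buffer.from('per-user-fixed-salt'); // constructed sample
  const wireValue = kdf(password, fixedSalt);
  s1.register('alice', wireValue);
  result.hashLogin = s1.login('alice', wireValue);
  // A copy of the wire value (from a log or a proxy) works without the password.
  const captured = Buffer.from(wireValue);
  result.hashReplayAccepted = s1.login('alice', captured);

  // Scheme 2: the value on the wire is a signature over a one-time challenge.
  const s2 = new SigLoginServer();
  const salt = nodeCrypto.randomBytes(16);
  const publicKey = nodeCrypto.createPublicKey(keyFromPassword(password, salt));
  s2.register('alice', salt, publicKey);
  const sig = signChallenge(password, s2.startLogin('alice'));
  result.sigLogin = s2.finishLogin('alice', sig);
  // The captured signature does not match the next challenge.
  s2.startLogin('alice');
  result.sigReplayAccepted = s2.finishLogin('alice', sig);
  // A wrong password derives a different key, so verification fails.
  const attempt = s2.startLogin('alice');
  result.wrongPasswordAccepted = s2.finishLogin('alice', signChallenge('guess', attempt));
  return result;
}

console.log(demo());
```

Scheme 2 removes the replayable wire value, but a leaked salt and public key still allow offline password guessing, so the KDF cost still matters.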

                                    • Green_man 8 days ago

                                      Twitter controls a platform that they profit from. They have a clear responsibility to make their platform harder to abuse. We can't simplify the "victim" as simply Twitter itself, we must (as you did) consider the other victims: the owners of the accounts that were hacked, the narrow user base of twitter that was conned, or the general user base that have lost trust in the platform. These users could have great security discipline on their own accounts, but they couldn't do anything about holes in Twitter's backend. Other comments have mentioned front door locks for the metaphor of reasonable responsibility, but in the perspective of the Twitter users themselves, the broken lock was one they didn't control. Twitter must do better in the future, and whether or not legislation is passed to pass culpability, the general public will respond to future lapses in security.

                                      • madaxe_again 7 days ago

                                        No, twitter is the perpetrator here, by having woefully inadequate systems. The kid is the victim, of his own hubris, and of twitter freely leaking customer information to anyone who asks for it.

                                        I used to be CTO of an ecommerce platform - small fry, barely £1bn in annual transactions - but it was always absolutely clear in my mind that any breach would be my fault through negligence.

                                        • senorjazz 7 days ago

                                          > victim-blaming.

                                          Sometimes the victim deserves some blame. Or at least their actions analysed to see where blame lies

                                          • partyboat1586 7 days ago

                                            Victim blaming is for when people have been psychologically abused. It doesn't apply here.

                                            • edf13 7 days ago

                                              It isn’t victim-blaming, it’s expecting Twitter to have relative safeguards in place and not have relative open doors to allow one person access to world leading accounts!

                                              • TwoBit 7 days ago

                                                The fact that Twitter had a system in which any of thousands of employees at all levels could single-handedly with no oversight alter any of the information in any account shows this was absolutely Twitter's fault.

                                            • addicted 7 days ago

                                              Did anyone in the FBI get fired for plugging in a USB drive into their computers?

                                              If they did I bet those numbers would change pretty quickly.

                                              Similarly, if Equifax had been shut down under the mountain of lawsuits they should have had for losing people’s data, I bet security would become a much bigger concern for everybody.

                                              The FBI study basically shows that consequences are important.

                                              • varenc 8 days ago

                                                An acquaintance of mine worked at the NSA and they also deal with this.

                                                He said during his first week he made the mistake of putting a CD-ROM with some official training materials into his work system. Within 10 minutes two people showed up to stop him and investigate what was going on with his computer. It was fine in the end but he was seriously reprimanded by his boss.

                                                When you can’t trust users, the answer isn’t just to give up! It’s to acknowledge their fallibility and create a system that doesn’t rely on 100% compliance. In this case that means having software that instantly reports when any external media is connected.

                                                • i1856511 8 days ago

                                                  This seems silly. Network admins can determine he inserted a CD and respond immediately in person - but nonetheless issue PCs with CD-ROMs and the ability to interact with removable media?

                                                  • stqism 8 days ago

                                                    If it’s anything like the DoD does, the reason USB ports and CD drives aren’t physically disabled is because sometimes using authorized devices and media is required to perform your official duties.

                                                  • solipsism 8 days ago

                                                    And the same acquaintance described those NSA security protocols to you, who are now talking about them in a public forum. If your acquaintance actually did work for the NSA (God help us), he probably shouldn't have.

                                                  • Swizec 8 days ago

                                                    I remember an article a few years ago saying that large % of office employees would trade their password for chocolate.

                                                    Ah yes here we go, large scale study, 43% of participants gave away their password when bribed with a chocolate bar. People just don't realize how valuable passwords are.


                                                    • davinic 8 days ago

                                                      > If the chocolate was only given out afterwards, 29.8 per cent of participants revealed their passwords.

                                                      Nearly 30% of people just gave out their password and didn't even know they were getting chocolate! They gave it away for literally nothing.

                                                      • manquer 8 days ago

                                                        The study says 29% gave the password without chocolate as well.

                                                        Some were given chocolate before and after, nowhere it says chocolate was offered as payment for sharing the password. Small gifts could have been inducement to establish relationship and trust, not the same as a bribe as you characterise it.

                                                        I find it hard to believe 25/40% plus people readily share their password to total strangers, without knowing more details it seems unrealistic.

                                                        Social engineering is still a problem but am not sure bribes are the real concern. And to insinuate the cost of bribing is as low as candy for significant chunk of the population is just wrong.

                                                        • transitionnel 8 days ago

                                                          What kind of mindset would lead to this behavior?? Maybe it doesn't matter. It feels -to me- like simply being exposed to people who say things like: "What?-- no, that's not good" while remaining professional, respectful, and humorous, is a vaccine against not wanting to seem jerky, yet staying secure.

                                                          • manquer 8 days ago

                                                            Perhaps it did not come out as I hoped, if it was offensive I apologize.

                                                            The premise that integrity of most people is bribed by few bars of candy was offensive to me I hope it is to you as well. The sensationalist headline basically claimed that, the abstract was a very different statement.

                                                            I am tired of studies that are constantly being cited these days: readers, journalists and even the principals invariably sensationalize the headlines.

                                                            It is a losing battle to get anyone to critically analyse information presented to them, sooner or later you are going to snap. Whether it is alternate medicine, creationism, or conspiracy theories there is a real damage out there everyday , few people ( Jon Stewart? ) are articulate despite being frustrated and are able to civil engage in discussion.

                                                            Even if the study actually claimed what the headline said, the bar to peer reviewed respected research in much of psychology and social sciences seems so low that just getting some correlation between two parameters is good enough. Raw data is rarely shared, and statistical methods used are superficially understood and discussed; half the analyses are just putting data into a tool like SPSS with whatever defaults IBM puts in these days. There is not much scope for replication of a finding, a core principle of the scientific method.

                                                            • nicoburns 8 days ago

                                                              To take your question literally: a trusting mindset. Many people default to assuming that people they meet mean them no harm

                                                        • Veserv 8 days ago

                                                          Except this is not expecting perfection, it is expecting a level of security that can prevent children, literal children, from walking right through it. Which would not even be a problem except for the fact that this is far, far less than what Twitter has led their average user and stockholder to believe. To illustrate my point, if Twitter told the truth in big bold print at the top of every page so every user knows: "Determined teenagers can take over your account at any time." do you think this might outrage their users or harm their stock price? Did Twitter at any point say anything that might indicate that this is the truth of the matter and that would not be easily misconstrued by users? The evidence indicates yes, they would be outraged, and no, they at no point ever said anything that would lead anybody to believe that this was possible and hilariously easy. So, it hardly matters that maybe they or anybody else (say the FBI) can not provide a high level of security, what matters is that they committed material fraud in egregiously misrepresenting their product security to their users and stockholders.

                                                          • davinic 8 days ago

                                                            Exactly. At least one of these kids used their personal gmail account on the hacking forum. These are not advanced hackers.

                                                            • ta17711771 8 days ago

                                                              They've done more than you, and the majority of others, though.

                                                              • CydeWeys 8 days ago

                                                                And robbers have done more robbing than me too. It's not a competition I'm interested in entering.

                                                            • ISL 8 days ago

                                                              One underestimates the capability of determined teenagers at one's peril.

                                                              • TheSpiceIsLife 8 days ago

                                                                And many of them live in what amounts to a serviced apartment above a restaurant.

                                                                Idle hands.

                                                              • dllthomas 8 days ago

                                                                > expecting a level of security that can prevent children, literal children, from walking right through it

                                                                Well, that's your problem.

                                                                • Veserv 8 days ago

                                                                  Oh believe me, I am under no illusion about that fact. My point is that the average user is completely unaware of it and Twitter, like most other companies, has gone to great lengths to obscure this material fact from their users and stockholders. If they told their users and stockholders, in no uncertain terms, the level of security they actually provide, which is massively different than what the users and stockholders believe, then I would not fault them for upholding their promises even if they are lackluster.

                                                                  The problem is that they have not revealed the massive discrepancy between the common expectation and the truth which I, and I suspect most people, would consider to be fraud. Some might argue that they did not guarantee the common expectation and therefore it is the consumers problem for engaging in wishful thinking, but that is frankly a ridiculous argument. We generally expect, and the law codifies, certain requirements on the consumer-business relationship which effectively amount to: "Consumers have certain reasonable expectations based on common sense, you can't just willy-nilly toss those in a contract and blame the consumer for not reading a 100 page contract where you get to sacrifice their first born in fine-print every time they buy bananas." I do not believe the law exactly codifies this form of fraud, but I think most would agree that a massive discrepancy between consumer expectation and the truth should be clearly communicated (the larger the discrepancy the more clearly/loudly) and acting otherwise should be at the least in the general vicinity of fraud.

                                                                  In my opinion, the discrepancy is sufficiently large that it should constitute either criminal fraud or gross negligence depending on how aware Twitter was as to their own internal security. If they were aware, they engaged in fraud given they made no effort to properly inform anyone of their security. If they were not aware, they are grossly negligent in that they could not observe such a massive discrepancy between their beliefs and the truth. To anybody who reads this and says that this is a "heads I win, tails you lose" situation, I say that this is a result of the ridiculous discrepancy. If it were less ridiculous, like say a small group of organized hackers or a top-flight hacker, it would probably not qualify as gross negligence in Twitter's case if they were unaware, though it might still be fraud depending on the expectations laid out.

                                                                  Incidentally, this reasoning scales to other cases people have mentioned like nuclear power plants or banks where people have certain expectations on their security which are likely different and more stringent than Twitter. The important thing is not that they all have the same high level of security, it is that the expectation matches reality and the reality is properly communicated.

                                                                  • dllthomas 8 days ago

                                                                    My point was that there is no such level of security. It was a joke.

                                                                • pcmoney 8 days ago

                                                                  I mean determined teenagers created FB so...

                                                                • devin 8 days ago

                                                                  1. When was this study conducted? I remember a story like this from somewhere around 2008. A lot has changed since then. In fact, I recall that during my onboarding at a medium size tech company, it was an explicit part of the company's security training curriculum.

                                                                  2. I think you may actually have it backwards. I would imagine the engineering group at Twitter (the people who have important credentials) is in some ways more paranoid, or at least more technically savvy and therefore more aware than many of the people at the FBI.

                                                                  • ketzu 7 days ago

                                                                    Comparatively, CERN does a phishing study from time to time [1] and the campaigns are in line with current expectations: People fall for phishing, and security training has only a short term effect on phishing. Unfortunately I can't find the real results right now.

                                                                    We once had a bachelor's thesis comparing the results over multiple years, and the results were mostly stable. (Years are mid 2010s).

                                                                    [1] https://home.cern/news/news/computing/computer-security-cern...

                                                                  • gav 8 days ago

                                                                    Security training improves security but it doesn't get close to stopping 100% of attacks.

                                                                    I know it's obvious, but it feels like it's only obvious to those that think about security. It's the same reason that putting your developers through a yearly OWASP Top 10 secure coding course isn't going to get you to 100% secure code.

                                                                    Locking down systems seems draconian, but it's the only way:

                                                                    - Disabling USB storage

                                                                    - Moving away from passwords to hardware authentication

                                                                    - Strong controls on internet access

                                                                    - Stop incoming calls from reaching most employees. Better: take away phones altogether

                                                                    And so on.

                                                                    • manquer 8 days ago

                                                                      In a remote only or remote first working environment, many of these policies are not feasible; ultimately employees have to be able to work somewhat productively.

                                                                      Such clean room requirements could perhaps work when the threat model includes nation state actors or you are handling sensitive financial applications.

                                                                      Most companies are not defence contractors or banks; the security levels you propose won’t be worth the cost to a typical internet tech company.

                                                                      • lobster45 8 days ago

                                                                        Anytime there are humans involved, there is no way to 100% secure it

                                                                      • JetSpiegel 2 days ago

                                                                        > half of their employees would plug in a USB drive that they found on the ground in the parking lot

                                                                        If that didn't work, StuxNet wouldn't have gone anywhere either.

                                                                        Sometimes the right hand requires the left hand to fuck up.

                                                                        • qppo 8 days ago

                                                                          Isn't that how they got Stuxnet into the Iranian nuclear facilities?

                                                                          • boogies 8 days ago

                                                                            Something like that (USB exploit of Windows zero days, breaching an airgap). (Edit: though not by leaving flash drives outside of the facilities, by infecting some with a virus that spread from Windows PC to Windows PC around the world.)

                                                                          • cosmodisk 8 days ago

                                                                            Someone successfully gained access to a colleague's email account using a phishing technique. I inform the senior management team not to open any emails, just to get a message 2 min later that one of them entered email credentials after opening a link...

                                                                            • hguant 8 days ago

                                                                              I wonder what sort of machine those folks were plugging it into? If it's their general purpose work issued machine, shame on them, but I can't believe the FBI doesn't have high and low side networks. How many plugged into the high side? How many plugged into the "this is my email and timecard" computer?

                                                                              I have a Chromebook running arch[0] that has a borked network adapter that I use to plug weird things into/use as an airgapped box I can reset in about 5 minutes. I'd have no qualms about plugging anything into that.

                                                                              [0] BTW I run Arch

                                                                              • theelous3 8 days ago

                                                                                Nice I run arch too. I like the way it is, and isn't.

                                                                                As an aside to that important point, it seems like the solution here is to just remove all random device access points and drives before giving a system to some luddite with no security awareness.

                                                                              • agumonkey 7 days ago


                                                                                Working at a court room I was bemused by the security talks about USB keys, yet the OS setup still allows USB driver installs automatically (granted their local presence). I know because I brought a keyboard to replace the busted one they had in-house and Windows gladly set up everything plug'n'play.

                                                                                I wonder if OSes have actual rules for this, and if there are secure corporate usb keys

                                                                              • enraged_camel 8 days ago

                                                                                >>If a security-focused government police agency is so vulnerable

                                                                                I think calling the FBI "security-focused" is a bit too generous. They are essentially glorified police detectives, with greater authority and jurisdiction. I don't believe the average FBI agent is particularly competent, in terms of technical (i.e. computer) skill or knowledge.

                                                                                • nickff 8 days ago

                                                                                  The FBI literally performs the background checks for security clearances. Like any other organization it has less security focused divisions, but insofar as any organization is security focused, the FBI is.

                                                                                  • enraged_camel 8 days ago

                                                                                    Like I said, none of this translates to computer literacy.

                                                                                • pfranz 7 days ago

                                                                                  Why are random users allowed to attach USB drives? Is that normal? I would think any data going in or out should go through some centralized process? Sure, the Internet can be a loophole, but locking down physical access seems like an easy and obvious win.

                                                                                  • hindsightbias 8 days ago

                                                                                    A criminal mastermind would leave a stick behind to infect those investigating.

                                                                                    • LeifCarrotson 8 days ago

                                                                                      I would be surprised if the average FBI agent was less likely to plug in an unknown USB drive than the average Twitter engineer.

                                                                                      • Nuzzerino 8 days ago

                                                                                        What makes you say that?

                                                                                        • theelous3 8 days ago

                                                                                          Software engineers are much more aware and focused on the problem of technical attacks. An FBI agent has no innate reason to distrust USB sticks. After all, they're just for "moving files" or whatever other basic tasks they use them for.

                                                                                          • TheSpiceIsLife 8 days ago

                                                                                            > Software engineers are much more aware and focused on the problem of technical attacks.

                                                                                            We’re constantly presented with evidence to the contrary.

                                                                                            • mewpmewp2 7 days ago

                                                                                              The point was "less likely", not that all engineers would not do that.

                                                                                            • mejtro 7 days ago

                                                                                              With a corrupted USB drive, the FBI Agent may as well be drawring bleedn ded

                                                                                        • sashwatp 8 days ago

                                                                                          This reminds me of Mr.Robot. :)

                                                                                        • Sebb767 8 days ago

                                                                                          > The age of the attacker is irrelevant to Twitter's role in this story.

                                                                                          I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.

                                                                                          • joering2 8 days ago

                                                                                            Of course it’s steep. But he’s just a pawn. He is irrelevant. The bigger picture is that one of the largest tech companies with stock traded publicly got caught with pants down and revealed that their staff is not properly trained and vulnerable to social hacking. As a result millions of dollars invested in the stock were lost. Some angry billionaires who happen to write fat checks to politicians placed a few very harsh phone calls and then these politicians placed ten times more angry calls to the next in line, until they reached DOJ. That’s all it is. Now DOJ has last chance to look all serious and harsh before they turn the light off.

                                                                                            • raverbashing 8 days ago

                                                                                              Yes. But at the same time, it's easy to get into "blame the victim" mode

                                                                                              Having full blown security could mean nothing is done easily anymore

                                                                                              Prosecuting is important

                                                                                              • sakisv 8 days ago

                                                                                                Depends on how you define the victim.

                                                                                                One could argue that the victims in this case are the people whose profiles had been hacked.

                                                                                                As for having full blown security getting in the way of getting stuff done, try replacing "Twitter" with "Equifax", a company that handles arguably more sensitive data and should have the "full blown security" you mentioned.

                                                                                                Did they suffer any tangible consequences?

                                                                                                • BbzzbB 8 days ago

                                                                                                  The stock went down for a couple of days, that should teach them. On a serious and besides note, it's such a clash between company and user-experience (i.e. every NA citizen) incentives that credit scores companies have a stock in the first place.

                                                                                                • sgustard 8 days ago

                                                                                                  Prosecuting is mostly irrelevant. A lot of attacks come from countries outside the reach of US law enforcement.

                                                                                                • Datsundere 8 days ago

                                                                                                  What about when NSA wants to build a backdoor in encryption standards? Who is at fault then?

                                                                                                • DubiousPusher 8 days ago

                                                                                                  Overcharging has become the norm. Not just in high profile cases but in everyday ones as well. It's an effective leveraging tool used to get the accused to accept the actual charge in a plea bargain.

                                                                                                  Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.

                                                                                                  • 29083011397778 8 days ago

                                                                                                    > Overcharging has become the norm

                                                                                                    With regard to "has become", this is completely false. Overcharging is not "new" in any way, shape, or form, as I hope the recent post commemorating Aaron Swartz's death would have reminded all of us.

                                                                                                    • BoorishBears 7 days ago

                                                                                                      What is this pointless nitpicking even supposed to mean?

                                                                                                      Modern legal frameworks have roots hundreds of years old, this habit is a recent development of the last few decades.

                                                                                                      So why are you trying to browbeat this person over correctly referring to it as a recent trend, using a recent example to do so?

                                                                                                      Reminder that every field is tech, churning through the framework of the week like it's going out of fashion...

                                                                                                      • DubiousPusher 7 days ago

                                                                                                        Yes, my apologies. I have become so ensured to history lately. I mean in the last 40-60 years or so. Essentially since defendants have made themselves peaky with the consequences of Gideon v. Wainwright the legal recourse has been to combine several tools to prevent trials.

                                                                                                        Justice is expensive and Americans just don't have a taste for it.

                                                                                                    • VWWHFSfQ 8 days ago

                                                                                                      > Hitting a 17yo with 30 felony charges feels a bit steep to me.

                                                                                                      Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.

                                                                                                      But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.

                                                                                                      Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each carbombing. 4 * 5 = 20 years. 25 year old girl... and now her life is basically over. And for what?

                                                                                                      • reitzensteinm 8 days ago

                                                                                                        The sentences should run concurrently.

                                                                                                        4 years for setting a car on fire is not unreasonable, although maybe a little harsh depending on priors. It's a dangerous thing to do.

                                                                                                        But setting five cars on fire is not particularly worse than setting one car on fire.

                                                                                                        • tikwidd 8 days ago

                                                                                                          Maiming peaceful protesters with mace and rubber bullets is a dangerous thing to do.

                                                                                                        • antihero 7 days ago

                                                                                                          Four years of someone's life for damaging an inanimate object? Absolutely absurd. Did people get hurt? No. Fuck that. I often wonder if the "justice" system is a worse thing than criminals some of the time.

                                                                                                          • mewpmewp2 7 days ago

                                                                                                            What about murdering 5 people vs 1 person?

                                                                                                            Although I would agree in this case and the rationale would be that it probably would take not much more amount of time to adjust behaviour of someone who did 5 vehicles vs 1. But maybe something like 7 years instead.

                                                                                                            • ulisesrmzroche 7 days ago

                                                                                                              Life vs Items is a totally different thing. Not comparable whatsoever

                                                                                                              • reitzensteinm 7 days ago

                                                                                                                I'm certainly not arguing all sentences should be concurrent. Most are, and I believe it's appropriate in this case.

                                                                                                              • kijin 7 days ago

                                                                                                                O(log n) or O(sqrt(n)) might be a reasonable compromise between concurrent and consecutive sentences.

                                                                                                                • VWWHFSfQ 8 days ago

                                                                                                                  Setting five police cars on fire is an act of domestic terrorism. That's not in any way a normal protest action. That's what the prosecutor will argue.

                                                                                                                  • dragonwriter 8 days ago

                                                                                                                    > Setting five police cars on fire is an act of domestic terrorism

                                                                                                                    No, it's not.

                                                                                                                    > That's not in any way a normal protest action.

                                                                                                                    Well, yeah, that’s why it's prosecutable as a crime at all rather than protected first amendment speech.

                                                                                                                    • The Boston Tea Party was an act of domestic terrorism. It's hard to determine whether an act is right or wrong without a good duration of hindsight.

                                                                                                                      • remarkEon 8 days ago

                                                                                                                        The only reason that we look at the Boston Tea Party as a "good" thing that happened is because that side ended up winning a war. If the British had won that conflict it would be a footnote in history, noting that some hooligans destroyed some property.

                                                                                                                        • dragonwriter 8 days ago

                                                                                                                          > The only reason that we look at the Boston Tea Party as a "good" thing that happened is because that side ended up winning a war.

                                                                                                                          No, it's because they ended up winning a war and became us. If it had been a group that went on to win a war of national liberation against us, we probably wouldn't look too kindly on it.

                                                                                                                          • remarkEon 8 days ago

                                                                                                                            Sure, but the point remains. We remember the Boston Tea Party as a good thing only because the victors of that war celebrate it.

                                                                                                                        • VWWHFSfQ 8 days ago

                                                                                                                          Yep and maybe she'll be vindicated by future historians. But right now she's going to do 20 years.

                                                                                                                        • tomc1985 8 days ago

                                                                                                                          Was it? Which part of it caused terror?

                                                                                                                          I mean, unless you're trying to be funny.

                                                                                                                          • frank2 7 days ago

                                                                                                                            Sure, but no one would argue, I hope, that British society would have been improved if the British government had changed their laws so that the Tea Party would no longer be a crime.

                                                                                                                          • tomc1985 8 days ago

                                                                                                                            Setting five police cars on fire is punk rock, not "domestic terrorism"

                                                                                                                            Setting cars on fire is not an act of spreading terror. It is an act of defiance

                                                                                                                            • VWWHFSfQ 7 days ago

                                                                                                                              Your Honor, I firebombed those police cars because I'm PUNK ROCK!

                                                                                                                              do you see how you sound

                                                                                                                              • tomc1985 7 days ago

                                                                                                                                Again, you are misunderstanding the intention. 9/11 was an act of terrorism. Setting police cars on fire is vandalism, destruction of government property, maybe something for endangering police officers or something. All things condoned by your local friendly "anarchists".

                                                                                                                                What it isn't is terrorism.

                                                                                                                                Now go and listen to some Rage Against the Machine. Are they terrorists?

                                                                                                                                • darkerside 7 days ago

                                                                                                                                  Is lighting crosses on fire terrorism?

                                                                                                                                  • tomc1985 7 days ago

                                                                                                                                    Yes, because the whole point of that act is to terrify whoever lives on the property of the cross you're burning

                                                                                                                                    • darkerside 6 days ago

                                                                                                                                      Why are people lighting cop cars on fire? Please don't say it's to make an intelligent and nuanced political statement.

                                                                                                                                      • tomc1985 5 days ago

                                                                                                                                        Because they want to destroy the government. Or they're frustrated. Or mad. Or feeling mischievous.

                                                                                                                                        None of those things are terrorism

                                                                                                                                • skinnymuch 7 days ago

                                                                                                                                  Calling lighting some cars on fire terrorism sounds more frightening than anything else. I feel terrorized just by that.

                                                                                                                                  • blue52 7 days ago

                                                                                                                                    Everything is "terrorism" these days if the gov't doesn't like the thought/action/person/group.

                                                                                                                              • reitzensteinm 8 days ago

                                                                                                                                I agree the crime is serious. But that she did it more than once doesn't make it proportionally more serious, and certainly should not make the sentence proportionally longer.

                                                                                                                                • bobmaxup 8 days ago

                                                                                                                                  Why doesn't it make it proportionally more serious?

                                                                                                                                  • riquito 8 days ago

                                                                                                                                    Ehm, seriously? 10 machine 40 years? 20 machine 80 years? There's no correlation with the concept of reforming that person after a while

                                                                                                                              • entropea 7 days ago

                                                                                                                                I remember when terrorism was blowing up a building injuring almost 1000 people and killing countless more, or crashing airplanes into two buildings, killing 3000 and injuring countless more. Burning police cars that ended in not even an injury is a felony, but terrorism? No way.

                                                                                                                                I really wish people would stop lowering the bar for what's called terrorism. It's a very dangerous slope.

                                                                                                                                • skinnymuch 7 days ago

                                                                                                                                  It feels terrorizing to call lighting cars on fire terrorism.

                                                                                                                              • m463 7 days ago

                                                                                                                                I think physical violence is (and should be) treated more harshly.

                                                                                                                                • z3ncyberpunk 8 days ago

                                                                                                                                  Except that cyber crime laws are horribly written, outdated, and flat out wrong. I guess we should just blindly follow the law, like when it said slavery was all good!

                                                                                                                                • libraryatnight 8 days ago

                                                                                                                                  I felt a sting reading that too. He hit the idiot computer kid jackpot and did idiot computer kid things with it. Not saying no consequences, but damn.

                                                                                                                                  • tedunangst 8 days ago

                                                                                                                                    Idiot kid things would be having Obama tweet "I think @Kelly2003 should go to the prom with Clark". If you're old enough to run a send back scam, you should know it's wrong.

                                                                                                                                    • unethical_ban 7 days ago

                                                                                                                                      I think the friction of an act contributes to the analysis. It isn't hard to get a bitcoin account. It's a number. With other fake numbers assigned to it. Get people to send fake numbers to your fake number.

                                                                                                                                      Should a 17 year old lose prime years of his life? Is there a better way to educate/reform the person?

                                                                                                                                      If you say "Well in this other instance, the book got thrown at so-and-so". To this, I would ask, does that make it right?

                                                                                                                                      • maerF0x0 8 days ago

                                                                                                                                        One thing I think we ought to give credit to is that as Infosec becomes higher profile and more public, the sophistication of kids will rise with it.

                                                                                                                                        For example many of the techniques that are basically public info on youtube[1] nowadays were hidden in some "darkweb" forum not many years back.

                                                                                                                                        [1]: https://www.youtube.com/c/STOKfredrik/videos

                                                                                                                                    • Nasrudith 8 days ago

                                                                                                                                      Adding repercussions to the targets would be a mistake in my opinion - that would be very antitransparency as they would be encouraged to be willfully blind to cover their own asses. "Look it is clearly just the fault that these dumbass rich people didn't secure their passwords properly. Password reset logs? Why on earth would we keep those?"

                                                                                                                                      Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure. It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.

                                                                                                                                      • dividedbyzero 7 days ago

                                                                                                                                        I kind of like that idea, but defining the rules and boundaries would be really hard, and I'm not sure if the cure wouldn't be much worse than the disease, overall, for just blanket legalizing hacking.

                                                                                                                                        Like, how far am I allowed to go?

                                                                                                                                        Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?

                                                                                                                                        Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?

                                                                                                                                        Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have a look into that User\ List.xslx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?

                                                                                                                                        Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?

                                                                                                                                        Can I attack healthcare providers? Can I attack banks?

                                                                                                                                        Can I use any minutes-old zero-day disclosed by some hackfluencer on his Youtube channel, even if no one reasonably could have reacted to that so quickly?

                                                                                                                                        I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.

                                                                                                                                        That might lead to everyone below big corporation level virtually having to migrate everything they can to cloud and serverless products, since I'd expect it to get increasingly harder and expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed within the hour, but how many small companies (or individuals running services) could do the same?

                                                                                                                                      • nordsieck 8 days ago

                                                                                                                                        > Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

                                                                                                                                        200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.

                                                                                                                                        • gregschlom 8 days ago

                                                                                                                                          That is not the point that the parent comment is making, though.

                                                                                                                                          It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.

                                                                                                                                          • nordsieck 8 days ago

                                                                                                                                            > It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.

                                                                                                                                            That is exactly my point.

                                                                                                                                            There are tons of crimes that basically anyone can do. If you said instead: people whose houses are set on fire by an arsonist should be liable for poor security, at the very least you'd not be taken very seriously.

                                                                                                                                            There is a duty to not commit crime. There is no duty to avoid being the victim of a crime.

                                                                                                                                            On top of that, there is broad industry consensus that it is largely impossible to write bug free software - certainly at the scale of Twitter. To suggest that they have the duty to perform the impossible strikes me as deeply irresponsible if not simply malicious.

                                                                                                                                            • etrabroline 8 days ago

                                                                                                                                              >There is no duty to avoid being the victim of a crime

                                                                                                                                              If you entrust a bank with 10 thousand dollars, and the bank puts your money in a paper bag and leaves it in the lobby, they are going to be held liable if someone walks away with it. Twitter letting teenagers steal people's data is approaching that level of negligence for a multi-billion dollar company.

                                                                                                                                              • bobmaxup 8 days ago

                                                                                                                                                I don't think the fact that the person is a teenager really bears any significance as to how negligent a company is. Historically teenagers have done massive damage as sole actors in numerous roles.

                                                                                                                                                • Google234 8 days ago

                                                                                                                                                  The only thing between the inside of a home and the outside is a thin layer of glass. Should we hold home owners responsible for people breaking in and stealing? Lots of things are fragile, we have laws to act as a deterrent to violations

                                                                                                                                                  • tgsovlerkhgsel 7 days ago

                                                                                                                                                    We do in some cases.

                                                                                                                                                    Someone breaks in and steals your stuff? We generally don't care, because it's solely your problem.

                                                                                                                                                    Someone breaks in and steals other people's stuff that you held, or stuff that's dangerous to others? Depending on what it was, you may be held liable if you didn't take appropriate measures.

                                                                                                                                                    If the stolen stuff was, for example, sensitive private information, and you didn't have it in at least a locked cabinet, you may be liable. If it was a gun, in many jurisdictions, you're liable. Your car gets stolen _because you didn't secure it correctly?_ In Germany, you're liable for the damage caused with it!

                                                                                                                                                • tgsovlerkhgsel 7 days ago

                                                                                                                                                  > There is no duty to avoid being the victim of a crime.

                                                                                                                                                  In Germany (and likely also other jurisdictions), if your car gets stolen because you left the door open and the keys in the ignition, you will be held liable for it to some extent: As the owner of a dangerous machine, you're responsible to reasonably secure it even against illegal acts. [1]

                                                                                                                                                  I don't see why this would be different if your machine is a lot bigger, and as a result arguably a lot more dangerous than a single car (imagine tweets trying to trigger violent mobs).

                                                                                                                                                  [1] https://dejure.org/gesetze/StVG/7.html subsection 3

                                                                                                                                                  • unethical_ban 7 days ago

                                                                                                                                                    You are incorrect - there is a legal concept known as strict liability that defines an instance where one party is completely liable for damages to a party, regardless of the negligence of any other party. I am sure Twitter didn't run afoul of that concept here, but the question is, "should they?" Presumably, a skilled person with only a few years' experience was able to find a flaw in their system so severe, that multiple political and business leaders' accounts were manipulated. It's a dangerous embarrassment.

                                                                                                                                                  • baddox 8 days ago

                                                                                                                                                    That was the other commenter's point: a 17 year old can hurt people with a car just as easily as a 40 year old. The age of the attacker has no relevance on how liable the recipient of the attack is for their security practices.

                                                                                                                                                    • user5994461 8 days ago

                                                                                                                                                      The same point stands with the car, any 17 year old could borrow their parents car and drive into a crowd. It's not the fault of the car owner for not securing their car.

                                                                                                                                                      Security is not preventing people from doing things, it's having some limitations so it's not too easily too quickly (cars are protected by keys, accounts by passwords). Anybody motivated can and will bypass security easily.

                                                                                                                                                      • mehrdadn 8 days ago

                                                                                                                                                        > It's not the fault of the car owner for not securing their car.

                                                                                                                                                        Securing their car against... their children? Or distributing the car's keys to 2,000 people?

                                                                                                                                                      • kodt 8 days ago

                                                                                                                                                        Is a 17 year old hacking them really proof of worse security than say a 30 year old?

                                                                                                                                                        • Nasrudith 8 days ago

                                                                                                                                                          Well the age implicitly assumes potential levels of education and sophistication. Few would be surprised to hear a 30 year old engineer designed a novel world class chip - they could easily have a PhD at that point to have the sophistication capable. For a 17 year old that would be pretty damn extraordinary. Now hacking is less than that even to laymen who don't know how simple some holes are but 17 implies a lack of great sophistication.

                                                                                                                                                          The whole thing is an ageist rough proxy anyway - a developmentally disabled 30 year old hacking it would be more shameful than a 17 year old college graduate.

                                                                                                                                                        • refurb 8 days ago

                                                                                                                                                          I put a cheap lock on my door and someone breaks in and steals everything.

                                                                                                                                                          Should I be held liable for my poor security practices?

                                                                                                                                                          • 7786655 8 days ago

                                                                                                                                                            If you were responsible for securing my stuff, and you put a cheap lock on your door protecting my stuff, and someone breaks in and steals all my stuff, then yes, you should be held liable for your poor security practices.

                                                                                                                                                            • refurb 8 days ago

                                                                                                                                                              But that's not actually the law, is it? You could certainly bring a civil lawsuit (and so could Twitter users), but I haven't committed a crime.

                                                                                                                                                              • MisterPea 8 days ago

                                                                                                                                                                True, but I think this case opens up doors on regulation of tech companies for security, or at least new laws for security negligence. The power that Twitter has due to its highest-profile users is immense, however, this hack made them look incredibly stupid.

                                                                                                                                                                • refurb 8 days ago

                                                                                                                                                                  I don't disagree, it's pretty damn embarrassing someone can get the keys to the kingdom through some social engineering.

                                                                                                                                                                  My only concern is what happened with Equifax - some punishment is put on the company and it's only a token amount and nothing changes.

                                                                                                                                                          • shadowgovt 8 days ago

                                                                                                                                                            We generally handle that liability free-market style, i.e. "Why the hell would I sign up for a Twitter account? Their security is so lousy some 17-year-old could be speaking as me."

                                                                                                                                                          • sheeshkebab 8 days ago

                                                                                                                                                            Twitter is a meme service with a bunch of self absorbed individuals talking over each other... just FYI in case you lived under the rock for last 10 years.

                                                                                                                                                            • hw8kw13 8 days ago

                                                                                                                                                              Well, maybe it was until a certain individual started using it to conduct matters of foreign and domestic policy.

                                                                                                                                                              • Nasrudith 8 days ago

                                                                                                                                                                I think that is just further proof.

                                                                                                                                                          • tedunangst 8 days ago

                                                                                                                                                            Previous settlement regarding twitter security: https://www.ftc.gov/news-events/press-releases/2011/03/ftc-a...

                                                                                                                                                            • robomartin 8 days ago

                                                                                                                                                              This is a tough topic. If we take the approach of effectively turning this kind of crime into job interviews and a way to enter life-long careers we would create a positive feedback loop. Punishment, on the other hand, creates a negative feedback loop. We can discuss the degree of punishment, but it is clear that humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.

                                                                                                                                                              The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.

                                                                                                                                                              Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.

                                                                                                                                                              • nicoburns 8 days ago

                                                                                                                                                                > humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.

                                                                                                                                                                I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively change behaviour, and can often turn past offenders into very effective advocates against the crime they committed.

                                                                                                                                                                That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.

                                                                                                                                                              • SahAssar 8 days ago

                                                                                                                                                                Having bad security is not criminal. If it was we wouldn't have a voting village at defcon cracked by pre-teens and there would be a lot more irresponsible CEO's in prison (so probably a better world).

                                                                                                                                                                • paulpauper 8 days ago

                                                                                                                                                                  agree. twitter is under no obligation to provide secret service level security on its platform because some high profile people use it. IF the government deems such security measures so important, they should pay twitter to implement them,

                                                                                                                                                                  • eschaton 8 days ago

                                                                                                                                                                    Negligence is actionable regardless of whether it’s criminal. And whether it’s criminal depends on the duty of care that can be reasonably expected from the negligent party.

                                                                                                                                                                    In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.

                                                                                                                                                                    • ozim 7 days ago

                                                                                                                                                                      Did you read the report? This hack involved spear phishing multiple employees who also had 2FA turned on. Good practices were in place. This was not some admin panel left open to the internet, that would be negligence.

                                                                                                                                                                    • shadowgovt 8 days ago

                                                                                                                                                                      Usually, the counterweight to bad security is the extremely-practical "Pests, assholes, or criminals ownz you."

                                                                                                                                                                      Which works on average.

                                                                                                                                                                      • SahAssar 8 days ago

                                                                                                                                                                        I disagree. For every Mossack Fonseca, Mernis, Equifax, Twitter, LinkedIn, Ashley Madison we get public hacks from I think we have many more that see it as "the cost of doing business" and keep bad practices around.

                                                                                                                                                                        In many types of businesses the cost of a security breach is "priced in" or not considered at all and they are gambling on it happening to their competitors (or not at all) instead of to them.

                                                                                                                                                                        • shadowgovt 8 days ago

                                                                                                                                                                          I think we are in agreement on mechanism. I meant "works on average" in the sense of "Keeps fraud and breaches to a level consumers are comfortable with." Nobody imagines breaches can be driven to zero; we seem to be comfortable as a society with the overall rate and severity of breaches (demonstrably, since people keep signing up for these rando online services willy-nilly with nary a care to who holds their data).

                                                                                                                                                                      • pps43 8 days ago

                                                                                                                                                                        Is bad security ok for, say, a bank or a nuclear power plant?

                                                                                                                                                                        • SahAssar 8 days ago

                                                                                                                                                                          No, and that's why we (basically all nations that have banks or nuclear power plants) have specific laws governing them.

                                                                                                                                                                          Look, if you want to pass a law saying all internet business having X personal data needs to prove Y security, then I'd probably be for it (depending on X and Y). We already have PCI-DSS and similar today for payment providers. I'm just saying that there is nothing like that today, and if there was we'd have a lot more irresponsible people in prison.

                                                                                                                                                                          • pps43 8 days ago

                                                                                                                                                                            In "2020 Commission Report" by Jeffrey Lewis, North Korea nukes the US because of one twit. This looks very plausible to me.

                                                                                                                                                                            • SahAssar 8 days ago

                                                                                                                                                                              Are you arguing against something I've said? Because if so I don't understand what or how.

                                                                                                                                                                              • pps43 8 days ago

                                                                                                                                                                                I'm arguing that Twitter is now critical infrastructure, like banking or power grid, and needs to take security seriously. If they don't do it themselves, they'll get regulation like HIPAA.

                                                                                                                                                                                • SahAssar 8 days ago

                                                                                                                                                                                  Then you need to find someone else to argue with. All I said was that bad security is not criminal currently.

                                                                                                                                                                          • 6dEOWVt4WN 7 days ago

                                                                                                                                                                            A nuclear power plant, no. Because, it's most likely public property and so govt should have a say in its security. Even if it was a privately owned nuclear power plant, a breach would catastrophically and directly affect people who are not just its customers.

                                                                                                                                                                            But, a bank, which is a privately owned entity. I think yes. If I own a bank and have bad security practices, and a breach impacts only my customers. I think the customers have the right to sue the bank but it's up to me to decide what security I use, and if it's not good the customers are free to choose to do business with another bank. But I don't think the govt should decide what level of security is sufficient?

                                                                                                                                                                            Think of it this way, does this imply if my house is robbed I could be held liable because I chose to use locks on my house that were non compliant to govt regulation?

                                                                                                                                                                            • pps43 7 days ago

                                                                                                                                                                              Large banks are designated as SIFI (systemically important financial institutions, aka "too big to fail"). When they screw up, the government steps in and props them up with taxpayer's money. To those banks losses from lax security are externality.

                                                                                                                                                                              In that sense they are not very different from nuclear power plants. Indian Point is owned by Entergy and it gets the money when everything works fine, but the risks are covered by the government through Price-Anderson Nuclear Industries Indemnity Act.

                                                                                                                                                                              If your house is robbed, it's your problem. But if you store personally identifiable information for everyone and it gets stolen, now it's everyone's problem.

                                                                                                                                                                        • badrabbit 8 days ago

                                                                                                                                                                          It's not steep, this is one of the many cruelties and abhorrent failures of the US justice system. They do this to force you to enter a plea bargain deal even if you are innocent.

                                                                                                                                                                          • stefap2 8 days ago

                                                                                                                                                                            A year or two and return the money. It's not like he tried to break into a nuclear plant. It is a messaging app, mostly nonsense.

                                                                                                                                                                            • ChrisLomont 8 days ago

                                                                                                                                                                              ... with the ability to move trillion dollar markets and potentially start riots or wars.

                                                                                                                                                                              • cutemonster 8 days ago

                                                                                                                                                                                Lots of people have the ability to do bad things.

                                                                                                                                                                                Seems you believe they should therefore all go to prison,

                                                                                                                                                                                also if they didn't actually do those particular things

                                                                                                                                                                                • unethical_ban 7 days ago

                                                                                                                                                                                  Then we should regulate Twitter's security controls like we do banks? A breach like this at a bank would get them investigated and fined by multiple state and federal agencies.

                                                                                                                                                                                  • BlahGod420 8 days ago

                                                                                                                                                                                    Their intentions will matter a lot. Are they just collecting accounts or was there intention to move trillion dollar markets/start riots or wars/etc.

                                                                                                                                                                                • vsareto 8 days ago

                                                                                                                                                                                  > Hitting a 17yo with 30 felony charges feels a bit steep to me.

                                                                                                                                                                                  Someone's gonna talk if they haven't already?

                                                                                                                                                                                  • tptacek 8 days ago

                                                                                                                                                                                    Does it really change much about the sentence he'll face? Felony charges usually group.

                                                                                                                                                                                    • threatofrain 8 days ago

                                                                                                                                                                                      > Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

                                                                                                                                                                                      Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.

                                                                                                                                                                                      • bcohen5055 8 days ago

                                                                                                                                                                                        Not a home but if you were a bank and a 17 year old walked into the bank, talked to someone and was able to walk out with a fat stack of cash i think the insurance company would have to reconsider your policy.

                                                                                                                                                                                        • user5994461 8 days ago

                                                                                                                                                                                          Absolutely any 17 year old can walk into a bank/shop and get out with cash. Preferably armed and not alone.

                                                                                                                                                                                          The challenge is to get out and never be caught.

                                                                                                                                                                                          • Talanes 8 days ago

                                                                                                                                                                                            According to a family friend who used to work bank robberies for the FBI, it's very easy to get away with one bank robbery. It's the compounding evidence when you commit more that gets you. Of course, that was a couple decades ago. I'm sure better surveillance technology has shifted that balance some.

                                                                                                                                                                                        • TallGuyShort 8 days ago

                                                                                                                                                                                          Not home security, but I'm of the opinion this should apply for businesses and public places in some cases. For instance, I usually carry a gun on me. If I go into the court house or a concert venue I'm prohibited from doing that. IMO they have now assumed a level of liability to provide a reasonable level of effective security and they're negligent if they don't and I'm injured or killed because of a mass shooting anyway because they didn't enforce their own policies.

                                                                                                                                                                                          Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.

                                                                                                                                                                                          • nicoburns 8 days ago

                                                                                                                                                                                            I find it odd that you think a gun protects you in public. It's always seemed to me like you are more likely to be shot if you're carrying a gun, because an armed criminal now has to shoot you first if they want to ensure that they are not shot themselves. If you are unarmed they can simply threaten to shoot you and need not actually shoot.

                                                                                                                                                                                            I guess in the US there are so many guns that perhaps criminals will just assume that you're armed anyway. But IMO that only makes the case for gun control stronger. Because the most effective way to change that attitude would be to dramatically decrease the number of guns in circulation.

                                                                                                                                                                                            • TallGuyShort 7 days ago

                                                                                                                                                                                              The gun is well concealed and I'm an accomplished competitive shooter - no I'm not concerned about that.

                                                                                                                                                                                          • nick0garvey 8 days ago

                                                                                                                                                                                            It isn't fair to compare to home security. If someone breaks into my home, only my belongings are lost.

                                                                                                                                                                                            If someone breaks into Twitter, user data is compromised. It's not just the business that pays a price.

                                                                                                                                                                                          • nmarks122 8 days ago

                                                                                                                                                                                            Governments are touchy about propaganda channels, even (or especially?) when they are lower in quality than the Sun or the Daily Mirror.

                                                                                                                                                                                            • > Hitting a 17yo with 30 felony charges feels a bit steep to me.

                                                                                                                                                                                              what charge should they leave out? Also he will not serve, say 15 years X 30 charges, if found guilty.

                                                                                                                                                                                              Now they are dealing with him, what happens to Twitter, if anything, is a different story. 17 years old or 19...he knew what he did

                                                                                                                                                                                              • rwbhn 8 days ago

                                                                                                                                                                                                Source for those charges? Article this currently points to says "The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. "

                                                                                                                                                                                                • JKCalhoun 8 days ago

                                                                                                                                                                                                  I think the fact that "a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world" does pretty serious damage to their reputation — that is in itself a repercussion.

                                                                                                                                                                                                  • Sebb767 8 days ago

                                                                                                                                                                                                    You'd think so, but the history shows that this will only be a footnote in Twitters history. See Equifax; they have lost the personal finance data of basically everyone in the US and they're doing fine. Twitter is not going to suffer anything other than a few bad jokes at its expense.

                                                                                                                                                                                                  • clairity 7 days ago

                                                                                                                                                                                                    that makes me so mad, not just for 17 year olds, but everyone subject to the whims of the criminal justice system.

                                                                                                                                                                                                    for this young man, it should be 1 charge, maybe 1-2 weeks in jail (to deomonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.

                                                                                                                                                                                                    we destroy lives gone astray rather than nudge them back onto the happier path(s). mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. the punishment should reflect that.

                                                                                                                                                                                                    • 29athrowaway 7 days ago

                                                                                                                                                                                                      He pissed off the wrong people.

                                                                                                                                                                                                      • Jabbles 8 days ago

                                                                                                                                                                                                        Standard disclaimer for headline sentence lengths:


                                                                                                                                                                                                        • ponker 8 days ago

                                                                                                                                                                                                          What does the 17yo have to do with it? Would it be different for an 18yo?

                                                                                                                                                                                                          • trimbo 8 days ago

                                                                                                                                                                                                            In the United States, we generally consider minors who commit crimes to be a different class of criminal than people above 18. We do this because (AFAICT), there's a sort of societal agreement that wisdom/maturity is a logarithmic curve that begins to flatten in the late teens and 18 was picked as a legal threshold.

                                                                                                                                                                                                            So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.

                                                                                                                                                                                                            • shadowgovt 8 days ago

                                                                                                                                                                                                              FWIW, don't imagine that there was anything as elegant as "logarithmic curve analysis" used to decide that the age of majority is 18.

                                                                                                                                                                                                              It's an age that was settled upon by common-sense consensus over a grand function of "Well, most Americans (descended from Europeans) thought it should be around 21," and that's probably because 21 is a nice, round number. Then the draft age got pushed to 18 because we needed more bodies for the meat-grinder in World War II, and the voting age followed around Vietnam when too many people asked "Wait, in what way is it just or fair we can force people to fight and die in a war who can't even vote?"

                                                                                                                                                                                                              There isn't a lot of hard science (beyond the most ancient human science of all: observation across millions of data-points loosely confederated into "common sense") underpinning the age of majority.

                                                                                                                                                                                                              • gus_massa 8 days ago

                                                                                                                                                                                                                But they still can not drink alcohol...

                                                                                                                                                                                                                • shadowgovt 7 days ago

                                                                                                                                                                                                                  It's true. Apparently, that's because mothers against drunk driving campaigned hard to have the drinking age re-raised to 21 after they got their hands on some evidence suggesting that it cut down on deaths due to car accidents.

                                                                                                                                                                                                            • dboreham 8 days ago

                                                                                                                                                                                                              As a society we generally make some allowance for a perpetrator's mental capacity. One aspect to that is we generally accept that teenage brains are not quite the same as adults.

                                                                                                                                                                                                              • wil421 8 days ago

                                                                                                                                                                                                                I believe most states will charge a 17yo as an adult. Not sure what the feds would do.

                                                                                                                                                                                                                • mikeshank 8 days ago

                                                                                                                                                                                                                  First they need to determine his political leanings, then they'll have a good idea of how to move forward.

                                                                                                                                                                                                                  • paulpauper 8 days ago

                                                                                                                                                                                                                    i could see this possibly be challenged by courts, possibly up to the supreme court

                                                                                                                                                                                                                    • wil421 5 days ago

                                                                                                                                                                                                                      I looked it up and it’s only 3 states that do it. My state, Georgia, is trying to end it.

                                                                                                                                                                                                                  • zenta 8 days ago

                                                                                                                                                                                                                    Conversely, would it be different for a 16yo? What about 15yo? Or 12yo?

                                                                                                                                                                                                                  • snarf21 8 days ago

                                                                                                                                                                                                                    Since the President makes all his official statements via Twitter, one could argue this is a matter of national security.

                                                                                                                                                                                                                    Also, Twitter is just a collection of people and a single person is trivial to exploit.

                                                                                                                                                                                                                    • m463 7 days ago

                                                                                                                                                                                                                      A nation state would more likely facilitate a 17yo doing it.

                                                                                                                                                                                                                      Do you really think Lee Harvey Oswald acted alone?


                                                                                                                                                                                                                      • jamisteven 7 days ago

                                                                                                                                                                                                                        Just because he is 17 doesn't mean he didn't understand the repercussions of his actions. That said, Twitter should be facing fines as well for not protecting their platform. I mean seriously what if someone gets hold of a say, Putin or Trump's account and starts stating they are launching strikes on XYZ country within the hour, what happens then? With great power comes great responsibility and these platforms of communication are no exception.

                                                                                                                                                                                                                        • ibejoeb 8 days ago

                                                                                                                                                                                                                          Nothing in the complaint (well, for the two others, since his is sealed) says that a state-level actor wasn't involved. Could be the tip of the iceberg. I find it hard to believe that this was prank hacking for about $150,000. You could sell Obama's handle for more, surely.

                                                                                                                                                                                                                          • brokencode 8 days ago

                                                                                                                                                                                                                            Do you know anybody willing to pay over $150,000 for temporary access to Obama’s twitter account? I find this type of comment kind of naive and poorly thought out.

                                                                                                                                                                                                                            Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.

                                                                                                                                                                                                                            To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.

                                                                                                                                                                                                                            • rootsudo 8 days ago

                                                                                                                                                                                                                              Cue the entire movie "Burn after reading."

                                                                                                                                                                                                                              Kid had the whole attention of the world for a few minutes, could've walked away a billionaire, start WW3, casino royale stock trading - everything, anything - CREATIVELY there's so much that could've been done and it all fell down to a bitcoin scam that netted less that 150K (wallet shows about 128k.)

                                                                                                                                                                                                                              That's a yearly salary of a help desk engineer on the west coast.

                                                                                                                                                                                                                              --I'm not sure which video to link of "Burn after reading" but the entire movie is how this was handled.

                                                                                                                                                                                                                              • Kaveren 8 days ago

                                                                                                                                                                                                                                you cannot start world war 3 or become a billionaire through some tweets, this is not a movie.

                                                                                                                                                                                                                                • robbiep 8 days ago

                                                                                                                                                                                                                                  I feel like it would have been relatively trivial to make decent 7-9 figures depending on your initial leverage just by manipulating some key accounts. Ie: short Tesla, musks account says solar roof delays, firmware error has started bricking cars, self driving is 10 years away, delivery numbers going to fall well short

                                                                                                                                                                                                                                  Trump (surprised they didn’t hit that) - no new stimulus for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple small cap companies that are going to receive massive boosts like the Kodak thing.

                                                                                                                                                                                                                                  Tim Cook: Apple sales flagging, iPhone production issues due to supply chain issues

                                                                                                                                                                                                                                  Take a bit of timing to get it right and be able to walk away from the markets relatively untraced (market trade interrogation is a useful way to trace inside information so hard to do in a way that leaves no trace but if you know you can perform your hack at leisure you can set up the initial trades well forward, wait for the market and some other external condition to walk into your ambush and then pounce

                                                                                                                                                                                                                                  • tempestn 8 days ago

                                                                                                                                                                                                                                    Even setting up your trades in advance, there's no way you're going to make a billion dollars doing that kind of thing without being noticed. Millions, maybe (although maybe not), but certainly not hundreds of millions. Unless you already have hundreds of millions to work with, but then you're probably not a 17-year-old hacker.

                                                                                                                                                                                                                                    Best case he'd probably have a few tens of thousands in capital, and he gets one shot at it. In order to get the kind of leverage needed, he'd need to use short term options and/or move penny stocks. Either one of those would paint a giant target on him.

                                                                                                                                                                                                                            • shadowgovt 8 days ago

                                                                                                                                                                                                                              Personally, I find "it was a prank" extremely easy to believe. It's the simplest answer to the question "Wait, if someone compromised Twitter so badly they could tweet anything from any account, why didn't they try to move the whole stock market or start World War III?"

                                                                                                                                                                                                                              "Because they're young punks and didn't think of that" is a reasonable answer.

                                                                                                                                                                                                                              • Nasrudith 8 days ago

                                                                                                                                                                                                                                Prank hacking would fit with the monetization when combined with statements of "who would be dumb enough" that underestimates stupidity like the whole charge your iPhone in the microwave or Soupy Sales' "send in all of the green paper in your parents wallets" not thinking people would actually do it. Plenty of precedent but easy to see why they would feel no responsibility for anyone mindbogglingly stupid enough to do so.

                                                                                                                                                                                                                                • DudeInBasement 8 days ago

                                                                                                                                                                                                                                  I guess he gets a hard lesson on how dumb people are on Twitter

                                                                                                                                                                                                                                • paulpauper 8 days ago

                                                                                                                                                                                                                                  yeah cuz a trillion dollar state entity is so strapped for cash it needs to steal 150k of bitcoin too, drawing attention to the scheme.

                                                                                                                                                                                                                                  • ibejoeb 8 days ago

                                                                                                                                                                                                                                    Well, of course that wouldn't be the move. The move would be to coerce the naive but capable hackers into doing this, and once the payload was delivered, burn them. I don't know what happened, but it's kinda a waste of a huge position, so I don't think it's that far-fetched.

                                                                                                                                                                                                                                • bravoetch 8 days ago

                                                                                                                                                                                                                                  > some of the most important individuals in the world

                                                                                                                                                                                                                                  I have bad news, there are no important individuals. Sorry.

                                                                                                                                                                                                                                  • pyuser583 8 days ago

                                                                                                                                                                                                                                    He’s being treated a lot better than the adult defendants.

                                                                                                                                                                                                                                    He’s being charged in state court - specifically the state he resides in.

                                                                                                                                                                                                                                    The charges are being brought in San Francisco - which is thousands of miles from the where the other suspects live.

                                                                                                                                                                                                                                    Relative to the other defendants, he’s getting it easy.

                                                                                                                                                                                                                                    Yes, he’s technically facing life in prison. But it’s a prison near his home.

                                                                                                                                                                                                                                    He probably won’t get life in prison, but at least he’ll be able to get family visits, etc.

                                                                                                                                                                                                                                    • dragonwriter 8 days ago

                                                                                                                                                                                                                                      > He’s being charged in state court

                                                                                                                                                                                                                                      The release doesn't say either that he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—“With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile”—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities.)

                                                                                                                                                                                                                                  • kolbe 8 days ago

                                                                                                                                                                                                                                    I agree this bothers me to my core. Even the 22 year old hasn't developed a fully functional neocortex. I know it seems a little hypocritical of me for getting sad when this happens to a young programmer and not an inner city gang member, but it does.

                                                                                                                                                                                                                                    To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.

                                                                                                                                                                                                                                    • camjohnson26 8 days ago

                                                                                                                                                                                                                                      That attitude is exactly the problem though. These kids getting hit with a 30 year sentence bothers those of us who relate, when the same thing happens to young black inner city kids every day. Plenty of them are just as intelligent, risky, and bold as these kids but we throw them in prison for the best parts of their life without a second thought.

                                                                                                                                                                                                                                      • ryanlol 7 days ago

                                                                                                                                                                                                                                        > These kids getting hit with a 30 year sentence

                                                                                                                                                                                                                                        They will not get hit with a 30 year sentence.

                                                                                                                                                                                                                                        • lopmotr 8 days ago

                                                                                                                                                                                                                                          That's violent crime though, which is more obviously bad, even to a teenager. If you're 17 and intentionally kill someone then your brain is broken and you should be kept away from innocent people forever unless you really have some delayed development that comes later.

                                                                                                                                                                                                                                          • eschaton 8 days ago

                                                                                                                                                                                                                                            Why do you assume black kids are being put away for violent crimes? Mostly it’s drug possession, and they get hit with years while a white kid caught for exactly the same drug and amount gets off with a warning “to avoid ruining his future.”

                                                                                                                                                                                                                                            • scollet 8 days ago

                                                                                                                                                                                                                                              Where did GP mention violent crime or killing people?

                                                                                                                                                                                                                                          • newacct583 8 days ago

                                                                                                                                                                                                                                            > To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't

                                                                                                                                                                                                                                            They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.

                                                                                                                                                                                                                                            You want those people LEADING us "into the future of science"?

                                                                                                                                                                                                                                            • shadowgovt 8 days ago

                                                                                                                                                                                                                                              > they tried to fool the world into sending them money

                                                                                                                                                                                                                                              Their mistake was they failed to call it a "series A funding round."

                                                                                                                                                                                                                                        • montenegrohugo 8 days ago

                                                                                                                                                                                                                                          If this turns out to be true, then we can conclude two things:

                                                                                                                                                                                                                                          1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.

                                                                                                                                                                                                                                          2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.

                                                                                                                                                                                                                                          • happytoexplain 8 days ago

                                                                                                                                                                                                                                            Frankly, I don't take "a teenager did it" as an extra mark against hacked systems any more. It's the details that matter - the difference between one teenager and multiple adults being able to hack something is not large unless the context is government hacking.

                                                                                                                                                                                                                                            • lima 8 days ago

                                                                                                                                                                                                                                              Maybe in terms of raw skills, but adults are likely to have more experience, better judgement and better opsec.

                                                                                                                                                                                                                                              • cle 8 days ago

                                                                                                                                                                                                                                                This works against them in many ways. They're also more likely to say "that wouldn't work", and to be otherwise biased by their prior experience.

                                                                                                                                                                                                                                                • tornato7 8 days ago

                                                                                                                                                                                                                                                  Yes, a teenager, especially one stuck at home and not going to school, might just spend weeks and weeks poking around to see what he can hack, and is much less afraid of the consequences

                                                                                                                                                                                                                                                  • jayrice257 8 days ago

                                                                                                                                                                                                                                                    But having no experience also can work against you in giant ways like leading to dead ends and hurdles you don't know how to overcome.

                                                                                                                                                                                                                                                    Overall there's not a good argument that it's a better position for an individual to be in for success.

                                                                                                                                                                                                                                                  • dagmx 8 days ago

                                                                                                                                                                                                                                                    Not to mention likely have better access to hardware and other resources

                                                                                                                                                                                                                                                • ggggtez 8 days ago

                                                                                                                                                                                                                                                  The Krebs article says that prior to the bitcoin hack, they were selling accounts such as @6 for $2000. They probably had a rapidly shrinking window and the bitcoin scam was the last ditch effort before whatever admin account they hijacked got discovered.

                                                                                                                                                                                                                                                  • dehrmann 8 days ago

                                                                                                                                                                                                                                                    > 1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.

                                                                                                                                                                                                                                                    Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.

                                                                                                                                                                                                                                                    You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.

                                                                                                                                                                                                                                                    • hentrep 8 days ago

                                                                                                                                                                                                                                                      My initial thought was that the bitcoin move was a red herring. DMs associated with the compromised accounts could be very well worth much more than $100k.

                                                                                                                                                                                                                                                    • imgabe 8 days ago

                                                                                                                                                                                                                                                      People did say things like you could have made a fortune shorting stock by tweeting something insane from Elon Musks account. I don't buy that as necessarily better than a Bitcoin account. Stock transactions are heavily regulated and monitored. You'd leave a pretty large paper trail of any stock manipulation you hoped to profit from.

                                                                                                                                                                                                                                                      Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?

                                                                                                                                                                                                                                                      • dkersten 8 days ago

                                                                                                                                                                                                                                                        The stock idea is dumb, in my opinion, because there were safer (no SEC) ways that required less capital and didn't require fancy trade accounts.

                                                                                                                                                                                                                                                        For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.

                                                                                                                                                                                                                                                        Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.

                                                                                                                                                                                                                                                        The nice thing is, they could do one or even multiple of these and still do the scam.

                                                                                                                                                                                                                                                        • jb775 8 days ago

                                                                                                                                                                                                                                                          How exactly do you short a specific cryptocurrency?

                                                                                                                                                                                                                                                          • dkersten 7 days ago

                                                                                                                                                                                                                                                            You go on Binance, BitMEX, Bybit, FTX, Phemex or any other exchange that offers futures or perpetual swaps that track the bitcoin (or whatever) price. This is basic stuff. You can create a BitMEX account in minutes, load some bitcoin in and short with 100x leverage with minimal time or effort, just need a small amount of bitcoin to trade with.

                                                                                                                                                                                                                                                            He could have done the scam on eg Elon Musks amount to get some bitcoin and then pulled this scam on an exchange using the money from the first scam

                                                                                                                                                                                                                                                            • flingo 7 days ago

                                                                                                                                                                                                                                                              > load some bitcoin in and short with 100x leverage

                                                                                                                                                                                                                                                              Sounds like a great way to have a crooked exchange make you insolvent very quickly. Be very careful using any kind of leverage.

                                                                                                                                                                                                                                                              • dkersten 7 days ago

                                                                                                                                                                                                                                                                If you don’t trust your exchange not to commit that kind of fraud, then you shouldn’t trade on it at all, as there are many ways they could defraud you even if you trade at 1x. There are plenty of. reasons why I wouldn’t recommend trading at 100x, but “the exchange might commit fraud” isn’t at the top.

                                                                                                                                                                                                                                                                Still, in the described scenario, where you use a scam and market manipulation, 100x seems like a great tool.

                                                                                                                                                                                                                                                                • jb775 6 days ago

                                                                                                                                                                                                                                                                  Are any of those exchanges based out of the USA? And do any of them not allow USA based customers? My concern is if I made a great trade at 100x and then go to transfer bitcoin and they freeze my account saying I need to provide proof of residency or some BS.

                                                                                                                                                                                                                                                                  • dkersten 6 days ago

                                                                                                                                                                                                                                                                    Most do not allow US customers, but even BitMEX gives you a few days to withdraw your funds after freezing your account if found to be in the US (I’ve been told by people who had their accounts frozen). Some have KYC, sure, but in my experience, many do not and let you withdraw without issue. A lot of people (stupidly, IMHO, but that’s beside the point) trade 100x, it’s part of many of these exchanges’ selling points.

                                                                                                                                                                                                                                                                    But if you were pulling the Twitter scam, as I described, you would be risking a few $K on this trade in the hopes of making a million or two, while still being able to do the scam they did. Sure, there are risks (such as being able to withdraw at all after using the Twitter hack to manipulate the market), but chances are there are plenty of others who will have shorted too so you’d be part of the noise and wait a week before withdrawing. It’s not a perfect plan, but it’s straightforward with the potential to multiply the scammed money.

                                                                                                                                                                                                                                                          • DabbyDabberson 8 days ago

                                                                                                                                                                                                                                                            if you're someone whose regularly traded 10s of thousands of certain stocks over the last few years, it would be nearly impossible for them to detect a $100k profit from stock manipulation. especially a high volume stock like TSLA

                                                                                                                                                                                                                                                            • dkersten 7 days ago

                                                                                                                                                                                                                                                              If you’re someone who regularly trades you already have money and are unlikely to be hacking twitter accounts. Certainly a 17 year old isn’t going to be in that category.

                                                                                                                                                                                                                                                              • janmo 8 days ago

                                                                                                                                                                                                                                                                Especially that Tesla is shorted so much. That said, shorting even with leverage requires you to have some money to invest. If you are 17 you are most likely broke.

                                                                                                                                                                                                                                                                • DabbyDabberson 4 days ago

                                                                                                                                                                                                                                                                  But the fact that _I_, could have made a higher return still holds. If I was 17 and broke, yeah the whole stock manipulation thing wouldn't be my first choice.

                                                                                                                                                                                                                                                            • woutr_be 8 days ago

                                                                                                                                                                                                                                                              If they knew up front they would be doing this, they could’ve shorted Tesla in smaller positions, over multiple accounts. There’s tons of people shorting Tesla, would it really be traceable to any of those?

                                                                                                                                                                                                                                                              • vkou 8 days ago

                                                                                                                                                                                                                                                                Yes, because the SEC isn't stupid, and would trawl through the data, until they found:

                                                                                                                                                                                                                                                                * A set of freshly opened accounts.

                                                                                                                                                                                                                                                                * That only shorted a single stock.

                                                                                                                                                                                                                                                                * Right before a major hack.

                                                                                                                                                                                                                                                                * That cashed out all at once.

                                                                                                                                                                                                                                                                * That never traded again.

                                                                                                                                                                                                                                                                And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few sql queries can narrow it down to the point that basic detective work can solve the rest.

                                                                                                                                                                                                                                                                The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.

                                                                                                                                                                                                                                                                This is also exactly how the SEC catches insider-traders. By analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short[1] on your employer twenty minutes before a disastrous earnings, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.

                                                                                                                                                                                                                                                                [1] If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
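
The five-criteria screen described in the comment above, as an added example that is not part of the original comment and is not any regulator's actual query. The table layout, the 30-day and 7-day thresholds, the ticker "XYZ", the dates and the account ids are all constructed assumptions; accounts matching at least four of the five criteria are returned for follow-up.

```python
import sqlite3

# Constructed sample data: ids, dates and tickers are invented for illustration.
EVENT_DAY = "2020-01-15"   # assumed day of the incident under investigation
SYMBOL = "XYZ"             # assumed ticker affected by the incident

ACCOUNTS = [               # (account id, day the account was opened)
    ("acct_A", "2020-01-10"),
    ("acct_B", "2015-03-01"),
    ("acct_C", "2019-06-01"),
    ("acct_D", "2020-01-05"),
]
TRADES = [                 # (account, symbol, side, day)
    ("acct_A", "XYZ", "short", "2020-01-14"),
    ("acct_A", "XYZ", "cover", "2020-01-16"),
    ("acct_B", "ABC", "buy",   "2018-05-02"),
    ("acct_B", "XYZ", "short", "2020-01-13"),
    ("acct_B", "XYZ", "cover", "2020-01-16"),
    ("acct_B", "ABC", "buy",   "2020-02-01"),
    ("acct_C", "XYZ", "short", "2020-01-12"),
    ("acct_C", "XYZ", "cover", "2020-01-17"),
    ("acct_D", "XYZ", "short", "2020-01-14"),
    ("acct_D", "XYZ", "cover", "2020-01-16"),
    ("acct_D", "XYZ", "cover", "2020-01-20"),
    ("acct_D", "ABC", "buy",   "2020-02-10"),
]

# One 0/1 flag per criterion from the comment, then a sum used as the score.
SCREEN_SQL = """
WITH flags AS (
  SELECT a.id,
    -- 1. freshly opened: account created shortly before the event
    (julianday(:event) - julianday(a.opened)) BETWEEN 0 AND :fresh_days AS fresh,
    -- 2. single stock: every trade on the account is in one symbol
    (SELECT COUNT(DISTINCT t.symbol) FROM trades t
      WHERE t.account = a.id) = 1 AS single_stock,
    -- 3. right before the event: a short in the affected symbol inside the window
    EXISTS (SELECT 1 FROM trades t
             WHERE t.account = a.id AND t.side = 'short' AND t.symbol = :symbol
               AND (julianday(:event) - julianday(t.day))
                   BETWEEN 0 AND :window_days) AS short_before,
    -- 4. cashed out all at once: all post-event covers fall on a single day
    (SELECT COUNT(DISTINCT t.day) FROM trades t
      WHERE t.account = a.id AND t.side = 'cover'
        AND t.day >= :event) = 1 AS one_cashout,
    -- 5. never traded again: nothing dated after the last cover
    --    (COALESCE makes an account that never covered fail this test)
    NOT EXISTS (SELECT 1 FROM trades t
                 WHERE t.account = a.id
                   AND t.day > COALESCE((SELECT MAX(c.day) FROM trades c
                                          WHERE c.account = a.id
                                            AND c.side = 'cover'), '')) AS dormant
  FROM accounts a
)
SELECT id, fresh, single_stock, short_before, one_cashout, dormant,
       fresh + single_stock + short_before + one_cashout + dormant AS score
  FROM flags
 WHERE fresh + single_stock + short_before + one_cashout + dormant >= :min_score
 ORDER BY score DESC, id
"""


def build_sample_db():
    """Load the constructed accounts and trades into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, opened TEXT)")
    conn.execute("CREATE TABLE trades (account TEXT, symbol TEXT, side TEXT, day TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO trades VALUES (?, ?, ?, ?)", TRADES)
    return conn


def flag_accounts(conn, event_day, symbol, min_score=4, fresh_days=30, window_days=7):
    """Return (id, five flags, score) rows for accounts meeting min_score criteria."""
    params = {"event": event_day, "symbol": symbol, "min_score": min_score,
              "fresh_days": fresh_days, "window_days": window_days}
    return conn.execute(SCREEN_SQL, params).fetchall()


if __name__ == "__main__":
    for row in flag_accounts(build_sample_db(), EVENT_DAY, SYMBOL):
        print(row)
```

In the constructed data, acct_C is an older account that still matches four criteria, which is the "legitimate traders" case the comment expects the follow-up questions to sort out.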

                                                                                                                                                                                                                                                                • jessaustin 8 days ago

                                                                                                                                                                                                                                                                  It would be nice if SEC were this dogged in its pursuit of actual insider trading.

                                                                                                                                                                                                                                                                  • vkou 8 days ago

                                                                                                                                                                                                                                                                    It is.

                                                                                                                                                                                                                                                                    Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.

                                                                                                                                                                                                                                                                    None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.

                                                                                                                                                                                                                                                                    • jessaustin 7 days ago

                                                                                                                                                                                                                                                                      Most "insider trading" is done by senior executives. As you observe, only non-connected "idiots" are ever prosecuted for insider trading. This "crime" is merely a way for corporate insiders to enforce penalties against those who defect from their conspiracy against the investing public. Non-insiders who trade on "inside" information release that information to the public, to the public's benefit, before the actual insiders are ready to profit at the public's expense.

                                                                                                                                                                                                                                                                      • kortilla 8 days ago

                                                                                                                                                                                                                                                                        Providing lots of examples of prosecutions does nothing to prove they catch even the majority of insider trades because there is no ground truth to work with here.

                                                                                                                                                                                                                                                                        Maybe the SEC is just good at catching people who don’t think through the paper trail.

                                                                                                                                                                                                                                                                      • arthurcolle 8 days ago

                                                                                                                                                                                                                                                                        Haha, that's a good one.

                                                                                                                                                                                                                                                                • 2OEH8eoCRo0 8 days ago

                                                                                                                                                                                                                                                                  Wasn't social engineering involved? It could simply be a numbers game. Twitter is no doubt probed daily by attackers and one managed to get through.

                                                                                                                                                                                                                                                                  • syshum 8 days ago

                                                                                                                                                                                                                                                                    I would add 3. People need to stop using "Trust <<insert large company>> instead of self hosting because they have teams of security "experts" and will have far better security than you ever could on your own"

                                                                                                                                                                                                                                                                    • nonsapreiche1 8 days ago

                                                                                                                                                                                                                                                                      never underestimate the intelligence of a teenager!

                                                                                                                                                                                                                                                                      • chasd00 8 days ago

                                                                                                                                                                                                                                                                        Never overestimate the intelligence of teenager either.

                                                                                                                                                                                                                                                                        I say this as a former teenager

                                                                                                                                                                                                                                                                        • unishark 7 days ago

                                                                                                                                                                                                                                                                          How are we supposed to get an exact estimate of their intelligence then?

                                                                                                                                                                                                                                                                        • pcunite 8 days ago

                                                                                                                                                                                                                                                                          Imagine what a Russian could do.

                                                                                                                                                                                                                                                                          • Ericson2314 8 days ago

                                                                                                                                                                                                                                                                            nyt 2025: Chinese-russian teenager gets donald trump elected in every single country using birth certificate 2fa

                                                                                                                                                                                                                                                                            • logicslave 8 days ago

                                                                                                                                                                                                                                                                              That you nancy pelosi?

                                                                                                                                                                                                                                                                          • ehsankia 8 days ago

                                                                                                                                                                                                                                                                            Wasn't there one more person involve (Kirk#5270) who apparently did most of the work and let these kids do the work? Sounds like a MafiaBoy situation, where more experienced hackers did the work and let younger script kiddies take the fall for it.

                                                                                                                                                                                                                                                                            • dyslexit 7 days ago

                                                                                                                                                                                                                                                                              It's implied that the 17 year old is kirk

                                                                                                                                                                                                                                                                            • peroporque 7 days ago


                                                                                                                                                                                                                                                                              3) if a teen can do it, then so can every intelligence service in the world. Just that they would probably stay quiet for years and years and gather data of "interesting" people.

                                                                                                                                                                                                                                                                              • YinglingLight 8 days ago

                                                                                                                                                                                                                                                                                What does the hack provide? Credible deniability for all VIPs involved for all DM's they've ever made. "I was hacked back in July 2020!"

                                                                                                                                                                                                                                                                              • indigochill 8 days ago

                                                                                                                                                                                                                                                                                I have an unrealistic idea (more of a thought experiment) that companies should face equal culpability to criminal hackers in attacks. After all, technically the way the hackers use systems /is/ authorized in a sense, even if the method of obtaining authorization is unconventional. Maybe this would get companies to pay more attention to securing their systems.

                                                                                                                                                                                                                                                                                From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).

                                                                                                                                                                                                                                                                                And yes, the charge count is insane but the US loves holding a bit of life-ruining theater when they catch hackers threatening commercial interests. e.g. Aaron Swartz's conviction: https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...

                                                                                                                                                                                                                                                                                • bioipbiop 8 days ago

                                                                                                                                                                                                                                                                                  I disagree, no system created by humans is going it be without flaws. I think it should be possible to sue a company if a victim can show that the company was negligent in its actions. Damages should be apportioned between the scammers and the company on the basis of their contributions to the act.

                                                                                                                                                                                                                                                                                  • I'm not sure I would call this "authorized in a sense" since social engineering, in order to gain access to an internal tool, was the method.

                                                                                                                                                                                                                                                                                    Social engineering most often involves impersonation, so the person getting access was not really the intended party.

                                                                                                                                                                                                                                                                                    • dahfizz 8 days ago

                                                                                                                                                                                                                                                                                      > companies should face equal culpability to criminal hackers in attacks.

                                                                                                                                                                                                                                                                                      That's an interesting idea, and I think I agree with you in spirit. But don't most hacking-related criminal charges boil down to "unauthorized access to a computer"? It would be hard to argue that the company that owns the computers has unauthorized access.

                                                                                                                                                                                                                                                                                      Maybe a better phraseology would be to say that the company is an accomplice to the hacker. For that to really hold up, I think you would need to show that the company was negligent or not keeping up with security best practices.

                                                                                                                                                                                                                                                                                      • indigochill 8 days ago

                                                                                                                                                                                                                                                                                        > It would be hard to argue that the company that owns the computers has unauthorized access.

                                                                                                                                                                                                                                                                                        That's not the way I'd argue. I'd say the company has authorized access and they then gave access to fraudsters who should not have been given access to the system, which is where they were aiding the fraud.

                                                                                                                                                                                                                                                                                        So they aren't the principal offender, but they did aid in the offence which is what I'm suggesting makes them an accomplice (although as another paulpauper points out, an accomplice has to be aware they're aiding a crime - being duped isn't a crime).

                                                                                                                                                                                                                                                                                      • paulpauper 8 days ago

                                                                                                                                                                                                                                                                                        accomplice means they knowingly aided in the fraud or profited from it. Being caught off guard is not a crime. The culpability is the reputation damage from being hacked.

                                                                                                                                                                                                                                                                                        • tantalor 8 days ago

                                                                                                                                                                                                                                                                                          >Being caught off guard is not a crime

                                                                                                                                                                                                                                                                                          It can be. Twitter could be found criminally negligent if they knew the risk of this type of attack (or it was obvious) but chose to ignore it.

                                                                                                                                                                                                                                                                                        • ChrisLomont 8 days ago

                                                                                                                                                                                                                                                                                          Should we make homeowners equally criminally liable when burglars break in? Certainly if the homeowner had been less lax or obtained more security, that burglary could have been prevented.

                                                                                                                                                                                                                                                                                          • Sebb767 8 days ago

                                                                                                                                                                                                                                                                                            > Should we make homeowners equally criminally liable when burglars break in?

                                                                                                                                                                                                                                                                                            Aren't they? I've seen a lot of insurance cases being denied due to negligence. This might even happen if you let your bag lie around openly in your locked car.

                                                                                                                                                                                                                                                                                            Also, burglar victims tend not to cause further damage. And, if they do, the victims will be in trouble as well. At least in Germany, a stolen gun will cause you a lot of problems, unless you can prove that you stored it securely according to the national guidelines.

                                                                                                                                                                                                                                                                                            • nkrisc 8 days ago

                                                                                                                                                                                                                                                                                              Like most things in life: it depends.

                                                                                                                                                                                                                                                                                              Your home was broken into and your jewelry stolen? No, you're not criminally liable for anything, you were the only victim.

                                                                                                                                                                                                                                                                                              Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?

                                                                                                                                                                                                                                                                                              It doesn't have to be a binary thing either, there's nuance to it. A hacker steals unencrypted personal information off a server you didn't even password protect? You're more liable than a company that lost personal information that was strongly encrypted.

                                                                                                                                                                                                                                                                                              • nexuist 8 days ago

                                                                                                                                                                                                                                                                                                > Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?

                                                                                                                                                                                                                                                                                                This is one of those ideas that seems to be made in good faith but ultimately harms the competition far more than it harms the industry leaders. Twitter can afford cameras and alarm systems for its data centers; I can’t. Twitter can afford to hire armed guards; I can’t.

                                                                                                                                                                                                                                                                                                The ultimate end result of a policy like this is that people will simply kill anyone trespassing on their property; after all, who knows what documents they may have seen or confidential records they may have exfiltrated. It’s way too heavy handed.

                                                                                                                                                                                                                                                                                                • nkrisc 7 days ago

                                                                                                                                                                                                                                                                                                  > The ultimate end result of a policy like this is that people will simply kill anyone trespassing on their property;

                                                                                                                                                                                                                                                                                                  That will probably get you more jail time than whatever other liabilities you might have had, which realistically maybe would have just been civil anyway, were some policy like this to become real.

                                                                                                                                                                                                                                                                                                  But put another way, in context of business collecting personal user data: if you can't secure it, don't collect it. If your business isn't viable then, well, tough shit.

                                                                                                                                                                                                                                                                                                  • tgsovlerkhgsel 7 days ago

                                                                                                                                                                                                                                                                                                    > Twitter can afford cameras and alarm systems for its data centers; I can’t.

                                                                                                                                                                                                                                                                                                    Twitter is also a much bigger target, and it makes sense to apply very different standards to what "reasonable" security is.

                                                                                                                                                                                                                                                                                                • tantalor 8 days ago

                                                                                                                                                                                                                                                                                                  Bad analogy: the only victim of a home invasion is the home owner.

                                                                                                                                                                                                                                                                                                  In the Twitter case, the victim were the users.

                                                                                                                                                                                                                                                                                                  • Your comment just sparked an weird thought for me. We're all familiar with the adage that if a product is free, you're not the customer you're the product. In this Twitter breach, Twitter's customers were not harmed. However, the product was harmed.

                                                                                                                                                                                                                                                                                                  • sneak 8 days ago

                                                                                                                                                                                                                                                                                                    Breaking and entering requires breaking.

                                                                                                                                                                                                                                                                                                    Sending packets is peaceful speech.

                                                                                                                                                                                                                                                                                                    • nickff 8 days ago

                                                                                                                                                                                                                                                                                                      Sending these particular packets was more akin to fraud. Should fraud be legalized?

                                                                                                                                                                                                                                                                                              • ziddoap 8 days ago

                                                                                                                                                                                                                                                                                                I was under the (apparently false?) assumption that under-18s couldn't be named. The alleged mastermind here is 17, yet is named and pictured.

                                                                                                                                                                                                                                                                                                Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.

                                                                                                                                                                                                                                                                                                • henryfjordan 8 days ago

                                                                                                                                                                                                                                                                                                  Florida has some of the most permissive laws about mugshots and criminal info.

                                                                                                                                                                                                                                                                                                  The reason for the "Florida Man" meme is not that people in Florida are more weird than anywhere else, just that it's easier to find the mugshots online.

                                                                                                                                                                                                                                                                                                  • ipsin 8 days ago

                                                                                                                                                                                                                                                                                                    The story below the linked one is how a man rammed his way into a gated community, beat two people to death with a baseball bath, and then the police found the suspect unconscious after he drank some bleach.

                                                                                                                                                                                                                                                                                                    That seems more weird than my local news, by a bit.

                                                                                                                                                                                                                                                                                                    • jdmichal 8 days ago

                                                                                                                                                                                                                                                                                                      Maybe it's weirder than your local news, because your local news never finds out about those weird police calls like they do in Florida?

                                                                                                                                                                                                                                                                                                      • perl4ever 8 days ago

                                                                                                                                                                                                                                                                                                        It's my opinion that Florida is weirder, because driving around, the weird signs of weird people (roadside, or on their vehicles for instance) are weirder and more common than up north. Not an airtight proof, but an independent datum not biased for the same reasons as the news.

                                                                                                                                                                                                                                                                                                      • bdamm 8 days ago

                                                                                                                                                                                                                                                                                                        This is a demonstration of selection bias.

                                                                                                                                                                                                                                                                                                        • rriepe 8 days ago

                                                                                                                                                                                                                                                                                                          That's still downstream of Florida's sunshine laws. If that happens in your state, there's a chance the media doesn't hear about it, or hears about it too late.

                                                                                                                                                                                                                                                                                                          In Florida, the media hears about anything that involves an arrest because it's all published for public inspection. It's not just mugshots but other records too.

                                                                                                                                                                                                                                                                                                          The smallest community newspapers in Florida will have a section about who got arrested.

                                                                                                                                                                                                                                                                                                          • ogre_codes 8 days ago

                                                                                                                                                                                                                                                                                                            > That seems more weird than my local news, by a bit.

                                                                                                                                                                                                                                                                                                            Come to Oregon and we can talk weird.

                                                                                                                                                                                                                                                                                                          • js2 8 days ago
                                                                                                                                                                                                                                                                                                            • wahern 8 days ago

                                                                                                                                                                                                                                                                                                              Those aren't particularly weird. People chopping off their limbs in copy-cat insurance scams is weird: https://en.wikipedia.org/wiki/Vernon,_Florida

                                                                                                                                                                                                                                                                                                              For over a hundred years kooks and scammers from the Northeast and Midwest have made their way down to Florida. It's a weird place because weird and disreputable people move there. (Source: I grew up in the panhandle, and also inherited some "beach front" property in the middle of the woods that an uncle bought in the 1960s from a Chicago developer front running a classic Florida real estate racket. Also, see "Oh, Florida!: How America's Weirdest State Influences the Rest of the Country".)

                                                                                                                                                                                                                                                                                                            • pchristensen 8 days ago

                                                                                                                                                                                                                                                                                                              Seconded, grew up in Tampa. Florida is weird, just not quite as weird as "Florida Man" makes it look.

                                                                                                                                                                                                                                                                                                            • Jestar342 8 days ago

                                                                                                                                                                                                                                                                                                              I always thought this was for precisely the oppposite - i.e. that news headlines (edit: I mean whole articles) were more often "A Florida Man has been arrested" because they were not allowed/didn't have the names.

                                                                                                                                                                                                                                                                                                              • henryfjordan 8 days ago

                                                                                                                                                                                                                                                                                                                I think using the term "Florida Man" is a meme now and probably carries more weight than using the accused's actual name.

                                                                                                                                                                                                                                                                                                                From the wikipedia article:

                                                                                                                                                                                                                                                                                                                > Miami New Times claimed that freedom of information laws in Florida make it easier for journalists to obtain information about arrests from the police than in other states and that this is responsible for the large number of news articles


                                                                                                                                                                                                                                                                                                                • Jestar342 8 days ago

                                                                                                                                                                                                                                                                                                                  I understand now, the headline reads "Florida Man arrested" and then the article will have "Bob Bobbinson was arrested today for ..."

                                                                                                                                                                                                                                                                                                                • J5892 8 days ago

                                                                                                                                                                                                                                                                                                                  How many headlines about non-public figures have you seen that include someone's name?

                                                                                                                                                                                                                                                                                                                  "Tim Jones has been arrested" isn't exactly an informative headline.

                                                                                                                                                                                                                                                                                                                  • Jestar342 8 days ago

                                                                                                                                                                                                                                                                                                                    Well that's just taking things too literally. I meant the whole article would use "Florida man" instead of a name.

                                                                                                                                                                                                                                                                                                                    • kgwxd 8 days ago

                                                                                                                                                                                                                                                                                                                      I Googled the name hoping to prove that wrong, I wish I hadn't.

                                                                                                                                                                                                                                                                                                                    • kube-system 8 days ago

                                                                                                                                                                                                                                                                                                                      The headline is usually "A Florida Man has been arrested" because news stations all around the country dig through Florida public records to fill space when their local news is slow. It says "Florida" because it is not local to the outlet that is publishing it. Local news usually says "local man" or specifies a locality.

                                                                                                                                                                                                                                                                                                                    • ABoldGambit 8 days ago

                                                                                                                                                                                                                                                                                                                      If anyone's interested in an in depth dive into the "Florida Man" meme, the podcast Citations Needed did a great (imo) episode on it: https://soundcloud.com/citationsneeded/episode-75-florida-ma...

                                                                                                                                                                                                                                                                                                                  • otterley 8 days ago

                                                                                                                                                                                                                                                                                                                    It has been a journalistic tradition done out of good faith not to print the names of accused minors. This has largely been done industry-wide under an implicit "gentleman's agreement." Similar traditions include not printing the names of victims of alleged rape victims or other sexual crimes.

                                                                                                                                                                                                                                                                                                                    But there's no law against it that I am aware of.

                                                                                                                                                                                                                                                                                                                    • otterley 8 days ago

                                                                                                                                                                                                                                                                                                                      Update: 18 USC Section 5038 (Juvenile Justice Act) generally prohibits the publication of juvenile delinquency records, including the identity of the accused: https://www.law.cornell.edu/uscode/text/18/5038

                                                                                                                                                                                                                                                                                                                      Note that this does not apply to violations of State laws, only Federal law violations. States may further restrict the publication of juvenile records.

                                                                                                                                                                                                                                                                                                                    • abhorrence 8 days ago

                                                                                                                                                                                                                                                                                                                      There actually are very few legal restrictions on naming minors. There is substantially more scrutiny applied to false reporting when it involves accusing a minor of a crime. Most of the time when publications refuse to name a minor it’s because they promised not to while obtaining the minor’s name.

                                                                                                                                                                                                                                                                                                                      • tptacek 8 days ago

                                                                                                                                                                                                                                                                                                                        There are lots of restrictions on identifying minors charged with crimes, but they apply to court documents, not to the media.

                                                                                                                                                                                                                                                                                                                      • danso 8 days ago

                                                                                                                                                                                                                                                                                                                        The courts have historically ruled on the press's right to name accused minors:


                                                                                                                                                                                                                                                                                                                        • rcoveson 8 days ago

                                                                                                                                                                                                                                                                                                                          Maybe some other news outlet named him first and they updated their own article to include that tidbit as well, so as not to be outdone?

                                                                                                                                                                                                                                                                                                                          • cookiecaper 8 days ago

                                                                                                                                                                                                                                                                                                                            My guess would be that he is being tried as an adult and thus not eligible for the protections afforded to juveniles.

                                                                                                                                                                                                                                                                                                                            • ProAm 8 days ago

                                                                                                                                                                                                                                                                                                                              Tried as an adult for a hack on a social media site?

                                                                                                                                                                                                                                                                                                                              • jessaustin 8 days ago

                                                                                                                                                                                                                                                                                                                                Don't expect reason or a sense of proportionality from USA "justice system". Prosecuting a social media hack will get a lot more attention than prosecuting e.g. some common crime of violence. Prosecutors are basically the worst people in USA. (In case you're wondering, yes they are worse than police.)

                                                                                                                                                                                                                                                                                                                          • pojntfx 8 days ago

                                                                                                                                                                                                                                                                                                                            "Our European visitors are important to us.

                                                                                                                                                                                                                                                                                                                            This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws."


                                                                                                                                                                                                                                                                                                                            • nightcracker 8 days ago

                                                                                                                                                                                                                                                                                                                              Why do all these prompts use doublespeak so blatantly? It's actually insane.

                                                                                                                                                                                                                                                                                                                              "Your privacy matters to us." -> Then why are you asking me to give it up? If my privacy mattered to you you wouldn't even ask to install tracking cookies and gather my data.

                                                                                                                                                                                                                                                                                                                              • _jjkk 8 days ago

                                                                                                                                                                                                                                                                                                                                It's not doublespeak. What would you have the message say?

                                                                                                                                                                                                                                                                                                                                It's a legacy site and they haven't finished implementing out-out-only / data-deletion / etc... I wouldn't assume malicious intent.

                                                                                                                                                                                                                                                                                                                                • function_seven 8 days ago

                                                                                                                                                                                                                                                                                                                                  It's been quite awhile now since the GDRP protections have been around. If they haven't finished removing tracking by now, then they're lying when they say "your privacy matters to us".

                                                                                                                                                                                                                                                                                                                                  No, it doesn't. If it mattered, then you would act like it.

                                                                                                                                                                                                                                                                                                                                  • SpicyLemonZest 8 days ago

                                                                                                                                                                                                                                                                                                                                    This isn't the New York Times. I don't think it's reasonable to expect the local news for a mid-sized American city to prioritize implementation of the EU's data rules.

                                                                                                                                                                                                                                                                                                                                    • function_seven 8 days ago

                                                                                                                                                                                                                                                                                                                                      Sure, but it's plenty of time to just remove tracking cookies altogether. Which would have been easier to implement than what they're doing now (geolocating visitors, serving custom messages depending on jurisdiction, etc.)

                                                                                                                                                                                                                                                                                                                                      I mean, if my privacy matters to them.

                                                                                                                                                                                                                                                                                                                                      I know the online news business is difficult to monetize. Only a handful of major news orgs can put paywalls up and charge subscribers directly. I get that.

                                                                                                                                                                                                                                                                                                                                      So, what they do instead is use 3rd party ad networks and analytics, and traffic in my personal data, while telling me that my privacy matters.

                                                                                                                                                                                                                                                                                                                                      That's why this is doublespeak. They're saying one thing (my privacy matters) while doing another (funding their operations in part on my personal data).

                                                                                                                                                                                                                                                                                                                                      Is it the only viable model for them? Maybe. That's not really relevant, though.

                                                                                                                                                                                                                                                                                                                                      • rtx 8 days ago

                                                                                                                                                                                                                                                                                                                                        Your privacy matters, only if you pay. I don't click on content site links where I am not a customer.

                                                                                                                                                                                                                                                                                                                                      • ryandrake 8 days ago

                                                                                                                                                                                                                                                                                                                                        They seem to have the technical wherewithal and motivation to prioritize all that tracking in the first place, though...

                                                                                                                                                                                                                                                                                                                                    • EE84M3i 7 days ago


                                                                                                                                                                                                                                                                                                                                      What is "out-out-only"? My google fu is failing me.

                                                                                                                                                                                                                                                                                                                                    • Nasrudith 8 days ago

                                                                                                                                                                                                                                                                                                                                      It is true though. It matters to them in the same way virginity matters to someone trying to seduce someone. It is an absolute binary status that maintaining gets in the way of what they want.

                                                                                                                                                                                                                                                                                                                                      • dustingetz 8 days ago

                                                                                                                                                                                                                                                                                                                                        it has evolved

                                                                                                                                                                                                                                                                                                                                      • kube-system 8 days ago

                                                                                                                                                                                                                                                                                                                                        [cost of compliance] > [revenue from EU visitors]

                                                                                                                                                                                                                                                                                                                                        • georgiecasey 8 days ago

                                                                                                                                                                                                                                                                                                                                          And I don't blame the site at all. Another stupid rule from the EU preventing me from reading articles.

                                                                                                                                                                                                                                                                                                                                          • twhb 8 days ago

                                                                                                                                                                                                                                                                                                                                            A man has a hotdog stand that he never cleans. One day, a health inspector comes by and tells him that unless he cleans his grill every day, he can’t keep selling hotdogs. The man shouts “I’ve never cleaned the grill in my life! It’s impossible, nobody does it! And who’s going to pay for the cleaner and the five minutes every day, me? No, I’ll just go sell my hotdogs somewhere else.” And he leaves. Later a regular comes by, sees the missing hotdog stand, hears it happened as a result of the health inspector’s visit, sees that other people are now eating the man’s hotdogs while he can’t, and thinks “Man I’m hungry. Screw health inspectors.”

                                                                                                                                                                                                                                                                                                                                            Taking care of people can be a thankless job.

                                                                                                                                                                                                                                                                                                                                            Here are a dozen healthier options: https://duckduckgo.com/?q=graham+clark&t=osx&iar=news&ia=new...

                                                                                                                                                                                                                                                                                                                                            • georgiecasey 8 days ago

                                                                                                                                                                                                                                                                                                                                              See it's all a matter of opinion. I personally don't really care about online privacy and GDPR just gets in my way. I know that's not a very popular opinion on this site but it's the way I feel.

                                                                                                                                                                                                                                                                                                                                              • dane-pgp 8 days ago

                                                                                                                                                                                                                                                                                                                                                "Those who don’t care much about privacy might say that they have nothing to hide. Those who do worry about it might say that keeping their personal data safe protects them from being harmed by hackers or unscrupulous companies. Both positions assume that caring about and protecting one’s privacy is a personal matter. This is a common misunderstanding."


                                                                                                                                                                                                                                                                                                                                                • Camas 8 days ago

                                                                                                                                                                                                                                                                                                                                                  "We have to put an accept button on every new website you visit or democracy will end"

                                                                                                                                                                                                                                                                                                                                                  • dane-pgp 7 days ago

                                                                                                                                                                                                                                                                                                                                                    "Any government regulation is literally fascism/communism and will inevitably lead to the deaths of millions of people."

                                                                                                                                                                                                                                                                                                                                                    Do you see why straw man arguments aren't helpful?

                                                                                                                                                                                                                                                                                                                                          • Akronymus 8 days ago


                                                                                                                                                                                                                                                                                                                                            You may find this site helpful

                                                                                                                                                                                                                                                                                                                                          • segfaultbuserr 8 days ago
                                                                                                                                                                                                                                                                                                                                            • giomasce 8 days ago

                                                                                                                                                                                                                                                                                                                                              The rule is not preventing anything. The website is redirecting your requests on a static page.

                                                                                                                                                                                                                                                                                                                                          • searchableguy 8 days ago
                                                                                                                                                                                                                                                                                                                                            • biermic 8 days ago

                                                                                                                                                                                                                                                                                                                                              Does this mean the US visitors data is not protected? Or no resources to add a cookie banner?

                                                                                                                                                                                                                                                                                                                                              • ceejayoz 8 days ago

                                                                                                                                                                                                                                                                                                                                                It means they're tracking US visitors in ways intrusive enough to be illegal in Europe, yes.

                                                                                                                                                                                                                                                                                                                                                • superkuh 8 days ago

                                                                                                                                                                                                                                                                                                                                                  Only if you enable javascript. This is exactly equivalent to opening every email attachment you receive. It's absurd this is considered the norm.

                                                                                                                                                                                                                                                                                                                                                  You can take individual responsibility and disable JS by default. Also, don't visit sites that you disagree with. This is much more ethical than the European choice to bring in people with guns to coerce sites into behaving how they want. It's easy to understand why international sites block European visitors to avoid that violence-backed coercion.

                                                                                                                                                                                                                                                                                                                                                  • ceejayoz 8 days ago

                                                                                                                                                                                                                                                                                                                                                    > You can take individual responsibility and disable JS by default.

                                                                                                                                                                                                                                                                                                                                                    Sure, you try explaining that to the general public, and why most of the sites they visit don't work anymore. It's hard enough to manage as a techie. This is the same argument snake oil purveyors use to complain about health and safety regulations, and it's silly for the same reasons.

                                                                                                                                                                                                                                                                                                                                                    > This is much more ethical than the European choice to bring in people with guns to coerce sites into behaving how they want.

                                                                                                                                                                                                                                                                                                                                                    Which GDPR violations have been met with armed agents?

                                                                                                                                                                                                                                                                                                                                                    • superkuh 8 days ago

                                                                                                                                                                                                                                                                                                                                                      I don't know about the public. That is many people I don't have control of. I do know that I can do it myself and it works fine and I can work around things.

                                                                                                                                                                                                                                                                                                                                                      I think this is true for many technical people. And I think doing this would encourage many of us to think of better ways to design and implement no-JS fallback functionality when making things for the public to use.

                                                                                                                                                                                                                                                                                                                                                      • ceejayoz 8 days ago

                                                                                                                                                                                                                                                                                                                                                        > I don't know about the public.

                                                                                                                                                                                                                                                                                                                                                        The EU is tasked with protecting their public in a way that you are not.

                                                                                                                                                                                                                                                                                                                                                        • superkuh 8 days ago

                                                                                                                                                                                                                                                                                                                                                          Just to refresh, the context of this sub-thread is about what people outside of the EU should do. Those living in the EU already subscribe to social policies based on positive liberty and can ignore discussions about individual responsibility for their behavior.

                                                                                                                                                                                                                                                                                                                                                    • freehunter 8 days ago

                                                                                                                                                                                                                                                                                                                                                      People really need to stop suggesting disabling Javascript as a solution. It’s not a solution.

                                                                                                                                                                                                                                                                                                                                                      First, it puts the blame on the victim. “Oh you got hacked? Should have turned off Javascript.” Stop blaming the victim. Browsers come with Javascript turned on by default and many sites expect Javascript will work, so it’s a reasonable expectation that users leave Javascript enabled.

                                                                                                                                                                                                                                                                                                                                                      Secondly there are a lot of devices that people access the web from. It’s not possible or easy to turn off Javascript on all platforms. If I ran my iPhone with Javascript disabled, every site I visited that needed Javascript would make me stop, go to Settings, scroll down to find Safari, scroll all the way to the bottom to find Advanced, then toggle the Javascript button. Then go back to Safari, view the site I wanted to see, then do it all over again to disable Javascript again. That’s not a reasonable workflow to even suggest.

                                                                                                                                                                                                                                                                                                                                                      Lastly... ah nevermind, I don’t actually want to know if you honestly believe anyone is enforcing GDPR with a gun. It’s not true in any way but it’s such a ludicrous statement that I honestly don’t even want to hear if you’re being serious or not. For my own mental health I will pretend you’re joking.

                                                                                                                                                                                                                                                                                                                                                      • superkuh 7 days ago

                                                                                                                                                                                                                                                                                                                                                        I'm reposting this reply to you because it makes my argument well. The other guy's "new" account got wiped out by it's new status and was easily downvoted away from people that can't read "dead" posts. Anyway, here it is:

                                                                                                                                                                                                                                                                                                                                                        People really need to stop suggesting using condoms as a solution. It’s not a solution.

                                                                                                                                                                                                                                                                                                                                                        First, it puts the blame on the victim. “Oh you got an STD? Should have used a condom.” Stop blaming the victim. Birthday suits don't come with condoms by default and many people expect unprotected sex, so it’s a reasonable expectation that people don't wear condoms.

                                                                                                                                                                                                                                                                                                                                                        Secondly there are a lot of places that people have SEX (Software EXchange). It’s not convenient to put on condoms in all places. If I used condoms when going to the local glory hole, every dick I sucked that needed a condom would make me stop, go to my bag, find my box of condoms, open one, and put it on him. Then go back to sucking dicks, bust this guy's nut, then go through the hassle of taking the condom off. That’s not a reasonable workflow to even suggest.

                                                                                                                                                                                                                                                                                                                                                        Lastly... ah nevermind, I don’t actually want to know if you honestly believe anyone is enforcing sex-after-marriage with a gun. It’s not true in any way but it’s such a ludicrous statement that I honestly don’t even want to hear if you’re being serious or not. For my own mental health I will pretend you’re joking.

                                                                                                                                                                                                                                                                                                                                                        • wickedwideweb 8 days ago

                                                                                                                                                                                                                                                                                                                                                          People really need to stop suggesting using condoms as a solution. It’s not a solution.

                                                                                                                                                                                                                                                                                                                                                          First, it puts the blame on the victim. “Oh you got an STD? Should have used a condom.” Stop blaming the victim. Birthday suits don't come with condoms by default and many people expect unprotected sex, so it’s a reasonable expectation that people don't wear condoms.

                                                                                                                                                                                                                                                                                                                                                          Secondly there are a lot of places that people have SEX (Software EXchange). It’s not convenient to put on condoms in all places. If I used condoms when going to the local glory hole, every dick I sucked that needed a condom would make me stop, go to my bag, find my box of condoms, open one, and put it on him. Then go back to sucking dicks, bust this guy's nut, then go through the hassle of taking the condom off. That’s not a reasonable workflow to even suggest.

                                                                                                                                                                                                                                                                                                                                                          Lastly... ah nevermind, I don’t actually want to know if you honestly believe anyone is enforcing sex-after-marriage with a gun. It’s not true in any way but it’s such a ludicrous statement that I honestly don’t even want to hear if you’re being serious or not. For my own mental health I will pretend you’re joking.

                                                                                                                                                                                                                                                                                                                                                        • anoa_ 8 days ago

                                                                                                                                                                                                                                                                                                                                                          I would say it's equivalent to opening all email attachments in a VM, as there is a sandbox these things run in. That's security-wise though.

                                                                                                                                                                                                                                                                                                                                                          Privacy-wise there's certainly more fingerprintable data available to the program than what you would get in a typical VM.

                                                                                                                                                                                                                                                                                                                                                      • jcims 8 days ago

                                                                                                                                                                                                                                                                                                                                                        Maybe. Maybe not. Regulatory compliance is orthogonal to security and privacy. Just ask PCI folks.

                                                                                                                                                                                                                                                                                                                                                        • It means they're not complying with European Union laws. Whether you think complying with a law is synonymous with protection, or security or privacy is up to your experience and worldview.

                                                                                                                                                                                                                                                                                                                                                          • ben_w 8 days ago

                                                                                                                                                                                                                                                                                                                                                            Or that they don’t know if they are complying.

                                                                                                                                                                                                                                                                                                                                                        • bartread 8 days ago

                                                                                                                                                                                                                                                                                                                                                          "Our European visitors are important to us."

                                                                                                                                                                                                                                                                                                                                                          Yes, quite. I won't repeat the phrase that immediately came to mind when I read that, but I will say it ended with, "you News Channel 8!"

                                                                                                                                                                                                                                                                                                                                                          • paulcole 8 days ago

                                                                                                                                                                                                                                                                                                                                                            It's a GDPR compliant site.

                                                                                                                                                                                                                                                                                                                                                            Europeans should be impressed that American sites were so quick to comply with their well thought out and reasonable regulations.

                                                                                                                                                                                                                                                                                                                                                          • aerovistae 8 days ago

                                                                                                                                                                                                                                                                                                                                                            It's sad to me how the authorities are bragging about how quickly they caught them and how effective they are at solving this type of crime.

                                                                                                                                                                                                                                                                                                                                                            The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.

                                                                                                                                                                                                                                                                                                                                                            I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.

                                                                                                                                                                                                                                                                                                                                                            So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.

                                                                                                                                                                                                                                                                                                                                                            • bmitc 8 days ago

                                                                                                                                                                                                                                                                                                                                                              It's also just another case where those not in power who attacked those in power are swiftly and promptly dealt with versus those in power perpetuating the same attacks go free. I would rather see them gloat over putting people with real power and influence with their attacks in jail versus bragging about locking up teenagers and people in their early twenties.

                                                                                                                                                                                                                                                                                                                                                              There's a quote in the article, "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence", which just reiterates this perception of the justice system being "hard" on crime. Yet it conveniently ignores being soft on crime if you're rich or in power.

                                                                                                                                                                                                                                                                                                                                                              • apengwin 8 days ago

                                                                                                                                                                                                                                                                                                                                                                I don't think they're bragging. They're trying to dissuade the next attacker.

                                                                                                                                                                                                                                                                                                                                                              • bilbopotter 8 days ago

                                                                                                                                                                                                                                                                                                                                                                Obviously what they did is wrong but the kid is 17. To me this is a prime example of where a short sentence or community service should be used. Don't ruin his life - he could be a useful employee for a tech company.

                                                                                                                                                                                                                                                                                                                                                                • tptacek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                  It drives me a little nuts when people say stuff like this (they said it about Reiser, too) --- because you can say the same thing about tens of thousands of young offenders imprisoned for crimes we don't have a rooting interest in.

                                                                                                                                                                                                                                                                                                                                                                  We need to reduce sentences across the board, for both violent and nonviolent crimes, because our sentencing ranges are bonkers. But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.

                                                                                                                                                                                                                                                                                                                                                                  At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.

                                                                                                                                                                                                                                                                                                                                                                  • teruakohatu 8 days ago

                                                                                                                                                                                                                                                                                                                                                                    > But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.

                                                                                                                                                                                                                                                                                                                                                                    You don't just disagree, but actually believe people asking for leniency are outright behaving immorally. You can disagree without calling someone immoral.

                                                                                                                                                                                                                                                                                                                                                                    Sending a 17 year old to prison for a non violent crime for 2-4x as long as a murderer would get in my country seems criminal in itself (but I don't think you are immoral for advocating for it).

                                                                                                                                                                                                                                                                                                                                                                    Reiser was a murderer. An equivalent to this crime would be a 17 Yr old who managed to pick the lock of Fort Knox with a toothpick and walk out with a 1kg gold bar.

                                                                                                                                                                                                                                                                                                                                                                    • ryanlol 7 days ago

                                                                                                                                                                                                                                                                                                                                                                      > At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.

                                                                                                                                                                                                                                                                                                                                                                      I wouldn’t be so sure. Look at Paras Jha, Zachary Buchta and Mir Islam.

                                                                                                                                                                                                                                                                                                                                                                      All engaged in similar high profile crimes, all monetized. I think only Mir spent a little bit of time in prison.

                                                                                                                                                                                                                                                                                                                                                                      I have a hard time thinking of any young, high profile offenders that were handed severe punishments for cybercrimes by federal courts in the past decade.

                                                                                                                                                                                                                                                                                                                                                                    • Waterluvian 8 days ago

                                                                                                                                                                                                                                                                                                                                                                      American justice is rarely about rehabilitating the perpetrator. It’s about ensanguinating the bloodthirsty and making the fearful feel safe.

                                                                                                                                                                                                                                                                                                                                                                      • hirundo 8 days ago

                                                                                                                                                                                                                                                                                                                                                                        > It’s about ensanguinating the bloodthirsty

                                                                                                                                                                                                                                                                                                                                                                        So, like Twitter.

                                                                                                                                                                                                                                                                                                                                                                        • TeeMassive 8 days ago

                                                                                                                                                                                                                                                                                                                                                                          And enriching the private prisons owners, who then lobby both parties for harsher sentences and this is why the US, a free democracy, has the highest incarceration rate in the World.

                                                                                                                                                                                                                                                                                                                                                                          • kingbirdy 8 days ago

                                                                                                                                                                                                                                                                                                                                                                            Private prisons represent only ~8% of the US state & federal prison population[0]. Private prisons, while bad, are a distraction from the larger issues of policing and incarceration in the US and aren't the reason why we have so many people locked up. Almost half of all federally incarcerated people in the US are there for drug-related offenses[1] thanks to the "War on Drugs", that's where you want to be focusing your efforts on change.

                                                                                                                                                                                                                                                                                                                                                                            [0]: https://www.sentencingproject.org/publications/private-priso....

                                                                                                                                                                                                                                                                                                                                                                            [1]: https://www.bop.gov/about/statistics/statistics_inmate_offen...

                                                                                                                                                                                                                                                                                                                                                                            • bmitc 8 days ago

                                                                                                                                                                                                                                                                                                                                                                              While that percentage is low, it doesn't tell the whole story. Private prisons are certainly a major symptom of the problem with our prisons. The U.S. has the largest private prison population in the world, and you'll note from your own link that the private prison population from 2000 to 2019 increased by 39%. Also, for federal prisons, the percentage of inmates in private prisons is 19.1%. These are definitely problems and discussing them also helps discuss the big issues such as why in the hell we're incarcerating so many people.


                                                                                                                                                                                                                                                                                                                                                                              • kristofferR 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                And private prisons create an insane incentive to increase incarceration in order to increase profits.

                                                                                                                                                                                                                                                                                                                                                                          • supergirl 8 days ago

                                                                                                                                                                                                                                                                                                                                                                            and making the plebs fearful

                                                                                                                                                                                                                                                                                                                                                                          • abarwick 8 days ago

                                                                                                                                                                                                                                                                                                                                                                            If he had gotten into twitter to make some funny status's then sure, community service makes sense. But this kid scammed a lot of money from a lot of people, severe criminal charges are appropriate.

                                                                                                                                                                                                                                                                                                                                                                            • meddlepal 8 days ago

                                                                                                                                                                                                                                                                                                                                                                              And this is where the distinction between minor and adult breaks down. He's 17, he's going to be an adult within 365 days.

                                                                                                                                                                                                                                                                                                                                                                              I dunno what you do here. The book would absolutely be thrown at him if he were 18. He might get off "lightly" at 17, but should he? He should know better right?

                                                                                                                                                                                                                                                                                                                                                                              I think he gets tried as an adult. He just yeeted his life.

                                                                                                                                                                                                                                                                                                                                                                              • Judgmentality 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                Honestly the fact that an adult would get such a harsh sentence seems pretty dumb too.

                                                                                                                                                                                                                                                                                                                                                                                • weare138 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                  True he did commit a serious crime, but it's a non-violent crime. The kid obviously has some skill and potential in life. Sending young, misguided amateur criminals to prison just creates professional criminals. A crapton of strict probation and community service would be more appropriate than prison in my opinion.

                                                                                                                                                                                                                                                                                                                                                                                • willio58 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                  Agreed that he should not face prison time for this. I would agree with a fine on the order that he is estimated to have scammed from people.

                                                                                                                                                                                                                                                                                                                                                                                  • bradly 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                    Depends on your views of the justice system. Is it prevent person from committing the crime again? Is it punish the person for the crime regardless of whether or not the punishment prevents future crimes by the person? Or is it to punish the person so others will be fearful of similar consequences?

                                                                                                                                                                                                                                                                                                                                                                                    • kbradero 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                      100% the first, always the first. Other than that justice will become just a political tool.

                                                                                                                                                                                                                                                                                                                                                                                    • axaxs 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                      Hard disagree. Beyond the 'hacking', if that's what you can even call it, he knowingly scammed people. That's not kids being kids, that's some inherent mental state. Throw the book at him.

                                                                                                                                                                                                                                                                                                                                                                                      • est31 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                        IIRC in the past, cyber criminals in similar situations were made to help federal cyber crime investigations, not sure whether through community service or a form of prison labor. The price tag for talented people is high so it's a win-win situation compared to wasting their talent by making them do low skilled labor.

                                                                                                                                                                                                                                                                                                                                                                                        • weaksauce 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                          he socially engineered his way into twitter... that's not exactly what those units are looking for.

                                                                                                                                                                                                                                                                                                                                                                                          • cryptoz 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                            Didn't the FBI hire Frank Abagnale Jr for like 30 years specifically for those exact skills?

                                                                                                                                                                                                                                                                                                                                                                                            • weaksauce 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                              More for his check fraud stuff I thought.

                                                                                                                                                                                                                                                                                                                                                                                        • mychael 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                          It doesn't matter what skills he has if he is morally bankrupt.

                                                                                                                                                                                                                                                                                                                                                                                          • warent 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                            Sure, it's a crime and he knew that. That being said, let's not pretend like this is a fully developed adult human who has committed murder. This is a child (legally) who committed fraud. The brain of a 17 year old is still physically developing; the prefrontal cortex isn't fully formed. I can't fathom how you would expect them to have the capacity to fully grasp the consequences of their actions with an issue as complex as this one.

                                                                                                                                                                                                                                                                                                                                                                                        • ggggtez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                          Imagine a 17 year old robs a bank and steal 100k from the savings accounts of random people.

                                                                                                                                                                                                                                                                                                                                                                                          Or a 17 year old steals a couple of cars from random people off the street...

                                                                                                                                                                                                                                                                                                                                                                                          The crime is not breaking into Twitter. The crime is theft. Twitter didn't steal that money, this guy did. Let's not pretend the internet is a magical land without consequences.

                                                                                                                                                                                                                                                                                                                                                                                          • Taek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                            > Imagine a 17 year old robs a bank and steal 100k from the savings accounts of random people.

                                                                                                                                                                                                                                                                                                                                                                                            I think that's a great comparison. But it's not an armed robbery, it's a break-and-enter where no property gets destroyed.

                                                                                                                                                                                                                                                                                                                                                                                            How many felonies does the robber get after being caught? I don't actually know but I'm guessing 1-3? Certainly stealing $100k is a deserving felony. But 30 felonies seems a bit steep.

                                                                                                                                                                                                                                                                                                                                                                                            • user5994461 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                              The guys have a very long history of scams, with $700 000 seized before this twitter thing it seems.

                                                                                                                                                                                                                                                                                                                                                                                              That money is very much destroyed for the people whom it was stolen from.

                                                                                                                                                                                                                                                                                                                                                                                              • cutemonster 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                > a great comparison


                                                                                                                                                                                                                                                                                                                                                                                                It's more as if he, once in the bank, added a poster:

                                                                                                                                                                                                                                                                                                                                                                                                "mail money to street 123 city Abcde, and we'll mail you twice back"

                                                                                                                                                                                                                                                                                                                                                                                                • ChrisLomont 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                  It depends on how many laws with felony consequences each broke.

                                                                                                                                                                                                                                                                                                                                                                                                  If a robber hacks a computer (a felony), impersonates law enforcement (a felony), uses that to commit fraud (a felony), then transfers stolen money across state lines (a felony), then tries to launder it (a felony).....

                                                                                                                                                                                                                                                                                                                                                                                                  You can see how such things can stack up.

                                                                                                                                                                                                                                                                                                                                                                                                  • ehsankia 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                    They technically also violated every single person they hacked, which includes the previous president of the united states, large company such as apple, and the upcoming presidential candidate.

                                                                                                                                                                                                                                                                                                                                                                                                    Now imagine not only the 17yo stole 100k from the bank, but also entered the houses of people such as Obama and Biden, and potentially stole documents from their desks.

                                                                                                                                                                                                                                                                                                                                                                                                  • burntbridge 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                    Using your analogy imagine the bank had kept the client's money in a cardboard box in a shed out the back. They did this because they didn't want to pay for a safe. The thieves should prosecuted but so should the bank.

                                                                                                                                                                                                                                                                                                                                                                                                    • paulpauper 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                      technically he did not take the money but rather ppl gave it to him under a false pretense. It is close enough but one can imagine a jury being harder one someone who stole vs exploited his victim's greed and gullibility.

                                                                                                                                                                                                                                                                                                                                                                                                      • ehsankia 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                        In the US, scams are still "conspiracy to commit money laundering", which is what the kid was charged with. Also wire fraud.

                                                                                                                                                                                                                                                                                                                                                                                                      • tazedsoul 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                        If a 17 year-old gains access temporarily to a bank vault, while they’re in there it’s not possible they could also cause a nuclear war. The crimes are similar at face value but meaningfully different.

                                                                                                                                                                                                                                                                                                                                                                                                      • dshep 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                        Trying to paint this 17-year old kid as a criminal mastermind strikes me as rather gross. I can see it as a kid doing it to see if he could, and using an obviously meme-worthy fake post that got out of hand. I think everyone has done some dumb things at this age without thinking about the consequences. If that is the case here, I hope this doesn't ruin the guys life.

                                                                                                                                                                                                                                                                                                                                                                                                        • This kind of feels like "privilege" of the sort where you can kind of identify with this kid (he's a hacker, into computers) so you're excusing his actions.

                                                                                                                                                                                                                                                                                                                                                                                                          Yes, everyone has done some dumb things at this age, but the consequences of this were pretty severe, and he certainly knew what he was doing. Just calling this a "meme-worthy fake post" is minimizing what he did.

                                                                                                                                                                                                                                                                                                                                                                                                          • totony 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                            >but the consequences of this were pretty severe

                                                                                                                                                                                                                                                                                                                                                                                                            Can you elaborate on this? The consequences were mild at best, with people easily duped being duped and twitter having a (understandably) worse reputation.

                                                                                                                                                                                                                                                                                                                                                                                                            • ImaCake 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                              Think of what this teenager could have done if he had hacked Trump's twitter, or any other current head of state. The best case scenario then is a diplomatic incident, the worst is war or genocide.

                                                                                                                                                                                                                                                                                                                                                                                                              • Biganon 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                But then again he hasn't, so what's your point?

                                                                                                                                                                                                                                                                                                                                                                                                                • ImaCake 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                  But the potential was there. I was providing an all to likely possibility of someone hacking twitter in the way that happened here. Not sure why I have been downvoted for stating something sensible to the question that was asked.

                                                                                                                                                                                                                                                                                                                                                                                                                  • totony 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                    It's the context of the answer; you stated possibilities, but, when considering consequences of actions, possibilities don't matter.

                                                                                                                                                                                                                                                                                                                                                                                                          • justchilly 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                            Would that apply to criminals of all ages, based on their intelligence / mental maturity? Plenty of incarcerated 18+ adults with less brainpower than this guy were deemed responsible for their actions.

                                                                                                                                                                                                                                                                                                                                                                                                            • webkike 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                              I think there are some arguments here to be made about the development of the prefrontal cortex. You may not be as “intelligent” as someone who is 17, but if you’re over the age of 25 your decision making capabilities are likely much much better.

                                                                                                                                                                                                                                                                                                                                                                                                              There’s a lot of evidence to support this. I will present my own anecdotal evidence because hacker news loves that stuff. I acutely felt my decision making improve a few months before I turned twenty five. It hit me like a wave, and reflecting on my past decisions felt like looking at the actions of a completely different person. If I were in different, more difficult positions when I was younger, it is unlikely that my decisions would be as rationally thought out as they would be now.

                                                                                                                                                                                                                                                                                                                                                                                                              • chrononaut 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                > I acutely felt my decision making improve a few months before I turned twenty five. It hit me like a wave, and reflecting on my past decisions felt like looking at the actions of a completely different person.

                                                                                                                                                                                                                                                                                                                                                                                                                I don't know if this actually exists, but I experienced something similar: Starting at around 17 I decided to ask myself at every birthday whether I thought I was more mature as a person than the year before, which I think relates to proper and holistic decision making. I kept saying "yes" to this question until I was 24.

                                                                                                                                                                                                                                                                                                                                                                                                              • Judgmentality 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                It's not like our (the United States) justice system is something to be upheld as an exemplary model, honestly it could probably be viewed as one of the worst in the world in many respects.

                                                                                                                                                                                                                                                                                                                                                                                                                • hnuser123456 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                  So what do you think is an appropriate sentence for him?

                                                                                                                                                                                                                                                                                                                                                                                                                  • cutemonster 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                    Paying back x2 to the ones that got scammed.

                                                                                                                                                                                                                                                                                                                                                                                                                    And forcing Twitter to pay part of it, for their lousy "security".

                                                                                                                                                                                                                                                                                                                                                                                                                    Plus three months working in a shelter for homeless people

                                                                                                                                                                                                                                                                                                                                                                                                                • paulcole 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                  This isn't grabbing a 10 year old kid pocketing a candy bar at the grocery store.

                                                                                                                                                                                                                                                                                                                                                                                                                  17 year olds understand the consequences of stealing $100,000 (and honestly they were probably very disappointed with how little they got).

                                                                                                                                                                                                                                                                                                                                                                                                                  Agree that his life shouldn't be "ruined" because of this, but he's committed a serious crime that was obviously a serious crime.

                                                                                                                                                                                                                                                                                                                                                                                                                  • ggggtez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                    > dumb things

                                                                                                                                                                                                                                                                                                                                                                                                                    I never stole $100,000 when I was a kid. Sometimes 17-year olds murder other people too. Society can't ignore it just because he's a minor. If he had posted memes, that would be one thing. But instead he decided to use this hack to commit grand theft.

                                                                                                                                                                                                                                                                                                                                                                                                                    Any leniency due to his age will come from the Judge.

                                                                                                                                                                                                                                                                                                                                                                                                                    • esoterica 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                      Would you advocate leniency this forcefully for a 17 year old teenager of color who was charged with committing hundreds of thousands of dollars worth of property theft (e.g. stealing expensive cars)? Or do you want this kid to receive special treatment just because you identify with his demographic? Presumably you were also once a tech-savvy teenage hacker at some point.

                                                                                                                                                                                                                                                                                                                                                                                                                      People with your mindset are responsible for a lot of the inequity in the criminal justice system. Upper middle class suburban white kids (e.g. Brock Turner) get away with slaps on the wrist all the time for the same crimes that poor and minority teenagers get sent to prison for years over, because judges (who were almost all previously upper middle class white suburban kids themselves) feel sorry for them and chalk their crimes down to kids being kids.

                                                                                                                                                                                                                                                                                                                                                                                                                    • donarb 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                      The story has been updated, three people have now been charged, the teen, a man from Orlando and a man from the UK.


                                                                                                                                                                                                                                                                                                                                                                                                                      • pier25 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                        > Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log

                                                                                                                                                                                                                                                                                                                                                                                                                        So these guys were able to get into Twitter but they chatted freely on Discord without considering everything would be recorded?

                                                                                                                                                                                                                                                                                                                                                                                                                        And then they make one of the most public hacks in recent history without considering someone would go through all the logs with all the noise they made?

                                                                                                                                                                                                                                                                                                                                                                                                                        • lomoeffect 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                          > Sheppard had used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin.

                                                                                                                                                                                                                                                                                                                                                                                                                          Didn't even layer the Bitcoin through an anonymiser like Monero and extra Bitcoin wallets. Just sent and received BTC directly to an account linked with photo ID on multiple exchanges. Incredible really!

                                                                                                                                                                                                                                                                                                                                                                                                                          • manjalyc 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                            If anything I'm amazed at this level of technical incompetence (or is ignorance a better word) from a group of people that hacked twitter...

                                                                                                                                                                                                                                                                                                                                                                                                                            • pier25 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                              It's like robbing a bank and then making sure everyone knows you put the money in your personal bank account. If you spend 5 minutes reading about anonymizing Bitcoins you'll find plenty of ways to do it (tumblers, etc).

                                                                                                                                                                                                                                                                                                                                                                                                                              How can you do a hack that will certainly get you in jail for several years and not even research the most basic techniques to protect yourself? It just doesn't make sense.

                                                                                                                                                                                                                                                                                                                                                                                                                            • ggggtez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                              There is a reason you don't see this type of attack more often, and it's not because it's difficult to do.

                                                                                                                                                                                                                                                                                                                                                                                                                              It's because social engineering attacks are noisy as heck. Within 30 minutes of them posting these tweets, you can bet the FBI was already on the line with Twitter's security team.

                                                                                                                                                                                                                                                                                                                                                                                                                              The fact that they chose to do this attack at all demonstrates how amateur they were.

                                                                                                                                                                                                                                                                                                                                                                                                                              • TwoBit 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                Criminals are greet examples of the Dunning-Kruger effect.

                                                                                                                                                                                                                                                                                                                                                                                                                            • bawolff 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                              I'm not really surprised.

                                                                                                                                                                                                                                                                                                                                                                                                                              * the attacker (allegedly) bragged to the press * the attack only involved phising and social engineering. (Its a bit unclear, but that's what it looks like)

                                                                                                                                                                                                                                                                                                                                                                                                                              Bragging to the press is a definite sign of someone doing it for the lulz. Criminals know better than to brag about their crimes publicly, that is how you get caught. Bragging definitely fits into the sterotypical motivation for most teenage hackers.

                                                                                                                                                                                                                                                                                                                                                                                                                              Social engineering is a skill, but its also a skill that a smart teenager is likely to have. Its not a super high sophistication attack. Its not a spy movie attack where people are breaking into offices, coercing employees, finding 0-days in the webserver etc. Its an attack that a dedicated teen could teach themselves and pull off themselves, no special resources needed.

                                                                                                                                                                                                                                                                                                                                                                                                                              • tantalor 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                > Its not... coercing employees

                                                                                                                                                                                                                                                                                                                                                                                                                                How do you know? Coercion is a type of social engineering.

                                                                                                                                                                                                                                                                                                                                                                                                                                • bawolff 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  All i know is that nobody has yet to claim that. I suspect he would be charged with something related to that if he did, but you're right we dont know the details of what he did precisely.

                                                                                                                                                                                                                                                                                                                                                                                                                              • par 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                > Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity

                                                                                                                                                                                                                                                                                                                                                                                                                                Anyone know what the loose end was that got these guys busted?

                                                                                                                                                                                                                                                                                                                                                                                                                                • ACS_Solver 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  I just read one of the complaints, against the 22 year old "Rolex". It's not so much loose ends as loose everything.

                                                                                                                                                                                                                                                                                                                                                                                                                                  He didn't use a VPN or anything to mask his home IP, he discussed the hack on Discord, an unencrypted third-party platform, and reused a gmail address for the hack that he also used for a Coinbase account. Said Coinbase account being verified with his driver's license...

                                                                                                                                                                                                                                                                                                                                                                                                                                  I shouldn't be too surprised, but I still am. I would have expected, at the very least, all discussion being handled on Signal or similar, all access to involved accounts to be exclusively via a regular VPN or Tor, and only using a brand-new fastmail email for anything to do with the hack. Those are the very basic precautions.

                                                                                                                                                                                                                                                                                                                                                                                                                                  Curious aside: there's a bug in the complaint document. The affidavit is by a Special Agent with the US Secret Service, but the title page lists him as "Special Agent, FBI".

                                                                                                                                                                                                                                                                                                                                                                                                                                  • I don't know, tbh I'm still surprised.

                                                                                                                                                                                                                                                                                                                                                                                                                                    The Discord connection was known early on. I was really surprised anyone would do something like this and communicate over Discord about it.

                                                                                                                                                                                                                                                                                                                                                                                                                                    The fact that no VPN/Tor were involved, the fact that Gmail was involved... that's really crazy. It's hard to tell when being dumb ends and being self destructive begins?

                                                                                                                                                                                                                                                                                                                                                                                                                                    Is it possible to be this ignorant about the Internet while perpetrating something so big?

                                                                                                                                                                                                                                                                                                                                                                                                                                    • rootsudo 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                      Yes, many people consider facebook and Twitter "The Internet." and while they are just two giant tech companies publishing web apps.

                                                                                                                                                                                                                                                                                                                                                                                                                                      Networking Layer is invisible to 99% of users nowadays. "it just works."

                                                                                                                                                                                                                                                                                                                                                                                                                                      • Sebb767 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                        > Networking Layer is invisible to 99% of users nowadays. "it just works."

                                                                                                                                                                                                                                                                                                                                                                                                                                        Yes, but the problem is that it didn't take someone who knows better to hack what is (used as) an official government communication platform. Or one of the largest social networks, or a company with thousands of engineers - take your pick; it's hard to put this in a good light.

                                                                                                                                                                                                                                                                                                                                                                                                                                  • libraryatnight 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    If there was any merit to the articles where people in the media were put in contact with people involved (and it seems so, now) then they left tracks all over the place. A) reaching out to the media at all. B) sharing screens of the OGUsername boards they hung out on C) Bragging.

                                                                                                                                                                                                                                                                                                                                                                                                                                    • coldpie 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                      Yeah, as soon as that Vice article came out it was clear they were toast. You don't brag like that and get away with it.

                                                                                                                                                                                                                                                                                                                                                                                                                                    • koolba 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                      If they were dumb enough to waste such a high value target on a small scale bitcoin scam then I wouldn’t be surprised if they were dumb enough to perform the malicious actions from their home IP address.

                                                                                                                                                                                                                                                                                                                                                                                                                                      • focus2020 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                        What else could have been done other than crypto scam to get away without being caught ?

                                                                                                                                                                                                                                                                                                                                                                                                                                        • SV_BubbleTime 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          Didn’t the hack need internal access? VPN maybe?

                                                                                                                                                                                                                                                                                                                                                                                                                                          • function_seven 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                            Sure, but if they connected to the VPN from their own IP, then that's not going to hide anything.

                                                                                                                                                                                                                                                                                                                                                                                                                                            • thinkloop 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              Is connecting to a VPN through another secure VPN doable/benefit?

                                                                                                                                                                                                                                                                                                                                                                                                                                              • Nacraile 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                Doable, although annoying to configure correctly. Beneficial if you want to obscure your identity from the second VPN server (i.e. Twitter's, in this case, which ought to be logging connections)

                                                                                                                                                                                                                                                                                                                                                                                                                                          • ehsankia 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                            Really seems like a modern day MafiaBoy.

                                                                                                                                                                                                                                                                                                                                                                                                                                          • josu 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                            It seems that they mixed the stolen bitcoins with bitcoins that they withdrew from Coinbase. So law enforcement probably knew who they were from day 1. I feel that this is the time it took them to put together a case.


                                                                                                                                                                                                                                                                                                                                                                                                                                            • subculture 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              Reading the two complaints, it seems that they basically obtained Discord chat records and tied those usernames to an OGUsers db that was hacked & leaked in April.

                                                                                                                                                                                                                                                                                                                                                                                                                                              Seems like the OGUsers database was the key piece of info, but it was 'a rival criminal hacking forum' that actually got the db and the FBI 'obtained' a copy of it.

                                                                                                                                                                                                                                                                                                                                                                                                                                              • tptacek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                Didn't Krebs run a story about these people a week or so ago? It looks like it was 100% loose ends.

                                                                                                                                                                                                                                                                                                                                                                                                                                                • elmo2you 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  I don't remember if he was reporting on any of these 3 guys. But I do remember that a huge media outlet/conglomerate was quick to accuse Krebs of wrongfully accusing somebody (no idea how they got that, behind a paywall) and how he had previously wrongfully accused people.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Felt a lot like a hit piece to me, at the time. It would be interesting to know if Krebs turned out to be right. That could say a thing or two about that news paper.

                                                                                                                                                                                                                                                                                                                                                                                                                                              • sepulchers 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                > In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.

                                                                                                                                                                                                                                                                                                                                                                                                                                                - Brian Krebs [https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...]

                                                                                                                                                                                                                                                                                                                                                                                                                                              • athyuttamre 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                • > On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Seems very convenient. Parallel construction?

                                                                                                                                                                                                                                                                                                                                                                                                                                                  • ramimac 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                    What about this implies parallel construction to you? The OGUsers databases (well, actually a couple, they've been hacked multiple times) has been publicly available for a while. Also, the discord chats and Vice article include details on selling accounts with desirable names - even if not explicitly linked to OGUsers (I don't recall off the top of my head if it was called out), you could track hacked accounts, see they were sold or discussed on OGUsers, and then give a look at the DB. That seems an obvious route of investigation to me?

                                                                                                                                                                                                                                                                                                                                                                                                                                                • jeherr 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  I thought I read a blog post detailing a link to the OGUsername discord.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Shared404 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                    > > Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity


                                                                                                                                                                                                                                                                                                                                                                                                                                                    I'd love to know as well.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • waihtis 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                      Guess is there was some opsec failures, and this is typical scaremongering with intent to deter future to-be-hackers

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • qppo 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                      They should have just scammed old people with spoofed phone numbers, then the government would never have caught them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                      • throw_m239339 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                        Well their biggest mistake was to live in US and be US citizens. Most of the people operating high scale phone scams live abroad, India, Africa, South East Asia...

                                                                                                                                                                                                                                                                                                                                                                                                                                                        Don't do that though, don't scam people.

                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jermier 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                        Probably could have earned a lot more from his exploits if he went the formal route and directly confronted Twitter. But then who even knows if Twitter are a good 'first responder' when it comes to high-profile exploits of their system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                        There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.

                                                                                                                                                                                                                                                                                                                                                                                                                                                        The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                        [0] https://www.hackerone.com/

                                                                                                                                                                                                                                                                                                                                                                                                                                                        • bawolff 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                          He allegedly social engineered access. The vast majority of bug bounties i have seen consider this out of scope.

                                                                                                                                                                                                                                                                                                                                                                                                                                                          Also do x or i release the sploit could be considered extortion if you word it wrong, and then you are in all sorts of additional trouble

                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Kalium 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                            > It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                            A lot of the bug bounty programs don't pay as well as using exploits to steal money. Some estimates put this particular breach at having netted upwards of $120k.

                                                                                                                                                                                                                                                                                                                                                                                                                                                            I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.

                                                                                                                                                                                                                                                                                                                                                                                                                                                            If you don't think you'll get caught, why would you take the $40k instead of tripling that?

                                                                                                                                                                                                                                                                                                                                                                                                                                                            • tptacek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                              The opposite thing is true; people have wildly inflated expectations of how much money marginal bugs like XSS can earn, or even game-over bugs in marginally important applications. And if you're doing the financial comparison, as you note, you have to do it risk-weighted. Your intuitions about the risk of exploiting a vulnerability are likely heavily biased by the fact that most exploitation, or at least most of the exploitation you hear about, is non-monetary. Monetizing an exploit ratchets the risk up significantly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Kalium 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                I remember being 17. I was spectacularly bad at evaluating risks.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                You're right - a lot of people who want to file bug bounties overestimate how much marginal ones are worth. At the same time, this scenario suggests to me that bug bounties aren't currently doing a good job of incentivizing people away from attempting to monetize significant exploits and towards more responsible security practices. If we have to depend on the risk analyses of teenagers, we may be in trouble.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                Which is to say I suspect we have both problems.

                                                                                                                                                                                                                                                                                                                                                                                                                                                              • thaumasiotes 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                > Some estimates put this particular breach at having netted upwards of $120k.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                > I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                You're not paying attention.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Kalium 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Thank you! That's absolutely amazing reading.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Have any of those $250k bounties been paid out? The $40k figure was something I found from a bounty that's actually been paid, rather than a hypothetical one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                              • gruez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                does hackerone cover social engineering exploits? I doubt it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                • btx 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
                                                                                                                                                                                                                                                                                                                                                                                                                                                                     - Social engineering of Twitter staff or contractors

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Pretty standard for most if not all of the program rules I have come across.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jermier 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Not sure, but I hope they do, as it's an often forgotten avenue for exploitation. You can't deny the human factor in a lot of these instances. Humans are humans. Also see: https://en.wikipedia.org/wiki/Human_intelligence_(intelligen...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • MattGaiser 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      They should. You should get $200 if you can get an employee's password.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dane-pgp 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I'm wondering what the objection is against this. There might be a conflict of interest in allowing an employee to share a bounty with a friend by giving the friend their password, but the rules of the bounty (and the employment contract) should be able to prevent that scenario.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        In theory, any sensitive operation (such as changing the email address of a verified account) could be made to require approval from a second (randomly chosen) employee, and that second employee should see a log of recent actions taken by the first employee. An attacker may still manage to avoid raising suspicion for the first few targets, though.
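The two-person approval described in the comment above, sketched as an added example that is not part of the thread and not any real support tool; the class, staff names and account handles are hypothetical. It also shows the caveat raised there: the reviewer's log is empty for the first target, and the pattern only becomes visible on later requests.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Request:
    request_id: int
    requester: str
    action: str
    target: str
    created: datetime
    approver: str
    status: str = "pending"  # pending -> approved | denied -> executed


class DualControl:
    """Two-person rule for sensitive admin actions (hypothetical model)."""

    def __init__(self, staff, window=timedelta(hours=1)):
        self.staff = set(staff)
        self.window = window                  # how far back the reviewer's log reaches
        self._rng = secrets.SystemRandom()    # the requester cannot predict the reviewer
        self._requests = {}

    def submit(self, requester, action, target, now):
        if requester not in self.staff:
            raise PermissionError(f"{requester} is not staff")
        pool = sorted(self.staff - {requester})   # the requester is never the reviewer
        if not pool:
            raise RuntimeError("no independent approver available")
        req = Request(len(self._requests) + 1, requester, action, target,
                      now, self._rng.choice(pool))
        self._requests[req.request_id] = req
        return req

    def review_context(self, request_id, viewer):
        """What the assigned approver sees: the requester's recent sensitive actions."""
        req = self._requests[request_id]
        if viewer != req.approver:
            raise PermissionError("only the assigned approver may review")
        recent = [r for r in self._requests.values()
                  if r.requester == req.requester
                  and r.request_id != req.request_id
                  and timedelta(0) <= req.created - r.created <= self.window]
        return {"recent_actions": [(r.action, r.target, r.status) for r in recent],
                "distinct_targets": len({r.target for r in recent} | {req.target})}

    def decide(self, request_id, approver, approve):
        req = self._requests[request_id]
        if approver != req.approver:
            raise PermissionError("only the assigned approver may decide")
        if req.status != "pending":
            raise ValueError(f"request already {req.status}")
        req.status = "approved" if approve else "denied"
        return req.status

    def execute(self, request_id, actor, apply):
        req = self._requests[request_id]
        if actor != req.requester:
            raise PermissionError("only the requester may execute")
        if req.status != "approved":
            raise PermissionError(f"request is {req.status}, not approved")
        req.status = "executed"               # an approval is single use
        return apply(req.action, req.target)


def demo():
    t0 = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamps
    dc = DualControl(["alice", "bob", "carol", "dave"])     # constructed staff list
    changed = {}

    def apply(action, target):
        changed[target] = action
        return f"{action} applied to {target}"

    reqs, contexts = [], []
    for i, target in enumerate(["@acct_one", "@acct_two", "@acct_three"]):
        req = dc.submit("alice", "change_email", target, t0 + timedelta(minutes=2 * i))
        reqs.append(req)
        contexts.append(dc.review_context(req.request_id, req.approver))

    dc.decide(reqs[0].request_id, reqs[0].approver, True)   # nothing suspicious yet
    dc.execute(reqs[0].request_id, "alice", apply)
    try:                                                    # requester approving herself
        dc.decide(reqs[1].request_id, "alice", True)
        self_blocked = False
    except PermissionError:
        self_blocked = True
    dc.decide(reqs[2].request_id, reqs[2].approver, False)  # pattern is now visible
    try:
        dc.execute(reqs[2].request_id, "alice", apply)
        denied_blocked = False
    except PermissionError:
        denied_blocked = True
    return {"targets_seen": [c["distinct_targets"] for c in contexts],
            "first_log": contexts[0]["recent_actions"],
            "self_approval_blocked": self_blocked,
            "denied_blocked": denied_blocked,
            "changed": changed}


if __name__ == "__main__":
    print(demo())
```
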

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • thaumasiotes 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > You should get $200 if you can get an employee's password.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's never going to fly; all Twitter bounties are multiples of $140.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • tptacek 8 days ago


                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ggggtez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It's evident that it wasn't an exploit. It was just a stolen password of an employee.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dig1 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "Someone has to go to prison, Ben" - quoting Harvey Keitel from National Treasure movie (1:50) [1]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [1] https://www.youtube.com/watch?v=co4EsnwAM1Q

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • bluedevil2k 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > the scheme reaped more than $100,000 in Bitcoin in just one day

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's actually...pretty disappointing. I would have guessed into the 7 digits just based on how many Americans, and people in general, love a get-rich-quick-scheme.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • ideals 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            All of the popular crypto currency exchanges blocked the btc address. The same one was used on all accounts. They acted faster than Twitter in mitigating this issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • slezyr 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Bitcoin has pretty steep curve for most of those people.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • js2 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              When I was a teen I made long distance phone calls using calling card numbers that were not my own, obtained through a war dialer. I'm pretty sure I never would've gone as far as this kid did, but who knows. I hope this doesn't ruin his life.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • psanford 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Kevin Mitnick seems to be doing just fine now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • stevievee 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                The announcement video is quite intense and feels odd for some reason. Maybe it's the aspect ratio or cold intro - not sure. https://youtu.be/z80K3-q3Kqg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • korethr 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Interesting to see that he's being charged in Florida, instead of federally. I mean yes, normally, when one commits a crime in a particular area, they're charged in that area. But my understanding is that once stuff crosses state lines, it becomes a federal issue, and this is part of why its usually the FBI that comes knocking.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ja27 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Anything involving a computer connected to the internet (even firewalled or rarely connected) is considered to be a "protected computer" since it is involved in interstate commerce or communication and thus open to federal charges under 1030 (a).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • korethr 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Exactly. Thus why I am somewhat surprised to see that he's being charged in Florida. By the letter of the law, this is an issue for the feds to handle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Edit: Another post on HN[1] covers the federal charges. So, it sounds like this kid is being charged by both the state and the feds. I don't envy him.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1. https://news.ycombinator.com/item?id=24012968

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • hughw 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I would think federal charges will follow.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • amrrs 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    No where in the article it mentions how did they nail him or how did he do. With Twitter saying that this entire process was done by social engineering some employee and then gaining system access of others by monitoring the process - this seems to have been done by someone with Corporate process understanding and hard to believe it could be a 18 yold.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • tptacek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Teenagers broke into phone switches through social engineering for sport in the 1990s.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • brudgers 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Seems to me that a person sophisticated enough to social engineer Twitter employees is probably sophisticated enough to social engineer a Tampa teen into place for taking a fall. To me state level targets suggest state level actors and Twitter has been mucking about with state level political operations since at least the Arab Spring almost a decade ago.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Twitter has a lot of powerful people and organizations who have suffered discomfort at its hands. It is hard to swallow the thesis that a Tampa teen succeeded where intelligence agencies have failed despite years of efforts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dylan604 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Teenagers social engineer their parents and teachers on a daily basis. Their success rate is higher than either parents or teachers would like to admit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • ceejayoz 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Social engineering is well within the capabilities of many 18 year olds, and plenty of them will have experience with corporate-style processes at school.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • otterley 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Law enforcement rarely advertises investigative techniques and sources, even in open court. Some amount of evidence they do have was already presented to a grand jury, and will be brought to bear at trial if the defendant doesn't plead out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jacquesm 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If you are not 100% perfect in your opsec as a wannabe hacker you will get caught. It takes just one small slip-up.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • pier25 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Totally, but opening a bitcoin account with your license driver and moving stolen bitcoins there without any anonymization is another thing altogether.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jacquesm 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It may be a surprise to you but criminals are usually stupid. If they were smart you wouldn't realize they are there at all. Think about it: this idiot had access at a level that nation states secret services can only dream of and went for $100K in lousy bitcoins.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • pier25 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I know, which is why it doesn't make sense.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If you're so stupid how can you social engineer your way into Twitter?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jacquesm 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Because at Twitter a couple of people did not pay attention. Social engineering is the very low hanging fruit of hacking. People are so much more vulnerable than well designed systems, this has been proven over and over again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • YinglingLight 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Yep. This isn't Fake News. It's Misinformation for reasons we can only speculate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • devenblake 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It's doubtful that he actually did it. Probably just a teen groomed by a cracking group; the group gets away with the deed by leaving a paper trail pointing to the teen (that will get a reduced prison sentence) and the teen gets PR which will inevitably lead to a well-paying job.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • bdamm 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'm with you on this, he's probably a fall guy who's "caught" because he "confessed" or something like that. Two reasons for this; one, Twitter isn't exactly the kind of joint you stroll into and take over, it's not really an amateur operation and people are attacking it all the time. Second, coordinating all this work is not a simple one-person job. The timing of the attack suggests lots of coordination, practice, or both. Could one kid do it? Maybe, but highly improbable. And if it turns out this kid did do it, the CIA is going to find a way to own his ass basically forever.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dredmorbius 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • syspec 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > According to federal agents, Sheppard was found out partly because he used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin. Fazeli also used a driver’s license to verify with Coinbase, where accounts controlled by “Rolex” allegedly received payments in exchange for stolen Twitter usernames.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                That is such a simple mistake to make, wow.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • MattGaiser 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Given how many of these attacks have been social engineering ones, companies might benefit from having bug bounties for employees who get fooled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Yes, this will initially be very expensive as there will be thousands of payouts, but eventually the employees will learn.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Offer $200 if you can get an employee's password.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • nicyl 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I’m very uncomfortable about the fact a very young person (only 17 years old) has had his identity released like this... where was his fair trial first?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Regardless if he was behind the hack or not, this is not the way forward to a decent society.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • cellis 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I actually think this kid has a bright future. My prediction: 1 year jail time, 5-10years probation. Will get hired as a security consultant.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • fortran77 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I wouldn't hire him. It's not like he _programmed_ his way in. And he didn't just post tweets saying "Twitter's security is bad." He actively tried to scam people. So he wasn't trying to accomplish anything good.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • almost_usual 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Programming is a waste of time if you don’t need a program.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Biganon 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            True, but what tech company would benefit from the social engineering skills of a young man with dubious morality? If at least he had proven to be the new Mitnick, but he hasn't.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • pengaru 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It may make sense if you consider it more as a marketing hire. Such a person at least has potential for future interviews and talks one could leverage for increasing company visibility.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • ashleyn 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            He's being charged with 30 felonies but at the same time exposed how woefully inadequate Twitter is at securing the accounts of high-profile people, some of which with control of apocalyptic weapons. I predict he'll plea out to doing a few years of free work for the government.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • trollied 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You might like the Darknet Diaries podcast (if you don't already subscribe).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Often interviews reformed "hackers" who have turned their lives around.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Romanulus 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Unless he's ordered to stay away from computers for that time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dlhavema 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  And then he'll join up with Acid Burn to take down some skateboarding CEO...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • claydavisss 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Or government work, he's already passed the entrance exam for the CIA!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • hentrep 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Off topic, but the linked WFLA video highlights how factual reporting takes a backseat to an insidious "breaking news", headlines-first approach. Twice we hear Mr. Buinno misstate the Twitter attack as occurring "a few months ago" before being corrected by his colleague after the second instance. I realize this is a trivial criticism, but it makes one question their general preparation and fact-checking processes. Is it too much to expect alignment on the basic details of a story before broadcasting it to hundreds of thousands of people?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • amrrs 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    > Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of Bitcoins transaction?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    >Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity,” said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This reads like an Ad copy of a company that's against perceived anonymity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • tibbar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Bitcoin transactions take place between addresses, which are hashes of public keys. It's actually better to call bitcoin "pseudonymous", since the addresses are pseudonyms that may or may not be tied to an irl identity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      So if you, a hacker, tell someone to submit Bitcoin to an address, that address is only really "anonymous" until you use your private keys to reroute the money to other addresses. As soon as the graph of transactions touches some known node (perhaps at the edges of the Bitcoin network that interact with the monetary system), you can trace back to figure out who might have controlled the original address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      It's very silly to try to cash in on ill-gotten bitcoin...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • catacombs 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > It's very silly to try to cash in on ill-gotten bitcoin...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        What's the alternative? Sit on the coins or use them for purchases?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • rocqua 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Launder them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Possibilities are endless. Coolest thing I heard was use the bitcoin to rent bitcoin miners. Then spend the resultant cleanly mined coins.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dragonwriter 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of Bitcoins transaction?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Since Bitcoin is not anonymous but pseudonymous, it can be as simple as finding one or more transactions that link a wallet to a real identity (such as one tied to purchase of physical goods with an identified recipient and shipping information) and from there tieing every other transactions from.that wallet to the same identity. I would guess in practice it often involves more steps of connection.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > This reads like an Ad copy of a company that's against perceived anonymity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The DoJ isn't a company, but it is very much against perceived lack of accountability, which is one of the reasons people choose systems that offer perceived anonymity.
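Added example, not part of any comment in this thread: the tracing idea described in the two replies above (follow the transaction graph from a pseudonymous address until it touches a node that is already tied to an identity), written as a forward breadth-first search. The transactions, addresses and labels are constructed sample data, and modelling each transaction as a single address-to-address edge is a simplifying assumption; real Bitcoin transactions have multiple inputs and outputs.

```python
from collections import deque

# Constructed sample ledger: (txid, sending address, receiving address).
# All names are invented for illustration; none of this is real chain data.
TRANSACTIONS = [
    ("tx1", "victim_a", "scam_addr"),
    ("tx2", "victim_b", "scam_addr"),
    ("tx3", "scam_addr", "hop_1"),
    ("tx4", "hop_1", "hop_2"),
    ("tx5", "hop_1", "scam_addr"),            # funds looping back: a cycle
    ("tx6", "hop_2", "exchange_deposit_17"),
    ("tx7", "hop_2", "hop_3"),
    ("tx8", "unrelated", "merchant_checkout_9"),
]

# Addresses an investigator can already attribute, e.g. through records
# held by a service that verified its customer (constructed labels).
KNOWN_LABELS = {
    "exchange_deposit_17": "exchange account (identity on file)",
    "merchant_checkout_9": "merchant order (shipping address on file)",
}


def build_spend_graph(transactions):
    """Map each sending address to the (txid, receiving address) pairs it funded."""
    graph = {}
    for txid, src, dst in transactions:
        graph.setdefault(src, []).append((txid, dst))
    return graph


def _path_from_start(parent, addr):
    """Rebuild the chain of (from, txid, to) steps that led to addr."""
    steps = []
    while parent[addr] is not None:
        prev, txid = parent[addr]
        steps.append((prev, txid, addr))
        addr = prev
    return list(reversed(steps))


def trace_to_known(start, transactions, labels, max_hops=6):
    """Follow spends forward from start and report every attributed address reached.

    Returns a list of dicts with the address, its label and the shortest
    chain of transactions linking it to start. max_hops bounds the search,
    because every extra hop makes the attribution weaker.
    """
    graph = build_spend_graph(transactions)
    parent = {start: None}     # address -> (previous address, txid); doubles as visited set
    depth = {start: 0}
    queue = deque([start])
    hits = []
    while queue:
        addr = queue.popleft()
        if addr != start and addr in labels:
            hits.append({
                "address": addr,
                "label": labels[addr],
                "path": _path_from_start(parent, addr),
            })
            continue           # stop here: spends past a service are other customers' funds
        if depth[addr] >= max_hops:
            continue
        for txid, dst in graph.get(addr, []):
            if dst not in parent:          # cycle guard (tx5 points back to the start)
                parent[dst] = (addr, txid)
                depth[dst] = depth[addr] + 1
                queue.append(dst)
    return hits


if __name__ == "__main__":
    for hit in trace_to_known("scam_addr", TRANSACTIONS, KNOWN_LABELS):
        print(hit["address"], "->", hit["label"])
        for src, txid, dst in hit["path"]:
            print(f"  {src} --{txid}--> {dst}")
```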

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dumbfoundded 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Bitcoin is anonymous until you tie it to something that requires a real identity. For most people, it's probably tied to an exchange that has their real identity, credit card info, and maybe bank account info.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          What they should've done is generate a new wallet with no previous transactions and just used that to buy things.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • dhosek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            But wouldn't the purchase transactions be able to be connected to the perpetrators?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • dumbfoundded 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It depends on what you buy. The best thing to buy would be a currency like Monero where you're actually anonymous.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • rodiger 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Dump it through some mixers and it becomes a lot harder to tell who is who.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • This is what bugs me the most about the bitcoin pushers (like Max Keiser)... they completely ignore the fact that bitcoin is not anonymous, and why even though I was in on bitcoin in the earliest days, I abandoned it. My conclusion was that the government loves btc because it's so easily traceable. Another reason is that, like tor, it is vulnerable to %50 attacks. If the central banks wanted to take over btc they could, and I posit they may have already positioned themselves as such. (thats my almost a bitcoin millionaire story...)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The closest to an anonymous coin afaik is monero or zcash, but in general I think wasting electricity and cpu cycles on arbitrary math is a bad path to go down. If we could tie a coin to some productive math like protein folding or seti, etc, that still has the same attributes as cash (which btc does not) then we might have a true potential dollar replacement digital coin, but I digress.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • varenc 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > "Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • zionic 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Should have used Monero lol

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Shared404 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Got to love government knowledge of tech.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This is the set of people that legislators listen to. I think we may be screwed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • shadowgovt 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I'm not sure what your criticism of the quote means here. The biggest weakness of BTC for criminal enterprise is the fact that every transaction must be logged to a global public ledger. The hard part is aligning the public keys with private keys, but if you have enough additional information (such as, say, the private keys' owners sitting in a prison cell and the private keys themselves flayed out of their unencrypted hard drives), it's trivial to prove the money flowed from one user to another.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The quote seems accurate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Shared404 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I know the quote was accurate. I thought it was common knowledge that bitcoin is not anonymous, therefore making "de-anonymized the bitcoin transactions" a bit of an overstatement.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • shadowgovt 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Ah, now I follow. I assume they intended "de-anonymized" to mean "tied the public keys to identifiable human beings IRL."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Shared404 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          No hard feelings.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's certainly an understandable take, and I'm probably just overly pessimistic.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • tolbish 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It is and it isn't. Hacker News is anonymous until someone ties your username to your identity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • totetsu 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Florida Man masterminds twitter attack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • rdiddly 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Florida Man Seeks Publicity, Charges Teen Locally

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      - Uses Words Like "Mastermind" and "Massive Fraud"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • bluedevil2k 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Man = kid. He's only 17. I'm not a lawyer, but I thought it was illegal to put the names of minors in public for committing crimes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • 27182818284 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Well apropos the grand-parent comment using "Florida Man" We hear about "Florida Man" more often because, yeah, maybe there is a lot more partying in Florida, but also because Florida has some of the most open public record laws. I've read that unlike other places where you have to bother the police for reports, in Florida you can get yourself added to a daily email blast of reports.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • joveian 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Not in the US, unfortunately. Some news media have a policy not to publish that information.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • NoNotTheDuo 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              They've updated the article in the last 5 minutes. The original article I read said something like "we're not releasing his name because he's under 18 years old" and now his name is fully out there. Crazy.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • fernandotakai 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                the verge is reporting that he's being tried as an adult, so maybe that's the reasoning.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                >He’s being charged as an adult, and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been — not just the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • pageandrew 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  What's the point of having different sentencing for minors if you can just try them as an adult if they're "bad enough"?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • cowboysauce 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I always thought that was exactly the point, an acknowledgment that children and teenagers sometimes do stupid things, but there’s a big difference between doing some graffiti vs raping and murdering someone when you’re 15.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • pageandrew 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yeah I could agree with that for violent/depraved crimes, but for hacking? I don't see why they're charging him as an adult.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Hacking into Twitter accounts isn't a depraved, violent crime. I could see that as the immaturity or lack of foresight of a smart teenager. Yes, they're prominent people. Doesn't really change it IMO.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • knolax 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Can't even buy a cigarette but he's being charged as an adult. The court system needs reform.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • nathan_f77 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I hope they will provide some more details about how they got caught. If this person can hack Twitter and they know about Bitcoin, then I'd be very surprised if they didn't take some basic steps to hide their tracks. E.g. Tor, VPN, cafe wifi, etc. I heard that some social engineering was involved, so maybe they called someone and their phone number was traced.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I would be interested to know if they forgot about one small detail. I think the FBI / NSA probably has full visibility into the Tor network and can easily deanonymise any users. Or it could be like the Harvard bomb hoax in 2013 [1]. (They used Tor, but they were also the only person using Tor at the time.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              [1] https://www.theverge.com/2013/12/18/5224130/fbi-agents-track...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • sna1l 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                From the Verge[1] article it seems like there was someone else providing access to the accounts? So was it social engineering or not?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > Intriguingly, Sheppard and Fazeli may just be middlemen for the scam — “an unknown individual” with the handle “Kirk#5270” is believed to be the one who got access to Twitter’s internal systems. It’s not clear if the Tampa teen is Kirk#5270, though it sounds like that’s possible. The Sheppard complaint is dated July 22nd, and the Tampa teen wasn’t arrested until today. Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                [1]: https://www.theverge.com/2020/7/31/21349920/twitter-hack-arr...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • junar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It seems like "Kirk" is believed to be some other individual. From the complaint against Sheppard:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > On July 21, 2020, federal agents executed a search warrant authorized by U.S. Magistrate Judge Alex G. Tse at a residence in the Northern District of California. Among the occupants of the home was a juvenile (“Juvenile 1”). ““Juvenile 1” was believed to be a Discord user identified in chats as an individual who assisted “Kirk#5270” and “Chaewon” in selling access to Twitter accounts. Upon execution of the search warrant, “Juvenile 1” agreed to be interviewed. “Juvenile 1” admitted to law enforcement agents that he/she was the Discord user who was identified in chats as assisting “Kirk#5270” and that he/she participated in the sale of illegal Twitter access. “Juvenile 1” admitted that he/she worked with “Chaewon” to sell Twitter account access. According to “Juvenile 1,” his/her knowledge of “Chaewon” was that “Chaewon” lived in the United Kingdom and “Juvenile 1” knew “Chaewon” by the name “Mason.” According to “Juvenile 1,” he/she and “Chaewon” had discussed turning themselves in to law enforcement after the Twitter hack became publicly known.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • MiroF 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    What I heard was that one of the hackers managed to get access to Twitter's internal Slack, and that hacker was the one posing as having a Twitter employee friend. Don't know if that's true though.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • ehsankia 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Damn, did these kids really get MafiaBoy'd?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Yeah no surprise there. The second Discord logs of the scam being planned started circulating around Twitter I knew it'd be a matter of weeks before these guys were caught. Absolutely unreal that one of them was dumb enough to not only post chatlog screenshots on Twitter with their usernames uncensored, but to use something like Discord to plan this in the first place.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Since the crimes were financially-motivated all of them get upgraded to felonies. I have sympathy for people who get fucked by the US' dumb CJ system, but uh... touching a Presidential candidate's Twitter account was whose idea, exactly? What did they expect would happen? I have a hard time believing the "for the lulz" defense some people are making for these people when the whole thing was clearly financially motivated.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Kaveren 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        i was assured by the cybersecurity experts of hacker news that REALLY this was all a mastermind ploy to steal and sell twitter DMs. who would they sell them to? doesn't matter! what information of actual value is sent through twitter DMs? doesn't matter! we did it, hacker news.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • alexander1100 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I personally lost $6000 dollars, is there any way I could prove that I was a victim and get my crypto back?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • creato 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            You sent $6k in bitcoin to Elon Musk because you thought he'd give you $12k back?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Assuming this isn't a joke, consider that $6k a lesson to not be such a gullible mark.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SahAssar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If you want legal recourse and refunds why would you use a currency that explicitly does not allow for those?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Seriously, if you want the protections of the legal system, then use currency controlled by the legal system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • shuntress 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Bitcoin is actually explicitly designed to enable recourse and refunds. Every single transaction is permanently and immutable tied to a verifiable identity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Through common practice, these identities are treated as disposable and therefor generally ignored. But stating that the currency is explicitly designed to disallow accountability is not an accurate representation of reality.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Edit to add a practical example for clarification because this is being downvoted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If the FBI conducts an effective warranted search + seizure of a mob safehouse, seizes a large safe, opens it up, and finds either:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              A) Gold bricks


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              B) Bitcoin wallet private keys

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              In case (A), they can maybe correlate records, reports, statements, and other evidence to possibly determine the rightful owner of the gold or goods laundered for gold.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              In case (B), they can check the BTC ledger against fraud reports that contain bitcoin wallet public keys, then publish a public statement asking people to prove they own any matching public keys -- because bitcoin, by it's fundamental nature, is more accountable in a way that enables recourse and refunds.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • SahAssar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Transactions are not reversible by legal authority in bitcoin, only by the receiving party willingly doing the transaction in reverse.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                What you are talking about is establishing reputability, not about refund-ability or the ability of authorities to reverse illicit transactions. You can see that as a feature of bitcoin or not, but if you want protections from a system you need to act within that system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • alexander1100 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I am saying I know I made a mistake and if they truly caught those who are responsible, then I don't see why they won't be able to get access to the stolen funds. My eth is in that collection of stolen funds. I'd rather prove it's mine and have the government return it to me vs them auctioning it off.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • SahAssar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I understand what you are saying, and I'm sorry you are in this situation. But I can also see that because you acted outside of the reach of the legal system then there is less chance of it being able to help you.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Sorry if I'm being heartless here but I'd also argue that the funds were not stolen, they were given in a system that provides almost no legal recourse.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • wmf 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Cryptocurrency is not outside of the reach of the legal system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "the United States District Court for the Eastern District of Texas ... ordered Trendon Shavers to pay more than $40 million in disgorgement and prejudgment interest, and a civil penalty of $150,000 related to [Bitcoin scam] BCS&T." https://www.justice.gov/usao-sdny/pr/texas-man-sentenced-ope...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SahAssar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Right, when the person is identifiable and within that jurisdiction. I'm saying that if I pay X bitcoin to someone on the internet for a service I have less change of recourse within the law if I don't get that service (in this case a back payment of x*2). If it was a normal digital/creditcard/whatever transaction it'd be easier to reverse and deal with.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • shuntress 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This is like saying that gold coins are explicitly designed not to allow recourse and refunds and that transactions in gold are not reversible by any legal authority.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    In both BTC and solid gold, reversibility is not a property of the currency. It is a part of the system which uses that currency.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    However, with Bitcoin (unlike with gold) the currency is explicitly designed with verifiable identity being fundamental to every transaction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    With Bitcoin, an individual can prove that they participated in a transaction that was later determined to be fraudulent. This is a fact of the currency. It is explicitly built in to Bitcoin at a foundational level.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Whether existing systems use that specific aspect of the currency to do anything meaningful is a separate matter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    But the fact is that bitcoin itself has more accountability than other currencies. Not less.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • SahAssar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What I said was "not reversible by legal authority". That's true for both gold coins and bitcoin if the legal authority don't have them to give.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'm not saying bitcoin is less accountable and giving 6000$ in gold coins to a stranger promising to double them would only be slightly more responsible since then you'd at least know a physical jurisdiction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What I'm saying is that when bitcoin X leaves wallet Y to wallet Z the only way to get back X into Y is for the holder of Z to willingly give it, while "normal" digital transactions can be reversed by the transactor or by law. So if you want a transaction to be reversible by law you probably don't want it in bitcoin. Please let me know if I'm wrong.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • shuntress 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        You are not wrong but you are glossing over the fact that by "digital transactions" you seem to actually mean "transactions brokered by a third party".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        USD also works the way you describe. I may write someone a check based on a fraudulent premise then later demand my money back. If they have already cashed that check and run then the money is gone from their account and there is no way to reverse the transaction. The bank may charge them, cancel their account, pay me back anyway, etc. These are all actions taken by the third party broker.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        With USD the accountability of my_account -> check -> fraudsters_account -> cash is all part of the third party's (the bank's) system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        With BTC, this chain of accountability (my_wallet -> transaction -> fraudsters_wallet) is part of the currency itself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If the fraudster is later caught and their fraudulent gains seized, with BTC I can prove which of those fraudulent gains came from my wallet and be reimbursed with potentially little technical fuss.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        My point is that your point may be true of the systems built to handle transactions made with bitcoin but is not true of bitcoin itself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • SahAssar 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Agreed, but the financial system we have is set up to handle one of those scenarios and not the other. Bitcoin could be as good or better at this use-case, but for now that is not the case.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • twat 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This is such a weird hill to die on

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • shuntress 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I was excited by Bitcoin when the whitepaper came out and I just think it's neat.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The huge explosion in Bitcoin popularity with daytrader "lambo" jerks led to a ton of people (even technically inclined people) talking about Bitcoin without understanding it too well. So now it sort of sets me off.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Plus, it's way easier (and more fun) to fight about something frivolous like Bitcoin than it is to fight about things that are actually important.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • advisedwang 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You can probably find the blockchain transaction of you paying them. So long as you can prove you own the sender, that's you proof right there.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • null0pointer 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I think it's unlikely you will get any recourse here. However what you can do is the following.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1) Find one of the input addresses for the transaction(s) you sent to the scammers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2) Use that address to sign a message like "alexander1100 owns this address" (but use your legal name) to prove ownership of the address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3) Attempt to follow up with the FBI about recovering your lost funds. This is the step that you will have the most trouble with.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Good luck.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • daseiner1 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I don’t mean to be rude, but I have to ask - what were you thinking?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rocqua 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        In EVE online, many doubling scams would actually pay out the first few times. This to encourage others to commit bigger sums. Hence, if you 'get in early' it might be worth it to try and get your money doubled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dtech 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Unassuming it's not a troll, $ signs in the eyes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • cordite 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Good luck.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This is how bitcoin works. You send value to somewhere else of your will. There is no outside party here.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • shadowgovt 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Practically speaking, at this point the government is probably in possession of the private keys and could authorize reverse transactions to restore the stolen crypto.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The larger question is a question of policy and law... Does the government even consider entries in a blockchain ledger to be "returnable stolen property?"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • wmf 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Yes, crypto scammers have been forced to give money back before.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • > is there any way I could prove that I was a victim

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Sure, you just need to find the transaction hash, and prove that you own the sending address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            > and get my crypto back?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Now that the government has control of the wallets, my guess would be probably, eventually.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Jasper_ 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I thought Bitcoin's biggest feature was No Chargebacks

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • rocqua 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                No central party can issue chargebacks. But if the FBI got the funds, they can just send the funds back.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mrtksn 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Can you please tell us how did you fall to this scam? I find it fascinating when something seems obvious to me but not to someone else and vice versa.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • superhuzza 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Wow, if true your "contribution" was around 5% of the total amount scammed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • spoopyskelly 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I can help you, but you need to send me $6k for verification and I'll send it back + the other 6k you lost.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • paulpauper 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      assuming not a troll, there is a possibility the money will be seized and returned to victims . i assume if the stolen coin are on coinbase, they have been frozen,

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • neatze 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        this must be a joke.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • spir 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If the "mastermind" is a 17 year old, Jack should intervene to save his life from being ruined.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • forgotmypw17 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \/\The Conscience of a Hacker/\/
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         +++The Mentor+++
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Written on January 8, 1986

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Another one got caught today, it's all over the papers.  "Teenager
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • StandardFuture 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The only reason he got caught was because he used his access to attempt a BTC scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The likelihood that more sophisticated individuals and organizations have access to Twitter (and probably various other tech companies), and understand the importance of not letting your access be discovered, is probably far far higher than we realize.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Should we just assume all data held by Twitter and various other tech companies is compromised (by multiple different actors)?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Twitter seems to be wording things to make the attack seem out-of-this-world sophisticated, but I just have serious doubts about that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • luord 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Whenever I read news like these, I just think that this is such a waste of talent (assuming Twitter's security isn't analogous to Swiss cheese). This kid could have gone into ethical hacking and general security.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Now not only he's getting thrown in prison (over something he probably wasn't even convinced he could do, if the subpart attempt at capitalizing on it is any indication) for years, he's lost any potential career on the field.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • perl4ever 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • kgermino 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > Although the case against the teen was also investigated by the FBI and the U.S. Department of Justice, the Hillsborough State Attorney’s Office is prosecuting Clark because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. The FBI and the Department of Justice will continue to partner with the office throughout the prosecution.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Wow. It isn’t news, but what a terrible reflection of the US approach to criminal justice.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • TwoBit 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    What do you believe is terrible?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • foobaw 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Wonder when we'll get details on how he was actually able to do this - like how he got access to the internal tools, how did he succeed in social engineering, etc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • _jjkk 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      They did provide a little detail so far [1].

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account... The hackers were able to access some internal tools from the initial targeted employees and then learned specifically who had access to account support controls and targeted them next.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      One likely scenario is they got access to the lower level employee's Slack account or similar and used it to impersonate and successfully find/phish the employee with the access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      [1]: https://www.washingtonpost.com/technology/2020/07/30/twitter...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • m90 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Meta: this link is not accessible from within the EU.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jacquesm 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      That didn't require a mastermind. Twitter crew were lucky this ended the way that it did. It could have been much worse.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • asutekku 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The third person has been identified in an Ars Technica article [1].

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1. https://arstechnica.com/tech-policy/2020/07/florida-teen-arr...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jmount 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I don't have examples, but it seems to me you really hear a lot of teens pulling off successful social engineering attacks, even back to the days of phone-hacking. I guess that is evidence that some teens develop a fairly comprehensive understanding of social interaction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • StandardFuture 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          A kid who spends this much time at a computer thinking about how to break into Twitter has a good grasp of social interactions?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Or, maybe Twitter just had some obvious loopholes that even a not super social-aware hacker could find and use?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I think it is better to assume that in these situations it is more incompetence from the platform than "super-genius" from the hacker that allows for things like this to happen (regardless of what Twitter needs to say for PR or the media needs to imply for clicks).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • nicyl 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I’m very uncomfortable about the fact a very young person (only 17 years old) has had his identity released like this... where was this boys fair trial first? Regardless if he was behind the hack or not, this is not the way forward to a decent society.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • tazedsoul 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I’d imagine the FBI has more than just the link to these individuals via their drivers licenses being used for verification. Surely, these drivers licenses may have been used fraudulently by a hacker who wishes not to be found out so embarrassingly?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • robotcookies 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Wasn't there inside help? I read several articles saying that there was. Any of those insiders charged?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Twitter is in a bind. If there was no inside help, that says their security is pretty lax. If there was inside help, why have they not identified or named them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • shadowgovt 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Unless there's additional info I didn't see, the "inside help" theory came from the fact that they had images of the internal dashboards. That doesn't necessarily indicate voluntary inside help (they may have found a hole in Twitter's internet / intranet firewall, or they may have spear-phished a service team member's credentials).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • ChicagoDave 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                We really need to focus on rehabilitation instead of incarceration across the board.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • antihero 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Right, how are we going to try and prevent the British dude extradited?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • nicyl 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Not even a fair trial before his name is released like he is guilty. Just a young 17yo boy as well.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Moshville 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "Diplomatic immunity"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • GlTChWhISKY 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      My thoughts go to the fact they were able to hunt someone down based on their bitcoin address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Either they got help, this kid was already being watched or it just speaks to the DOJs data collection to all citizens.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • stimpson_j_cat 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        They don't say they were able to hunt someone down based on their bitcoin address

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ahmedalsudani 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The kid probably did not practice good OpSec. A single slip is all you need when you attack is so high-profile.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dariusj18 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > The two other suspects were identified as 22-year-old Nima Fazeli, a.k.a. “Rolex,” of Orlando and 19-year-old Mason Sheppard, a.k.a. “Chaewon,” of the United Kingdom.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • hourislate 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            What's the big deal, he stole some bit coin and embarrassed Jack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Wall Street Insiders steal billions everyday from Joe6pack with the Governments help and they get to laugh about over a drink after work.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Now we can spend millions in tax payer money incarcerating him....

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            He should get a reward for exposing how shitty Twatter is. Besides the NSA is reading every txt you send and listening to every call you make. They know where you are 24/7 and what you bought for lunch. No one is punishing them.....

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It's all theater for the masses I suppose....we caught the bad guys.....LOL...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • amiga_500 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2 more convictions than the great financial crash!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • gkoberger 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Summary for Europeans who are blocked from this site:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the “mastermind” behind a hack on the social media website Twitter that caused limited access to the site and high-profile accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The state attorney's office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              (The rest of the article just rehashes the attack.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • sergiotapia 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If only he would have done it for the lulz he would be badass. By asking for bitcoin he became a tool scammer.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • aquarin 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "This site is currently unavailable to visitors from the European Economic Area ..."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • svartkanin 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    So what will happen to the guy in the United Kingdom? Will he be extradited to the US?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • ipunchghosts 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I find this hard to believe.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • almost_usual 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It doesn’t fit the narrative a lot of people expect or want to believe but it’s probably true.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • m3kw9 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Hope he’s not charged as an adult. I’m not getting the reasoning behind it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • supergirl 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          many years in prison for what this kid probably thought is a prank. while twitter will likely get no punishment for having so little security that even a child can hack them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • unionpivo 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I wonder if Kerbs will apologize for doxing the wrong guy

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • dkersten 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > Our European visitors are important to us.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > This site is currently unavailable to visitors from the European Economic Area

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              So we're not important to them then? Gotcha!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Block us, fine, whatever, but don't give us this BS about being important to you then.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • fataliss 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "Florida (young) man" - the saga continues!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • nicyl 7 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The moderation of my comment has completely stumped me. Is HN some sort of cliquey community or something?!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • ggggtez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    >White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I had suspected that they had added special protections on his account after the (2017?) incident where an employee temporarily deactivated his account (and got fired for it). I guess this confirms it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • catsarebetter 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What a waste of talent

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rglover 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If this is true let this kid go and fire the people at Twitter who he duped.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mmmmmk 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Where's Kirk?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • alexander1100 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Is there any way I could prove that I was a victim of this crime?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • shadowgovt 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I'd start your legwork here with a phone call to your nearest FBI field office. Make sure you have the paper trail showing from your end you sent crypto to the perpetrators, and ask what the next step would be for claiming your defrauded property. It may also be worth consulting with a lawyer to see what your legal recourse might be here.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Fair warning: there may be no next step. I have no idea if the US government even considers cryptocurrency "property" in any legally-meaningful sense.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • paulpauper 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                if you have the private key, sign the wallet. if you used an exchange, there are probably records

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • slackwill 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Zero Cool man.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • rapnie 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Blocked with "Our European visitors are important to us"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Edit: http://archive.is/caOFK

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • macinjosh 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    play stupid games (GDPR), win stupid prizes (geoblocks). welcome to earth.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • AlexandrB 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      play stupid games (non-consensual tracking), win stupid prizes (GDPR). welcome to earth.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • closeparen 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Why would a local TV station in a random US city bend over backwards for Europeans?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • strictnein 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I've been wondering about that for a while.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Two possibilities (although there are obviously other possibilities):

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1. I think a lot of news media was given bad legal advice about GDPR

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2. They're all members of the AP and the AP required this of their members since they also work in the EU

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • p4bl0 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      This is all I can see on this page :

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      It should not be this complicated to respect laws that just enforce minimal good practices.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      A replacement link should be found for this story. Wfla dot com is clearly shit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • thelean12 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        wlfa is a super local US news station. Why would they put any effort at all to be compliant in Europe?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Hell, they could be currently compliant and it still wouldn't be worth the effort to figure that out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ColanR 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > It should not be this complicated to respect laws that just enforce minimal good practices.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It's not necessarily the compliance that's the issue, it can also be figuring out how to comply. IANAL, and I can't guarantee to myself that I can implement a site with policies that comply correctly. Better to just geoblock, because it's not necessarily worth the lawyer fees.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • soared 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Or... like 2% of their readers are from Europe and the publisher is likely struggling for revenue so they’ve opted to focus on other things?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • detaro 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Multiple people already have posted alternative links in the comments. Use those, and note that this kind of complaint is off-topic according to the site rules.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • cheez 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I do the same thing on my business site.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • sunilkumarc 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                On a different note, online presence is becoming very important and with remote work culture gaining traction, having a good online presence has become a must have asset. I bought a course on building Twitter audience and been able to improve my following significantly from past 2 months.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Twitter link: https://twitter.com/sunilc_

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If you're looking to increase your social presence too, here's the course that I found very useful:


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Rebelgecko 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It will be interesting to learn more as the case proceeds. Was he not using tor?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'm actually not super surprised that they've arrested a teenager. Considering the thoroughness of the hack, just using it to scam a few bitcoins seemed a bit blasé. Imagine the shitshow he could've started by tweeting as Trump

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • kickopotomus 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Based on the fact that the article mentioned the IRS being involved and the fact that the IRS has been more attentive to cryptocurrencies, my assumption is that they found some way to tie him to the wallets he was using. I would be surprised if the IRS did not have some pretty sophisticated ledger processing tools at this point.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • grezql 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Trump is a "protected" account in twitters internal system. Even Twitter employees cant access such protected accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jacquesm 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Not all of them can, but some of them can. For instance the people that could reset that 'protected' status. It certainly won't be the tooth fairy doing that, a Twitter employee is much more likely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • danso 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It's weird that Musk's didn't have elevated privileges. Trump's account getting hacked has obviously greater potential harm, but Musk's (non-hacked) tweets had demonstrably major financial and legal impact. And if you read the replies to his tweets, you can see they are constantly getting spammed by bitcoin-hawking accounts (even hacked verified accounts) impersonating Musk's display name and avatar.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If Musk didn't get elevated privileges, then who else besides Trump would have them? Or are the protections for Trump just the same emergency bespoke fix that they implemented when his account was previously deleted?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • eunos 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            But Biden's account wasn't? Quite peculiar considering the upcoming election.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • detaro 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Trumps account got attacked by an employee in the past, presumably it got a special case added then, but they didn't get to an overall policy on heads of state and candidates.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • eunos 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Maybe after "verified" account, there will be a "guarded/critical" account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • HumblyTossed 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > The day after the hack, White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Really? Like what? And why? Are they afraid someone will start posting stuff that is actually TRUE?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • slackwill 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Zero_Cool man

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • VonBlue 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Hold on... how could they have de-anonymized the blockchain transactions? That seems.. false

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tomc1985 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Why not? People link their wallets to other wallets and financial services with reporting requirements all the time. Bitcoin isn't anonymous

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Rebelgecko 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  All transactions are public on the Bitcoin blockchain. I haven't followed the wallets, but it's possible that they tried to cash out on an exchange and got caught. Or they were initially found via other means and a search of their computers found the corresponding wallet.dat files.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • banana_giraffe 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Yeah, they used Coinbase, and Coinbase is of course willing to respond to warrants.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • techntoke 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Which would likely be encrypted

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Aaronstotle 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Bitcoin is a public blockchain, there are various blockchain analytic firms such as Elliptic/Chainalysis that offer bitcoin tracing services.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Bitcoin is not private nor anonymous, the rise of blockchain surveillance is why privacy coins like Monero are gaining in popularity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      That being said, I'm sure it wasn't solely BTC transactions, these guys seemed to have very poor op-sec for performing such a big hack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • cyral 8 days ago


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It’s detailed here, very interesting read

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ChrisLomont 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It’s routinely done by researchers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Here’s a lot of papers on it.


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ideals 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          (If this is actually the person behind the attacks) Yes he may serve jail time for this, but he did get to read DMs of some of these people, and has had enough time to copy those contents to be read later. That's still valuable knowledge, he should leverage this to get people interested in those details to fund his legal defense in return for providing the contents of the DMs. Or is that illegal?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • akerl_ 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This is just as viable as selling stolen diamonds to fund your defense for robbing a jewelry store.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It turns out that the legal system is already set up to make “selling illegally obtained material” also illegal, and to take notice of people doing so in order to fund their ongoing operations.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • tptacek 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Yes, that would be pretty illegal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • idlewords 8 days ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                But then he can do it again to pay for the second legal defense