The age of the attacker is irrelevant to Twitter's role in this story. However your underlying point still stands. If we want these types of attacks to stop, we can't just let all these companies off with a public embarrassment being the primary punishment. At a certain point we have to start calling it negligence when companies fall for these attacks and fail to have proper precautions in place to prevent them.
From memory, I recall the FBI did a study, and found that half of their employees would plug in a USB drive that they found on the ground in the parking lot. After training, that number was reduced to a quarter. If a security-focused government police agency is so vulnerable, it is unreasonable to expect perfection from a (less paranoid) company.
Then you need processes in place to make sure a single person being careless can't do this much damage. There are low tech solutions that would greatly improve security, however the overhead this introduces is hard to justify in a world in which these breaches aren't that damaging to a company. We need to change incentives for companies by either mandating these security practices or implementing harmful repercussions for choosing a less secure approach.
I agree that better security practices are advisable, but you're victim-blaming.
Twitter wasn't 'asking for it', and neither were the individuals who lost bitcoins; the 'hackers' intentionally perpetrated deceptions, misrepresentations, and fraud against both Twitter and the general public. If you compare what these three did to a white-collar crime, the dollar amount was small, but the behavior was egregious.
The push against "victim blaming" is not about removing any possible role a victim would have in their victimhood. It is about destigmatizing victimhood and not blaming victims for things that are out of their control or that any other reasonable person would do.
Let's imagine a situation in which someone breaks into my house and steals my TV. I deserve a decent amount of blame if I left my front door wide open before it happened. I deserve much less blame, but still some blame if I left my front door unlocked. I don't deserve any blame if someone broke down my front door to do it.
In this situation, Twitter left their front door unlocked.
Furthermore, Twitter is not even the primary victim here. The biggest victims are the people whose accounts were stolen and the people who were tricked into losing their bitcoin.
No one deserves any blame for being burgled when leaving their front door open - however if a bank leaves the vault open they deserve blame because what's in the vault is not just theirs. Twitter left the vault open.
That's absurd. If someone does something risky, and gets burned, they share some of the blame for it. Even if they accidentally left their front door open, that's still on them.
Certainly the burglar deserves the lion's share of the blame for what happened, but there's plenty to spread around.
My view is that if a reasonable person would have taken actions that would have avoided the issue in the first place, a person not taking those actions shares in the blame.
My bicycle got stolen from my garage a couple weeks ago. The garage was closed and locked, but someone forced the door at 4am and stole my bike. My bike was not locked to anything. My neighbor's bike was locked to a railing a few feet away from my bike, and did not get stolen. I share some of the blame here because if I had locked my bike up -- an entirely reasonable and prudent thing to do -- my bike would likely not have gotten stolen.
I think maybe the issue is because people are conflating blame with shame. No one should be shamed for stuff like this; it's a learning opportunity. I accept blame and responsibility for my part in my bike's theft, and if/when I get a new bike, I'll take better care to secure it, even when it's indoors.
The internet is a place where everyone, everywhere is "around". You can talk about who to blame all you want, but blaming the attackers just means that you'll be attacked by people who don't care if you blame them. It's not an effective way of solving the problem.
And remember that "the problem" is that the attackers hijacked the accounts of people using twitter. Twitter had a duty to take adequate measures to protect those accounts, and failed to do so. The victims are the people whose accounts were stolen, and the people who were defrauded by the hijacked accounts.
No. Theft is still theft. The door could be wide open and someone that chooses to go on and steal is just as much a thief as the door breaker.
Should we blame women for dressing provocatively if they are raped? Should a murder victim be afforded less justice if they were walking around in a bad neighborhood? A crime isn’t a crime if the potential criminal chooses not to act. The ease of committing the crime should have no relevance. Someone doesn’t just accidentally walk into your unlocked house and steal a TV. It’s a choice and blaming the victim is simply wrong.
It depends on the situation. Blaming for negligence does not wash the criminal off their crime. Going alone and naked in front of a pride of lions will get you killed. The lions will do the killing, sure. But you placed yourself in a powerless position against predators, and you were at their mercy, and there lies your blame. You can be preemptive and kill the lions beforehand, or tame them. Maybe you are not able to do that at all at this time - and that was true until we made good enough weapons. But until measures are taken, and if you know the dangers, avoid them.
A woman that goes in a bad neighborhood dressed provocatively and that eventually gets raped, made the mistake of going there in the first place - and honestly speaking, the dress makes no difference. She placed herself in a situation where she is powerless against potential predators, and thus she will go by the predator's rules - because she is forced to do so. That does not mean we should not change this. We should do everything in our power to protect women, and make sure there ARE no such places dangerous for women. Until that happens, to avoid the danger wherever it is is better than rightfully punishing the criminals after the crime happens.
That is not a sexist matter, that goes for countless situations in this world. Women and men alike, or whole other groups are powerless against other people, depending on the situation, and it IS wise to avoid the danger, until we fight to eradicate this powerlessness on each occasion. You can go on despite the dangers to make a statement or in order to contribute to eradicate them, but you know what you are getting into.
> I don't deserve any blame if someone broke down my front door to do it.
I mean, you could have gotten a more sturdy door... drawing the boundary between someone opening an unlocked door and breaking down the door is hard; so I'd agree with "even less blame", but if we believe you are ever at blame here, there isn't anything magical about the lock that shifts you from having blame to being blameless.
To repeat myself, the opposition to victim blaming is about "not blaming victims for things that are out of their control or that any other reasonable person would do." I acknowledged that a standard lock is generally not going to stop many determined criminals, but it is an acceptable baseline that all reasonable people can be expected to meet in order to help prevent their home from being burgled. You can of course go above and beyond that, but I think anyone who meets that baseline standard doesn't deserve blame.
Back on topic, I think lots of people would agree that allowing low level employees the ability to completely hijack the accounts of some of the most prominent people on the planet with zero oversight is not a reasonable level of security.
Well, I think "the problem with victim blaming" is that it implies that there is something "a reasonable person" has to do in order to not get attacked: a woman should be able to walk around naked, for example, without being raped, and we shouldn't say "well any reasonable person would have at least worn clothes".
In fact, I would then claim pretty forcibly that a lock strong enough that someone has to break your door is absolutely not the thing reasonable people should have to do to prevent theft (assuming one believes in the idea that people own things, of course ;P).
Like maybe a chain lock should be good? I remember a glorious scene of some cartoon which was like "you know what this chain lock says? it means you aren't getting in here... unless you push with your hands". Closing your door is really not good enough? Having an exposed area with a door--even if open--that looks like a door of a household and not a business?
Look: I appreciate and even agree with the idea that Twitter should have blame here in some very real sense, in that someone always could have done better to protect you if they take responsibility for something about you, particularly if they don't really leave you much choice in how they do it: you friend who borrows your car and leaves it unlocked with its windows down is being negligent; and Twitter here looks like they didn't even try hard to protect anything.
But the reality is that we shouldn't think there is some magic level of "responsible" below which there is blame and above which there is no blame... in this kind of tug of war either we are working in the philosophical regime that you are ever to blame--in which case we can talk about matters of degree--or you are never to blame, but drawing some arbitrary line about "well the data storage was technically X3 7066 compliant, so this is on the other party" is actually an extremely dangerous thought process as it sets us up for companies putting in place minimum security theatre provisions that they know don't work but which they know technically absolves them of blame as it is reasonable (which is a thought process that crops up constantly).
(And seriously: is using a large, centralized social networking site and not expecting your data and accounts to be hacked every now and then reasonable? All of them get hacked. Thereby why are we stopping the blame at Twitter? If we are going into the philosophical regime of truly assigning blame, users should "know better by now" and stop using systems with centralized databases, right? I work in the field of decentralized systems and I absolutely am confused as to why people think their data in the "cloud" is secure and absolutely do not consider their usage "reasonable".)
(And like, to explain that context: this is all coming from someone in the field of hacking and security research who is also in progressive politics and thinks throwing the book at this kid with 30 felonies is ridiculous and maybe he should get some community service at best for what he did, and that we should be regulating big tech more to increase their liability as if we don't then it is essentially giving "moral subsidies" to centralized systems and making it harder for distributed, self sovereign, and end-to-end encrypted systems to compete. I actually agreed with your original comment, but in your defense against an accusation of "victim blaming" you actually do seem to have an inconsistency in your mental model and it is the same one we have to push back against in arguments about victim blaming for sexual assault: the lack of any specific protection doesn't mean you have something to blame for someone assaulting you. The argument for regulating against Twitter and holding them accountable has to come from somewhere different.)
In The Netherlands we have a law to protect the youth against smart, sophisticated hacks (we're not talking about (D)DoS here). These people are then taught lessons about ethics and how they can apply their knowledge for Good.
As such, my proposal of punishment would be to give this fellow an unpaid, mandatory internship at Twitter. This teaches them to learn their victim, and Twitter can teach the perpetrator the proper way to handle a company's problems. Show him how fun red teaming or blue teaming or pentesting can be.
Twitter is not the victim here; the users who had their accounts taken over are. Twitter did not lose anything, except an entirely reasonable loss of reputation, because they could have taken measures to prevent this sort of thing from happening, but did not.
Companies need to be held accountable for their breaches. Sure, sometimes a company did do everything they could to prevent a breach, and took steps to mitigate the damage in the event of a breach, and they still happen. But that is vanishingly rare. The main thing I've learned from all the breach disclosures (at least where companies are truthful and forthcoming about what happened) is that security practices are lax and insufficient pretty much everywhere.
That's not ok, and we need to do something to incentivize these companies to properly protect our data, before we all become victims. If financial sanctions and public shaming is the best way to do that, so be it.
While the words do sound like victim blaming, I'd argue that sweeping conclusions that sound like the common rhetoric like “victims can do no wrong” deserve both careful consideration and some wiggle room. Not to mention that it’s a completely different situation than the usual instances where victim blaming is both toxic and common. The only egregious victim blaming that I can think of would be saying “those whose accounts were hacked were asking for it by being on twitter”. And I hope nobody is saying that.
I have a feeling that a vast majority would agree that choosing to send your money to a celebrity’s (apparent) bitcoin wallet for any reason will be tough to feel victim-sympathy for, and possibly asking to never see that money again given all of the well regulated systems and norms of money transfer that we have used for decades to centuries. But I understand that they were still taken advantage of and agree that they are victims.
Twitter is to blame here. The only thing they are a victim of is failing to protect their users (whom they have the obligation to protect) in a game where they have the ability to be solely the masters of their own security destiny.
Twitter is a platform used widely by some of the most powerful people in the world and in the US government. As a result, there is plenty of justification and precedent for said gov't to regulate their security practices and procedures. To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http.
Now, I don't think the government is prepared to do this proactively and effectively, but the idea of a telco that advertises resilience to hacks (whether through social engineering or technical incompetence) sounds like it would be quite appealing to a growing segment of the connected world and whatever such promises that find success in the marketplace might be used to inform legislation or regulation, eventually...
> To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http
This is probably off-topic, but companies shouldn't even be sending the passwords over HTTPS; passwords should be hashed client-side and then the hash should be sent to the server (preferably over HTTPS).
At that point you can do key derivation to get an ed25519 private key from the password and a server-supplied salt (specific to that user), after which the client signs a challenge the server supplied with that private key. When the password was set/changed, the corresponding public key was stored on the server.
Twitter controls a platform that they profit from. They have a clear responsibility to make their platform harder to abuse. We can't simplify the "victim" as simply Twitter itself, we must (as you did) consider the other victims: the owners of the accounts that were hacked, the narrow user base of twitter that was conned, or the general user base that have lost trust in the platform. These users could have great security discipline on their own accounts, but they couldn't do anything about holes in Twitter's backend. Other comments have mentioned front door locks for the metaphor of reasonable responsibility, but in the perspective of the Twitter users themselves, the broken lock was one they didn't control. Twitter must do better in the future, and whether or not legislation is passed to pass culpability, the general public will respond to future lapses in security.
The fact that Twitter had a system in which any of thousands of employees at all levels could single-handedly with no oversight alter any of the information in any account shows this was absolutely Twitter's fault.
An acquaintance of mine worked at the NSA and they also deal with this.
He said during his first week he made the mistake of putting a CD-ROM with some official training materials into his work system. Within 10 minutes two people showed up to stop him and investigate what was going on with his computer. It was fine in the end but he was seriously reprimanded by his boss.
When you can’t trust users, the answer isn’t just to give up! It’s to acknowledge their fallibility and create a system that doesn’t rely on 100% compliance. In this case that means having software that instantly reports when any external media is connected.
And the same acquaintance described those NSA security protocols to you, who are now talking about them in a public forum. If your acquaintance actually did work for the NSA (God help us), he probably shouldn't have.
The study says 29% gave the password without chocolate as well.
Some were given chocolate before and after; nowhere does it say chocolate was offered as payment for sharing the password. Small gifts could have been an inducement to establish relationship and trust, not the same as a bribe as you characterise it.
I find it hard to believe 25/40%-plus of people readily share their password with total strangers; without knowing more details it seems unrealistic.
Social engineering is still a problem but I am not sure bribes are the real concern. And to insinuate the cost of bribing is as low as candy for a significant chunk of the population is just wrong.
What kind of mindset would lead to this behavior??
Maybe it doesn't matter.
It feels -to me- like simply being exposed to people
who say things like: "What?-- no, that's not good"
while remaining professional, respectful, and humorous,
is a vaccine against not wanting to seem jerky, yet
Perhaps it did not come out as I hoped, if it was offensive I apologize
The premise that the integrity of most people is bribed by a few bars of candy was offensive to me; I hope it is to you as well. The sensationalist headline basically claimed that, the abstract was a very different statement.
I am tired of studies that are constantly being cited these days: readers, journalists and even the principals invariably sensationalize the headlines.
It is a losing battle to get anyone to critically analyse information presented to them, sooner or later you are going to snap. Whether it is alternate medicine, creationism, or conspiracy theories there is real damage out there every day; few people (Jon Stewart?) are articulate despite being frustrated and are able to civilly engage in discussion.
Even if the study actually claimed what the headline said, the bar to peer reviewed respected research in much of psychology and social sciences seems so low that just getting some correlation between two parameters is good enough. Raw data is rarely shared, and statistical methods used are superficially understood and discussed, half the analyses are just putting data into a tool like SPSS with whatever defaults IBM puts in these days. There is not much scope for replication of a finding, a core principle of the scientific method.
Except this is not expecting perfection, it is expecting a level of security that can prevent children, literal children, from walking right through it. Which would not even be a problem except for the fact that this is far, far less than what Twitter has led their average user and stockholder to believe. To illustrate my point, if Twitter told the truth in big bold print at the top of every page so every user knows: "Determined teenagers can take over your account at any time." do you think this might outrage their users or harm their stock price? Did Twitter at any point say anything that might indicate that this is the truth of the matter and that would not be easily misconstrued by users? The evidence indicates yes, they would be outraged, and no, they at no point ever said anything that would lead anybody to believe that this was possible and hilariously easy. So, it hardly matters that maybe they or anybody else (say the FBI) can not provide a high level of security, what matters is that they committed material fraud in egregiously misrepresenting their product security to their users and stockholders.
Oh believe me, I am under no illusion about that fact. My point is that the average user is completely unaware of it and Twitter, like most other companies, has gone to great lengths to obscure this material fact from their users and stockholders. If they told their users and stockholders, in no uncertain terms, the level of security they actually provide, which is massively different than what the users and stockholders believe, then I would not fault them for upholding their promises even if they are lackluster.
The problem is that they have not revealed the massive discrepancy between the common expectation and the truth which I, and I suspect most people, would consider to be fraud. Some might argue that they did not guarantee the common expectation and therefore it is the consumers problem for engaging in wishful thinking, but that is frankly a ridiculous argument. We generally expect, and the law codifies, certain requirements on the consumer-business relationship which effectively amount to: "Consumers have certain reasonable expectations based on common sense, you can't just willy-nilly toss those in a contract and blame the consumer for not reading a 100 page contract where you get to sacrifice their first born in fine-print every time they buy bananas." I do not believe the law exactly codifies this form of fraud, but I think most would agree that a massive discrepancy between consumer expectation and the truth should be clearly communicated (the larger the discrepancy the more clearly/loudly) and acting otherwise should be at the least in the general vicinity of fraud.
In my opinion, the discrepancy is sufficiently large that it should constitute either criminal fraud or gross negligence depending on how aware Twitter was as to their own internal security. If they were aware, they engaged in fraud given they made no effort to properly inform anyone of their security. If they were not aware, they are grossly negligent in that they could not observe such a massive discrepancy between their beliefs and the truth. To anybody who reads this and says that this is a "heads I win, tails you lose" situation, I say that this is a result of the ridiculous discrepancy. If it were less ridiculous, like say a small group of organized hackers or a top-flight hacker, it would probably not qualify as gross negligence in Twitter's case if they were unaware, though it might still be fraud depending on the expectations laid out.
Incidentally, this reasoning scales to other cases people have mentioned like nuclear power plants or banks where people have certain expectations on their security which are likely different and more stringent than Twitter. The important thing is not that they all have the same high level of security, it is that the expectation matches reality and the reality is properly communicated.
1. When was this study conducted? I remember a story like this from somewhere around 2008. A lot has changed since then. In fact, I recall that during my onboarding at a medium size tech company, it was an explicit part of the company's security training curriculum.
2. I think you may actually have it backwards. I would imagine the engineering group at Twitter (the people who have important credentials) is in some ways more paranoid, or at least more technically savvy and therefore more aware than many of the people at the FBI.
Comparatively, Cern does a phishing study from time to time and the campaigns are in line with current expectations: People fall for phishing, and security training has only a short term effect on phishing. Unfortunately I can't find the real results right now.
We once had a bachelors thesis comparing the results over multiple years, and the results were mostly stable. (Years are mid 2010s).
Security training improves security but it doesn't get close to stopping 100% of attacks.
I know it's obvious, but it feels like it's only obvious to those that think about security. It's the same reason that putting your developers through a yearly OWASP Top 10 secure coding course isn't going to get you to 100% secure code.
Locking down systems seems draconian, but it's the only way:
- Disabling USB storage
- Moving away from passwords to hardware authentication
- Strong controls on internet access
- Stop incoming calls from reaching most employees. Better: take away phones altogether
Something like that (USB exploit of Windows zero days, breaching an airgap). (Edit: though not by leaving flash drives outside of the facilities, by infecting some with a virus that spread from Windows PC to Windows PC around the world.)
Someone successfully gained access to a colleague's email account using a phishing technique. I informed the senior management team not to open any emails, just to get a message 2 min later that one of them entered email credentials after opening a link...
I wonder what sort of machine those folks were plugging it into? If it's their general purpose work issued machine, shame on them, but I can't believe the FBI doesn't have a high and low side networks. How many plugged into the high side? How many plugged into the "this is my email and timecard" computer?
I have a Chromebook running arch that has a borked network adapter that I use to plug weird things into/use as an airgapped box I can reset in about 5 minutes. I'd have no qualms about plugging anything into that
Working at a courtroom I was bemused by the security talks about usb keys, yet the OS setup still allows usb driver installs automatically (granted their local presence). I know because I brought a keyboard to replace the busted one they had in-house and windows gladly set up everything plug'n'play.
I wonder if OSes have actual rules for this, and if there are secure corporate usb keys
> If a security-focused government police agency is so vulnerable
I think calling FBI "security-focused" is a bit too generous. They are essentially glorified police detectives, with greater authority and jurisdiction. I don't believe the average FBI agent is particularly competent, in terms of technical (i.e. computer) skill or knowledge.
The FBI literally performs the background checks for security clearances. Like any other organization it has less security focused divisions, but insofar as any organization is security focused, the FBI is.
Why are random users allowed to attach USB drives? Is that normal? I would think any data going in or out should go through some centralized process? Sure, the Internet can be a loophole, but locking down physical access seems like an easy and obvious win.
Software engineers are much more aware and focused on the problem of technical attacks. An FBI agent has no innate reason to distrust USB sticks. After all, they're just for "moving files" or whatever other basic tasks they use them for.
> The age of the attacker is irrelevant to Twitter's role in this story.
I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.
Of course it's steep. But he’s just a pawn. He is irrelevant. The bigger picture is that one of the largest tech companies with stock traded publicly got caught with pants down and revealed that their staff is not properly trained and vulnerable to social hacking. As a result millions of dollars invested in the stock were lost. Some angry billionaires who happen to write fat checks to politicians placed a few very harsh phone calls and then these politicians placed ten times more angry calls to the next in line, until they reached DOJ. That’s all it is. Now DOJ has a last chance to look all serious and harsh before they turn the light off.
One could argue that the victims in this case are the people whose profiles had been hacked.
As for having full blown security getting in the way of getting stuff done, try replacing "Twitter" with "Equifax", a company that handles arguably more sensitive data and should have the "full blown security" you mentioned.
The stock went down for a couple of days, that should teach them. On a serious side note, it's such a clash between company and user-experience (i.e. every NA citizen) incentives that credit score companies have a stock in the first place.
Overcharging has become the norm. Not just in high profile cases but in everyday ones as well. It's an effective leveraging tool used to get the accused to accept the actual charge in a plea bargain.
Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.
Yes, my apologies. I have become so inured to history lately. I mean in the last 40-60 years or so. Essentially since defendants have made themselves peaky with the consequences of Gideon v. Wainwright the legal recourse has been to combine several tools to prevent trials.
Justice is expensive and Americans just don't have a taste for it.
> Hitting a 17yo with 30 felony charges feels a bit steep to me.
Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.
But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.
Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each carbombing. 4 * 5 = 20 years. 25 year old girl... and now her life is basically over. And for what?
Four years of someone's life for damaging an inanimate object? Absolutely absurd. Did people get hurt? No. Fuck that. I often wonder if the "justice" system is a worse thing than criminals some of the time.
Although I would agree in this case and the rationale would be that it probably would take not much more amount of time to adjust behaviour of someone who did 5 vehicles vs 1. But maybe something like 7 years instead.
The only reason that we look at the Boston Tea Party as a "good" thing that happened is because that side ended up winning a war. If the British had won that conflict it would be a footnote in history, noting that some hooligans destroyed some property.
Again, you are misunderstanding the intention. 9/11 was an act of terrorism. Setting police cars on fire is vandalism, destruction of government property, maybe something for endangering police officers or something. All things condoned by your local friendly "anarchists".
What it isn't is terrorism.
Now go and listen to some Rage Against the Machine. Are they terrorists?
I remember when terrorism was blowing up a building injuring almost 1000 people and killing countless more, or crashing airplanes into two buildings, killing 3000 and injuring countless more. Burning police cars that ended in not even an injury is a felony, but terrorism? No way.
I really wish people would stop lowering the bar for what's called terrorism. It's a very dangerous slope.
I think the friction of an act contributes to the analysis. It isn't hard to get a bitcoin account. It's a number. With other fake numbers assigned to it. Get people to send fake numbers to your fake number.
Should a 17 year old lose prime years of his life? Is there a better way to educate/reform the person?
If you say "Well in this other instance, the book got thrown at so-and-so". To this, I would ask, does that make it right?
Adding repercussions to the targets would be a mistake in my opinion - that would be very anti-transparency as they would be encouraged to be willfully blind to cover their own asses. "Look it is clearly just the fault that these dumbass rich people didn't secure their passwords properly. Password reset logs? Why on earth would we keep those?"
Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure.
It would be unapologetically Darwinistic, but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.
I kind of like that idea, but defining the rules and boundaries would be really hard, and I'm not sure if the cure wouldn't be much worse than the disease, overall, for just blanket legalizing hacking.
Like, how far am I allowed to go?
Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?
Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?
Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have a look into that User\ List.xlsx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?
Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?
Can I attack healthcare providers? Can I attack banks?
Can I use any minutes-old zero-day disclosed by some hackfluencer on his YouTube channel, even if no one reasonably could have reacted to that so quickly?
I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector to get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.
That might lead to everyone below big corporation level virtually having to migrate everything they can to cloud and serverless products, since I'd expect it to get increasingly harder and more expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed within the hour, but how many small companies (or individuals running services) could do the same?
> It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
That is exactly my point.
There are tons of crimes that basically anyone can do. If you said instead: people whose houses are set on fire by an arsonist should be liable for poor security, at the very least you'd not be taken very seriously.
There is a duty to not commit crime. There is no duty to avoid being the victim of a crime.
On top of that, there is broad industry consensus that it is largely impossible to write bug free software - certainly at the scale of Twitter. To suggest that they have the duty to perform the impossible strikes me as deeply irresponsible if not simply malicious.
>There is no duty to avoid being the victim of a crime
If you entrust a bank with 10 thousand dollars, and the bank puts your money in a paper bag and leaves it in the lobby, they are going to be held liable if someone walks away with it. Twitter letting teenagers steal people's data is approaching that level of negligence for a multi-billion dollar company.
The only thing between the inside of a home and the outside is a thin layer of glass. Should we hold home owners responsible for people breaking in and stealing? Lots of things are fragile; we have laws to act as a deterrent to violations.
Someone breaks in and steals your stuff? We generally don't care, because it's solely your problem.
Someone breaks in and steals other people's stuff that you held, or stuff that's dangerous to others? Depending on what it was, you may be held liable if you didn't take appropriate measures.
If the stolen stuff was, for example, sensitive private information, and you didn't have it in at least a locked cabinet, you may be liable. If it was a gun, in many jurisdictions, you're liable. Your car gets stolen _because you didn't secure it correctly?_ In Germany, you're liable for the damage caused with it!
> There is no duty to avoid being the victim of a crime.
In Germany (and likely also other jurisdictions), if your car gets stolen because you left the door open and the keys in the ignition, you will be held liable for it to some extent: As the owner of a dangerous machine, you're responsible to reasonably secure it even against illegal acts.
I don't see why this would be different if your machine is a lot bigger, and as a result arguably a lot more dangerous than a single car (imagine tweets trying to trigger violent mobs).
You are incorrect - there is a legal concept known as strict liability that defines an instance where one party is completely liable for damages to a party, regardless of the negligence of any other party. I am sure Twitter didn't run afoul of that concept here, but the question is, "should they?" Presumably, a skilled person with only a few years' experience was able to find a flaw in their system so severe, that multiple political and business leaders' accounts were manipulated. It's a dangerous embarrassment.
That was the other commenter's point: a 17 year old can hurt people with a car just as easily as a 40 year old. The age of the attacker has no relevance on how liable the recipient of the attack is for their security practices.
The same point stands with the car, any 17 year old could borrow their parents' car and drive into a crowd. It's not the fault of the car owner for not securing their car.
Security is not preventing people from doing things, it's having some limitations so it can't be done too easily or too quickly (cars are protected by keys, accounts by passwords). Anybody motivated can and will bypass security easily.
Well the age implicitly assumes potential levels of education and sophistication. Few would be surprised to hear a 30 year old engineer designed a novel world class chip - they could easily have a PhD at that point to have the sophistication capable. For a 17 year old that would be pretty damn extraordinary. Now hacking is less than that even to laymen who don't know how simple some holes are, but 17 implies a lack of great sophistication.
The whole thing is an ageist rough proxy anyway - a developmentally disabled 30 year old hacking it would be more shameful than a 17 year old college graduate.
If you were responsible for securing my stuff, and you put a cheap lock on your door protecting my stuff, and someone breaks in and steals all my stuff, then yes, you should be held liable for your poor security practices.
True, but I think this case opens up doors on regulation of tech companies for security, or at least new laws for security negligence. The power that Twitter has due to its highest-profile users is immense, however, this hack made them look incredibly stupid.
This is a tough topic. If we take the approach of effectively turning this kind of crime into job interviews and a way to enter life-long careers we would create a positive feedback loop. Punishment, on the other hand, creates a negative feedback loop. We can discuss the degree of punishment, but it is clear that humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.
The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.
Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.
> humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.
I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively change behaviour, and can often turn past offenders into very effective advocates against the crime they committed.
That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.
Having bad security is not criminal. If it was we wouldn't have a voting village at DEF CON cracked by pre-teens and there would be a lot more irresponsible CEOs in prison (so probably a better world).
Agree. Twitter is under no obligation to provide Secret Service level security on its platform because some high profile people use it. If the government deems such security measures so important, they should pay Twitter to implement them.
Negligence is actionable regardless of whether it’s criminal. And whether it’s criminal depends on the duty of care that can be reasonably expected from the negligent party.
In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.
Did you read the report? This hack involved spear phishing multiple employees who also had 2FA turned on. Good practices were in place. This was not some admin panel left open to the internet, that would be negligence.
I disagree. For every Mossack Fonseca, Mernis, Equifax, Twitter, LinkedIn, Ashley Madison we get public hacks from I think we have many more that see it as "the cost of doing business" and keep bad practices around.
In many types of businesses the cost of a security breach is "priced in" or not considered at all and they are gambling on it happening to their competitors (or not at all) instead of to them.
I think we are in agreement on mechanism. I meant "works on average" in the sense of "Keeps fraud and breaches to a level consumers are comfortable with." Nobody imagines breaches can be driven to zero; we seem to be comfortable as a society with the overall rate and severity of breaches (demonstrably, since people keep signing up for these rando online services willy-nilly with nary a care to who holds their data).
No, and that's why we (basically all nations that have banks or nuclear power plants) have specific laws governing them.
Look, if you want to pass a law saying all internet business having X personal data needs to prove Y security, then I'd probably be for it (depending on X and Y). We already have PCI-DSS and similar today for payment providers. I'm just saying that there is nothing like that today, and if there was we'd have a lot more irresponsible people in prison.
A nuclear power plant, no. Because it's most likely public property and so the govt should have a say in its security. Even if it was a privately owned nuclear power plant, a breach would catastrophically and directly affect people who are not just its customers.
But a bank, which is a privately owned entity? I think yes. If I own a bank and have bad security practices, and a breach impacts only my customers, I think the customers have the right to sue the bank, but it's up to me to decide what security I use, and if it's not good the customers are free to choose to do business with another bank. But I don't think the govt should decide what level of security is sufficient.
Think of it this way: does this imply if my house is robbed I could be held liable because I chose to use locks on my house that were non-compliant with govt regulation?
Large banks are designated as SIFI (systemically important financial institutions, aka "too big to fail"). When they screw up, the government steps in and props them up with taxpayers' money. To those banks, losses from lax security are an externality.
In that sense they are not very different from nuclear power plants. Indian Point is owned by Entergy and it gets the money when everything works fine, but the risks are covered by the government through Price-Anderson Nuclear Industries Indemnity Act.
If your house is robbed, it's your problem. But if you store personally identifiable information for everyone and it gets stolen, now it's everyone's problem.
> Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.
Not a home, but if you were a bank and a 17 year old walked into the bank, talked to someone and was able to walk out with a fat stack of cash, I think the insurance company would have to reconsider your policy.
According to a family friend who used to work bank robberies for the FBI, it's very easy to get away with one bank robbery. It's the compounding evidence when you commit more that gets you. Of course, that was a couple decades ago. I'm sure better surveillance technology has shifted that balance some.
Not home security, but I'm of the opinion this should apply for businesses and public places in some cases. For instance, I usually carry a gun on me. If I go into the court house or a concert venue I'm prohibited from doing that. IMO they have now assumed a level of liability to provide a reasonable level of effective security and they're negligent if they don't and I'm injured or killed because of a mass shooting anyway because they didn't enforce their own policies.
Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.
I find it odd that you think a gun protects you in public. It's always seemed to me like you are more likely to be shot if you're carrying a gun, because an armed criminal now has to shoot you first if they want to ensure that they are not shot themselves. If you are unarmed they can simply threaten to shoot you and need not actually shoot.
I guess in the US there are so many guns that perhaps criminals will just assume that you're armed anyway. But IMO that only makes the case for gun control stronger. Because the most effective way to change that attitude would be to dramatically decrease the number of guns in circulation.
Source for those charges? Article this currently points to says "The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. "
I think the fact that "a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world" does pretty serious damage to their reputation — that is in itself a repercussion.
You'd think so, but history shows that this will only be a footnote in Twitter's history. See Equifax; they have lost the personal finance data of basically everyone in the US and they're doing fine. Twitter is not going to suffer anything other than a few bad jokes at its expense.
that makes me so mad, not just for 17 year olds, but everyone subject to the whims of the criminal justice system.
for this young man, it should be 1 charge, maybe 1-2 weeks in jail (to demonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.
we destroy lives gone astray rather than nudge them back onto the happier path(s). mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. the punishment should reflect that.
In the United States, we generally consider minors who commit crimes to be a different class of criminal than people above 18. We do this because (AFAICT), there's a sort of societal agreement that wisdom/maturity is a logarithmic curve that begins to flatten in the late teens and 18 was picked as a legal threshold.
So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.
FWIW, don't imagine that there was anything as elegant as "logarithmic curve analysis" used to decide that the age of majority is 18.
It's an age that was settled upon by common-sense consensus over a grand function of "Well, most Americans (descended from Europeans) thought it should be around 21," and that's probably because 21 is a nice, round number. Then the draft age got pushed to 18 because we needed more bodies for the meat-grinder in World War II, and the voting age followed around Vietnam when too many people asked "Wait, in what way is it just or fair we can force people to fight and die in a war who can't even vote?"
There isn't a lot of hard science (beyond the most ancient human science of all: observation across millions of data-points loosely confederated into "common sense") underpinning the age of majority.
It's true. Apparently, that's because mothers against drunk driving campaigned hard to have the drinking age re-raised to 21 after they got their hands on some evidence suggesting that it cut down on deaths due to car accidents.
Just because he is 17 doesn't mean he didn't understand the repercussions of his actions. That said, Twitter should be facing fines as well for not protecting their platform. I mean seriously, what if someone gets hold of, say, Putin's or Trump's account and starts stating they are launching strikes on XYZ country within the hour, what happens then? With great power comes great responsibility and these platforms of communication are no exception.
Nothing in the complaint (well, for the two others, since his is sealed) says that a state-level actor wasn't involved. Could be the tip of the iceberg. I find it hard to believe that this was prank hacking for about $150,000. You could sell Obama's handle for more, surely.
Do you know anybody willing to pay over $150,000 for temporary access to Obama’s twitter account? I find this type of comment kind of naive and poorly thought out.
Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.
To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.
Kid had the whole attention of the world for a few minutes, could've walked away a billionaire, started WW3, done Casino Royale stock trading - everything, anything - CREATIVELY there's so much that could've been done, and it all came down to a bitcoin scam that netted less than 150K (wallet shows about 128k).
That's a yearly salary of a help desk engineer on the west coast.
--I'm not sure which video to link of "Burn after reading" but the entire movie is how this was handled.
I feel like it would have been relatively trivial to make decent 7-9 figures depending on your initial leverage just by manipulating some key accounts.
I.e.: short Tesla, Musk's account says solar roof delays, firmware error has started bricking cars, self driving is 10 years away, delivery numbers going to fall well short
Trump (surprised they didn’t hit that) - no new stimulus for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple small cap companies that are going to receive massive boosts like the Kodak thing.
Tim Cook: Apple sales flagging, iPhone production issues due to supply chain issues
Take a bit of timing to get it right and be able to walk away from the markets relatively untraced (market trade interrogation is a useful way to trace inside information, so it's hard to do in a way that leaves no trace, but if you know you can perform your hack at leisure you can set up the initial trades well forward, wait for the market and some other external condition to walk into your ambush and then pounce).
Even setting up your trades in advance, there's no way you're going to make a billion dollars doing that kind of thing without being noticed. Millions, maybe (although maybe not), but certainly not hundreds of millions. Unless you already have hundreds of millions to work with, but then you're probably not a 17-year-old hacker.
Best case he'd probably have a few tens of thousands in capital, and he gets one shot at it. In order to get the kind of leverage needed, he'd need to use short term options and/or move penny stocks. Either one of those would paint a giant target on him.
Personally, I find "it was a prank" extremely easy to believe. It's the simplest answer to the question "Wait, if someone compromised Twitter so badly they could tweet anything from any account, why didn't they try to move the whole stock market or start World War III?"
"Because they're young punks and didn't think of that" is a reasonable answer.
Prank hacking would fit with the monetization when combined with statements of "who would be dumb enough" that underestimates stupidity like the whole charge your iPhone in the microwave or Soupy Sales' "send in all of the green paper in your parents wallets" not thinking people would actually do it. Plenty of precedent but easy to see why they would feel no responsibility for anyone mindbogglingly stupid enough to do so.
Well, of course that wouldn't be the move. The move would be to coerce the naive but capable hackers into doing this, and once the payload was delivered, burn them. I don't know what happened, but it's kinda a waste of a huge position, so I don't think it's that far-fetched.
The release doesn't say either that he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—"With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile"—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities).
I agree this bothers me to my core. Even the 22 year old hasn't developed a fully functional neocortex. I know it seems a little hypocritical of me for getting sad when this happens to a young programmer and not an inner city gang member, but it does.
To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.
That attitude is exactly the problem though. These kids getting hit with a 30 year sentence bothers those of us who relate, when the same thing happens to young black inner city kids every day. Plenty of them are just as intelligent, risky, and bold as these kids but we throw them in prison for the best parts of their life without a second thought.
That's violent crime though, which is more obviously bad, even to a teenager. If you're 17 and intentionally kill someone then your brain is broken and you should be kept away from innocent people forever unless you really have some delayed development that comes later.
Why do you assume black kids are being put away for violent crimes? Mostly it’s drug possession, and they get hit with years while a white kid caught for exactly the same drug and amount gets off with a warning “to avoid ruining his future.”
> To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't
They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.
You want those people LEADING us "into the future of science"?
If this turns out to be true, then we can conclude two things:
1. It's incredible that the security of Twitter allows for a solitary 17-year-old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Frankly, I don't take "a teenager did it" as an extra mark against hacked systems any more. It's the details that matter - the difference between one teenager and multiple adults being able to hack something is not large unless the context is government hacking.
The Krebs article says that prior to the bitcoin hack, they were selling accounts such as @6 for $2000. They probably had a rapidly shrinking window and the bitcoin scam was the last ditch effort before whatever admin account they hijacked got discovered.
People did say things like you could have made a fortune shorting stock by tweeting something insane from Elon Musk's account. I don't buy that as necessarily better than a Bitcoin account. Stock transactions are heavily regulated and monitored. You'd leave a pretty large paper trail of any stock manipulation you hoped to profit from.
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
You go on Binance, BitMEX, Bybit, FTX, Phemex or any other exchange that offers futures or perpetual swaps that track the bitcoin (or whatever) price. This is basic stuff. You can create a BitMEX account in minutes, load some bitcoin in and short with 100x leverage with minimal time or effort, just need a small amount of bitcoin to trade with.
He could have done the scam on e.g. Elon Musk's account to get some bitcoin and then pulled this scam on an exchange using the money from the first scam.
If you don't trust your exchange not to commit that kind of fraud, then you shouldn't trade on it at all, as there are many ways they could defraud you even if you trade at 1x. There are plenty of reasons why I wouldn't recommend trading at 100x, but "the exchange might commit fraud" isn't at the top.
Still, in the described scenario, where you use a scam and market manipulation, 100x seems like a great tool.
Are any of those exchanges based out of the USA? And do any of them not allow USA based customers? My concern is if I made a great trade at 100x and then go to transfer bitcoin and they freeze my account saying I need to provide proof of residency or some BS.
Most do not allow US customers, but even BitMEX gives you a few days to withdraw your funds after freezing your account if found to be in the US (I've been told by people who had their accounts frozen). Some have KYC, sure, but in my experience, many do not and let you withdraw without issue. A lot of people (stupidly, IMHO, but that's besides the point) trade 100x; it's part of many of these exchanges' selling points.
But if you were pulling the twitter scam, as I described, you would be risking a few $K on this trade in the hopes of making a million or two, while still being able to do the scam they did. Sure, there are risks (such as being able to withdraw at all after using the twitter hack to manipulate the market), but chances are there are plenty of others who will have shorted too, so you'd be part of the noise and wait a week before withdrawing. It's not a perfect plan, but it's straightforward with the potential to multiply the scammed money.
If you're someone who's regularly traded 10s of thousands of certain stocks over the last few years, it would be nearly impossible for them to detect a $100k profit from stock manipulation, especially a high volume stock like TSLA.
If they knew up front they would be doing this, they could’ve shorted Tesla in smaller positions, over multiple accounts. There’s tons of people shorting Tesla, would it really be traceable to any of those?
Yes, because the SEC isn't stupid, and would trawl through the data, until they found:
* A set of freshly opened accounts.
* That only shorted a single stock.
* Right before a major hack.
* That cashed out all at once.
* That never traded again.
And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few sql queries can narrow it down to the point that basic detective work can solve the rest.
The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.
This is also exactly how the SEC catches insider-traders. By analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short on your employer twenty minutes before a disastrous earnings, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.
If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.
None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.
Most "insider trading" is done by senior executives. As you observe, only non-connected "idiots" are ever prosecuted for insider trading. This "crime" is merely a way for corporate insiders to enforce penalties against those who defect from their conspiracy against the investing public. Non-insiders who trade on "inside" information release that information to the public, to the public's benefit, before the actual insiders are ready to profit at the public's expense.
I would add 3. People need to stop using "Trust <<insert large company>> instead of self hosting because they have teams of security "experts" and will have far better security than you ever could on your own"
Wasn't there one more person involved (Kirk#5270) who apparently did most of the work and let these kids do the work? Sounds like a MafiaBoy situation, where more experienced hackers did the work and let younger script kiddies take the fall for it.
I have an unrealistic idea (more of a thought experiment) that companies should face equal culpability to criminal hackers in attacks. After all, technically the way the hackers use systems /is/ authorized in a sense, even if the method of obtaining authorization is unconventional. Maybe this would get companies to pay more attention to securing their systems.
From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).
I disagree, no system created by humans is going to be without flaws. I think it should be possible to sue a company if a victim can show that the company was negligent in its actions. Damages should be apportioned between the scammers and the company on the basis of their contributions to the act.
> companies should face equal culpability to criminal hackers in attacks.
That's an interesting idea, and I think I agree with you in spirit. But don't most hacking-related criminal charges boil down to "unauthorized access to a computer"? It would be hard to argue that the company that owns the computers has unauthorized access.
Maybe a better phraseology would be to say that the company is an accomplice to the hacker. For that to really hold up, I think you would need to show that the company was negligent or not keeping up with security best practices.
> It would be hard to argue that the company that owns the computers has unauthorized access.
That's not the way I'd argue. I'd say the company has authorized access and they then gave access to fraudsters who should not have been given access to the system, which is where they were aiding the fraud.
So they aren't the principal offender, but they did aid in the offence which is what I'm suggesting makes them an accomplice (although as another paulpauper points out, an accomplice has to be aware they're aiding a crime - being duped isn't a crime).
> Should we make homeowners equally criminally liable when burglars break in?
Aren't they? I've seen a lot of insurance cases being denied due to negligence. This might even happen if you let your bag lie around openly in your locked car.
Also, burglar victims tend not to cause further damage. And, if they do, the victims will be in trouble as well. At least in Germany, a stolen gun will cause you a lot of problems, unless you can prove that you stored it securely according to the national guidelines.
Your home was broken into and your jewelry stolen? No, you're not criminally liable for anything, you were the only victim.
Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?
It doesn't have to be a binary thing either, there's nuance to it. A hacker steals unencrypted personal information off a server you didn't even password protect? You're more liable than a company that lost personal information that was strongly encrypted.
> Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?
This is one of those ideas that seems to be made in good faith but ultimately harms the competition far more than it harms the industry leaders. Twitter can afford cameras and alarm systems for its data centers; I can’t. Twitter can afford to hire armed guards; I can’t.
The ultimate end result of a policy like this is that people will simply kill anyone trespassing on their property; after all, who knows what documents they may have seen or confidential records they may have exfiltrated. It’s way too heavy handed.
Your comment just sparked a weird thought for me. We're all familiar with the adage that if a product is free, you're not the customer, you're the product. In this Twitter breach, Twitter's customers were not harmed. However, the product was harmed.
I was under the (apparently false?) assumption that under-18s couldn't be named. The alleged mastermind here is 17, yet is named and pictured.
Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
The story below the linked one is how a man rammed his way into a gated community, beat two people to death with a baseball bat, and then the police found the suspect unconscious after he drank some bleach.
That seems more weird than my local news, by a bit.
It's my opinion that Florida is weirder, because driving around, the weird signs of weird people (roadside, or on their vehicles for instance) are weirder and more common than up north. Not an airtight proof, but an independent datum not biased for the same reasons as the news.
For over a hundred years kooks and scammers from the Northeast and Midwest have made their way down to Florida. It's a weird place because weird and disreputable people move there. (Source: I grew up in the panhandle, and also inherited some "beach front" property in the middle of the woods that an uncle bought in the 1960s from a Chicago developer front running a classic Florida real estate racket. Also, see "Oh, Florida!: How America's Weirdest State Influences the Rest of the Country".)
I always thought this was for precisely the opposite - i.e. that news headlines (edit: I mean whole articles) were more often "A Florida Man has been arrested" because they were not allowed/didn't have the names.
I think using the term "Florida Man" is a meme now and probably carries more weight than using the accused's actual name.
From the wikipedia article:
> Miami New Times claimed that freedom of information laws in Florida make it easier for journalists to obtain information about arrests from the police than in other states and that this is responsible for the large number of news articles
The headline is usually "A Florida Man has been arrested" because news stations all around the country dig through Florida public records to fill space when their local news is slow. It says "Florida" because it is not local to the outlet that is publishing it. Local news usually says "local man" or specifies a locality.
It has been a journalistic tradition done out of good faith not to print the names of accused minors. This has largely been done industry-wide under an implicit "gentleman's agreement." Similar traditions include not printing the names of alleged rape victims or victims of other sexual crimes.
There actually are very few legal restrictions on naming minors. There is substantially more scrutiny applied to false reporting when it involves accusing a minor of a crime. Most of the time when publications refuse to name a minor it’s because they promised not to while obtaining the minor’s name.
Don't expect reason or a sense of proportionality from USA "justice system". Prosecuting a social media hack will get a lot more attention than prosecuting e.g. some common crime of violence. Prosecutors are basically the worst people in USA. (In case you're wondering, yes they are worse than police.)
Sure, but it's plenty of time to just remove tracking cookies altogether. Which would have been easier to implement than what they're doing now (geolocating visitors, serving custom messages depending on jurisdiction, etc.)
I mean, if my privacy matters to them.
I know the online news business is difficult to monetize. Only a handful of major news orgs can put paywalls up and charge subscribers directly. I get that.
So, what they do instead is use 3rd party ad networks and analytics, and traffic in my personal data, while telling me that my privacy matters.
That's why this is doublespeak. They're saying one thing (my privacy matters) while doing another (funding their operations in part on my personal data).
Is it the only viable model for them? Maybe. That's not really relevant, though.
A man has a hotdog stand that he never cleans. One day, a health inspector comes by and tells him that unless he cleans his grill every day, he can’t keep selling hotdogs. The man shouts “I’ve never cleaned the grill in my life! It’s impossible, nobody does it! And who’s going to pay for the cleaner and the five minutes every day, me? No, I’ll just go sell my hotdogs somewhere else.” And he leaves. Later a regular comes by, sees the missing hotdog stand, hears it happened as a result of the health inspector’s visit, sees that other people are now eating the man’s hotdogs while he can’t, and thinks “Man I’m hungry. Screw health inspectors.”
"Those who don’t care much about privacy might say that they have nothing to hide. Those who do worry about it might say that keeping their personal data safe protects them from being harmed by hackers or unscrupulous companies. Both positions assume that caring about and protecting one’s privacy is a personal matter. This is a common misunderstanding."
You can take individual responsibility and disable JS by default. Also, don't visit sites that you disagree with. This is much more ethical than the European choice to bring in people with guns to coerce sites into behaving how they want. It's easy to understand why international sites block European visitors to avoid that violence-backed coercion.
> You can take individual responsibility and disable JS by default.
Sure, you try explaining that to the general public, and why most of the sites they visit don't work anymore. It's hard enough to manage as a techie. This is the same argument snake oil purveyors use to complain about health and safety regulations, and it's silly for the same reasons.
> This is much more ethical than the European choice to bring in people with guns to coerce sites into behaving how they want.
Which GDPR violations have been met with armed agents?
I don't know about the public. That is many people I don't have control of. I do know that I can do it myself and it works fine and I can work around things.
I think this is true for many technical people. And I think doing this would encourage many of us to think of better ways to design and implement no-JS fallback functionality when making things for the public to use.
Just to refresh, the context of this sub-thread is about what people outside of the EU should do. Those living in the EU already subscribe to social policies based on positive liberty and can ignore discussions about individual responsibility for their behavior.
Lastly... ah nevermind, I don’t actually want to know if you honestly believe anyone is enforcing GDPR with a gun. It’s not true in any way but it’s such a ludicrous statement that I honestly don’t even want to hear if you’re being serious or not. For my own mental health I will pretend you’re joking.
I'm reposting this reply to you because it makes my argument well. The other guy's "new" account got wiped out by it's new status and was easily downvoted away from people that can't read "dead" posts. Anyway, here it is:
People really need to stop suggesting using condoms as a solution. It’s not a solution.
First, it puts the blame on the victim. “Oh you got an STD? Should have used a condom.” Stop blaming the victim. Birthday suits don't come with condoms by default and many people expect unprotected sex, so it’s a reasonable expectation that people don't wear condoms.
Secondly there are a lot of places that people have SEX (Software EXchange). It’s not convenient to put on condoms in all places. If I used condoms when going to the local glory hole, every dick I sucked that needed a condom would make me stop, go to my bag, find my box of condoms, open one, and put it on him. Then go back to sucking dicks, bust this guy's nut, then go through the hassle of taking the condom off. That’s not a reasonable workflow to even suggest.
Lastly... ah nevermind, I don’t actually want to know if you honestly believe anyone is enforcing sex-after-marriage with a gun. It’s not true in any way but it’s such a ludicrous statement that I honestly don’t even want to hear if you’re being serious or not. For my own mental health I will pretend you’re joking.
It's sad to me how the authorities are bragging about how quickly they caught them and how effective they are at solving this type of crime.
The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.
I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.
So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.
It's also just another case where those not in power who attacked those in power are swiftly and promptly dealt with versus those in power perpetuating the same attacks go free. I would rather see them gloat over putting people with real power and influence with their attacks in jail versus bragging about locking up teenagers and people in their early twenties.
There's a quote in the article, "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence", which just reiterates this perception of the justice system being "hard" on crime. Yet it conveniently ignores being soft on crime if you're rich or in power.
Obviously what they did is wrong but the kid is 17. To me this is a prime example of where a short sentence or community service should be used. Don't ruin his life - he could be a useful employee for a tech company.
It drives me a little nuts when people say stuff like this (they said it about Reiser, too) --- because you can say the same thing about tens of thousands of young offenders imprisoned for crimes we don't have a rooting interest in.
We need to reduce sentences across the board, for both violent and nonviolent crimes, because our sentencing ranges are bonkers. But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.
At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.
> At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.
I wouldn’t be so sure. Look at Paras Jha, Zachary Buchta and Mir Islam.
All engaged in similar high profile crimes, all monetized. I think only Mir spent a little bit of time in prison.
I have a hard time thinking of any young, high profile offenders that were handed severe punishments for cybercrimes by federal courts in the past decade.
Private prisons represent only ~8% of the US state & federal prison population. Private prisons, while bad, are a distraction from the larger issues of policing and incarceration in the US and aren't the reason why we have so many people locked up. Almost half of all federally incarcerated people in the US are there for drug-related offenses thanks to the "War on Drugs", that's where you want to be focusing your efforts on change.
While that percentage is low, it doesn't tell the whole story. Private prisons are certainly a major symptom of the problem with our prisons. The U.S. has the largest private prison population in the world, and you'll note from your own link that the private prison population from 2000 to 2019 increased by 39%. Also, for federal prisons, the percentage of inmates in private prisons is 19.1%. These are definitely problems and discussing them also helps discuss the big issues such as why in the hell we're incarcerating so many people.
True he did commit a serious crime, but it's a non-violent crime. The kid obviously has some skill and potential in life. Sending young, misguided amateur criminals to prison just creates professional criminals. A crapton of strict probation and community service would be more appropriate than prison in my opinion.
Depends on your views of the justice system. Is it to prevent the person from committing the crime again? Is it to punish the person for the crime regardless of whether or not the punishment prevents future crimes by the person? Or is it to punish the person so others will be fearful of similar consequences?
IIRC in the past, cyber criminals in similar situations were made to help federal cyber crime investigations, not sure whether through community service or a form of prison labor. The price tag for talented people is high so it's a win-win situation compared to wasting their talent by making them do low skilled labor.
Sure, it's a crime and he knew that. That being said, let's not pretend like this is a fully developed adult human who has committed murder. This is a child (legally) who committed fraud. The brain of a 17 year old is still physically developing; the prefrontal cortex isn't fully formed. I can't fathom how you would expect them to have the capacity to fully grasp the consequences of their actions with an issue as complex as this one.
It depends on how many laws with felony consequences each broke.
If a robber hacks a computer (a felony), impersonates law enforcement (a felony), uses that to commit fraud (a felony), then transfers stolen money across state lines (a felony), then tries to launder it (a felony).....
Using your analogy, imagine the bank had kept the client's money in a cardboard box in a shed out the back. They did this because they didn't want to pay for a safe. The thieves should be prosecuted, but so should the bank.
Technically he did not take the money but rather people gave it to him under a false pretense. It is close enough, but one can imagine a jury being harder on someone who stole vs exploited his victim's greed and gullibility.
If a 17 year-old gains access temporarily to a bank vault, while they’re in there it’s not possible they could also cause a nuclear war. The crimes are similar at face value but meaningfully different.
Trying to paint this 17-year old kid as a criminal mastermind strikes me as rather gross. I can see it as a kid doing it to see if he could, and using an obviously meme-worthy fake post that got out of hand. I think everyone has done some dumb things at this age without thinking about the consequences. If that is the case here, I hope this doesn't ruin the guys life.
This kind of feels like "privilege" of the sort where you can kind of identify with this kid (he's a hacker, into computers) so you're excusing his actions.
Yes, everyone has done some dumb things at this age, but the consequences of this were pretty severe, and he certainly knew what he was doing. Just calling this a "meme-worthy fake post" is minimizing what he did.
But the potential was there. I was providing an all too likely possibility of someone hacking Twitter in the way that happened here. Not sure why I have been downvoted for stating something sensible to the question that was asked.
Would that apply to criminals of all ages, based on their intelligence / mental maturity? Plenty of incarcerated 18+ adults with less brainpower than this guy were deemed responsible for their actions.
I think there are some arguments here to be made about the development of the prefrontal cortex. You may not be as “intelligent” as someone who is 17, but if you’re over the age of 25 your decision making capabilities are likely much much better.
There’s a lot of evidence to support this. I will present my own anecdotal evidence because hacker news loves that stuff. I acutely felt my decision making improve a few months before I turned twenty five. It hit me like a wave, and reflecting on my past decisions felt like looking at the actions of a completely different person. If I were in different, more difficult positions when I was younger, it is unlikely that my decisions would be as rationally thought out as they would be now.
> I acutely felt my decision making improve a few months before I turned twenty five. It hit me like a wave, and reflecting on my past decisions felt like looking at the actions of a completely different person.
I don't know if this actually exists, but I experienced something similar: Starting at around 17 I decided to ask myself at every birthday whether I thought I was more mature as a person than the year before, which I think relates to proper and holistic decision making. I kept saying "yes" to this question until I was 24.
I never stole $100,000 when I was a kid. Sometimes 17-year olds murder other people too. Society can't ignore it just because he's a minor. If he had posted memes, that would be one thing. But instead he decided to use this hack to commit grand theft.
Any leniency due to his age will come from the Judge.
Would you advocate leniency this forcefully for a 17 year old teenager of color who was charged with committing hundreds of thousands of dollars worth of property theft (e.g. stealing expensive cars)? Or do you want this kid to receive special treatment just because you identify with his demographic? Presumably you were also once a tech-savvy teenage hacker at some point.
People with your mindset are responsible for a lot of the inequity in the criminal justice system. Upper middle class suburban white kids (e.g. Brock Turner) get away with slaps on the wrist all the time for the same crimes that poor and minority teenagers get sent to prison for years over, because judges (who were almost all previously upper middle class white suburban kids themselves) feel sorry for them and chalk their crimes down to kids being kids.
> Sheppard had used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin.
Didn't even layer the Bitcoin through an anonymiser like Monero and extra Bitcoin wallets. Just sent and received BTC directly to an account linked with photo ID on multiple exchanges. Incredible really!
It's like robbing a bank and then making sure everyone knows you put the money in your personal bank account. If you spend 5 minutes reading about anonymizing Bitcoins you'll find plenty of ways to do it (tumblers, etc).
How can you do a hack that will certainly get you in jail for several years and not even research the most basic techniques to protect yourself? It just doesn't make sense.
* the attacker (allegedly) bragged to the press
* the attack only involved phishing and social engineering. (It's a bit unclear, but that's what it looks like)
Bragging to the press is a definite sign of someone doing it for the lulz. Criminals know better than to brag about their crimes publicly, that is how you get caught. Bragging definitely fits into the stereotypical motivation for most teenage hackers.
Social engineering is a skill, but it's also a skill that a smart teenager is likely to have. It's not a super high sophistication attack. It's not a spy movie attack where people are breaking into offices, coercing employees, finding 0-days in the webserver etc. It's an attack that a dedicated teen could teach themselves and pull off themselves, no special resources needed.
I just read one of the complaints, against the 22 year old "Rolex". It's not so much loose ends as loose everything.
He didn't use a VPN or anything to mask his home IP, he discussed the hack on Discord, an unencrypted third-party platform, and reused a gmail address for the hack that he also used for a Coinbase account. Said Coinbase account being verified with his driver's license...
I shouldn't be too surprised, but I still am. I would have expected, at the very least, all discussion being handled on Signal or similar, all access to involved accounts to be exclusively via a regular VPN or Tor, and only using a brand-new fastmail email for anything to do with the hack. Those are the very basic precautions.
Curious aside: there's a bug in the complaint document. The affidavit is by a Special Agent with the US Secret Service, but the title page lists him as "Special Agent, FBI".
> Networking Layer is invisible to 99% of users nowadays. "it just works."
Yes, but the problem is that it didn't take someone who knows better to hack what is (used as) an official government communication platform. Or one of the largest social networks, or a company with thousands of engineers - take your pick; it's hard to put this in a good light.
If there was any merit to the articles where people in the media were put in contact with people involved (and it seems so, now) then they left tracks all over the place. A) reaching out to the media at all. B) sharing screens of the OGUsername boards they hung out on C) Bragging.
If they were dumb enough to waste such a high value target on a small scale bitcoin scam then I wouldn’t be surprised if they were dumb enough to perform the malicious actions from their home IP address.
It seems that they mixed the stolen bitcoins with bitcoins that they withdrew from Coinbase. So law enforcement probably knew who they were from day 1. I feel that this is the time it took them to put together a case.
I don't remember if he was reporting on any of these 3 guys. But I do remember that a huge media outlet/conglomerate was quick to accuse Krebs of wrongfully accusing somebody (no idea how they got that, behind a paywall) and how he had previously wrongfully accused people.
Felt a lot like a hit piece to me, at the time. It would be interesting to know if Krebs turned out to be right. That could say a thing or two about that newspaper.
> In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.
> On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database.
What about this implies parallel construction to you? The OGUsers databases (well, actually a couple, they've been hacked multiple times) have been publicly available for a while. Also, the discord chats and Vice article include details on selling accounts with desirable names - even if not explicitly linked to OGUsers (I don't recall off the top of my head if it was called out), you could track hacked accounts, see they were sold or discussed on OGUsers, and then give a look at the DB. That seems an obvious route of investigation to me?
Probably could have earned a lot more from his exploits if he went the formal route and directly confronted Twitter. But then who even knows if Twitter are a good 'first responder' when it comes to high-profile exploits of their system.
There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.
The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne or wherever the skiddies flock to these days are not utilized thoroughly.
The opposite thing is true; people have wildly inflated expectations of how much money marginal bugs like XSS can earn, or even game-over bugs in marginally important applications. And if you're doing the financial comparison, as you note, you have to do it risk-weighted. Your intuitions about the risk of exploiting a vulnerability are likely heavily biased by the fact that most exploitation, or at least most of the exploitation you hear about, is non-monetary. Monetizing an exploit ratchets the risk up significantly.
I remember being 17. I was spectacularly bad at evaluating risks.
You're right - a lot of people who want to file bug bounties overestimate how much marginal ones are worth. At the same time, this scenario suggests to me that bug bounties aren't currently doing a good job of incentivizing people away from attempting to monetize significant exploits and towards more responsible security practices. If we have to depend on the risk analyses of teenagers, we may be in trouble.
I'm wondering what the objection is against this. There might be a conflict of interest in allowing an employee to share a bounty with a friend by giving the friend their password, but the rules of the bounty (and the employment contract) should be able to prevent that scenario.
In theory, any sensitive operation (such as changing the email address of a verified account) could be made to require approval from a second (randomly chosen) employee, and that second employee should see a log of recent actions taken by the first employee. An attacker may still manage to avoid raising suspicion for the first few targets, though.
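One way to build the approval step described above, as an added example that is not code from the page or from Twitter. The staff names, the action types, the in-memory audit log and the review policy (decline once the requester's recent history already holds three sensitive actions) are all assumptions; the simulation at the end plays out the case the comment mentions, where a stolen login gets its first few requests through before the second approver balks:

```python
"""Two-person rule for sensitive account-support actions (added example).

Staff names, action types, the in-memory audit log and the review policy are
all constructed for illustration; nothing here is Twitter's tooling.
"""
import random
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "reset_password"}


@dataclass
class AuditEntry:
    actor: str
    action: str
    target: str
    approved_by: Optional[str] = None


# A reviewer sees who it is, the pending request and the requester's history.
Reviewer = Callable[[str, AuditEntry, List[AuditEntry]], bool]


@dataclass
class SupportTool:
    staff: Set[str]
    audit_log: List[AuditEntry] = field(default_factory=list)
    rng: random.Random = field(default_factory=random.Random)

    def recent_actions(self, actor: str, limit: int = 5) -> List[AuditEntry]:
        """The history the second approver is shown before deciding."""
        return [e for e in self.audit_log if e.actor == actor][-limit:]

    def pick_approver(self, requester: str) -> str:
        """Random choice among other staff, so a requester cannot line up a
        colluding friend (or a second stolen login) as their approver."""
        return self.rng.choice(sorted(self.staff - {requester}))

    def request(self, actor: str, action: str, target: str, review: Reviewer) -> AuditEntry:
        if actor not in self.staff:
            raise PermissionError(f"{actor} is not support staff")
        entry = AuditEntry(actor, action, target)
        if action in SENSITIVE_ACTIONS:
            approver = self.pick_approver(actor)
            if not review(approver, entry, self.recent_actions(actor)):
                raise PermissionError(f"{action} on {target} declined by {approver}")
            entry.approved_by = approver
        self.audit_log.append(entry)   # only performed actions are recorded here
        return entry


def burst_reviewer(approver: str, entry: AuditEntry, history: List[AuditEntry]) -> bool:
    """Constructed review policy: decline once the requester's recent history
    already holds three sensitive actions; a support agent rarely needs to
    re-point the e-mail of several accounts back to back."""
    return sum(1 for e in history if e.action in SENSITIVE_ACTIONS) < 3


def simulate_compromised_login(attempts: int = 5) -> Tuple[int, int]:
    """One stolen support login tries to change the e-mail of `attempts`
    accounts in a row; returns (approved, declined)."""
    tool = SupportTool(staff={"alice", "bob", "carol", "dave"}, rng=random.Random(7))
    approved = declined = 0
    for i in range(attempts):
        try:
            tool.request("alice", "change_email", f"@highprofile{i}", burst_reviewer)
            approved += 1
        except PermissionError:
            declined += 1
    return approved, declined


if __name__ == "__main__":
    print(simulate_compromised_login())   # the first three go through, the rest are declined
```

The useful property is not the threshold (any real policy would look at more than a count) but that the approver is chosen by the system and is shown the requester's history: one phished credential is then no longer enough on its own.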
When I was a teen I made long distance phone calls using calling card numbers that were not my own, obtained through a war dialer. I'm pretty sure I never would've gone as far as this kid did, but who knows. I hope this doesn't ruin his life.
Interesting to see that he's being charged in Florida, instead of federally. I mean yes, normally, when one commits a crime in a particular area, they're charged in that area. But my understanding is that once stuff crosses state lines, it becomes a federal issue, and this is part of why it's usually the FBI that comes knocking.
Anything involving a computer connected to the internet (even firewalled or rarely connected) is considered to be a "protected computer" since it is involved in interstate commerce or communication and thus open to federal charges under 1030 (a).
Nowhere in the article does it mention how they nailed him or how he did it. With Twitter saying that this entire process was done by social engineering some employee and then gaining system access of others by monitoring the process - this seems to have been done by someone with corporate process understanding and it's hard to believe it could be an 18-year-old.
Seems to me that a person sophisticated enough to social engineer Twitter employees is probably sophisticated enough to social engineer a Tampa teen into place for taking a fall. To me state level targets suggest state level actors and Twitter has been mucking about with state level political operations since at least the Arab Spring almost a decade ago.
Twitter has a lot of powerful people and organizations who have suffered discomfort at its hands. It is hard to swallow the thesis that a Tampa teen succeeded where intelligence agencies have failed despite years of efforts.
Law enforcement rarely advertises investigative techniques and sources, even in open court. Some amount of evidence they do have was already presented to a grand jury, and will be brought to bear at trial if the defendant doesn't plead out.
It may be a surprise to you but criminals are usually stupid. If they were smart you wouldn't realize they are there at all. Think about it: this idiot had access at a level that nation states secret services can only dream of and went for $100K in lousy bitcoins.
Because at Twitter a couple of people did not pay attention. Social engineering is the very low hanging fruit of hacking. People are so much more vulnerable than well designed systems, this has been proven over and over again.
It's doubtful that he actually did it. Probably just a teen groomed by a cracking group; the group gets away with the deed by leaving a paper trail pointing to the teen (that will get a reduced prison sentence) and the teen gets PR which will inevitably lead to a well-paying job.
I'm with you on this, he's probably a fall guy who's "caught" because he "confessed" or something like that. Two reasons for this; one, Twitter isn't exactly the kind of joint you stroll into and take over, it's not really an amateur operation and people are attacking it all the time. Second, coordinating all this work is not a simple one-person job. The timing of the attack suggests lots of coordination, practice, or both. Could one kid do it? Maybe, but highly improbable. And if it turns out this kid did do it, the CIA is going to find a way to own his ass basically forever.
> According to federal agents, Sheppard was found out partly because he used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin. Fazeli also used a driver’s license to verify with Coinbase, where accounts controlled by “Rolex” allegedly received payments in exchange for stolen Twitter usernames.
I wouldn't hire him. It's not like he _programmed_ his way in. And he didn't just post tweets saying "Twitter's security is bad." He actively tried to scam people. So he wasn't trying to accomplish anything good.
He's being charged with 30 felonies but at the same time exposed how woefully inadequate Twitter is at securing the accounts of high-profile people, some of whom have control of apocalyptic weapons. I predict he'll plea out to doing a few years of free work for the government.
Off topic, but the linked WFLA video highlights how factual reporting takes a backseat to an insidious "breaking news", headlines-first approach. Twice we hear Mr. Buinno misstate the Twitter attack as occurring "a few months ago" before being corrected by his colleague after the second instance. I realize this is a trivial criticism, but it makes one question their general preparation and fact-checking processes. Is it too much to expect alignment on the basic details of a story before broadcasting it to hundreds of thousands of people?
Bitcoin transactions take place between addresses, which are hashes of public keys. It's actually better to call bitcoin "pseudonymous", since the addresses are pseudonyms that may or may not be tied to an irl identity.
So if you, a hacker, tell someone to submit Bitcoin to an address, that address is only really "anonymous" until you use your private keys to reroute the money to other addresses. As soon as the graph of transactions touches some known node (perhaps at the edges of the Bitcoin network that interact with the monetary system), you can trace back to figure out who might have controlled the original address.
It's very silly to try to cash in on ill-gotten bitcoin...
> Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of Bitcoins transaction?
Since Bitcoin is not anonymous but pseudonymous, it can be as simple as finding one or more transactions that link a wallet to a real identity (such as one tied to purchase of physical goods with an identified recipient and shipping information) and from there tying every other transaction from that wallet to the same identity. I would guess in practice it often involves more steps of connection.
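The two moves the comments above describe, following the public transaction graph until it touches an address somebody can name, and tying addresses together into one presumed owner, as an added example that is not code from the page. The ledger, the addresses, the amounts and the "exchange deposit" label are constructed sample data; the clustering rule used is the common-input-ownership heuristic (addresses spent together in one transaction are presumed to share an owner), which is an assumption about the chain, not a certainty:

```python
"""Following scam proceeds across a Bitcoin-style ledger (added example).

The ledger below is constructed sample data: made-up addresses, transaction
ids, amounts and one label standing in for an address an exchange has tied to
a verified customer. Real chain analysis rests on the same two ideas: walk the
public transaction graph forward until it reaches an address someone can name,
and merge addresses that are spent together into one presumed owner.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# (txid, input addresses, [(output address, amount)]) -- all constructed.
Tx = Tuple[str, List[str], List[Tuple[str, float]]]
LEDGER: List[Tx] = [
    ("tx1", ["victimA"], [("scam1", 0.5)]),
    ("tx2", ["victimB"], [("scam1", 0.3)]),
    ("tx3", ["scam1"], [("hop1", 0.6), ("scam_change", 0.2)]),
    ("tx4", ["hop1", "scam_change"], [("hop2", 0.79)]),   # two inputs co-spent
    ("tx5", ["hop2"], [("exchange_dep", 0.78)]),
    ("tx6", ["unrelated"], [("other_dep", 1.0)]),
]
# Constructed attribution: an address an exchange (or a fraud report) can name.
KNOWN = {"exchange_dep": "deposit address of a KYC-verified exchange customer"}


def spends_index(ledger: List[Tx]) -> Dict[str, List[Tx]]:
    """Map each address to the transactions that spend from it."""
    index: Dict[str, List[Tx]] = {}
    for tx in ledger:
        for addr in tx[1]:
            index.setdefault(addr, []).append(tx)
    return index


def trace_to_known(ledger: List[Tx], start: str, known: Dict[str, str]
                   ) -> Optional[Tuple[List[str], str]]:
    """Breadth-first walk along outputs from `start`; returns the txid path to
    the first address with a known owner, or None if the funds never reach one."""
    index = spends_index(ledger)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr in known:
            return path, known[addr]
        for tx in index.get(addr, []):
            for out_addr, _ in tx[2]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [tx[0]]))
    return None


def cluster_by_coinput(ledger: List[Tx]) -> Dict[str, Set[str]]:
    """Union-find over input addresses: addresses spent in one transaction are
    presumed controlled by the same party (a heuristic, not a proof)."""
    parent: Dict[str, str] = {}

    def find(a: str) -> str:
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for _, inputs, _ in ledger:
        for a in inputs:
            parent.setdefault(a, a)
        for a in inputs[1:]:
            parent[find(a)] = find(inputs[0])
    clusters: Dict[str, Set[str]] = {}
    for a in parent:
        clusters.setdefault(find(a), set()).add(a)
    return {a: clusters[find(a)] for a in parent}


def victim_contributions(ledger: List[Tx], scam_addr: str) -> Dict[str, float]:
    """Which input addresses paid `scam_addr` and how much: the public record a
    victim can point to when claiming a share of seized funds."""
    paid: Dict[str, float] = {}
    for _, inputs, outputs in ledger:
        for out_addr, amount in outputs:
            if out_addr == scam_addr:
                for src in inputs:
                    paid[src] = paid.get(src, 0.0) + amount
    return paid


if __name__ == "__main__":
    print(trace_to_known(LEDGER, "scam1", KNOWN))
    print(cluster_by_coinput(LEDGER)["hop1"])
    print(victim_contributions(LEDGER, "scam1"))
```

Note what the heuristic does and does not say: `hop1` and `scam_change` were spent together in `tx4`, so they are merged, but `scam1` itself is never co-spent with anything and stays a cluster of one. Attribution still needs the off-chain link (the exchange's records, a delivery address, a seized device) that the earlier comments mention; the chain only makes that link propagate.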
> This reads like an Ad copy of a company that's against perceived anonymity.
The DoJ isn't a company, but it is very much against perceived lack of accountability, which is one of the reasons people choose systems that offer perceived anonymity.
Bitcoin is anonymous until you tie it to something that requires a real identity. For most people, it's probably tied to an exchange that has their real identity, credit card info, and maybe bank account info.
What they should've done is generate a new wallet with no previous transactions and just used that to buy things.
This is what bugs me the most about the bitcoin pushers (like Max Keiser)... they completely ignore the fact that bitcoin is not anonymous, and that's why, even though I was in on bitcoin in the earliest days, I abandoned it. My conclusion was that the government loves btc because it's so easily traceable. Another reason is that, like tor, it is vulnerable to 50% attacks. If the central banks wanted to take over btc they could, and I posit they may have already positioned themselves as such. (that's my almost-a-bitcoin-millionaire story...)
The closest to an anonymous coin afaik is monero or zcash, but in general I think wasting electricity and cpu cycles on arbitrary math is a bad path to go down. If we could tie a coin to some productive math like protein folding or seti, etc, that still has the same attributes as cash (which btc does not) then we might have a true potential dollar replacement digital coin, but I digress.
I'm not sure what your criticism of the quote means here. The biggest weakness of BTC for criminal enterprise is the fact that every transaction must be logged to a global public ledger. The hard part is aligning the public keys with private keys, but if you have enough additional information (such as, say, the private keys' owners sitting in a prison cell and the private keys themselves flayed out of their unencrypted hard drives), it's trivial to prove the money flowed from one user to another.
Well, apropos the grandparent comment using "Florida Man": we hear about "Florida Man" more often because, yeah, maybe there is a lot more partying in Florida, but also because Florida has some of the most open public record laws. I've read that unlike other places where you have to bother the police for reports, in Florida you can get yourself added to a daily email blast of reports.
They've updated the article in the last 5 minutes. The original article I read said something like "we're not releasing his name because he's under 18 years old" and now his name is fully out there. Crazy.
>He’s being charged as an adult, and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been — not just the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
I always thought that was exactly the point, an acknowledgment that children and teenagers sometimes do stupid things, but there’s a big difference between doing some graffiti vs raping and murdering someone when you’re 15.
I hope they will provide some more details about how they got caught. If this person can hack Twitter and they know about Bitcoin, then I'd be very surprised if they didn't take some basic steps to hide their tracks. E.g. Tor, VPN, cafe wifi, etc. I heard that some social engineering was involved, so maybe they called someone and their phone number was traced.
I would be interested to know if they forgot about one small detail. I think the FBI / NSA probably has full visibility into the Tor network and can easily deanonymise any users. Or it could be like the Harvard bomb hoax in 2013. (They used Tor, but they were also the only person using Tor at the time.)
From the Verge article it seems like there was someone else providing access to the accounts? So was it social engineering or not?
> Intriguingly, Sheppard and Fazeli may just be middlemen for the scam — “an unknown individual” with the handle “Kirk#5270” is believed to be the one who got access to Twitter’s internal systems. It’s not clear if the Tampa teen is Kirk#5270, though it sounds like that’s possible. The Sheppard complaint is dated July 22nd, and the Tampa teen wasn’t arrested until today. Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log:
It seems like "Kirk" is believed to be some other individual. From the complaint against Sheppard:
> On July 21, 2020, federal agents executed a search warrant authorized by U.S. Magistrate Judge Alex G. Tse at a residence in the Northern District of California. Among the occupants of the home was a juvenile (“Juvenile 1”). “Juvenile 1” was believed to be a Discord user identified in chats as an individual who assisted “Kirk#5270” and “Chaewon” in selling access to Twitter accounts. Upon execution of the search warrant, “Juvenile 1” agreed to be interviewed. “Juvenile 1” admitted to law enforcement agents that he/she was the Discord user who was identified in chats as assisting “Kirk#5270” and that he/she participated in the sale of illegal Twitter access. “Juvenile 1” admitted that he/she worked with “Chaewon” to sell Twitter account access. According to “Juvenile 1,” his/her knowledge of “Chaewon” was that “Chaewon” lived in the United Kingdom and “Juvenile 1” knew “Chaewon” by the name “Mason.” According to “Juvenile 1,” he/she and “Chaewon” had discussed turning themselves in to law enforcement after the Twitter hack became publicly known.
Yeah no surprise there. The second Discord logs of the scam being planned started circulating around Twitter I knew it'd be a matter of weeks before these guys were caught. Absolutely unreal that one of them was dumb enough to not only post chatlog screenshots on Twitter with their usernames uncensored, but to use something like Discord to plan this in the first place.
Since the crimes were financially-motivated all of them get upgraded to felonies. I have sympathy for people who get fucked by the US' dumb CJ system, but uh... touching a Presidential candidate's Twitter account was whose idea, exactly? What did they expect would happen? I have a hard time believing the "for the lulz" defense some people are making for these people when the whole thing was clearly financially motivated.
i was assured by the cybersecurity experts of hacker news that REALLY this was all a mastermind ploy to steal and sell twitter DMs. who would they sell them to? doesn't matter! what information of actual value is sent through twitter DMs? doesn't matter! we did it, hacker news.
Bitcoin is actually explicitly designed to enable recourse and refunds. Every single transaction is permanently and immutably tied to a verifiable identity.
Through common practice, these identities are treated as disposable and therefore generally ignored. But stating that the currency is explicitly designed to disallow accountability is not an accurate representation of reality.
Edit to add a practical example for clarification because this is being downvoted.
If the FBI conducts an effective warranted search + seizure of a mob safehouse, seizes a large safe, opens it up, and finds either:
A) Gold bricks
B) Bitcoin wallet private keys
In case (A), they can maybe correlate records, reports, statements, and other evidence to possibly determine the rightful owner of the gold or goods laundered for gold.
In case (B), they can check the BTC ledger against fraud reports that contain bitcoin wallet public keys, then publish a public statement asking people to prove they own any matching public keys -- because bitcoin, by its fundamental nature, is more accountable in a way that enables recourse and refunds.
Transactions are not reversible by legal authority in bitcoin, only by the receiving party willingly doing the transaction in reverse.
What you are talking about is establishing reputability, not about refund-ability or the ability of authorities to reverse illicit transactions. You can see that as a feature of bitcoin or not, but if you want protections from a system you need to act within that system.
I am saying I know I made a mistake and if they truly caught those who are responsible, then I don't see why they won't be able to get access to the stolen funds. My eth is in that collection of stolen funds. I'd rather prove it's mine and have the government return it to me vs them auctioning it off.
I understand what you are saying, and I'm sorry you are in this situation. But I can also see that because you acted outside of the reach of the legal system then there is less chance of it being able to help you.
Sorry if I'm being heartless here but I'd also argue that the funds were not stolen, they were given in a system that provides almost no legal recourse.
Right, when the person is identifiable and within that jurisdiction. I'm saying that if I pay X bitcoin to someone on the internet for a service I have less chance of recourse within the law if I don't get that service (in this case a back payment of x*2). If it was a normal digital/credit card/whatever transaction it'd be easier to reverse and deal with.
This is like saying that gold coins are explicitly designed not to allow recourse and refunds and that transactions in gold are not reversible by any legal authority.
In both BTC and solid gold, reversibility is not a property of the currency. It is a part of the system which uses that currency.
However, with Bitcoin (unlike with gold) the currency is explicitly designed with verifiable identity being fundamental to every transaction.
With Bitcoin, an individual can prove that they participated in a transaction that was later determined to be fraudulent. This is a fact of the currency. It is explicitly built in to Bitcoin at a foundational level.
Whether existing systems use that specific aspect of the currency to do anything meaningful is a separate matter.
But the fact is that bitcoin itself has more accountability than other currencies. Not less.
What I said was "not reversible by legal authority". That's true for both gold coins and bitcoin if the legal authority don't have them to give.
I'm not saying bitcoin is less accountable and giving 6000$ in gold coins to a stranger promising to double them would only be slightly more responsible since then you'd at least know a physical jurisdiction.
What I'm saying is that when bitcoin X leaves wallet Y to wallet Z the only way to get back X into Y is for the holder of Z to willingly give it, while "normal" digital transactions can be reversed by the transactor or by law. So if you want a transaction to be reversible by law you probably don't want it in bitcoin. Please let me know if I'm wrong.
You are not wrong but you are glossing over the fact that by "digital transactions" you seem to actually mean "transactions brokered by a third party".
USD also works the way you describe. I may write someone a check based on a fraudulent premise then later demand my money back. If they have already cashed that check and run then the money is gone from their account and there is no way to reverse the transaction. The bank may charge them, cancel their account, pay me back anyway, etc. These are all actions taken by the third party broker.
With USD the accountability of my_account -> check -> fraudsters_account -> cash is all part of the third party's (the bank's) system.
With BTC, this chain of accountability (my_wallet -> transaction -> fraudsters_wallet) is part of the currency itself.
If the fraudster is later caught and their fraudulent gains seized, with BTC I can prove which of those fraudulent gains came from my wallet and be reimbursed with potentially little technical fuss.
My point is that your point may be true of the systems built to handle transactions made with bitcoin but is not true of bitcoin itself.
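The "prove which of those gains came from my wallet" step in the exchange above comes down to a signature: whoever holds the private key behind an input address can sign a claim message, and the authority holding seized coins can check it against the public key recorded on the chain. Below is an added example of that check, not code from the page or from any Bitcoin project. It is a pure-Python secp256k1 ECDSA using the real curve constants and Bitcoin's double-SHA256 message hash, but the nonce derivation is a simplified HMAC stand-in for RFC 6979, the claim-message wording and the private key value are constructed, and the final hashing of the public key into a Bitcoin address is omitted so the key itself serves as the identity:

```python
"""Proving control of a Bitcoin-style key with an ECDSA signature (added example).

Pure-Python secp256k1, sized for illustration: real curve constants and
Bitcoin's double-SHA256 message hash, but a simplified deterministic nonce
(assumption: a stand-in for RFC 6979) and no side-channel hardening. The claim
text and the key value are constructed; the public key is used directly as the
identity instead of being hashed into an address.
"""
import hashlib
import hmac
from typing import Optional, Tuple

P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]   # None is the point at infinity


def _add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k: int, point: Point) -> Point:
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def pubkey(priv: int) -> str:
    """Compressed public key (02/03 prefix + x coordinate) as hex."""
    x, y = _mul(priv, G)
    return ("02" if y % 2 == 0 else "03") + format(x, "064x")


def _decompress(pub_hex: str) -> Point:
    x = int(pub_hex[2:], 16)
    y = pow(x**3 + 7, (P + 1) // 4, P)      # square root works because P % 4 == 3
    if (y % 2 == 0) != (pub_hex[:2] == "02"):
        y = P - y
    return (x, y)


def _msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def sign(priv: int, msg: bytes) -> Tuple[int, int]:
    z = _msg_hash(msg)
    counter = 0
    while True:
        # Simplified deterministic nonce (assumption: stand-in for RFC 6979).
        seed = priv.to_bytes(32, "big") + z.to_bytes(32, "big") + bytes([counter])
        k = int.from_bytes(hmac.new(b"nonce", seed, hashlib.sha256).digest(), "big") % N
        counter += 1
        if k == 0:
            continue
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)


def verify(pub_hex: str, msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = _msg_hash(msg), pow(s, -1, N)
    X = _add(_mul(z * w % N, G), _mul(r * w % N, _decompress(pub_hex)))
    return X is not None and X[0] % N == r


def claim_message(txid: str, claimant: str) -> bytes:
    """Constructed claim text that binds the signer to one specific transaction."""
    return f"I control the input key of {txid} and claim its funds for {claimant}".encode()


def check_claim(pub_hex: str, txid: str, claimant: str, sig: Tuple[int, int]) -> bool:
    """What an authority holding seized coins would verify before reimbursing."""
    return verify(pub_hex, claim_message(txid, claimant), sig)
```

The message names the transaction and the claimant, so a signature produced for one claim cannot be replayed for another transaction or by another party; that binding is the whole difference between "I have a key" and "this payment was mine".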
I was excited by Bitcoin when the whitepaper came out and I just think it's neat.
The huge explosion in Bitcoin popularity with daytrader "lambo" jerks led to a ton of people (even technically inclined people) talking about Bitcoin without understanding it too well. So now it sort of sets me off.
Plus, it's way easier (and more fun) to fight about something frivolous like Bitcoin than it is to fight about things that are actually important.
In EVE online, many doubling scams would actually pay out the first few times. This is to encourage others to commit bigger sums. Hence, if you 'get in early' it might be worth it to try and get your money doubled.
The only reason he got caught was because he used his access to attempt a BTC scam.
The likelihood that more sophisticated individuals and organizations have access to Twitter (and probably various other tech companies), and understand the importance of not letting your access be discovered, is probably far far higher than we realize.
Should we just assume all data held by Twitter and various other tech companies is compromised (by multiple different actors)?
Twitter seems to be wording things to make the attack seem out-of-this-world sophisticated, but I just have serious doubts about that.
Whenever I read news like these, I just think that this is such a waste of talent (assuming Twitter's security isn't analogous to Swiss cheese). This kid could have gone into ethical hacking and general security.
Now not only is he getting thrown in prison (over something he probably wasn't even convinced he could do, if the subpar attempt at capitalizing on it is any indication) for years, he's lost any potential career in the field.
> Although the case against the teen was also investigated by the FBI and the U.S. Department of Justice, the Hillsborough State Attorney’s Office is prosecuting Clark because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. The FBI and the Department of Justice will continue to partner with the office throughout the prosecution.
Wow. It isn’t news, but what a terrible reflection of the US approach to criminal justice.
> Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account... The hackers were able to access some internal tools from the initial targeted employees and then learned specifically who had access to account support controls and targeted them next.
One likely scenario is they got access to the lower level employee's Slack account or similar and used it to impersonate and successfully find/phish the employee with the access.
I don't have examples, but it seems to me you really do hear about a lot of teens pulling off successful social engineering attacks, even back to the days of phone-hacking. I guess that is evidence that some teens develop a fairly comprehensive understanding of social interaction.
A kid who spends this much time at a computer thinking about how to break into Twitter has a good grasp of social interactions?
Or, maybe Twitter just had some obvious loopholes that even a not super social-aware hacker could find and use?
I think it is better to assume that in these situations it is more incompetence from the platform than "super-genius" from the hacker that allows for things like this to happen (regardless of what Twitter needs to say for PR or the media needs to imply for clicks).
I’m very uncomfortable about the fact a very young person (only 17 years old) has had his identity released like this... where was this boy's fair trial first? Regardless of whether he was behind the hack or not, this is not the way forward to a decent society.
I’d imagine the FBI has more than just the link to these individuals via their driver's licenses being used for verification. Surely, these driver's licenses may have been used fraudulently by a hacker who wishes not to be found out so embarrassingly?
Unless there's additional info I didn't see, the "inside help" theory came from the fact that they had images of the internal dashboards. That doesn't necessarily indicate voluntary inside help (they may have found a hole in Twitter's internet / intranet firewall, or they may have spear-phished a service team member's credentials).
What's the big deal, he stole some bit coin and embarrassed Jack.
Wall Street Insiders steal billions every day from Joe6pack with the Government's help and they get to laugh about it over a drink after work.
Now we can spend millions in tax payer money incarcerating him....
He should get a reward for exposing how shitty Twatter is. Besides the NSA is reading every txt you send and listening to every call you make. They know where you are 24/7 and what you bought for lunch. No one is punishing them.....
It's all theater for the masses I suppose....we caught the bad guys.....LOL...
Summary for Europeans who are blocked from this site:
A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the “mastermind” behind a hack on the social media website Twitter that caused limited access to the site and high-profile accounts.
The state attorney's office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.
(The rest of the article just rehashes the attack.)
>White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.
I had suspected that they had added special protections on his account after the (2017?) incident where an employee temporarily deactivated his account (and got fired for it). I guess this confirms it.
I'd start your legwork here with a phone call to your nearest FBI field office. Make sure you have the paper trail showing from your end you sent crypto to the perpetrators, and ask what the next step would be for claiming your defrauded property. It may also be worth consulting with a lawyer to see what your legal recourse might be here.
Fair warning: there may be no next step. I have no idea if the US government even considers cryptocurrency "property" in any legally-meaningful sense.
> It should not be this complicated to respect laws that just enforce minimal good practices.
It's not necessarily the compliance that's the issue, it can also be figuring out how to comply. IANAL, and I can't guarantee to myself that I can implement a site with policies that comply correctly. Better to just geoblock, because it's not necessarily worth the lawyer fees.
On a different note, online presence is becoming very important and with remote work culture gaining traction, having a good online presence has become a must have asset.
I bought a course on building a Twitter audience and have been able to improve my following significantly over the past 2 months.
It will be interesting to learn more as the case proceeds. Was he not using tor?
I'm actually not super surprised that they've arrested a teenager. Considering the thoroughness of the hack, just using it to scam a few bitcoins seemed a bit blasé. Imagine the shitshow he could've started by tweeting as Trump
Based on the fact that the article mentioned the IRS being involved and the fact that the IRS has been more attentive to cryptocurrencies, my assumption is that they found some way to tie him to the wallets he was using. I would be surprised if the IRS did not have some pretty sophisticated ledger processing tools at this point.
It's weird that Musk's account didn't have elevated privileges. Trump's account getting hacked has obviously greater potential harm, but Musk's (non-hacked) tweets had demonstrably major financial and legal impact. And if you read the replies to his tweets, you can see they are constantly getting spammed by bitcoin-hawking accounts (even hacked verified accounts) impersonating Musk's display name and avatar.
If Musk didn't get elevated privileges, then who else besides Trump would have them? Or are the protections for Trump just the same emergency bespoke fix that they implemented when his account was previously deleted?
> The day after the hack, White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.
Really? Like what? And why? Are they afraid someone will start posting stuff that is actually TRUE?
All transactions are public on the Bitcoin blockchain. I haven't followed the wallets, but it's possible that they tried to cash out on an exchange and got caught. Or they were initially found via other means and a search of their computers found the corresponding wallet.dat files.
(If this is actually the person behind the attacks) Yes he may serve jail time for this, but he did get to read DMs of some of these people, and has had enough time to copy those contents to be read later. That's still valuable knowledge, he should leverage this to get people interested in those details to fund his legal defense in return for providing the contents of the DMs. Or is that illegal?