The PewDiePie Hackers: Could hacking printers ruin your life? [video] (bbc.com)
50 points by petercooper 20 days ago | 58 comments



This has a mockumentary vibe to it. BBC making a seriously produced video out of this joke, with the hackers in masks with voices changed, kept me questioning if the producers were being serious or not. Felt like an episode of Nathan for You.


I wasn't going to watch this video until I read your comment.

The producers were quite successful in temporarily filling the Nathan for You shaped hole in my life.

However, I must agree that I'm unsure whether that was their aim or not..


On one hand, I want to believe they're just being British and are in on the joke. But given this is "old" media, I also think they still don't understand the power that some YouTube creators wield, how pervasive their influence is, and that they are deathly scared of what they don't understand (we've already seen this with WSJ's/Polygon's continual efforts to smear and distort Felix's public image).


There is always going to be a portion of the population that are just users of technology, without any understanding of how it works. Consequently, there are going to be people who are going to feel violated, confused and angered by stunts like this. I don't think there was any malicious intent by the Hacker Giraffe, but I doubt they thought this through. One was bound to encounter a fair amount of systems owned by not-so-tech-literate persons who would react in the worst way possible to stunts like the ones they did.

I think some of the real questions that events like this raise are:

* How do we reduce the technological illiteracy in the population?

* How do we develop policies to ensure that these devices that are being sold to millions of people are properly protected?


Technological illiteracy is a red herring. The actual issues are lack of security on the devices and lack of boundaries on the side of some tech and tech-adjacent subcultures. The third issue is disproportionate penalties, they are really too big now.

People are angry about analogical non-tech "pranks" when those happen too. It is convenient to chalk the anger of a prank target up to his own faults, but no, they are not as cool as you think you are and people in general don't like pranks. And I am blaming culture instead of teenagers, because you have adults like PewDiePie saying this: "I love it. Please keep it up, just don’t do anything illegal, because that will look bad on me—that’s the only reason—that will look bad on PewDiePie". What exactly does a teenager hear there, and would the teenager in that culture hear the opposite clear "it is illegal" and "don't do it, boundaries of others" messages?


i agree tech illiteracy is the red herring, the fact this vulnerability affected so many people, points to the issue being with the manufacturer, designing and coding this, without consideration to the security.

i think the "attack" they did is pretty perfectly grey hat, expose a weakness to the user with a "how-to-fix" guide.

(i should note, i'm talking about the chrome hack.)


One prank would be egging cars. Clearly it's the car companies' fault for building cars that have paint ruined if you don't wash it quickly.

Another would be putting a potato in the exhaust -- why don't they build potato proof exhausts?

You can let car tyres down without causing an ounce of damage, what a hoot. It's the car company's fault that so many cars are susceptible.


Analogs to the real world are compelling, but this line of reasoning is nonsensical when applied to the digital realm. The magnitude differences of "constant factors" make the Internet paradigm/philosophy wildly different.

It's quite hard to accidentally put a potato in an exhaust pipe. One cannot write a script that mechanically puts a potato up every car in the world's tailpipe, in 5 minutes nonetheless!

An appropriate real world analogy would be something like a maker of explosion-proof equipment forgoes designing any actual protection against those harsh environments, and then blames the ensuing explosion on all that dust in the air.

The Internet was successful precisely due to scaling from the End to End principle. The Internet is hostile noise - as soon as something speaks IP, it must be capable of standing up for its own security rather than relying on some imagined benevolence or accountability. If a manufacturer is not up to this task, then there are plenty of non-globally-routing protocols (eg USB, bluetooth) that printers can use to communicate with a competent Internet node.

(Furthermore ignoring the digital spookiness, the actual damage doesn't even add up to much. If we assume they hacked 30k printers, that's only 60 reams of paper - on the scale of petty larceny. And given that we allow junk mail and other advertising companies to do far more damage as their above-board business, it's questionable whether that integral even applies!)


sorry, i guess companies shouldn't worry about writing code or making products that have vulnerability built in.

i'm sure you don't want secure strong products.


Of course they should. And we all on this forum know small internet devices are full of vulnerabilities. We also all know smart homes and such are a security disaster waiting to happen. That does not mean it is for me to take advantage of that for pranks, fun or profit.

Just as we should not demonize acts like this as something more dangerous than it is, we should not add naive feel-good interpretations that make them misunderstood heroes.


the chrome cast hack, along with the printer hack aren't pranks, for fun or profit?

they did them to expose a weakness to the user so they could fix it.

if white hat is employed by companies, and black hat is working for malicious gain. their actions fall squarely into grey hat.

i'm not calling them saints, but it confuses me that anyone would have an issue with their actions? can you explain why they don't fit the model of grey hat?

what did they do wrong?


They are pranks for fun. I don't buy "to expose vulnerability so that users fix it" explanation.

I think that what they did crossed the boundaries of other people. It did not cause much harm, just like walking around a director's office without permission and without taking away something.

I don't care about hat color games. That just serves to obfuscate issues.

Also, it was illegal and put themselves in danger for that reason. So PewDiePie along with all adults who talk from both sides of their mouth in front of an audience they intentionally build from young inexperienced impulsive people can stuff themselves too. "This illegal thing is totally cool I love you, I mean don't do anything illegal, I love you for doing that illegal thing" is mastery of double message and manipulation.


"I don't buy "to expose vulnerability so that users fix it" explanation"

so why did the chrome cast hack include a 'how to fix this' guide?

https://www.veracode.com/blog/security-news/hackers-exploit-...

"the CastHack bug, allegedly disclosed nearly five years ago"

"A spokesperson from Google told TechCrunch, “We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”"

google has ignored this bug as it isn't an issue with the chromecast, but the router, so using this hack to teach users to fix the router issue is a legitimate way to help users.

your analogy sucks, a better one is how bug hunters work, except this bug was exposed directly to the end-user.

sorry i know colours can be confusing, don't worry about it.

point me to the laws that were broken, just because you hate a YouTuber doesn't make him a bad person.


1.) The laws are certainly structured in a way that this is illegal. If in the USA, unauthorised access and tampering has even quite extreme possible punishments. The world is full of easy-to-exploit security bugs everywhere around, and that changes nothing on anything. The only exceptional thing is popularity.

Bug hunters work with prior agreement, they don't access devices owned by third parties without it. When they do, they anonymize and hide themselves. They do indeed fear legal and go through steps to protect themselves. They complain about these processes like all the time.

2.) Dude, the hacker giraffe wrote that he had anxiety attacks due to his activities even before all this. He also wrote he could not sleep due to persistent fear that every noise is swat team knocking. He wrote that he won't touch computer and will seek job without them. I am sceptical about feasibility of the last one.

I don't know whether youtuber is good or bad person. He is definitely irresponsible when he encourages teenagers to do what giraffe did.

Giraffe did everyone a good service writing that letter, so really go read it. It might be fun and games for PewDiePie, but is not for giraffe. So let's hope he won't get caught affecting him even more, that his past activities are not too bad and that he learns from experience.

3.) This is exactly what compelled me to answer. These things have very real serious consequences, but due to the way we talk about it people don't realize until it is too late. Go lobby for change of laws, but don't say they don't exist to kids who might believe you.


1.) so you quote both the Serious Crime Act 2007 and the Computer Misuse Act 1990. both of these are UK laws, and don't apply to giraffe, as he's from the Midwest USA.

he wasn't bug hunting? he was showing users they are exposed to the internet so they could fix it!

2.) yes, i don't blame him, what was meant to be a harmless exercise in google scanning, has led to people throwing death threats at him, and threatening lawsuits.

he didn't encourage any reckless actions, i see Felix as quite a rational guy.

i have read the chromecast hack, and the printer one, have you? i doubt he will, and if he does a simple defence could be made to fight for his case in court.

3.) i don't know if you are talking about me or felix? i doubt felix has a firm grasp on computer hacking law, but like i said he didn't tell them to do that, in fact he's stayed at arm's length. the actions giraffe took don't fall foul of the UK law, idk about american.

i'm pretty much done with this exchange, and whoever has been down-voting my comments.


1.) That is not what bug hunting is. Also, law does not care about it and that is not how real world bug fixing works at all.

2.) Just one note: being rational does not exclude irresponsible. Because what is rational for Félix's self-interest is not in the interest of hacker giraffe nor in the interest of wannabe pre-teenage hackers in his audience. It might as well be rational for him to be irresponsible as his audience like it.

3.) No, he does not have a firm grasp of laws. Again that would be against his self interest, as he could not be funny clueless after.

I quoted him in full above. Frankly, sleazy and talking from both sides of his mouth. Encouraging it while keeping plausible deniability. End result: he is safe while the audience is having fun while they all think how cool and consequence-less it was.

4.) American law is batshit crazy with penalties, expansive and absurdly expensive even if you are actually innocent.


> so you quote both the Serious Crime Act 2007 and the Computer Misuse Act 1990. both of these are UK laws, and don't apply to giraffe, as he's from the Midwest USA.

The reason they may not apply is the lop-sided extradition arrangements that the UK has with the US.

But, since this is likely a crime in both countries with a potential sentence of longer than one year in prison he faces possible extradition to the UK if anyone can be bothered with that process.

UK based hackers who attacked US computers have been (or have come close to being) extradited to the US.

It's much harder to take US based hackers attacking UK systems to the UK.

https://en.wikipedia.org/wiki/UK%E2%80%93US_extradition_trea...

> The treaty has been claimed to be one-sided[3] because it allows the US to extradite UK citizens and others for offences committed against US law, even though the alleged offence may have been committed in the UK by a person living and working in the UK (see for example the NatWest Three), and there being no reciprocal right; and issues about the level of proof required being less to extradite from the UK to the US rather than vice versa.[4]

Although the US embassy does say this: https://uk.usembassy.gov/our-relationship/policy-history/the...

> Why is it so much easier to extradite someone from the UK to the U.S. than in the other direction

> It isn’t. The United States has not denied a single extradition request from the UK under the treaty; the UK has denied 10 requests from the U.S. since the treaty took effect.

> Moreover, extradition requests from the U.S. to the UK have taken as long as 13 years to work their way through the UK and European courts. For extradition requests from the UK to the U.S. the subjects are in most cases extradited within several months.

> A panel of UK extradition experts, led by well-respected retired judge Sir Scott Baker, found that the treaty is fair and balanced. Its report, issued in October 2011, provides considerable data and analysis to support the panel’s conclusions.

> The Baker panel report notes that the U.S. has a population about five times the size of the UK, but there have been fewer than twice the number of people extradited to the U.S. than to the UK. The number of U.S. requests is therefore not disproportionate.


> point me to the laws that were broken

Encouraging a crime is a crime in the UK based on the Serious Crime Act 2007

The actual hacking falls under the Computer Misuse Act 1990

If I leave my front door unlocked, return home, find that someone has gone into my house and left a note saying "Hi, your door was unlocked, you should lock it", I would not be happy. If they papered my living room with "visit this celeb's webpage" I'd be furious.


if you had a smart door, with a known vulnerability that has been reported, but the manufacturer says it's not their problem.

i then walk past, notice your door and the vulnerability, and then slide a note through your door explaining the vulnerability and how to fix it. you would be out of your mind to cry foul.

Felix didn't encourage a crime, come on, act your age. just because you blindly hate someone doesn't mean you can twist their words without getting called out. i'll be the first to say that he's no saint, but he's way better than the average trash that floats around on the internet.

doing charity fund raisers that are worth donating to, calling out abusive personal and companies, being the genuine face of a massive community he never asked to represent.

Computer Misuse Act 1990

(1)A person is guilty of an offence if—

-(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured].

-(b)the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and

-(c)he knows at the time when he causes the computer to perform the function that that is the case.

i don't believe using a google program to send out code to any device with the open ports falls under any of these, as the code didn't secure access to any program or data held, and wasn't malicious.

as he wasn't securing access, he doesn't fall foul of these laws.

as the bug had already been reported to google chrome, and they had stated it was user error, supplying the user with the means to fix it is a perfectly acceptable thing to do.


If you really want to piss off authorities with printer hacking, remove the watermarking.

https://en.wikipedia.org/wiki/Machine_Identification_Code


I doubt anyone is after them because even 50K pages of paper /ink is not much financial damage and I'm sure very few whose printer joined the party bothered reporting it. Am I missing something?


Weev found that certain urls had private AT&T user information on them, and scraped them to get 114k users' information. Then he notified a journalist and sent the information to the journalist as proof.

He was found to have done $73k damages. Why? AT&T sent a physical letter to all 114k people, and that was the cost of the postage. Convicted to 41 months in prison.

https://techcrunch.com/2013/03/22/weev-files-appeal-gets-new...


However, he did win on appeal and did not serve most of the conviction. https://www.eff.org/press/releases/appeals-court-overturns-a...


Yes, but the overturn wasn't based on urls, or scraping, or disclosure, or security, or damages, it was based on him being charged in the wrong state. The court system still thinks everything else about the case was fine.


Wow! This is disgusting. In a sane reality AT&T would've been the one paying damages...


Let's not forget that this gentleman is a neo nazi and white supremacist of the vilest sort.[1]

I may be downvoted to hell and then some, but it's impossible to look beyond those facts before mythologizing him into some sort of hacker hero

https://en.wikipedia.org/wiki/Weev#After_prison


One can both dislike a person and believe their actions were above board.

He doesn't have to be hero worshipped - his actions in this particular case should stand on their own. His terrible beliefs may only come into it if they are relevant to what actions he performed.

Serving prison time for notifying people of a serious privacy breach doesn't seem to be a balanced approach.


> Serving prison time for notifying people of a serious privacy breach doesn't seem to be a balanced approach.

Except his crime wasn't "notifying people of a privacy breach". It was breaching that privacy. There was absolutely no reason whatsoever for him to actually scrape the personal information of 114k people.


I don't agree with what happened to him based on his "hack" and deem AT&T's (and the legal system's) actions despicable in this manner.

Reporting on his "hacker hero antics" without putting it in context of what a personality he really is is, in my book, whitewashing of history and engaging in revisionism.


Tone can be hard to convey over the internet - try and imagine this conversation is happening in a cafe over a coffee. I'm calm, and not trying to disagree with you for internet points or anything of the like. Just trying to have a conversation. I just lack the skill to write things in a sensitive enough manner.

---

Whilst I agree with you in part, I also believe that over-emphasising personality traits or behaviours of a person also engages in revisionism.

One should be able to view an event entirely separate from the person, if the person's generalised behaviour isn't relevant.

We don't need to think about the man at all, in my own opinion, in this particular case. Redact his name if you have concerns that the man is unworthy of attention.

Adding complaints of a person to any mention of them is calling for jury and judgement. It's a distraction from what's important. It takes an event that should be discussed and explored, and twists it so you are forced to take sides about the person.

You can use these tactics to derail any conversation. It's a debating tactic commonly used in politics to avoid answering questions.

It might be better in future just to say something along the lines of "Aside: Can we not use his name? The guy is actually a racist, and has a pretty deplorable past."

We don't want to get lost in the debate of a man's merits, when his actions may themselves be meritorious.


But when one claims that weev did it as white hat "to let them know about vulnerability" then personality traits and behaviors become relevant.

They are not relevant for judging whether scraping data from unprotected 14mil urls should be seen as a hack. They are relevant to whether the suggestion that he was a well-intentioned white hat doing public service sounds naive or likely. It matters when I have to decide whether I will buy his framing of events and motivations or not. Such claims very much existed and were the predominant interpretation of events in circles I was in.

Edited to add: then you had weev using his bigger fame and sort of new credibility to try to cause further harm to a person he harassed somewhere around going to/from prison. So to me, it makes sense for people who had seen it at the time to jump into these discussions to prevent further rise of credibility.


That's the real deal with his "hack" releasing this data from his trolling security company. He knew it wasn't a hack but he also knew he could use it for his pathological trolling. The criminal charges were more about how he presented everything and that he's a notorious public figure who denies being a nazi while being the sysadmin for Stormfront. AT&T wanted to mess with him, but the courts were super excited when they heard who they were going to try to convict. I am glad he won the case though. It could have been really problematic case law if he didn't. I'm also glad they tried to pin him to the wall for it. GNAA/Goatse Consulting (his "firm" that did the hacks. GNAA is a massively offensive racist and homophobic acronym.) and the thing he built with the help of many others felt like it was dominating tech culture's sense of humor for a while. The racist jokes were just for the sake of trolling.... right? Right?

I think the deal with Weev is that everything he does is both serious and a joke. He does appear to be a nazi but if you try to stitch together his actual person it gets twisted really quickly. He has a personality disorder. I think a lot of people caught in his reality distortion field didn't quite get that playing around with "edgy" troll stuff normalizes things that eat up self and society. I definitely have seen a change in the casual dabbling with it since Charlottesville. While I have some sympathy for people that believed the lie that it's all jokes... I don't think Weev ever thought it was just jokes. He's extremely smart and fucking dangerous. I hope one day he gets a moment to reflect and use his brain for something that isn't being the fentanyl of meme pushers.

EDIT: DO NOT GOOGLE GNAA or GOATSE AT WORK


Goatse Consulting

Seriously?

Probably most readers are too young to remember this "important" piece of internet lore. Let's just say it was the first, massively not safe for work web site.[1]

Naming his company after that is quite fitting.

[1] https://en.wikipedia.org/wiki/Goatse.cx


Goatse Security actually, but yeah. Him and people from GNAA called it a security firm. Sort of grey hat trolling for hire? I guess it could be considered the template for what got us Cambridge Analytica, Brexit, and Trump. I'm not sure if it's up anymore, but the GNAA public code repo used to be just full of interesting software solutions for mass griefing people.

Here[0] is a DEFCON talk from a GNAA/lulsec affiliate talking about trolling as an art. I think the talk actually has some interesting things going on when looked at through the lens of what weaponized trolling has produced in the now. At one point someone in the audience asks the presenter to read his "funny" slides and it's a racist "joke" comic. He acts embarrassed and says "I don't believe this stuff." He does break down a few of their trolling tools from their repo that they were pretty proud of at the time. So the curious can scope that out if you don't have to browse to any of their official sites or do a risky google. This was before Facebook so it's mostly IRC tools and general troll culture commentary.

They used the ATT dump, knowing it wasn’t really illegal to get hype to sell their services. I think it worked?

Here's a pretty good piece on him with a reporter who followed him around during the first trial. I think it covers a lot of it[1].

[0] https://www.youtube.com/watch?v=AHqGV5WjS4w

[1] https://medium.com/matter/the-martyrdom-of-weev-9e72da8a133d

EDIT: DO NOT GOOGLE GNAA or GOATSE AT WORK. Links should be mostly SFW. Obviously YMMV. It's content made by/about professional offensive assholes.


GNAA is certainly NOT something you want to google at work.


Jesus. Definitely not. Sorry, I didn't want to type out the acronym. I should have put a NSFW. Many apologies, I added warnings and more description so no one is caught off guard.


"Probably most readers are too young"

Sniff. I want my Natalie Portman and grits :'(


So I get that you, for one, don't welcome our new goatse overlords?


Pretty sure he's Jewish, and he gives the impression that he's seeking attention through acting like an edgelord and spouting extreme/hateful BS.

I have a mixed racial background and am of Jewish heritage, and could never take offense to what he spews because of the insincerity sensed in his tone and his own supposed Jewish heritage. If anything I just laugh at him because, like Alex Jones and Ann Coulter, he's a performance artist. A Tony Clifton, if you will


His politics are orthogonal to this case.


How is that relevant to the parent comment?


It's relevant in context to the despicable person he has proven to be, who is mythologized as a great hacker.


He's more Andy Kaufman than Steve Wozniak. I don't think anyone who has a clue thinks he's a great hacker. However, he might be one of the most effective shit wizards that have existed.


Andy Kaufman was funny at least.


Was he? Definitely the model of a modern troll in my book. I thought he was weird, but not funny really. He wasn't a nazi, so that was good.


Scraping urls doesn't make you a great hacker.


He was mythologized at the time and after. I remember having the impression of him being a genius and being an overall good guy. People really wanted him to be that way, because they wanted him to win and kept the illusion long after.

That he is a neo-Nazi and harassed people quite hard (to the point of seriously affecting their careers and lives) are things that I learned only much later and people still don't like those two being brought up in pretty much any context.


someone can be a great hacker (though he isn't particularly) and also have despicable views - human beings are multi-dimensional.


Europol just shut down a site where you could buy DDOS attacks and as a result 150.000 people who had done so were targeted by police[1].

DDOSing has been a scourge. I work in the public sector of Denmark and we see them from time to time, and, you frankly feel rather helpless. I mean, these days we have ways of dealing with them technically, but I don’t think anyone ever expected the culprits to face any sort of consequences. Yet here we are.

https://www.dr.dk/nyheder/indland/dansk-politi-med-i-kaempe-...


The site had 151K registered usernames. This doesn't at all mean that there were 151,000 actual people involved - it just sounds better that way in the press release.

More information here: https://www.europol.europa.eu/newsroom/news/authorities-acro...


150 000 people bought DDOS services? That boggles the mind.


These services are / were very popular in online gaming to knock opponents offline, you only need a few minutes of DDoS time to kill a residential connection. Console games in particular are quite vulnerable as a good amount of them still use peer to peer connections so you can easily find IPs to target. Other techniques such as booby trapped links, P2P voice chat, fake servers etc can find player IPs for PC games.


Even if the costs were minimal, the more attention they get the better example they’ll set if caught.

You wouldn’t steal a car.[0]

[0] https://youtu.be/HmZm8vNHBSU


You wouldn't steal a baby. [0]

https://www.youtube.com/watch?v=ALZZx1xmAzg


Subscribe to PewDiePie !


I just might if Elon Musk actually goes on after his tweet. If anything that’s definitely strong marketing game to gen -X-ers


I don't think that may be the case, in his video he posts too many "far right" red pills, even Paul Graham got criticised on Twitter for defending Kjellberg.


This simply isn't true, and just because someone gets criticised it doesn't mean that criticism is valid.



