Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.
In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.
- a test of a new hacking system
- a demonstration to a big client
- a first shot to threaten some entity
- a diversion while they get the real loot
And that the BTC messages are just a way to justify it so it looks like a simple scam.
Such a hack is worth way, WAY more than the few BTC it could bring.
Attack vector: Sim-Swapping. It was too easy. As soon as he got into one account, he got access to its contacts and more phone numbers.
The attacker (0rbit) was a 20 year old student living at his parents' home. He bragged about his hack to an online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators, and with the exact date of the raid they were able to look up the old case and reveal his identity.
Previously on HN:
and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."
It doesn't add up to 900, only to 390... but still... if these guys would focus their ingenuity on something positive, they could have accomplished so much more in life.
Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.
I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.
When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"
I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..
Now I wish I'd abused it and blogged about it for the resume.
Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.
Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.
I'm not into this, but I once discovered a kind of security related bug (could reveal details about the composition of a password typed into a new Windows 8 password field, admittedly low value as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official powershell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.
On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.
The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.
Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.
It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.
Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.
Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.
Helping them out with a security report might be the last thing on their mind.
Companies will routinely downgrade the severity of your exploit so they can pay you less.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts?
And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.
I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.
Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influential accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?
I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general. If people are using Twitter as their personal press office, the company has no choice but to accommodate.
If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.
Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.
I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing people to memorise passwords.
Cons: trying to deal with 103k in bitcoin
Someone moved $1 billion nearly a year ago and I don’t believe we know who made it: https://arstechnica.com/tech-policy/2019/09/someone-moved-1-...
Especially if the hacker is not from the US it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know no one at.
The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
Unless they're saying that there's certain people who have raw DB access...
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
It's not uncommon for hackers to have these weird imbalances in skill and understanding.
Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.
Ah, here's a writeup!
Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”
You could easily, easily cause some pretty massive panic.
Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)
Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.
Hanlon's Razor BOIIII
"...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."
I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.
Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.
Of course you're right that we don't know whether this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.
You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.
This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.
(Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )
If they wanted to exfiltrate data, they already did that previously.
They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.
Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.
If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.
I think this would turn up a lot more results than you bargained for.
* 5+ accounts tweeting exactly the same message
* Not using the mobile app
* Fewer than 10 followers
* Fewer than 10 following
* Liked fewer than 10 tweets
* Retweeted fewer than 10 tweets
* Accounts created within 24 hours of each other
* Account creation metadata is similar
* Account less than 1 month old
You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.
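As an added illustration of the filter described in the comment above (this is not code from the original thread), a small Python pass over constructed account and tweet records that applies those criteria: bursts of 5+ accounts posting identical text within one minute, non-mobile source, low follower/following/like/retweet counts, account age under a month, and creation times within 24 hours of each other. The record fields, the "Twitter for ..." source naming for the mobile app, and the thresholds are assumptions taken from the list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real Twitter records. Field layout is an
# assumption for illustration only.
NOW = datetime(2020, 7, 15, 23, 0)

ACCOUNTS = {
    # id: (created_at, followers, following, likes, retweets)
    "t1":   (datetime(2020, 7, 10, 9, 0),  2, 3, 0, 1),
    "t2":   (datetime(2020, 7, 10, 9, 5),  1, 2, 0, 0),
    "t3":   (datetime(2020, 7, 10, 9, 7),  0, 4, 2, 0),
    "t4":   (datetime(2020, 7, 10, 10, 0), 3, 1, 1, 0),
    "t5":   (datetime(2020, 7, 10, 12, 0), 0, 0, 0, 0),
    "old":  (datetime(2015, 1, 1),         9, 9, 5, 5),      # years old
    "pop":  (datetime(2020, 7, 10, 9, 30), 5000, 100, 80, 30),  # real following
    "m1":   (datetime(2020, 7, 11, 9, 0),  1, 1, 0, 0),      # posts from mobile app
    "lone": (datetime(2020, 7, 1, 9, 0),   0, 0, 0, 0),      # created 9 days apart
}

TWEETS = [
    # (account_id, posted_at, source, text)
    ("t1",   datetime(2020, 7, 14, 3, 0, 0),  "Twitter Web App",    "test 123"),
    ("t2",   datetime(2020, 7, 14, 3, 0, 12), "Twitter Web App",    "test 123"),
    ("old",  datetime(2020, 7, 14, 3, 0, 20), "Twitter Web App",    "test 123"),
    ("pop",  datetime(2020, 7, 14, 3, 0, 25), "Twitter Web App",    "test 123"),
    ("t3",   datetime(2020, 7, 14, 3, 0, 30), "Twitter Web App",    "test 123"),
    ("m1",   datetime(2020, 7, 14, 3, 0, 35), "Twitter for iPhone", "test 123"),
    ("t4",   datetime(2020, 7, 14, 3, 0, 41), "Twitter Web App",    "test 123"),
    ("lone", datetime(2020, 7, 14, 3, 0, 50), "Twitter Web App",    "test 123"),
    ("t5",   datetime(2020, 7, 14, 3, 0, 55), "Twitter Web App",    "test 123"),
    # an ordinary coincidence: only three accounts, below the burst threshold
    ("t1",   datetime(2020, 7, 14, 5, 0, 0),  "Twitter Web App",    "hello world"),
    ("t2",   datetime(2020, 7, 14, 5, 0, 10), "Twitter Web App",    "hello world"),
    ("t3",   datetime(2020, 7, 14, 5, 0, 20), "Twitter Web App",    "hello world"),
]


def is_mobile(source):
    # Assumption: official mobile clients report a "Twitter for ..." source.
    return source.startswith("Twitter for ")


def burst_clusters(tweets, min_accounts=5, window=timedelta(minutes=1)):
    """Map tweet text -> set of accounts that posted it inside a burst,
    where a burst is >= min_accounts distinct accounts within one window."""
    by_text = defaultdict(list)
    for acct, ts, source, text in tweets:
        by_text[text].append((ts, acct))
    clusters = {}
    for text, posts in by_text.items():
        posts.sort()
        members = set()
        for i, (start, _) in enumerate(posts):
            # sliding window anchored at each post; posts are time-sorted
            in_window = {a for ts, a in posts[i:] if ts - start <= window}
            if len(in_window) >= min_accounts:
                members |= in_window
        if members:
            clusters[text] = members
    return clusters


def low_activity(acct_id, accounts, now, max_count=10, max_age=timedelta(days=30)):
    """Young account with fewer than max_count followers/following/likes/retweets."""
    created, followers, following, likes, retweets = accounts[acct_id]
    return (now - created < max_age
            and all(n < max_count for n in (followers, following, likes, retweets)))


def candidate_test_accounts(accounts, tweets, now, creation_gap=timedelta(hours=24)):
    """Apply the full filter: burst membership, non-mobile source, low activity,
    and creation within creation_gap of another surviving cluster member."""
    mobile = {(a, text) for a, _, src, text in tweets if is_mobile(src)}
    result = {}
    for text, members in burst_clusters(tweets).items():
        kept = [a for a in members
                if (a, text) not in mobile and low_activity(a, accounts, now)]
        close = {a for a in kept
                 if any(b != a and abs(accounts[a][0] - accounts[b][0]) <= creation_gap
                        for b in kept)}
        if close:
            result[text] = sorted(close)
    return result


if __name__ == "__main__":
    for text, accts in candidate_test_accounts(ACCOUNTS, TWEETS, NOW).items():
        print(f"{text!r}: {accts}")
```

On the constructed data the nine-account burst survives the filters as just t1 through t5: the old account, the popular one, the mobile poster and the account created nine days earlier each fall out on a different criterion, and the three-account "hello world" coincidence never forms a burst.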
Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.
No need to do this, just sign a short piece of text with the private key.
The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's large amount of activity.
It will take a while for the dust to settle.
You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions
A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h
Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.
So basically randos are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?
And somehow the randos haven't heard of the hack. Is this what's happening? Like are random people seriously sending them bitcoin? Or is it some weird form of money laundering?
Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.
Also number of transactions is in no way related to amount of money being transferred.
1) You submit a transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, thus it is impossible to use the coins in any way.
2) The transaction gets put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.
To answer your question: After a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. A small chance that their actions get reverted exists, though.
Unconfirmed transactions cannot be withdrawn.
Transaction that already is in at least one block is confirmed by definition - the act of being included in a block results in a confirmation.
Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.
I would say “taken” is fair; but “stolen” isn’t exactly right.
Plus there is no way it will be that much.
Well in this case people intended their money to go one place, but they got tricked and it ended up in another.
I'd call that stealing.
Whether it got technically stolen from the charity or whatever they meant it to go to or from the original owner, that's debatable.
This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.
All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.
That's all that's happening here, except in units of BTC and not USD...
There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.
a) fix the bug if it‘s in their APIs
b) roll out a framework to be able to respond quickly in the future. Like a regex on their edge servers.
So they are probably on at least their second attack vector by now.
I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.
Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.
In my understanding once you remove all the layers of abstraction at some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?
And at a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?
Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.
I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible sounding reason and that was sufficient, it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible sounding reason.
Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.
Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.
I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.
Yes, that might be a bad trade in the long run, but history has shown us time and time again that people are bad at evaluating those risks.
We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for checking with operator x before running a command from operator 0.
- at-rest encryption of the datastores with the content encryption key protected by an HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.
- in-transit encryption from the client to the datastore. More likely no end-to-end encryption, thus allowing admins who have access to encryption termination hosts (reverse proxy, twitter backend app, datastore, etc.) to read (and maybe alter) the data by doing memory dumps
- access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.
Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.
The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions such as deploying software or changing the list of authorized operators requires a quorum of operators to sign a command for that action using their respective private keys.
While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.
> or filesystem access
> or ability to modify the fleet.
Not that either. It feel like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. Just because you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).
Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.
OK, what about the people who have physical access?
> even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
Who watches the init daemon?
What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.
> Who watches the init daemon?
Another important question! If you don't know what's running on your box, you really don't have a security story at all.
Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?
Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.
Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.
There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.
That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.
Most companies have, at best, the same security at their internal support center as at their accounting department, and given how common CEO fraud is, it means social engineering will likely continue to be a major attack vector for a long time.
Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the Queen's unlisted phone numbers at Balmoral - led to a major security incident and massive changes.
This was a very high profile project; we had two board members as sponsors.
Later on I knew that some team leaders had to be Vetted and this is Developed Vetting - this is the same as TS clearance
I could see this happening in FANG companies too
If it's a third party API key with special privileges that they hacked, the potential harm is limited.
If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:
- scam them
- get them infected to gather a massive bot net
- make them very angry and start some kind of civil unrest in a specific part of the world
- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that
At this point I realize how critical twitter has become to shape the way we view the world, and govs should worry a lot that this can be happening and act on it quickly.
Unlikely since the tweets appeared from "Twitter Web App"
They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
Everyone always assumes stuff like this after every big criminal case. But every time it turns out that yes they were that stupid.
Of course I can understand if you're somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).
I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.
It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.
Yes, it would be ... but it would also be hard to prove.
I'd be surprised if that even got you interviewed, let alone searched for hacking tools.
Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.
Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.
Are there better options?
Unless you're Obama or Trump.
It‘s either incompetence or your fourth option.
Why weren’t these tweets deleted immediately and a note pinned to every users feed?
It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.
Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?
I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.
What value would you place on this?
The proof will go along with another method of hacking the account that is not disclosed.
I don't seriously suggest this is what happened though. I don't have any information about this. Glad I never did send or receive Twitter DMs though.
Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?
I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.
I mean, to take over your account I just have to grab an old motorola phone and let an imsi catcher software run on it.
I hope that twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.
So far, the address has received the equivalent of over 50,000 USD.
Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...
lol tons of ppl have been scammed. If by 'little' you mean hundreds of k. In some Eastern European country that can last a lifetime.
$7k vs $100k, you choose.
Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.
You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?
What else is there?
Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.
Hijacked the authentication cookies and injected into the app that skips validation for performance. Likely nobody got access to the accounts themselves but just allow them to tweet some jokes.
If I sold a 7500 sqft home in San Francisco for $200,000 you could say the same thing.
How about market manipulation via other tweets that subtly affect trading bots reading Twitter?
The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know how (and its cost), and that no real attempt to profit from this has been made?
I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.
But then any number of well resourced 'political' actors would love to send that message to the large tech companies...
Twitter as a riderless horse would be wild.
- Bitcoin is used for scams
- Bitcoin hacks
- Bitcoin used for illegal activity
All the meanwhile, more people become aware and interested.
These sort of events prime the "nocoiners" to read and understand that little bit more.
There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?
People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.
And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.
People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.
The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."
Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"
Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...
I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.
And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.
Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.
If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.
Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.
Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.
Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.
Having said this attack was not the best way to monetize this 0 day either, it looks like something else is happening behind the scenes we won't know about, which is paying out the kind of money this attack should have been worth.
These kinds of rewards are better than nothing I suppose, but it looks like a cheap trick to crowdsource blackbox pen testing.
Nothing in the world can protect you from poor hiring.
If the employees truly are corrupt then they would make more money selling the bug in the black market than to a legit bug bounty.
Again it should not be linked to value, i.e. not 100m, it should be linked to the effort it will take for a security researcher to find it.
Let's say it took 3 months for a 0 day, the payout should be in the range of 40-50k dollars perhaps.
It is still not a good deal for the guy finding it, he is risking months and he may not find anything, however being fairly remunerated for the effort if not the value is the first step companies have to take and it won't look like a cheap trick.
 before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.
100k USD = 4.2 billion rial or 2.3 billion dong
Setting the precedent that transactions can be reversed will do more harm to the crypto ecosystem than $100k being taken from gullible users.