Tampa teen accused of being ‘mastermind’ behind Twitter hack (wfla.com)
382 points by Firebrand 7 days ago | 659 comments





See also https://www.justice.gov/usao-ndca/pr/three-individuals-charg...

(via https://news.ycombinator.com/item?id=24012968, but we merged the threads)

Also: don't miss that this thread has multiple pages of comments. That's what the "More" link at the bottom of the page points to. Or you can click here for page 2:

https://news.ycombinator.com/item?id=24011939&p=2


Hitting a 17yo with 30 felony charges feels a bit steep to me.

Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

If a 17yo could do it, I'm sure a nation state could do it.


The age of the attacker is irrelevant to Twitter's role in this story. However your underlying point still stands. If we want these types of attacks to stop, we can't just let all these companies off with a public embarrassment being the primary punishment. At a certain point we have to start calling it negligence when companies fall for these attacks and fail to have proper precautions in place to prevent them.

From memory, I recall the FBI did a study, and found that half of their employees would plug in a USB drive that they found on the ground in the parking lot. After training, that number was reduced to a quarter. If a security-focused government police agency is so vulnerable, it is unreasonable to expect perfection from a (less paranoid) company.

Then you need processes in place to make sure a single person being careless can't do this much damage. There are low tech solutions that would greatly improve security[1], however the overhead this introduces is hard to justify in a world in which these breaches aren't that damaging to a company. We need to change incentives for companies by either mandating these security practices or implementing harmful repercussions for choosing a less secure approach.

[1] - https://en.wikipedia.org/wiki/Two-man_rule


I agree that better security practices are advisable, but you're victim-blaming.

Twitter wasn't 'asking for it', and neither were the individuals who lost bitcoins; the 'hackers' intentionally perpetrated deceptions, misrepresentations, and fraud against both Twitter and the general public. If you compare what these three did to a white-collar crime, the dollar amount was small, but the behavior was egregious.


The push against "victim blaming" is not about removing any possible role a victim would have in their victimhood. It is about destigmatizing victimhood and not blaming victims for things that are out of their control or that any other reasonable person would do.

Let's imagine a situation in which someone breaks into my house and steals my TV. I deserve a decent amount of blame if I left my front door wide open before it happened. I deserve much less blame, but still some blame if I left my front door unlocked. I don't deserve any blame if someone broke down my front door to do it.

In this situation, Twitter left their front door unlocked.

Furthermore, Twitter is not even the primary victim here. The biggest victims are the people whose accounts were stolen and the people who were tricked into losing their bitcoin.


No one deserves any blame for being burgled when leaving their front door open - however if a bank leaves the vault open they deserve blame because what's in the vault is not just theirs. Twitter left the vault open.

That's absurd. If someone does something risky, and gets burned, they share some of the blame for it. Even if they accidentally left their front door open, that's still on them.

Certainly the burglar deserves the lion's share of the blame for what happened, but there's plenty to spread around.

My view is that if a reasonable person would have taken actions that would have avoided the issue in the first place, a person not taking those actions shares in the blame.

My bicycle got stolen from my garage a couple weeks ago. The garage was closed and locked, but someone forced the door at 4am and stole my bike. My bike was not locked to anything. My neighbor's bike was locked to a railing a few feet away from my bike, and did not get stolen. I share some of the blame here because if I had locked my bike up -- an entirely reasonable and prudent thing to do -- my bike would likely not have gotten stolen.

I think maybe the issue is because people are conflating blame with shame. No one should be shamed for stuff like this; it's a learning opportunity. I accept blame and responsibility for my part in my bike's theft, and if/when I get a new bike, I'll take better care to secure it, even when it's indoors.


Leaving the door open is risky only because there are people who steal around. Not because leaving the door open would be risky no matter where you live and who is around.

If people locked bikes in garages, people eager to steal bikes would have tools to cut chains in garages. So while it is safer to lock the bike, the blame for stealing goes to whoever stole it.


The internet is a place where everyone, everywhere is "around". You can talk about who to blame all you want, but blaming the attackers just means that you'll be attacked by people who don't care if you blame them. It's not an effective way of solving the problem.

And remember that "the problem" is that the attackers hijacked the accounts of people using twitter. Twitter had a duty to take adequate measures to protect those accounts, and failed to do so. The victims are the people whose accounts were stolen, and the people who were defrauded by the hijacked accounts.


When did a pie on a windowsill become a free pie?

That’s hobo mentality.

It’s not your pie. Keep your goddamn hands off the fucking pie.


If hobos are a known problem, you have no right to be shocked when one steals a pie.

If hackers are a known problem, a huge company like Twitter has no right to claim it was completely blindsided when it gets hacked.

Twitter is a multinational corporation with access to the personal data of hundreds of millions of users.

It has a duty of care to those users, and at a minimum it should have a dedicated team with security policies and recovery plans.

Aside from the reputational damage, an aggressive and ambitious lawyer could make a good case for a very expensive class action if those plans turn out to be defective and/or inadequate.


They absolutely deserve the blame. At least if I was an insurance company, I’d definitely put that in my contract.

Ok well, according to this https://www.awinins.ca/blog/am-i-covered-if-i-leave-my-front...

"As long as it can be established that your possessions have been taken without your permission most policies will pay out on a claim even if your front door was unlocked or your window open."

so - as it says later "Familiarise yourself with the terms of your policy" which I guess would lead me not to buy insurance from your company.

Aside from that allowing insurance companies to determine who 'deserves blame' seems to run counter to the common perception regarding the moral worth of insurance companies.


The OP was making a point. Not actually getting into what legal (not relating to ethics) mechanisms there are for insurance.

No. Theft is still theft. The door could be wide open and someone that chooses to go on and steal is just as much a thief as the door breaker.

Should we blame women for dressing provocatively if they are raped? Should a murder victim be afforded less justice if they were walking around in a bad neighborhood? A crime isn’t a crime if the potential criminal chooses not to act. The ease of committing the crime should have no relevance. Someone doesn’t just accidentally walk into your unlocked house and steal a TV. It’s a choice and blaming the victim is simply wrong.


It depends on the situation. Blaming for negligence does not wash the criminal off their crime. Going alone and naked in front of a pride of lions will get you killed. The lions will do the killing, sure. But you placed yourself in a powerless position against predators, and you were at their mercy, and there lies your blame. You can be preemptive and kill the lions beforehand, or tame them. Maybe you are not able to do that at all at this time - and that was true until we made good enough weapons. But until measures are taken, and if you know the dangers, avoid them.

A woman that goes in a bad neighborhood dressed provocatively and that eventually gets raped, made the mistake of going there in the first place - and honestly speaking, the dress makes no difference. She placed herself in a situation where she is powerless against potential predators, and thus she will go by the predator's rules - because she is forced to do so. That does not mean we should not change this. We should do everything in our power to protect women, and make sure there ARE no such places dangerous for women. Until that happens, to avoid the danger wherever it is is better than rightfully punishing the criminals after the crime happens.

That is not a sexist matter, that goes for countless situations in this world. Women and men alike, or whole other groups are powerless against other people, depending on the situation, and it IS wise to avoid the danger, until we fight to eradicate this powerlessness on each occasion. You can go on despite the dangers to make a statement or in order to contribute to eradicate them, but you know what you are getting into.


> I don't deserve any blame if someone broke down my front door to do it.

I mean, you could have gotten a more sturdy door... drawing the boundary between someone opening an unlocked door and breaking down the door is hard; so I'd agree with "even less blame", but if we believe you are ever at blame here, there isn't anything magical about the lock that shifts you from having blame to being blameless.


To repeat myself, the opposition to victim blaming is about "not blaming victims for things that are out of their control or that any other reasonable person would do." I acknowledged that a standard lock is generally not going to stop many determined criminals, but it is an acceptable baseline that all reasonable people can be expected to meet in order to help prevent their home from being burgled. You can of course go above and beyond that, but I think anyone who meets that baseline standard doesn't deserve blame.

Back on topic, I think lots of people would agree that allowing low level employees the ability to completely hijack the accounts of some of the most prominent people on the planet with zero oversight is not a reasonable level of security.


Well, I think "the problem with victim blaming" is that it implies that there is something "a reasonable person" has to do in order to not get attacked: a woman should be able to walk around naked, for example, without being raped, and we shouldn't say "well any reasonable person would have at least worn clothes".

In fact, I would then claim pretty forcibly that a lock strong enough that someone has to break your door is absolutely not the thing reasonable people should have to do to prevent theft (assuming one believes in the idea that people own things, of course ;P).

Like maybe a chain lock should be good? I remember a glorious scene of some cartoon which was like "you know what this chain lock says? it means you aren't getting in here... unless you push with your hands". Closing your door is really not good enough? Having an exposed area with a door--even if open--that looks like a door of a household and not a business?

Look: I appreciate and even agree with the idea that Twitter should have blame here in some very real sense, in that someone always could have done better to protect you if they take responsibility for something about you, particularly if they don't really leave you much choice in how they do it: your friend who borrows your car and leaves it unlocked with its windows down is being negligent; and Twitter here looks like they didn't even try hard to protect anything.

But the reality is that we shouldn't think there is some magic level of "responsible" below which there is blame and above which there is no blame... in this kind of tug of war either we are working in the philosophical regime that you are ever to blame--in which case we can talk about matters of degree--or you are never to blame, but drawing some arbitrary line about "well the data storage was technically X3 7066 compliant, so this is on the other party" is actually an extremely dangerous thought process as it sets us up for companies putting in place minimum security theatre provisions that they know don't work but which they know technically absolves them of blame as it is reasonable (which is a thought process that crops up constantly).

(And seriously: is using a large, centralized social networking site and not expecting your data and accounts to be hacked every now and then reasonable? All of them get hacked. Thereby why are we stopping the blame at Twitter? If we are going into the philosophical regime of truly assigning blame, users should "know better by now" and stop using systems with centralized databases, right? I work in the field of decentralized systems and I absolutely am confused as to why people think their data in the "cloud" is secure and absolutely do not consider their usage "reasonable".)

(And like, to explain that context: this is all coming from someone in the field of hacking and security research who is also in progressive politics and thinks throwing the book at this kid with 30 felonies is ridiculous and maybe he should get some community service at best for what he did, and that we should be regulating big tech more to increase their liability as if we don't then it is essentially giving "moral subsidies" to centralized systems and making it harder for distributed, self sovereign, and end-to-end encrypted systems to compete. I actually agreed with your original comment, but in your defense against an accusation of "victim blaming" you actually do seem to have an inconsistency in your mental model and it is the same one we have to push back against in arguments about victim blaming for sexual assault: the lack of any specific protection doesn't mean you have something to blame for someone assaulting you. The argument for regulating against Twitter and holding them accountable has to come from somewhere different.)


In The Netherlands we have law to protect the youth against smart, sophisticated hacks (we're not talking about (D)DoS here). These people are then taught lessons about ethics and how they can apply their knowledge for Good.

As such, my proposal of punishment would be to give this fellow an unpaid, mandatory internship at Twitter. This teaches them to learn their victim, and Twitter can teach the perpetrator the proper way to handle a company's problems. Show him how fun red teaming or blue teaming or pentesting can be.


> you're victim-blaming.

Twitter is not the victim here; the users who had their accounts taken over are. Twitter did not lose anything, except an entirely reasonable loss of reputation, because they could have taken measures to prevent this sort of thing from happening, but did not.

Companies need to be held accountable for their breaches. Sure, sometimes a company did do everything they could to prevent a breach, and took steps to mitigate the damage in the event of a breach, and they still happen. But that is vanishingly rare. The main thing I've learned from all the breach disclosures (at least where companies are truthful and forthcoming about what happened) is that security practices are lax and insufficient pretty much everywhere.

That's not ok, and we need to do something to incentivize these companies to properly protect our data, before we all become victims. If financial sanctions and public shaming is the best way to do that, so be it.


While the words do sound like victim blaming, I'd argue that sweeping conclusions that sound like the common rhetoric like “victims can do no wrong” deserve both careful consideration and some wiggle room. Not to mention that it’s a completely different situation than the usual instances where victim blaming is both toxic and common. The only egregious victim blaming that I can think of would be saying “those whose accounts were hacked were asking for it by being on twitter”. And I hope nobody is saying that.

I have a feeling that a vast majority would agree that choosing to send your money to a celebrity’s (apparent) bitcoin wallet for any reason will be tough to feel victim-sympathy for, and possibly asking to never see that money again given all of the well regulated systems and norms of money transfer that we have used for decades to centuries. But I understand that they were still taken advantage of and agree that they are victims.

Twitter is to blame here. The only thing they are a victim of is failing to protect their users (whom they have the obligation to protect) in a game where they have the ability to be solely the masters of their own security destiny.


> but you're victim-blaming. Twitter wasn't 'asking for it'

It's a bit pathetic to extend this rape analogy to a business. We don't hold individuals and corporations to the same legal and/or quality standards.

So, hopefully we can discuss these important policy issues without worrying if "Twitter's" feelings get hurt.


Twitter is a platform used widely by some of the most powerful people in the world and in the US government. As a result, there is plenty of justification and precedent for said gov't to regulate their security practices and procedures. To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http.

Now, I don't think the government is prepared to do this proactively and effectively, but the idea of a telco that advertises resilience to hacks (whether through social engineering or technical incompetence) sounds like it would be quite appealing to a growing segment of the connected world and whatever such promises that find success in the marketplace might be used to inform legislation or regulation, eventually...


> To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http

This is probably off-topic, but companies shouldn't even be sending the passwords over HTTPS; passwords should be hashed client-side and then the hash should be sent to the server (preferably over HTTPS).


Wouldn't that allow for a compromised database to leak the information a nefarious user needs to log into accounts? Compared to needing to find a collision if a database of hashes leaked?

I think client-side password hashing is generally in addition to server-side hashing. Not instead of it.

Can you elaborate on how this makes things more secure (assuming HTTPS)?

Surely if the server accepts a client side hash of a password, then the hash has become the password.


At that point you can do key derivation to get an ed25519 private key from the password and a server-supplied salt (specific to that user), after which the client signs a challenge the server supplied with that private key. When the password was set/changed, the corresponding public key was stored on the server.

Off the top of my head. Maybe it could be something like this:

1. API gives user a fixed salt.

2. User types password into input.

3. Client hashes and sends hash to server.

4. Server has another salt and uses the client-sent hash to hash it again.

5. This final hash is compared to what is in the database.

This way the server never has knowledge of the original PW and it's never sent over the network. This reduces, for instance, the chance of the password getting logged in the service etc.


But in that case the hash sent to the server in stage 3 is always the same and behaves like a password - capture it and you can use it again elsewhere.

Twitter controls a platform that they profit from. They have a clear responsibility to make their platform harder to abuse. We can't simplify the "victim" as simply Twitter itself, we must (as you did) consider the other victims: the owners of the accounts that were hacked, the narrow user base of twitter that was conned, or the general user base that have lost trust in the platform. These users could have great security discipline on their own accounts, but they couldn't do anything about holes in Twitter's backend. Other comments have mentioned front door locks for the metaphor of reasonable responsibility, but in the perspective of the Twitter users themselves, the broken lock was one they didn't control. Twitter must do better in the future, and whether or not legislation is passed to pass culpability, the general public will respond to future lapses in security.

No, Twitter is the perpetrator here, by having woefully inadequate systems. The kid is the victim, of his own hubris, and of Twitter freely leaking customer information to anyone who asks for it.

I used to be CTO of an ecommerce platform - small fry, barely £1bn in annual transactions - but it was always absolutely clear in my mind that any breach would be my fault through negligence.


> victim-blaming.

Sometimes the victim deserves some blame. Or at least their actions analysed to see where blame lies.


Victim blaming is for when people have been psychologically abused. It doesn't apply here.

It isn’t victim-blaming, it’s expecting Twitter to have relative safeguards in place and not have relative open doors to allow one person access to world leading accounts!

The fact that Twitter had a system in which any of thousands of employees at all levels could single-handedly with no oversight alter any of the information in any account shows this was absolutely Twitter's fault.

Did anyone in the FBI get fired for plugging a USB drive into their computers?

If they did I bet those numbers would change pretty quickly.

Similarly, if Equifax had been shut down under the mountain of lawsuits they should have had for losing people’s data, I bet security would become a much bigger concern for everybody.

The FBI study basically shows that consequences are important.


An acquaintance of mine worked at the NSA and they also deal with this.

He said during his first week he made the mistake of putting a CD-ROM with some official training materials into his work system. Within 10 minutes two people showed up to stop him and investigate what was going on with his computer. It was fine in the end but he was seriously reprimanded by his boss.

When you can’t trust users, the answer isn’t just to give up! It’s to acknowledge their fallibility and create a system that doesn’t rely on 100% compliance. In this case that means having software that instantly reports when any external media is connected.


This seems silly. Network admins can determine he inserted a CD and respond immediately in person - but nonetheless issue PCs with CD-ROMs and the ability to interact with removable media?

If it’s anything like the DoD does, the reason USB ports and CD drives aren’t physically disabled is because sometimes using authorized devices and media is required to perform your official duties.

And the same acquaintance described those NSA security protocols to you, who are now talking about them in a public forum. If your acquaintance actually did work for the NSA (God help us), he probably shouldn't have.

I remember an article a few years ago saying that a large % of office employees would trade their password for chocolate.

Ah yes, here we go: large-scale study, 43% of participants gave away their password when bribed with a chocolate bar. People just don't realize how valuable passwords are.

https://www.sciencedaily.com/releases/2016/05/160512085123.h...


> If the chocolate was only given out afterwards, 29.8 per cent of participants revealed their passwords.

Nearly 30% of people just gave out their password and didn't even know they were getting chocolate! They gave it away for literally nothing.


The study says 29% gave the password without chocolate as well.

Some were given chocolate before and some after; nowhere does it say chocolate was offered as payment for sharing the password. Small gifts could have been an inducement to establish relationship and trust, not the same as a bribe as you characterise it.

I find it hard to believe 25/40%-plus of people readily share their password with total strangers; without knowing more details it seems unrealistic.

Social engineering is still a problem but I am not sure bribes are the real concern. And to insinuate the cost of bribing is as low as candy for a significant chunk of the population is just wrong.


What kind of mindset would lead to this behavior? Maybe it doesn't matter. It feels, to me, like simply being exposed to people who say things like "What? No, that's not good" while remaining professional, respectful, and humorous is a vaccine against not wanting to seem jerky, yet staying secure.

Perhaps it did not come out as I hoped; if it was offensive I apologize.

The premise that the integrity of most people is bribed by a few bars of candy was offensive to me; I hope it is to you as well. The sensationalist headline basically claimed that; the abstract was a very different statement.

I am tired of studies that are constantly being cited these days: readers, journalists and even the principals invariably sensationalize the headlines.

It is a losing battle to get anyone to critically analyse information presented to them; sooner or later you are going to snap. Whether it is alternative medicine, creationism, or conspiracy theories, there is real damage out there every day; few people (Jon Stewart?) are articulate despite being frustrated and are able to civilly engage in discussion.

Even if the study actually claimed what the headline said, the bar to peer-reviewed respected research in much of psychology and social sciences seems so low that just getting some correlation between two parameters is good enough. Raw data is rarely shared, and statistical methods used are superficially understood and discussed; half the analyses are just putting data into a tool like SPSS with whatever defaults IBM puts in these days. There is not much scope for replication of a finding, a core principle of the scientific method.


To take your question literally: a trusting mindset. Many people default to assuming that people they meet mean them no harm.

Except this is not expecting perfection, it is expecting a level of security that can prevent children, literal children, from walking right through it. Which would not even be a problem except for the fact that this is far, far less than what Twitter has led their average user and stockholder to believe. To illustrate my point, if Twitter told the truth in big bold print at the top of every page so every user knows: "Determined teenagers can take over your account at any time." do you think this might outrage their users or harm their stock price? Did Twitter at any point say anything that might indicate that this is the truth of the matter and that would not be easily misconstrued by users? The evidence indicates yes, they would be outraged, and no, they at no point ever said anything that would lead anybody to believe that this was possible and hilariously easy. So, it hardly matters that maybe they or anybody else (say the FBI) can not provide a high level of security, what matters is that they committed material fraud in egregiously misrepresenting their product security to their users and stockholders.

Exactly. At least one of these kids used their personal gmail account on the hacking forum. These are not advanced hackers.

They've done more than you, and the majority of others, though.

And robbers have done more robbing than me too. It's not a competition I'm interested in entering.

One underestimates the capability of determined teenagers at one's peril.

And many of them live in what amounts to a serviced apartment above a restaurant.

Idle hands.


> expecting a level of security that can prevent children, literal children, from walking right through it

Well, that's your problem.


Oh believe me, I am under no illusion about that fact. My point is that the average user is completely unaware of it and Twitter, like most other companies, has gone to great lengths to obscure this material fact from their users and stockholders. If they told their users and stockholders, in no uncertain terms, the level of security they actually provide, which is massively different than what the users and stockholders believe, then I would not fault them for upholding their promises even if they are lackluster.

The problem is that they have not revealed the massive discrepancy between the common expectation and the truth which I, and I suspect most people, would consider to be fraud. Some might argue that they did not guarantee the common expectation and therefore it is the consumer's problem for engaging in wishful thinking, but that is frankly a ridiculous argument. We generally expect, and the law codifies, certain requirements on the consumer-business relationship which effectively amount to: "Consumers have certain reasonable expectations based on common sense, you can't just willy-nilly toss those in a contract and blame the consumer for not reading a 100 page contract where you get to sacrifice their first born in fine-print every time they buy bananas." I do not believe the law exactly codifies this form of fraud, but I think most would agree that a massive discrepancy between consumer expectation and the truth should be clearly communicated (the larger the discrepancy the more clearly/loudly) and acting otherwise should be at the least in the general vicinity of fraud.

In my opinion, the discrepancy is sufficiently large that it should constitute either criminal fraud or gross negligence depending on how aware Twitter was as to their own internal security. If they were aware, they engaged in fraud given they made no effort to properly inform anyone of their security. If they were not aware, they are grossly negligent in that they could not observe such a massive discrepancy between their beliefs and the truth. To anybody who reads this and says that this is a "heads I win, tails you lose" situation, I say that this is a result of the ridiculous discrepancy. If it were less ridiculous, like say a small group of organized hackers or a top-flight hacker, it would probably not qualify as gross negligence in Twitter's case if they were unaware, though it might still be fraud depending on the expectations laid out.

Incidentally, this reasoning scales to other cases people have mentioned like nuclear power plants or banks where people have certain expectations on their security which are likely different and more stringent than Twitter. The important thing is not that they all have the same high level of security, it is that the expectation matches reality and the reality is properly communicated.


My point was that there is no such level of security. It was a joke.

I mean determined teenagers created FB so...

> half of their employees would plug in a USB drive that they found on the ground in the parking lot

If that didn't work, Stuxnet wouldn't have gone anywhere either.

Sometimes the right hand requires the left hand to fuck up.


1. When was this study conducted? I remember a story like this from somewhere around 2008. A lot has changed since then. In fact, I recall that during my onboarding at a medium size tech company, it was an explicit part of the company's security training curriculum.

2. I think you may actually have it backwards. I would imagine the engineering group at Twitter (the people who have important credentials) is in some ways more paranoid, or at least more technically savvy and therefore more aware than many of the people at the FBI.


Comparatively, CERN does a phishing study from time to time [1] and the campaigns are in line with current expectations: people fall for phishing, and security training has only a short-term effect on phishing. Unfortunately I can't find the real results right now.

We once had a bachelor's thesis comparing the results over multiple years, and the results were mostly stable. (Years are mid 2010s.)

[1] https://home.cern/news/news/computing/computer-security-cern...


Security training improves security but it doesn't get close to stopping 100% of attacks.

I know it's obvious, but it feels like it's only obvious to those that think about security. It's the same reason that putting your developers through a yearly OWASP Top 10 secure coding course isn't going to get you to 100% secure code.

Locking down systems seems draconian, but it's the only way:

- Disabling USB storage

- Moving away from passwords to hardware authentication

- Strong controls on internet access

- Stop incoming calls from reaching most employees. Better: take away phones altogether

And so on.


In a remote-only or remote-first working environment, many of these policies are not feasible; ultimately employees have to be able to work somewhat productively.

Such clean-room requirements could perhaps work when the threat model includes nation-state actors or you are handling sensitive financial applications.

Most companies are not defence contractors or banks; the security levels you propose won't be worth the cost to a typical internet tech company.


Anytime there are humans involved, there is no way to 100% secure it

Isn't that how they got Stuxnet into the Iranian nuclear facilities?

Something like that (USB exploit of Windows zero days, breaching an airgap). (Edit: though not by leaving flash drives outside of the facilities, by infecting some with a virus that spread from Windows PC to Windows PC around the world.)

Someone successfully gained access to a colleague's email account using a phishing technique. I informed the senior management team not to open any emails, just to get a message 2 min later that one of them entered email credentials after opening a link...

I wonder what sort of machine those folks were plugging it into? If it's their general-purpose work-issued machine, shame on them, but I can't believe the FBI doesn't have high- and low-side networks. How many plugged into the high side? How many plugged into the "this is my email and timecard" computer?

I have a Chromebook running Arch[0] that has a borked network adapter that I use to plug weird things into/use as an airgapped box I can reset in about 5 minutes. I'd have no qualms about plugging anything into that.

[0] BTW I run Arch


Nice, I run Arch too. I like the way it is, and isn't.

As an aside to that important point, it seems like the solution here is to just remove all random device access points and drives before giving a system to some luddite with no security awareness.


Anecdote:

Working at a courtroom I was bemused by the security talks about USB keys, yet the OS setup still allowed USB driver installs automatically (granted their local presence). I know because I brought a keyboard to replace the busted one they had in-house and Windows gladly set up everything plug'n'play.

I wonder if OSes have actual rules for this, and if there are secure corporate USB keys.


You know you can create USB device filters in Windows so it will not allow unknown devices to be installed. But the sysadmin has to know about it.

https://docs.microsoft.com/en-us/windows/security/threat-pro...
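The device-installation filters mentioned in this tip, together with the "disabling USB storage" item in the lockdown list upthread, can be audited and applied from an elevated PowerShell session. This is an added example, not the commenter's code or anything from the linked Microsoft page; it assumes a stand-alone or test machine (on a domain-joined host the same settings belong in a GPO, which would overwrite local values), and the registry paths and class GUIDs used are the documented ones backing the "Device Installation Restrictions" Group Policy settings.

```powershell
# Added example: audit and harden Windows device-installation policy so that unknown
# devices (e.g. a found USB stick) are not installed automatically, while still
# allowing known input devices such as keyboards and mice.
# Assumptions: run as Administrator on a stand-alone/test machine; the registry paths
# below back Computer Configuration > Administrative Templates > System >
# Device Installation > Device Installation Restrictions.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$UsbStor      = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Device setup class GUIDs for keyboards and mice (Microsoft-defined classes).
$AllowedClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'   # Mouse
)

function Get-DeviceInstallPolicy {
    # Report the current state of the relevant settings. Missing values read as $null,
    # which is the "weak" default: anything that enumerates gets a driver installed.
    $denyUnspecified = (Get-ItemProperty -Path $Restrictions -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
    $usbStorStart    = (Get-ItemProperty -Path $UsbStor -Name Start -ErrorAction SilentlyContinue).Start
    $classKey        = Join-Path $Restrictions 'AllowDeviceClasses'
    $allowed = @()
    if (Test-Path $classKey) {
        # Allow-list entries are string values named "1", "2", ... holding class GUIDs.
        $allowed = (Get-Item $classKey).GetValueNames() | ForEach-Object {
            (Get-ItemProperty -Path $classKey -Name $_).$_
        }
    }
    [pscustomobject]@{
        DenyUnspecifiedDevices = ($denyUnspecified -eq 1)
        AllowedDeviceClasses   = $allowed
        UsbStorageDisabled     = ($usbStorStart -eq 4)   # Start=4 is SERVICE_DISABLED
    }
}

function Set-DeviceInstallPolicy {
    param([string[]]$AllowClasses = $AllowedClasses)

    New-Item -Path $Restrictions -Force | Out-Null

    # "Prevent installation of devices not described by other policy settings":
    # the default-deny that makes the allow list below meaningful. It applies to new
    # installation attempts; devices already installed keep working.
    Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Value 1 -Type DWord

    # "Allow installation of devices using drivers that match these device setup
    # classes": keyboards and mice still work, an unknown USB stick does not.
    $classKey = Join-Path $Restrictions 'AllowDeviceClasses'
    New-Item -Path $classKey -Force | Out-Null
    $i = 1
    foreach ($guid in $AllowClasses) {
        Set-ItemProperty -Path $classKey -Name ([string]$i) -Value $guid -Type String
        $i++
    }

    # Belt and braces: disable the USB mass-storage driver outright so even a
    # previously seen stick cannot mount. Start = 4 means SERVICE_DISABLED.
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
}

# Usage: inspect first, then harden, then re-inspect.
Get-DeviceInstallPolicy
Set-DeviceInstallPolicy
Get-DeviceInstallPolicy
```

Run `Get-DeviceInstallPolicy` on a fleet to spot machines where `DenyUnspecifiedDevices` is false: those are the ones where a plugged-in keyboard (or anything else) gets set up automatically, as described in the courtroom anecdote.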


Apparently these were not, since I could also see my smartphone being registered as a new MTP endpoint (and could exchange files).

Thanks for the tip.


>>If a security-focused government police agency is so vulnerable

I think calling the FBI "security-focused" is a bit too generous. They are essentially glorified police detectives, with greater authority and jurisdiction. I don't believe the average FBI agent is particularly competent, in terms of technical (i.e. computer) skill or knowledge.


The FBI literally performs the background checks for security clearances. Like any other organization it has less security focused divisions, but insofar as any organization is security focused, the FBI is.

Like I said, none of this translates to computer literacy.

Why are random users allowed to attach USB drives? Is that normal? I would think any data going in or out should go through some centralized process? Sure, the Internet can be a loophole, but locking down physical access seems like an easy and obvious win.

A criminal mastermind would leave a stick behind to infect those investigating.

I would be surprised if the average FBI agent was less likely to plug in an unknown USB drive than the average Twitter engineer.

What makes you say that?

Software engineers are much more aware and focused on the problem of technical attacks. An FBI agent has no innate reason to distrust USB sticks. After all, they're just for "moving files" or whatever other basic tasks they use them for.

> Software engineers are much more aware and focused on the problem of technical attacks.

We’re constantly presented with evidence to the contrary.


The point was "less likely", not that all engineers would not do that.

This reminds me of Mr.Robot. :)

> The age of the attacker is irrelevant to Twitter's role in this story.

I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.


Of course it's steep. But he's just a pawn. He is irrelevant. The bigger picture is that one of the largest tech companies with stock traded publicly got caught with its pants down and revealed that its staff is not properly trained and is vulnerable to social hacking. As a result millions of dollars invested in the stock were lost. Some angry billionaires who happen to write fat checks to politicians placed a few very harsh phone calls and then these politicians placed ten times more angry calls to the next in line, until they reached the DOJ. That's all it is. Now the DOJ has a last chance to look all serious and harsh before they turn the light off.

Yes. But at the same time, it's easy to get into "blame the victim" mode

Having full blown security could mean nothing is done easily anymore

Prosecuting is important


Depends on how you define the victim.

One could argue that the victims in this case are the people whose profiles had been hacked.

As for having full blown security getting in the way of getting stuff done, try replacing "Twitter" with "Equifax", a company that handles arguably more sensitive data and should have the "full blown security" you mentioned.

Did they suffer any tangible consequences?


The stock went down for a couple of days, that should teach them. On a serious side note, it's such a clash between company and user-experience (i.e. every NA citizen) incentives that credit score companies have a stock in the first place.

Prosecuting is mostly irrelevant. A lot of attacks come from countries outside the reach of US law enforcement.

What about when NSA wants to build a backdoor in encryption standards? Who is at fault then?

Overcharging has become the norm. Not just in high profile cases but in everyday ones as well. It's an effective leveraging tool used to get the accused to accept the actual charge in a plea bargain.

Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.


> Overcharging has become the norm

With regard to "has become", this is completely false. Overcharging is not "new" in any way, shape, or form, as I hope the recent post commemorating Aaron Swartz's death would have reminded all of us.


What is this pointless nitpicking even supposed to mean?

Modern legal frameworks have roots hundreds of years old; this habit is a recent development of the last few decades.

So why are you trying to browbeat this person over correctly referring to it as a recent trend, using a recent example to do so?

Reminder that every field is tech, churning through the framework of the week like it's going out of fashion...


Yes, my apologies. I have become so inured to history lately. I mean in the last 40-60 years or so. Essentially since defendants have made themselves peaky with the consequences of Gideon v. Wainwright, the legal recourse has been to combine several tools to prevent trials.

Justice is expensive and Americans just don't have a taste for it.


> Hitting a 17yo with 30 felony charges feels a bit steep to me.

Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.

But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.

Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each car bombing. 4 * 5 = 20 years. 25 year old girl... and now her life is basically over. And for what?


The sentences should run concurrently.

4 years for setting a car on fire is not unreasonable, although maybe a little harsh depending on priors. It's a dangerous thing to do.

But setting five cars on fire is not particularly worse than setting one car on fire.


Maiming peaceful protesters with mace and rubber bullets is a dangerous thing to do.

Four years of someone's life for damaging an inanimate object? Absolutely absurd. Did people get hurt? No. Fuck that. I often wonder if the "justice" system is a worse thing than criminals some of the time.

What about murdering 5 people vs 1 person?

Although I would agree in this case, and the rationale would be that it probably would not take much more time to adjust the behaviour of someone who did 5 vehicles vs 1. But maybe something like 7 years instead.


Life vs Items is a totally different thing. Not comparable whatsoever

I'm certainly not arguing all sentences should be concurrent. Most are, and I believe it's appropriate in this case.

O(log n) or O(sqrt(n)) might be a reasonable compromise between concurrent and consecutive sentences.

Setting five police cars on fire is an act of domestic terrorism. That's not in any way a normal protest action. That's what the prosecutor will argue.

> Setting five police cars on fire is an act of domestic terrorism

No, it's not.

> That's not in any way a normal protest action.

Well, yeah, that’s why it's prosecutable as a crime at all rather than protected first amendment speech.


The Boston Tea Party was an act of domestic terrorism. It's hard to determine whether an act is right or wrong without a good duration of hindsight.

The only reason that we look at the Boston Tea Party as a "good" thing that happened is because that side ended up winning a war. If the British had won that conflict it would be a footnote in history, noting that some hooligans destroyed some property.

> The only reason that we look at the Boston Tea Party as a "good" thing that happened is because that side ended up winning a war.

No, it's because they ended up winning a war and became us. If it had been a group that went on to win a war of national liberation against us, we probably wouldn't look too kindly on it.


Sure, but the point remains. We remember the Boston Tea Party as a good thing only because the victors of that war celebrate it.

Yep and maybe she'll be vindicated by future historians. But right now she's going to do 20 years.

Doubtful.

Was it? Which part of it caused terror?

I mean, unless you're trying to be funny.


Sure, but no one would argue, I hope, that British society would have been improved if the British government had changed their laws so that the Tea Party would no longer be a crime.

Setting five police cars on fire is punk rock, not "domestic terrorism"

Setting cars on fire is not an act of spreading terror. It is an act of defiance


Your Honor, I firebombed those police cars because I'm PUNK ROCK!

do you see how you sound


Again, you are misunderstanding the intention. 9/11 was an act of terrorism. Setting police cars on fire is vandalism, destruction of government property, maybe something for endangering police officers or something. All things condoned by your local friendly "anarchists".

What it isn't is terrorism.

Now go and listen to some Rage Against the Machine. Are they terrorists?


Is lighting crosses on fire terrorism?

Yes, because the whole point of that act is to terrify whoever lives on the property of the cross you're burning

Why are people lighting cop cars on fire? Please don't say it's to make an intelligent and nuanced political statement.

Because they want to destroy the government. Or they're frustrated. Or mad. Or feeling mischievous.

None of those things are terrorism


Calling lighting some cars on fire terrorism sounds more frightening than anything else. I feel terrorized just by that.

I agree the crime is serious. But that she did it more than once doesn't make it proportionally more serious, and certainly should not make the sentence proportionally longer.

Why doesn't it make it proportionally more serious?

Ehm, seriously? 10 machines, 40 years? 20 machines, 80 years? There's no correlation with the concept of reforming that person after a while.

The USA system isn't reformative.

I remember when terrorism was blowing up a building injuring almost 1000 people and killing countless more, or crashing airplanes into two buildings, killing 3000 and injuring countless more. Burning police cars that ended in not even an injury is a felony, but terrorism? No way.

I really wish people would stop lowering the bar for what's called terrorism. It's a very dangerous slope.


It feels terrorizing to call lighting cars on fire terrorism.

I think physical violence is (and should be) treated more harshly.

I felt a sting reading that too. He hit the idiot computer kid jackpot and did idiot computer kid things with it. Not saying no consequences, but damn.

Idiot kid things would be having Obama tweet "I think @Kelly2003 should go to the prom with Clark". If you're old enough to run a send back scam, you should know it's wrong.

I think the friction of an act contributes to the analysis. It isn't hard to get a bitcoin account. It's a number. With other fake numbers assigned to it. Get people to send fake numbers to your fake number.

Should a 17 year old lose prime years of his life? Is there a better way to educate/reform the person?

If you say "Well in this other instance, the book got thrown at so-and-so". To this, I would ask, does that make it right?


One thing I think we ought to give credit to is that as infosec becomes higher profile and more public, the sophistication of kids will rise with it.

For example, many of the techniques that are basically public info on YouTube[1] nowadays were hidden in some "darkweb" forum not many years back.

[1]: https://www.youtube.com/c/STOKfredrik/videos


Adding repercussions to the targets would be a mistake in my opinion - that would be very anti-transparency, as they would be encouraged to be willfully blind to cover their own asses. "Look, it is clearly just the fault of these dumbass rich people who didn't secure their passwords properly. Password reset logs? Why on earth would we keep those?"

Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure. It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.


I kind of like that idea, but defining the rules and boundaries would be really hard, and I'm not sure if the cure wouldn't be much worse than the disease, overall, for just blanket legalizing hacking.

Like, how far am I allowed to go?

Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?

Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?

Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have a look into that User\ List.xslx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?

Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?

Can I attack healthcare providers? Can I attack banks?

Can I use any minutes-old zero-day disclosed by some hackfluencer on his YouTube channel, even if no one reasonably could have reacted to that so quickly?

I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector to get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.

That might lead to everyone below big corporation level virtually having to migrate everything they can to cloud and serverless products, since I'd expect it to get increasingly harder and more expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed within the hour, but how many small companies (or individuals running services) could do the same?


> Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.


That is not the point that the parent comment is making, though.

It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.


> It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.

That is exactly my point.

There are tons of crimes that basically anyone can do. If you said instead: people whose houses are set on fire by an arsonist should be liable for poor security, at the very least you'd not be taken very seriously.

There is a duty to not commit crime. There is no duty to avoid being the victim of a crime.

On top of that, there is broad industry consensus that it is largely impossible to write bug-free software - certainly at the scale of Twitter. To suggest that they have the duty to perform the impossible strikes me as deeply irresponsible if not simply malicious.


>There is no duty to avoid being the victim of a crime

If you entrust a bank with 10 thousand dollars, and the bank puts your money in a paper bag and leaves it in the lobby, they are going to be held liable if someone walks away with it. Twitter letting teenagers steal people's data is approaching that level of negligence for a multi-billion dollar company.


I don't think the fact that the person is a teenager really bears any significance as to how negligent a company is. Historically teenagers have done massive damage as sole actors in numerous roles.

The only thing between the inside of a home and the outside is a thin layer of glass. Should we hold home owners responsible for people breaking in and stealing? Lots of things are fragile; we have laws to act as a deterrent to violations.

We do in some cases.

Someone breaks in and steals your stuff? We generally don't care, because it's solely your problem.

Someone breaks in and steals other people's stuff that you held, or stuff that's dangerous to others? Depending on what it was, you may be held liable if you didn't take appropriate measures.

If the stolen stuff was, for example, sensitive private information, and you didn't have it in at least a locked cabinet, you may be liable. If it was a gun, in many jurisdictions, you're liable. Your car gets stolen _because you didn't secure it correctly?_ In Germany, you're liable for the damage caused with it!


> There is no duty to avoid being the victim of a crime.

In Germany (and likely also other jurisdictions), if your car gets stolen because you left the door open and the keys in the ignition, you will be held liable for it to some extent: As the owner of a dangerous machine, you're responsible to reasonably secure it even against illegal acts. [1]

I don't see why this would be different if your machine is a lot bigger, and as a result arguably a lot more dangerous than a single car (imagine tweets trying to trigger violent mobs).

[1] https://dejure.org/gesetze/StVG/7.html subsection 3


You are incorrect - there is a legal concept known as strict liability that defines an instance where one party is completely liable for damages to a party, regardless of the negligence of any other party. I am sure Twitter didn't run afoul of that concept here, but the question is, "should they?" Presumably, a skilled person with only a few years' experience was able to find a flaw in their system so severe, that multiple political and business leaders' accounts were manipulated. It's a dangerous embarrassment.

That was the other commenter's point: a 17 year old can hurt people with a car just as easily as a 40 year old. The age of the attacker has no relevance on how liable the recipient of the attack is for their security practices.

The same point stands with the car: any 17 year old could borrow their parents' car and drive into a crowd. It's not the fault of the car owner for not securing their car.

Security is not preventing people from doing things, it's having some limitations so things can't be done too easily or too quickly (cars are protected by keys, accounts by passwords). Anybody motivated can and will bypass security easily.


> It's not the fault of the car owner for not securing their car.

Securing their car against... their children? Or distributing the car's keys to 2,000 people?


Is a 17 year old hacking them really proof of worse security than say a 30 year old?

Well, the age implicitly assumes potential levels of education and sophistication. Few would be surprised to hear a 30 year old engineer designed a novel world-class chip - they could easily have a PhD at that point to have the sophistication required. For a 17 year old that would be pretty damn extraordinary. Now hacking is less than that even to laymen who don't know how simple some holes are, but 17 implies a lack of great sophistication.

The whole thing is an ageist rough proxy anyway - a developmentally disabled 30 year old hacking it would be more shameful than a 17 year old college graduate.


I put a cheap lock on my door and someone breaks in and steals everything.

Should I be held liable for my poor security practices?


If you were responsible for securing my stuff, and you put a cheap lock on your door protecting my stuff, and someone breaks in and steals all my stuff, then yes, you should be held liable for your poor security practices.

But that's not actually the law, is it? You could certainly bring a civil lawsuit (and so could Twitter users), but I haven't committed a crime.

True, but I think this case opens up doors on regulation of tech companies for security, or at least new laws for security negligence. The power that Twitter has due to its highest-profile users is immense, however, this hack made them look incredibly stupid.

I don't disagree, it's pretty damn embarrassing someone can get the keys to the kingdom through some social engineering.

My only concern is what happened with Equifax - some punishment is put on the company and it's only a token amount and nothing changes.


We generally handle that liability free-market style, i.e. "Why the hell would I sign up for a Twitter account? Their security is so lousy some 17-year-old could be speaking as me."

Twitter is a meme service with a bunch of self-absorbed individuals talking over each other... just FYI in case you lived under a rock for the last 10 years.

Well, maybe it was until a certain individual started using it to conduct matters of foreign and domestic policy.

I think that is just further proof.

Previous settlement regarding twitter security: https://www.ftc.gov/news-events/press-releases/2011/03/ftc-a...

This is a tough topic. If we take the approach of effectively turning this kind of crime into job interviews and a way to enter life-long careers we would create a positive feedback loop. Punishment, on the other hand, creates a negative feedback loop. We can discuss the degree of punishment, but it is clear that humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.

The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.

Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.


> humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.

I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively change behaviour, and can often turn past offenders into very effective advocates against the crime they committed.

That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.


Having bad security is not criminal. If it was we wouldn't have a voting village at DEF CON cracked by pre-teens, and there would be a lot more irresponsible CEOs in prison (so probably a better world).

Agree. Twitter is under no obligation to provide Secret Service level security on its platform because some high-profile people use it. If the government deems such security measures so important, they should pay Twitter to implement them.

Negligence is actionable regardless of whether it’s criminal. And whether it’s criminal depends on the duty of care that can be reasonably expected from the negligent party.

In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.


Did you read the report? This hack involved spear phishing multiple employees who also had 2FA turned on. Good practices were in place. This was not some admin panel left open to the internet, that would be negligence.

Usually, the counterweight to bad security is the extremely-practical "Pests, assholes, or criminals ownz you."

Which works on average.


I disagree. For every Mossack Fonseca, Mernis, Equifax, Twitter, LinkedIn, Ashley Madison we get public hacks from I think we have many more that see it as "the cost of doing business" and keep bad practices around.

In many types of businesses the cost of a security breach is "priced in" or not considered at all and they are gambling on it happening to their competitors (or not at all) instead of to them.


I think we are in agreement on mechanism. I meant "works on average" in the sense of "Keeps fraud and breaches to a level consumers are comfortable with." Nobody imagines breaches can be driven to zero; we seem to be comfortable as a society with the overall rate and severity of breaches (demonstrably, since people keep signing up for these rando online services willy-nilly with nary a care to who holds their data).

Is bad security ok for, say, a bank or a nuclear power plant?

No, and that's why we (basically all nations that have banks or nuclear power plants) have specific laws governing them.

Look, if you want to pass a law saying all internet business having X personal data needs to prove Y security, then I'd probably be for it (depending on X and Y). We already have PCI-DSS and similar today for payment providers. I'm just saying that there is nothing like that today, and if there was we'd have a lot more irresponsible people in prison.


In "2020 Commission Report" by Jeffrey Lewis, North Korea nukes the US because of one twit. This looks very plausible to me.

Are you arguing against something I've said? Because if so I don't understand what or how.

I'm arguing that Twitter is now critical infrastructure, like banking or power grid, and needs to take security seriously. If they don't do it themselves, they'll get regulation like HIPAA.

Then you need to find someone else to argue with. All I said was that bad security is not criminal currently.

A nuclear power plant, no. Because it's most likely public property and so the govt should have a say in its security. Even if it was a privately owned nuclear power plant, a breach would catastrophically and directly affect people who are not just its customers.

But a bank, which is a privately owned entity? I think yes. If I own a bank and have bad security practices, and a breach impacts only my customers, I think the customers have the right to sue the bank, but it's up to me to decide what security I use, and if it's not good the customers are free to choose to do business with another bank. But I don't think the govt should decide what level of security is sufficient?

Think of it this way, does this imply if my house is robbed I could be held liable because I chose to use locks on my house that were non compliant to govt regulation?


Large banks are designated as SIFI (systemically important financial institutions, aka "too big to fail"). When they screw up, the government steps in and props them up with taxpayers' money. To those banks, losses from lax security are an externality.

In that sense they are not very different from nuclear power plants. Indian Point is owned by Entergy and it gets the money when everything works fine, but the risks are covered by the government through Price-Anderson Nuclear Industries Indemnity Act.

If your house is robbed, it's your problem. But if you store personally identifiable information for everyone and it gets stolen, now it's everyone's problem.


It's not steep, this is one of the many cruelties and abhorrent failures of the US justice system. They do this to force you to enter a plea bargain deal even if you are innocent.

A year or two and return the money. It's not like he tried to break into a nuclear plant. It is a messaging app, mostly nonsense.

... with the ability to move trillion dollar markets and potentially start riots or wars.

Lots of people have the ability to do bad things.

Seems you believe they should therefore all go to prison,

even if they didn't actually do those particular things.


Then we should regulate Twitter's security controls like we do banks? A breach like this at a bank would get them investigated and fined by multiple state and federal agencies.

Their intentions will matter a lot. Are they just collecting accounts, or was there an intention to move trillion dollar markets/start riots or wars/etc.?

> Hitting a 17yo with 30 felony charges feels a bit steep to me.

Someone's gonna talk if they haven't already?


Does it really change much about the sentence he'll face? Felony charges usually group.

> Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.


Not a home, but if you were a bank and a 17 year old walked into the bank, talked to someone and was able to walk out with a fat stack of cash, I think the insurance company would have to reconsider your policy.

Absolutely any 17 year old can walk into a bank/shop and get out with cash. Preferably armed and not alone.

The challenge is to get out and never be caught.


According to a family friend who used to work bank robberies for the FBI, it's very easy to get away with one bank robbery. It's the compounding evidence when you commit more that gets you. Of course, that was a couple decades ago. I'm sure better surveillance technology has shifted that balance some.

Not home security, but I'm of the opinion this should apply to businesses and public places in some cases. For instance, I usually carry a gun on me. If I go into the court house or a concert venue I'm prohibited from doing that. IMO they have now assumed a level of liability to provide a reasonable level of effective security, and they're negligent if they don't and I'm injured or killed because of a mass shooting anyway because they didn't enforce their own policies.

Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.


I find it odd that you think a gun protects you in public. It's always seemed to me like you are more likely to be shot if you're carrying a gun, because an armed criminal now has to shoot you first if they want to ensure that they are not shot themselves. If you are unarmed they can simply threaten to shoot you and need not actually shoot.

I guess in the US there are so many guns that perhaps criminals will just assume that you're armed anyway. But IMO that only makes the case for gun control stronger, because the most effective way to change that attitude would be to dramatically decrease the number of guns in circulation.


The gun is well concealed and I'm an accomplished competitive shooter - no I'm not concerned about that.

It isn't fair to compare to home security. If someone breaks into my home, only my belongings are lost.

If someone breaks into Twitter, user data is compromised. It's not just the business that pays a price.


Governments are touchy about propaganda channels, even (or especially?) when they are lower in quality than the Sun or the Daily Mirror.

> Hitting a 17yo with 30 felony charges feels a bit steep to me.

What charge should they leave out? Also, he will not serve, say, 15 years X 30 charges if found guilty.

Now they are dealing with him; what happens to Twitter, if anything, is a different story. 17 years old or 19... he knew what he did.


Source for those charges? The article this currently points to says "The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile."

That makes me so mad, not just for 17 year olds, but for everyone subject to the whims of the criminal justice system.

For this young man, it should be 1 charge, maybe 1-2 weeks in jail (to demonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.

We destroy lives gone astray rather than nudge them back onto the happier path(s). Mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. The punishment should reflect that.


I think the fact that "a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world" does pretty serious damage to their reputation — that is in itself a repercussion.

You'd think so, but history shows that this will only be a footnote in Twitter's history. See Equifax; they have lost the personal finance data of basically everyone in the US and they're doing fine. Twitter is not going to suffer anything other than a few bad jokes at its expense.

He pissed off the wrong people.

Standard disclaimer for headline sentence lengths:

https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...


What does the 17yo have to do with it? Would it be different for an 18yo?

In the United States, we generally consider minors who commit crimes to be a different class of criminal than people above 18. We do this because (AFAICT), there's a sort of societal agreement that wisdom/maturity is a logarithmic curve that begins to flatten in the late teens and 18 was picked as a legal threshold.

So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.


FWIW, don't imagine that there was anything as elegant as "logarithmic curve analysis" used to decide that the age of majority is 18.

It's an age that was settled upon by common-sense consensus over a grand function of "Well, most Americans (descended from Europeans) thought it should be around 21," and that's probably because 21 is a nice, round number. Then the draft age got pushed to 18 because we needed more bodies for the meat-grinder in World War II, and the voting age followed around Vietnam when too many people asked "Wait, in what way is it just or fair we can force people to fight and die in a war who can't even vote?"

There isn't a lot of hard science (beyond the most ancient human science of all: observation across millions of data-points loosely confederated into "common sense") underpinning the age of majority.


But they still cannot drink alcohol...

It's true. Apparently, that's because Mothers Against Drunk Driving campaigned hard to have the drinking age re-raised to 21 after they got their hands on some evidence suggesting that it cut down on deaths due to car accidents.

As a society we generally make some allowance for a perpetrator's mental capacity. One aspect to that is we generally accept that teenage brains are not quite the same as adults.

I believe most states will charge a 17yo as an adult. Not sure what the feds would do.

First they need to determine his political leanings, then they'll have a good idea of how to move forward.

I could see this possibly being challenged in the courts, possibly up to the Supreme Court.

I looked it up and it’s only 3 states that do it. My state, Georgia, is trying to end it.

Conversely, would it be different for a 16yo? What about 15yo? Or 12yo?

Since the President makes all his official statements via Twitter, one could argue this is a matter of national security.

Also, Twitter is just a collection of people and a single person is trivial to exploit.


A nation state would more likely facilitate a 17yo doing it.

Do you really think Lee Harvey Oswald acted alone?

:)


Just because he is 17 doesn't mean he didn't understand the repercussions of his actions. That said, Twitter should be facing fines as well for not protecting their platform. I mean seriously, what if someone gets hold of, say, Putin's or Trump's account and starts stating they are launching strikes on XYZ country within the hour? What happens then? With great power comes great responsibility, and these platforms of communication are no exception.

Nothing in the complaint (well, for the two others, since his is sealed) says that a state-level actor wasn't involved. Could be the tip of the iceberg. I find it hard to believe that this was prank hacking for about $150,000. You could sell Obama's handle for more, surely.

Do you know anybody willing to pay over $150,000 for temporary access to Obama’s twitter account? I find this type of comment kind of naive and poorly thought out.

Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that is probably going to raise red flags with law enforcement.

To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.


Cue the entire movie "Burn after reading."

Kid had the whole attention of the world for a few minutes, could've walked away a billionaire, started WW3, done Casino Royale stock trading - everything, anything - CREATIVELY there's so much that could've been done, and it all fell down to a bitcoin scam that netted less than 150K (wallet shows about 128k.)

That's a yearly salary of a help desk engineer on the west coast.

--I'm not sure which video to link of "Burn after reading" but the entire movie is how this was handled.


You cannot start World War 3 or become a billionaire through some tweets; this is not a movie.

I feel like it would have been relatively trivial to make decent 7-9 figures depending on your initial leverage just by manipulating some key accounts. I.e.: short Tesla, Musk's account says solar roof delays, firmware error has started bricking cars, self driving is 10 years away, delivery numbers going to fall well short.

Trump (surprised they didn’t hit that) - no new stimulus for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple small cap companies that are going to receive massive boosts like the Kodak thing.

Tim Cook: Apple sales flagging, iPhone production issues due to supply chain issues

Take a bit of timing to get it right and be able to walk away from the markets relatively untraced (market trade interrogation is a useful way to trace inside information, so it's hard to do in a way that leaves no trace), but if you know you can perform your hack at leisure you can set up the initial trades well forward, wait for the market and some other external condition to walk into your ambush, and then pounce.


Even setting up your trades in advance, there's no way you're going to make a billion dollars doing that kind of thing without being noticed. Millions, maybe (although maybe not), but certainly not hundreds of millions. Unless you already have hundreds of millions to work with, but then you're probably not a 17-year-old hacker.

Best case he'd probably have a few tens of thousands in capital, and he gets one shot at it. In order to get the kind of leverage needed, he'd need to use short term options and/or move penny stocks. Either one of those would paint a giant target on him.


Personally, I find "it was a prank" extremely easy to believe. It's the simplest answer to the question "Wait, if someone compromised Twitter so badly they could tweet anything from any account, why didn't they try to move the whole stock market or start World War III?"

"Because they're young punks and didn't think of that" is a reasonable answer.


Prank hacking would fit with the monetization when combined with a "who would be dumb enough" attitude that underestimates stupidity, like the whole "charge your iPhone in the microwave" thing or Soupy Sales' "send in all of the green paper in your parents' wallets", not thinking people would actually do it. Plenty of precedent, but easy to see why they would feel no responsibility for anyone mindbogglingly stupid enough to do so.

I guess he gets a hard lesson on how dumb people are on Twitter.

Yeah, cuz a trillion dollar state entity is so strapped for cash it needs to steal 150k of bitcoin too, drawing attention to the scheme.

Well, of course that wouldn't be the move. The move would be to coerce the naive but capable hackers into doing this, and once the payload was delivered, burn them. I don't know what happened, but it's kind of a waste of a huge position, so I don't think it's that far-fetched.

> some of the most important individuals in the world

I have bad news, there are no important individuals. Sorry.


He’s being treated a lot better than the adult defendants.

He’s being charged in state court - specifically the state he resides in.

The charges are being brought in San Francisco - which is thousands of miles from the where the other suspects live.

Relative to the other defendants, he’s getting it easy.

Yes, he’s technically facing life in prison. But it’s a prison near his home.

He probably won’t get life in prison, but at least he’ll be able to get family visits, etc.


> He’s being charged in state court

The release doesn't say either that he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—“With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile”—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities).


Sorry I was incorporating information from another HN linked article: https://www.wfla.com/news/hillsborough-county/tampa-teen-acc...

It’s much clearer as to what’s happening at the state level.

It’s also clearer that, for now anyway, he’s being held near his family.


I agree this bothers me to my core. Even the 22 year old hasn't developed a fully functional neocortex. I know it seems a little hypocritical of me for getting sad when this happens to a young programmer and not an inner city gang member, but it does.

To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.


That attitude is exactly the problem though. These kids getting hit with a 30 year sentence bothers those of us who relate, when the same thing happens to young black inner city kids every day. Plenty of them are just as intelligent, risky, and bold as these kids but we throw them in prison for the best parts of their life without a second thought.

> These kids getting hit with a 30 year sentence

They will not get hit with a 30 year sentence.


That's violent crime though, which is more obviously bad, even to a teenager. If you're 17 and intentionally kill someone then your brain is broken and you should be kept away from innocent people forever unless you really have some delayed development that comes later.

Why do you assume black kids are being put away for violent crimes? Mostly it’s drug possession, and they get hit with years while a white kid caught for exactly the same drug and amount gets off with a warning “to avoid ruining his future.”

Where did GP mention violent crime or killing people?

> To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't

They engaged in straight up fraud! It's not like they just pranked some folks; they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some US$100k or whatever.

You want those people LEADING us "into the future of science"?


> they tried to fool the world into sending them money

Their mistake was they failed to call it a "series A funding round."


If this turns out to be true, then we can conclude two things:

1. It's incredible that the security of Twitter allows for a solitary 17-year-old to gain full access to (any) account.

2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.


Frankly, I don't take "a teenager did it" as an extra mark against hacked systems any more. It's the details that matter - the difference between one teenager and multiple adults being able to hack something is not large unless the context is government hacking.

Maybe in terms of raw skills, but adults are likely to have more experience, better judgement and better opsec.

This works against them in many ways. They're also more likely to say "that wouldn't work", and to be otherwise biased by their prior experience.

Yes, a teenager, especially one stuck at home and not going to school, might just spend weeks and weeks poking around to see what he can hack, and is much less afraid of the consequences.

Not to mention they likely have better access to hardware and other resources.

The Krebs article says that prior to the bitcoin hack, they were selling accounts such as @6 for $2000. They probably had a rapidly shrinking window and the bitcoin scam was the last ditch effort before whatever admin account they hijacked got discovered.

> 1. It's incredible that the security of Twitter allows for a solitary 17-year-old to gain full access to (any) account.

Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.

You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.


My initial thought was that the bitcoin move was a red herring. DMs associated with the compromised accounts could be very well worth much more than $100k.

https://twitter.com/twittersupport/status/128608813552531865... https://www.theguardian.com/technology/2020/jul/23/twitter-h...

"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands."

You might be on to something.


People did say things like you could have made a fortune shorting stock by tweeting something insane from Elon Musk's account. I don't buy that as necessarily better than a Bitcoin account. Stock transactions are heavily regulated and monitored. You'd leave a pretty large paper trail of any stock manipulation you hoped to profit from.

Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?


The stock idea is dumb, in my opinion, because there were safer (no SEC) ways that required less capital and didn't require fancy trade accounts.

For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.

Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.

The nice thing is, they could do one or even multiple of these and still do the scam.


How exactly do you short a specific cryptocurrency?

You go on Binance, BitMEX, Bybit, FTX, Phemex or any other exchange that offers futures or perpetual swaps that track the bitcoin (or whatever) price. This is basic stuff. You can create a BitMEX account in minutes, load some bitcoin in and short with 100x leverage with minimal time or effort, just need a small amount of bitcoin to trade with.

He could have done the scam on e.g. Elon Musk's account to get some bitcoin and then pulled this scam on an exchange using the money from the first scam.


> load some bitcoin in and short with 100x leverage

Sounds like a great way to have a crooked exchange make you insolvent very quickly. Be very careful using any kind of leverage.


If you don’t trust your exchange not to commit that kind of fraud, then you shouldn’t trade on it at all, as there are many ways they could defraud you even if you trade at 1x. There are plenty of reasons why I wouldn’t recommend trading at 100x, but “the exchange might commit fraud” isn’t at the top.

Still, in the described scenario, where you use a scam and market manipulation, 100x seems like a great tool.


Are any of those exchanges based out of the USA? And do any of them not allow USA based customers? My concern is if I made a great trade at 100x and then go to transfer bitcoin and they freeze my account saying I need to provide proof of residency or some BS.

Most do not allow US customers, but even BitMEX gives you a few days to withdraw your funds after freezing your account if found to be in the US (I’ve been told by people who had their accounts frozen). Some have KYC, sure, but in my experience, many do not and let you withdraw without issue. A lot of people (stupidly, IMHO, but that’s besides the point) trade 100x; it's part of many of these exchanges' selling points.

But if you were pulling the twitter scam, as I described, you would be risking a few $K on this trade in the hopes of making a million or two, while still being able to do the scam they did. Sure, there are risks (such as being able to withdraw at all after using the twitter hack to manipulate the market), but chances are there are plenty of others who will have shorted too, so you’d be part of the noise and wait a week before withdrawing. It's not a perfect plan, but it's straightforward with the potential to multiply the scammed money.


If you're someone who's regularly traded 10s of thousands of certain stocks over the last few years, it would be nearly impossible for them to detect a $100k profit from stock manipulation, especially in a high volume stock like TSLA.

If you’re someone who regularly trades you already have money and are unlikely to be hacking twitter accounts. Certainly a 17 year old isn’t going to be in that category.

Especially since Tesla is shorted so much. That said, shorting even with leverage requires you to have some money to invest. If you are 17 you are most likely broke.

But the fact that _I_ could have made a higher return still holds. If I was 17 and broke, yeah, the whole stock manipulation thing wouldn't be my first choice.

If they knew up front they would be doing this, they could’ve shorted Tesla in smaller positions, over multiple accounts. There’s tons of people shorting Tesla, would it really be traceable to any of those?

Yes, because the SEC isn't stupid, and would trawl through the data, until they found:

* A set of freshly opened accounts.

* That only shorted a single stock.

* Right before a major hack.

* That cashed out all at once.

* That never traded again.

And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few sql queries can narrow it down to the point that basic detective work can solve the rest.

The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.

This is also exactly how the SEC catches insider-traders: by analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short[1] on your employer twenty minutes before a disastrous earnings report, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.

[1] If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
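The account-screening heuristic in the comment above (fresh account, single stock, short right before the event, one-shot cash-out, then silence) worked through as an added example, not part of the thread. The trade records, the event date, the account names, the table layout and the 30-day lookback window are all constructed assumptions; the point is how far a single SQL pass plus a flag count gets a surveillance analyst before any detective work starts.

```python
"""Screen brokerage accounts for the five traits in the comment above.

Added example with constructed data; table layout, account names, the
30-day lookback and the event date are assumptions, not facts from the thread.
"""
import sqlite3
from datetime import date, timedelta

EVENT_DATE = "2020-07-15"  # constructed: the day the fraudulent tweet goes out

SCHEMA = """
CREATE TABLE accounts (account_id TEXT PRIMARY KEY, opened_on TEXT NOT NULL);
CREATE TABLE trades (
    account_id TEXT NOT NULL REFERENCES accounts(account_id),
    trade_date TEXT NOT NULL,   -- ISO-8601 dates compare correctly as text
    symbol     TEXT NOT NULL,
    side       TEXT NOT NULL,   -- BUY, SELL, SHORT (open short), COVER (close short)
    qty        INTEGER NOT NULL
);
"""

# Constructed sample records: one obvious hit, one near-miss, two legitimate patterns.
ACCOUNTS = [
    ("acct-fresh-1", "2020-07-01"),   # opened two weeks before the event
    ("acct-fresh-2", "2020-06-28"),
    ("acct-fresh-3", "2020-07-05"),
    ("acct-veteran", "2015-03-02"),   # long-standing, diversified trader
]
TRADES = [
    ("acct-fresh-1", "2020-07-13", "TSLA", "SHORT", 500),
    ("acct-fresh-1", "2020-07-15", "TSLA", "COVER", 500),
    ("acct-fresh-2", "2020-07-14", "TSLA", "SHORT", 200),
    ("acct-fresh-2", "2020-07-15", "TSLA", "COVER", 200),
    ("acct-fresh-2", "2020-09-01", "TSLA", "BUY", 10),     # kept trading afterwards
    ("acct-fresh-3", "2020-07-10", "NKLA", "BUY", 50),     # fresh but never shorted
    ("acct-veteran", "2020-06-01", "AAPL", "BUY", 100),
    ("acct-veteran", "2020-07-10", "TSLA", "SHORT", 300),  # also shorted before the event
    ("acct-veteran", "2020-07-12", "MSFT", "BUY", 40),
    ("acct-veteran", "2020-07-15", "TSLA", "COVER", 300),
    ("acct-veteran", "2020-07-20", "AAPL", "SELL", 100),
    ("acct-veteran", "2020-08-01", "TSLA", "BUY", 20),
]

# One pass over the trade table computes raw aggregates per account, then each
# of the five traits becomes a 0/1 column. Named parameters are bound from Python.
SCREEN_SQL = """
WITH per_account AS (
    SELECT a.account_id, a.opened_on,
           COUNT(DISTINCT t.symbol) AS n_symbols,
           SUM(t.side = 'SHORT' AND t.trade_date >= :win_start
                                AND t.trade_date <  :event) AS shorts_in_window,
           COUNT(DISTINCT CASE WHEN t.side = 'COVER' THEN t.trade_date END) AS cover_days,
           MAX(CASE WHEN t.side = 'COVER' THEN t.trade_date END) AS last_cover,
           SUM(t.trade_date > :event) AS trades_after
    FROM accounts a JOIN trades t ON t.account_id = a.account_id
    GROUP BY a.account_id
)
SELECT account_id,
       (opened_on >= :win_start)                           AS fresh_account,
       (n_symbols = 1)                                     AS single_symbol,
       (shorts_in_window > 0)                              AS shorted_before_event,
       COALESCE(cover_days = 1 AND last_cover = :event, 0) AS cashed_out_at_once,
       (trades_after = 0)                                  AS never_traded_again
FROM per_account
"""
FLAG_NAMES = ("fresh_account", "single_symbol", "shorted_before_event",
              "cashed_out_at_once", "never_traded_again")


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO trades VALUES (?, ?, ?, ?, ?)", TRADES)
    return conn


def score_accounts(conn, event_date=EVENT_DATE, lookback_days=30):
    """Return {account_id: {flag: 0/1, ..., 'score': n}} for every account with trades."""
    win_start = (date.fromisoformat(event_date) - timedelta(days=lookback_days)).isoformat()
    rows = conn.execute(SCREEN_SQL, {"event": event_date, "win_start": win_start})
    result = {}
    for account_id, *flags in rows:
        flags = {name: int(v or 0) for name, v in zip(FLAG_NAMES, flags)}
        flags["score"] = sum(flags.values())   # how many of the five traits matched
        result[account_id] = flags
    return result


def flag_suspicious_accounts(conn, event_date=EVENT_DATE, min_flags=4):
    """Accounts matching at least min_flags of the five traits, worst first."""
    scored = score_accounts(conn, event_date)
    hits = [(acct, f["score"]) for acct, f in scored.items() if f["score"] >= min_flags]
    hits.sort(key=lambda h: (-h[1], h[0]))
    return [acct for acct, _ in hits]


if __name__ == "__main__":
    db = build_sample_db()
    for acct, flags in sorted(score_accounts(db).items()):
        print(acct, flags)
    print("for follow-up:", flag_suspicious_accounts(db))
```

The veteran account shorted the same stock before the event and covered on the same day, yet scores only 2 of 5, which is the "most of those accounts would be legitimate traders" point: the list of candidates is small because the traits are only rare in combination.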


It would be nice if the SEC were this dogged in its pursuit of actual insider trading.

It is.

Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.

None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.


Most "insider trading" is done by senior executives. As you observe, only non-connected "idiots" are ever prosecuted for insider trading. This "crime" is merely a way for corporate insiders to enforce penalties against those who defect from their conspiracy against the investing public. Non-insiders who trade on "inside" information release that information to the public, to the public's benefit, before the actual insiders are ready to profit at the public's expense.

Providing lots of examples of prosecutions does nothing to prove they catch even the majority of insider trades because there is no ground truth to work with here.

Maybe the SEC is just good at catching people who don’t think through the paper trail.


Haha, that's a good one.

Wasn't social engineering involved? It could simply be a numbers game. Twitter is no doubt probed daily by attackers and one managed to get through.

I would add 3: People need to stop using "Trust <<insert large company>> instead of self hosting because they have teams of security 'experts' and will have far better security than you ever could on your own".

Never underestimate the intelligence of a teenager!

Never overestimate the intelligence of a teenager either.

I say this as a former teenager.


How are we supposed to get an exact estimate of their intelligence then?

Imagine what a Russian could do.

NYT 2025: Chinese-Russian teenager gets Donald Trump elected in every single country using birth certificate 2FA.

That you, Nancy Pelosi?

Wasn't there one more person involved (Kirk#5270) who apparently did most of the work and let these kids do the work? Sounds like a MafiaBoy situation, where more experienced hackers did the work and let younger script kiddies take the fall for it.

It's implied that the 17 year old is Kirk.
