(via https://news.ycombinator.com/item?id=24012968, but we merged the threads)
Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
If a 17yo could do it, I'm sure a nation state could do it.
- https://en.wikipedia.org/wiki/Two-man_rule
Twitter wasn't 'asking for it', and neither were the individuals who lost bitcoins; the 'hackers' intentionally perpetrated deceptions, misrepresentations, and fraud against both Twitter and the general public. If you compare what these three did to a white-collar crime, the dollar amount was small, but the behavior was egregious.
Let's imagine a situation in which someone breaks into my house and steals my TV. I deserve a decent amount of blame if I left my front door wide open before it happened. I deserve much less blame, but still some blame if I left my front door unlocked. I don't deserve any blame if someone broke down my front door to do it.
In this situation, Twitter left their front door unlocked.
Furthermore, Twitter is not even the primary victim here. The biggest victims are the people whose accounts were stolen and the people who were tricked into losing their bitcoin.
Certainly the burglar deserves the lion's share of the blame for what happened, but there's plenty to spread around.
My view is that if a reasonable person would have taken actions that would have avoided the issue in the first place, a person not taking those actions shares in the blame.
My bicycle got stolen from my garage a couple weeks ago. The garage was closed and locked, but someone forced the door at 4am and stole my bike. My bike was not locked to anything. My neighbor's bike was locked to a railing a few feet away from my bike, and did not get stolen. I share some of the blame here because if I had locked my bike up -- an entirely reasonable and prudent thing to do -- my bike would likely not have gotten stolen.
I think maybe the issue is because people are conflating blame with shame. No one should be shamed for stuff like this; it's a learning opportunity. I accept blame and responsibility for my part in my bike's theft, and if/when I get a new bike, I'll take better care to secure it, even when it's indoors.
If people locked bikes in garages, people eager to steal bikes would have tools to cut chains in garages. So while it is safer to lock the bike, the blame for stealing goes to whoever stole it.
And remember that "the problem" is that the attackers hijacked the accounts of people using twitter. Twitter had a duty to take adequate measures to protect those accounts, and failed to do so. The victims are the people whose accounts were stolen, and the people who were defrauded by the hijacked accounts.
That’s hobo mentality.
It’s not your pie. Keep your goddamn hands off the fucking pie.
If hackers are a known problem, a huge company like Twitter has no right to claim it was completely blindsided when it gets hacked.
Twitter is a multinational corporation with access to the personal data of hundreds of millions of users.
It has a duty of care to those users, and at a minimum it should have a dedicated team with security policies and recovery plans.
Aside from the reputational damage, an aggressive and ambitious lawyer could make a good case for a very expensive class action if those plans turn out be defective and/or inadequate.
"As long as it can be established that your possessions have been taken without your permission most policies will pay out on a claim even if your front door was unlocked or your window open."
So, as it says later, "Familiarise yourself with the terms of your policy", which I guess would lead me to not buy insurance from your company.
Aside from that allowing insurance companies to determine who 'deserves blame' seems to run counter to the common perception regarding the moral worth of insurance companies.
Should we blame women for dressing provocatively if they are raped? Should a murder victim be afforded less justice if they were walking around in a bad neighborhood? A crime isn’t a crime if the potential criminal chooses not to act. The ease of committing the crime should have no relevance. Someone doesn’t just accidentally walk into your unlocked house and steal a TV. It’s a choice and blaming the victim is simply wrong.
A woman that goes in a bad neighborhood dressed provocatively and that eventually gets raped, made the mistake of going there in the first place - and honestly speaking, the dress makes no difference. She placed herself in a situation where she is powerless against potential predators, and thus she will go by the predator's rules - because she is forced to do so. That does not mean we should not change this. We should do everything in our power to protect women, and make sure there ARE no such places dangerous for women. Until that happens, to avoid the danger wherever it is is better than rightfully punishing the criminals after the crime happens.
That is not a sexist matter, that goes for countless situations in this world. Women and men alike, or whole other groups are powerless against other people, depending on the situation, and it IS wise to avoid the danger, until we fight to eradicate this powerlessness on each occasion. You can go on despite the dangers to make a statement or in order to contribute to eradicate them, but you know what you are getting into.
I mean, you could have gotten a more sturdy door... drawing the boundary between someone opening an unlocked door and breaking down the door is hard; so I'd agree with "even less blame", but if we believe you are ever at blame here, there isn't anything magical about the lock that shifts you from having blame to being blameless.
Back on topic, I think lots of people would agree that allowing low level employees the ability to completely hijack the accounts of some of the most prominent people on the planet with zero oversight is not a reasonable level of security.
In fact, I would then claim pretty forcibly that a lock strong enough that someone has to break your door is absolutely not the thing reasonable people should have to do to prevent theft (assuming one believes in the idea that people own things, of course ;P).
Like maybe a chain lock should be good? I remember a glorious scene of some cartoon which was like "you know what this chain lock says? it means you aren't getting in here... unless you push with your hands". Closing your door is really not good enough? Having an exposed area with a door--even if open--that looks like a door of a household and not a business?
Look: I appreciate and even agree with the idea that Twitter should have blame here in some very real sense, in that someone always could have done better to protect you if they take responsibility for something about you, particularly if they don't really leave you much choice in how they do it: your friend who borrows your car and leaves it unlocked with its windows down is being negligent; and Twitter here looks like they didn't even try hard to protect anything.
But the reality is that we shouldn't think there is some magic level of "responsible" below which there is blame and above which there is no blame... in this kind of tug of war either we are working in the philosophical regime that you are ever to blame--in which case we can talk about matters of degree--or you are never to blame, but drawing some arbitrary line about "well the data storage was technically X3 7066 compliant, so this is on the other party" is actually an extremely dangerous thought process as it sets us up for companies putting in place minimum security theatre provisions that they know don't work but which they know technically absolves them of blame as it is reasonable (which is a thought process that crops up constantly).
(And seriously: is using a large, centralized social networking site and not expecting your data and accounts to be hacked every now and then reasonable? All of them get hacked. Thereby why are we stopping the blame at Twitter? If we are going into the philosophical regime of truly assigning blame, users should "know better by now" and stop using systems with centralized databases, right? I work in the field of decentralized systems and I absolutely am confused as to why people think their data in the "cloud" is secure and absolutely do not consider their usage "reasonable".)
(And like, to explain that context: this is all coming from someone in the field of hacking and security research who is also in progressive politics and thinks throwing the book at this kid with 30 felonies is ridiculous and maybe he should get some community service at best for what he did, and that we should be regulating big tech more to increase their liability as if we don't then it is essentially giving "moral subsidies" to centralized systems and making it harder for distributed, self sovereign, and end-to-end encrypted systems to compete. I actually agreed with your original comment, but in your defense against an accusation of "victim blaming" you actually do seem to have an inconsistency in your mental model and it is the same one we have to push back against in arguments about victim blaming for sexual assault: the lack of any specific protection doesn't mean you have something to blame for someone assaulting you. The argument for regulating against Twitter and holding them accountable has to come from somewhere different.)
As such, my proposal of punishment would be to give this fellow an unpaid, mandatory internship at Twitter. This teaches them to learn their victim, and Twitter can teach the perpetrator the proper way to handle a company's problems. Show him how fun red teaming or blue teaming or pentesting can be.
Twitter is not the victim here; the users who had their accounts taken over are. Twitter did not lose anything, except an entirely reasonable loss of reputation, because they could have taken measures to prevent this sort of thing from happening, but did not.
Companies need to be held accountable for their breaches. Sure, sometimes a company did do everything they could to prevent a breach, and took steps to mitigate the damage in the event of a breach, and they still happen. But that is vanishingly rare. The main thing I've learned from all the breach disclosures (at least where companies are truthful and forthcoming about what happened) is that security practices are lax and insufficient pretty much everywhere.
That's not ok, and we need to do something to incentivize these companies to properly protect our data, before we all become victims. If financial sanctions and public shaming is the best way to do that, so be it.
I have a feeling that a vast majority would agree that choosing to send your money to a celebrity’s (apparent) bitcoin wallet for any reason will be tough to feel victim-sympathy for, and possibly asking to never see that money again given all of the well regulated systems and norms of money transfer that we have used for decades to centuries. But I understand that they were still taken advantage of and agree that they are victims.
Twitter is to blame here. The only thing they are a victim of is failing to protect their users (whom they have the obligation to protect) in a game where they have the ability to be solely the masters of their own security destiny.
It's a bit pathetic to extend this rape analogy to a business. We don't hold individuals and corporations to the same legal, and/or quality standards.
So, hopefully we can discuss these important policy issues without worrying if "twitters" feelings get hurt.
Now, I don't think the government is prepared to do this proactively and effectively, but the idea of a telco that advertises resilience to hacks (whether through social engineering or technical incompetence) sounds like it would be quite appealing to a growing segment of the connected world and whatever such promises that find success in the marketplace might be used to inform legislation or regulation, eventually...
This is probably off-topic, but companies shouldn't even be sending the passwords over HTTPS; passwords should be hashed client-side and then the hash should be sent to the server (preferably over HTTPS).
Surely if the server accepts a client side hash of a password, then the hash has become the password
1. Api gives user a fixed salt.
2. User types password into input.
3. Client hashes and sends hash to server.
4. Server has another salt and uses the client sent hash to hash it again.
5. This final hash is compared what is in the database.
This way server never has knowledge of the original PW and it's never sent over the network. This reduces for instance the chance of password getting logged in the service etc.
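The five-step scheme above, written out as an added example (not code from the original thread) so the trade-off raised in the reply about "the hash has become the password" can be checked directly. It assumes PBKDF2-SHA256 for the client-side step and an HMAC-SHA256 with a per-user server secret for the server-side step; the iteration count, salt sizes and the in-memory `UserStore` are constructed for illustration.

```python
import hashlib
import hmac
import os

# Iteration count chosen for the example; a real deployment tunes this and
# would usually prefer a memory-hard KDF (Argon2, scrypt) on the server side.
CLIENT_KDF_ITERATIONS = 100_000


def client_prehash(password: str, user_salt: bytes) -> bytes:
    """Steps 1-3: the client derives a token from the typed password and the
    fixed per-user salt handed out by the API. Same password and salt always
    give the same token, so this token is what travels over the network."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), user_salt, CLIENT_KDF_ITERATIONS
    )


def server_hash(wire_token: bytes, server_salt: bytes) -> bytes:
    """Step 4: the server hashes the received token again with its own salt."""
    return hmac.new(server_salt, wire_token, hashlib.sha256).digest()


class UserStore:
    """Minimal in-memory user database, constructed for this example."""

    def __init__(self) -> None:
        self._rows: dict = {}  # username -> (user_salt, server_salt, stored_hash)

    def register(self, username: str, password: str) -> None:
        user_salt = os.urandom(16)
        server_salt = os.urandom(32)
        token = client_prehash(password, user_salt)  # what the client would send
        self._rows[username] = (user_salt, server_salt, server_hash(token, server_salt))

    def user_salt(self, username: str) -> bytes:
        """Step 1: the API returns the user's fixed salt."""
        return self._rows[username][0]

    def verify_token(self, username: str, wire_token: bytes) -> bool:
        """Step 5: re-hash the received token and compare in constant time."""
        _, server_salt, stored = self._rows[username]
        return hmac.compare_digest(server_hash(wire_token, server_salt), stored)

    def stored_record(self, username: str) -> bytes:
        return self._rows[username][2]


def login(store: UserStore, username: str, password: str) -> bool:
    """Full client + server round trip for one login attempt."""
    token = client_prehash(password, store.user_salt(username))
    return store.verify_token(username, token)


def run_scenario() -> dict:
    """Exercise the scheme and report the two properties worth knowing about."""
    store = UserStore()
    store.register("alice", "correct horse battery staple")  # constructed credentials
    token = client_prehash("correct horse battery staple", store.user_salt("alice"))
    return {
        "correct_password_accepted": login(store, "alice", "correct horse battery staple"),
        "wrong_password_rejected": not login(store, "alice", "wrong password"),
        # The server never sees the password, but anyone holding the wire token
        # (a proxy log, a leaked request) can authenticate with it: the token
        # is the credential for this user.
        "wire_token_alone_logs_in": store.verify_token("alice", token),
        # The stored record is not the wire token, so a database dump does not
        # hand out ready-to-use login tokens.
        "db_record_differs_from_wire_token": store.stored_record("alice") != token,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The last two results are the point of the exchange: the scheme keeps the raw password out of server logs, but the client-side hash must still be treated as a secret in transit, which is why the comment says to keep sending it over HTTPS.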
Sometimes the victim deserves some blame. Or at least their actions should be analysed to see where blame lies.
I used to be CTO of an ecommerce platform - small fry, barely £1bn in annual transactions - but it was always absolutely clear in my mind that any breach would be my fault through negligence.
If they did I bet those numbers would change pretty quickly.
Similarly, if Equifax had been shut down under the mountain of lawsuits they should have had for losing people’s data, I bet security would become a much bigger concern for everybody.
The FBI study basically shows that consequences are important.
He said during his first week he made the mistake of putting a CD-ROM with some official training materials into his work system. Within 10 minutes, two people showed up to stop him and investigate what was going on with his computer. It was fine in the end but he was seriously reprimanded by his boss.
When you can’t trust users, the answer isn’t just to give up! It’s to acknowledge their fallibility and create a system that doesn’t rely on 100% compliance. In this case that means having software that instantly reports when any external media is connected.
Ah yes here we go, large scale study, 43% of participants gave away their password when bribed with a chocolate bar. People just don't realize how valuable passwords are.
Nearly 30% of people just gave out their password and didn't even know they were getting chocolate! They gave it away for literally nothing.
Some were given chocolate before and after; nowhere does it say chocolate was offered as payment for sharing the password. Small gifts could have been an inducement to establish relationship and trust, not the same as a bribe as you characterise it.
I find it hard to believe 25/40%-plus of people readily share their password with total strangers; without knowing more details it seems unrealistic.
Social engineering is still a problem but I am not sure bribes are the real concern. And to insinuate that the cost of bribing is as low as candy for a significant chunk of the population is just wrong.
The premise that the integrity of most people can be bribed with a few bars of candy was offensive to me; I hope it is to you as well. The sensationalist headline basically claimed that; the abstract was a very different statement.
I am tired of studies that are constantly being cited these days: readers, journalists and even the principals invariably sensationalize the headlines.
It is a losing battle to get anyone to critically analyse information presented to them; sooner or later you are going to snap. Whether it is alternative medicine, creationism, or conspiracy theories, there is real damage out there every day; few people (Jon Stewart?) are articulate despite being frustrated and are able to civilly engage in discussion.
Even if the study actually claimed what the headline said, the bar to peer-reviewed respected research in much of psychology and social sciences seems so low that just getting some correlation between two parameters is good enough. Raw data is rarely shared, and statistical methods used are superficially understood and discussed; half the analyses are just putting data into a tool like SPSS with whatever defaults IBM puts in these days. There is not much scope for replication of a finding, a core principle of the scientific method.
Well, that's your problem.
The problem is that they have not revealed the massive discrepancy between the common expectation and the truth which I, and I suspect most people, would consider to be fraud. Some might argue that they did not guarantee the common expectation and therefore it is the consumers problem for engaging in wishful thinking, but that is frankly a ridiculous argument. We generally expect, and the law codifies, certain requirements on the consumer-business relationship which effectively amount to: "Consumers have certain reasonable expectations based on common sense, you can't just willy-nilly toss those in a contract and blame the consumer for not reading a 100 page contract where you get to sacrifice their first born in fine-print every time they buy bananas." I do not believe the law exactly codifies this form of fraud, but I think most would agree that a massive discrepancy between consumer expectation and the truth should be clearly communicated (the larger the discrepancy the more clearly/loudly) and acting otherwise should be at the least in the general vicinity of fraud.
In my opinion, the discrepancy is sufficiently large that it should constitute either criminal fraud or gross negligence depending on how aware Twitter was as to their own internal security. If they were aware, they engaged in fraud given they made no effort to properly inform anyone of their security. If they were not aware, they are grossly negligent in that they could not observe such a massive discrepancy between their beliefs and the truth. To anybody who reads this and says that this is a "heads I win, tails you lose" situation, I say that this is a result of the ridiculous discrepancy. If it were less ridiculous, like say a small group of organized hackers or a top-flight hacker, it would probably not qualify as gross negligence in Twitter's case if they were unaware, though it might still be fraud depending on the expectations laid out.
Incidentally, this reasoning scales to other cases people have mentioned like nuclear power plants or banks where people have certain expectations on their security which are likely different and more stringent than Twitter. The important thing is not that they all have the same high level of security, it is that the expectation matches reality and the reality is properly communicated.
2. I think you may actually have it backwards. I would imagine the engineering group at Twitter (the people who have important credentials) is in some ways more paranoid, or at least more technically savvy and therefore more aware than many of the people at the FBI.
We once had a bachelors thesis comparing the results over multiple years, and the results were mostly stable. (Years are mid 2010s).
I know it's obvious, but it feels like it's only obvious to those that think about security. It's the same reason that putting your developers through a yearly OWASP Top 10 secure coding course isn't going to get you to 100% secure code.
Locking down systems seems draconian, but it's the only way:
- Disabling USB storage
- Moving away from passwords to hardware authentication
- Strong controls on internet access
- Stop incoming calls from reaching most employees. Better: take away phones altogether
And so on.
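The comment earlier in the thread about "software that instantly reports when any external media is connected", and the "Disabling USB storage" item in the list above, both come down to the same control: you block what you can, and you alert on what still shows up. As an added example (not code from the original thread or from any product), here is a small detector that scans kernel log lines for removable-storage attachments. The log lines are constructed in the shape of Linux `dmesg` output and are not from a real host; the regexes, severities and the `Alert` type are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of Linux kernel (dmesg) output; not
# taken from any real host. Two devices attach: a mass-storage stick on port
# 1-1 and a keyboard on port 1-2. Only the stick should raise a high alert.
SAMPLE_KERNEL_LOG = """\
[  120.301] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.452] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  120.460] usb-storage 1-1:1.0: USB Mass Storage device detected
[  121.900] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  130.000] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  130.100] input: Example USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input9
"""

# Any USB device arriving on the bus (keyboard, stick, anything): informational.
USB_NEW = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): new .*USB device number (?P<num>\d+)"
)
# The usb-storage driver binding to an interface: this is removable storage.
USB_STORAGE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] usb-storage (?P<iface>[\d.:-]+): USB Mass Storage device detected"
)
# The SCSI disk layer exposing a block device for it.
SD_ATTACH = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] sd \S+: \[(?P<dev>\w+)\] Attached SCSI removable disk"
)


@dataclass
class Alert:
    timestamp: float
    severity: str  # "info" or "high"
    message: str


def scan_kernel_log(text: str) -> list:
    """Turn kernel log lines into alerts; unrelated lines produce nothing."""
    alerts = []
    for line in text.splitlines():
        m = USB_NEW.match(line)
        if m:
            alerts.append(Alert(float(m["ts"]), "info",
                                f"USB device attached on port {m['port']} (device #{m['num']})"))
            continue
        m = USB_STORAGE.match(line)
        if m:
            alerts.append(Alert(float(m["ts"]), "high",
                                f"removable storage detected on interface {m['iface']}"))
            continue
        m = SD_ATTACH.match(line)
        if m:
            alerts.append(Alert(float(m["ts"]), "high",
                                f"removable disk /dev/{m['dev']} is now attached"))
    return alerts


def removable_storage_events(text: str) -> list:
    """Only the events a security team would want paged on."""
    return [a for a in scan_kernel_log(text) if a.severity == "high"]


if __name__ == "__main__":
    for alert in scan_kernel_log(SAMPLE_KERNEL_LOG):
        print(f"[{alert.timestamp:9.3f}] {alert.severity:4s} {alert.message}")
```

On a real host the same function can be fed a stream from `dmesg --follow` or `journalctl -k -f` and the high-severity alerts forwarded to whatever the team already pages on. Note what the example deliberately does not do: it does not treat the keyboard as an incident, which is the difference between the courtroom anecdote later in the thread (plug'n'play keyboards still need to work) and the mass-storage case that the lockdown list is about.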
Such clean room requirements could perhaps work when the threat model include nation state actors or your are handling sensitive financial applications.
Most companies are not defence contractors or banks the security levels you propose won’t be worth the cost to a typical internet tech company .
I have a Chromebook running Arch that has a borked network adapter that I use to plug weird things into/use as an airgapped box I can reset in about 5 minutes. I'd have no qualms about plugging anything into that.
BTW I run Arch
As an aside to that important point, it seems like the solution here is to just remove all random device access points and drives before giving a system to some luddite with no security awareness.
Working at a courtroom I was bemused by the security talks about USB keys, yet the OS setup still allows USB driver installs automatically (granted their local presence). I know because I brought a keyboard to replace the busted one they had in-house and Windows gladly set up everything plug'n'play.
I wonder if OSes have actual rules for this, and if there are secure corporate usb keys
thanks for the tip
I think calling FBI "security-focused" is a bit too generous. They are essentially glorified police detectives, with greater authority and jurisdiction. I don't believe the average FBI agent is particularly competent, in terms of technical (i.e. computer) skill or knowledge.
We’re constantly presented with evidence to the contrary.
I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.
Having full blown security could mean nothing is done easily anymore
Prosecuting is important
One could argue that the victims in this case are the people whose profiles had been hacked.
As for having full blown security getting in the way of getting stuff done, try replacing "Twitter" with "Equifax", a company that handles arguably more sensitive data and should have the "full blown security" you mentioned.
Did they suffer any tangible consequences?
Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.
With regard to "has become", this is completely false. Overcharging is not "new" in any way, shape, or form, as I hope the recent post commemorating Aaron Swartz's death would have reminded all of us.
Modern legal frameworks have roots hundreds of years old, this habit is a recent development of the last few decades.
So why are you trying to browbeat this person over correctly referring to it as a recent trend, using a recent example to do so?
Reminder that every field is tech, churning through the framework of the week like it's going out of fashion...
Justice is expensive and Americans just don't have a taste for it.
Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.
But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.
Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each carbombing. 4 * 5 = 20 years. 25 year old girl... and now her life is basically over. And for what?
4 years for setting a car on fire is not unreasonable, although maybe a little harsh depending on priors. It's a dangerous thing to do.
But setting five cars on fire is not particularly worse than setting one car on fire.
Although I would agree in this case and the rationale would be that it probably would take not much more amount of time to adjust behaviour of someone who did 5 vehicles vs 1. But maybe something like 7 years instead.
No, it's not.
> That's not in any way a normal protest action.
Well, yeah, that’s why it's prosecutable as a crime at all rather than protected first amendment speech.
No, it's because they ended up winning a war and became us. If it had been a group that went on to win a war of national liberation against us, we probably wouldn't look too kindly on it.
I mean, unless you're trying to be funny.
Setting cars on fire is not an act of spreading terror. It is an act of defiance.
do you see how you sound
What it isn't is terrorism.
Now go and listen to some Rage Against the Machine. Are they terrorists?
I really wish people would stop lowering the bar for what's called terrorism. It's a very dangerous slope.
Should a 17 year old lose prime years of his life? Is there a better way to educate/reform the person?
If you say "Well in this other instance, the book got thrown at so-and-so". To this, I would ask, does that make it right?
For example, many of the techniques that are basically public info on YouTube nowadays were hidden in some "darkweb" forum not many years back.
Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure.
It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.
Like, how far am I allowed to go?
Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?
Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?
Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have a look into that User\ List.xslx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?
Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?
Can I attack healthcare providers? Can I attack banks?
Can I use any minutes-old zero-day disclosed by some hackfluencer on his YouTube channel, even if no one reasonably could have reacted to that so quickly?
I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector to get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.
That might lead to everyone below big corporation level virtually having to migrate everything they can to cloud and serverless products, since I'd expect it to get increasingly harder and expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed within the hour, but how many small companies (or individuals running services) could do the same?
200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.
It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
That is exactly my point.
There are tons of crimes that basically anyone can do. If you said instead: people whose houses are set on fire by an arsonist should be liable for poor security, at the very least you'd not be taken very seriously.
There is a duty to not commit crime. There is no duty to avoid being the victim of a crime.
On top of that, there is broad industry consensus that it is largely impossible to write bug free software - certainly at the scale of Twitter. To suggest that they have the duty perform the impossible strikes me as deeply irresponsible if not simply malicious.
If you entrust a bank with 10 thousand dollars, and the bank puts your money in a paper bag and leaves it in the lobby, they are going to be held liable if someone walks away with it. Twitter letting teenagers steal people's data is approaching that level of negligence for a multi-billion dollar company.
Someone breaks in and steals your stuff? We generally don't care, because it's solely your problem.
Someone breaks in and steals other people's stuff that you held, or stuff that's dangerous to others? Depending on what it was, you may be held liable if you didn't take appropriate measures.
If the stolen stuff was, for example, sensitive private information, and you didn't have it in at least a locked cabinet, you may be liable. If it was a gun, in many jurisdictions, you're liable. Your car gets stolen _because you didn't secure it correctly?_ In Germany, you're liable for the damage caused with it!
In Germany (and likely also other jurisdictions), if your car gets stolen because you left the door open and the keys in the ignition, you will be held liable for it to some extent: as the owner of a dangerous machine, you're responsible to reasonably secure it even against illegal acts.
I don't see why this would be different if your machine is a lot bigger, and as a result arguably a lot more dangerous than a single car (imagine tweets trying to trigger violent mobs).
https://dejure.org/gesetze/StVG/7.html subsection 3
Security is not preventing people from doing things, it's having some limitations so it's not done too easily or too quickly (cars are protected by keys, accounts by passwords). Anybody motivated can and will bypass security easily.
Securing their car against... their children? Or distributing the car's keys to 2,000 people?
The whole thing is an ageist rough proxy anyway - a developmentally disabled 30 year old hacking it would be more shameful than a 17 year old college graduate.
Should I be held liable for my poor security practices?
My only concern is what happened with Equifax - some punishment is put on the company and it's only a token amount and nothing changes.
The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.
Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.
I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively change behaviour, and can often turn past offenders into very effective advocates against the crime they committed.
That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.
In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.
Which works on average.
In many types of businesses the cost of a security breach is "priced in" or not considered at all and they are gambling on it happening to their competitors (or not at all) instead of to them.
Look, if you want to pass a law saying all internet business having X personal data needs to prove Y security, then I'd probably be for it (depending on X and Y). We already have PCI-DSS and similar today for payment providers. I'm just saying that there is nothing like that today, and if there was we'd have a lot more irresponsible people in prison.
But, a bank, which is a privately owned entity. I think yes. If I own a bank and have bad security practices, and a breach impacts only my customers. I think the customers have the right to sue the bank but it's up to me to decide what security I use, and if it's not good the customers are free to choose to do business with another bank. But I don't think the govt should decide what level of security is sufficient?
Think of it this way, does this imply if my house is robbed I could be held liable because I chose to use locks on my house that were non-compliant with govt regulation?
In that sense they are not very different from nuclear power plants. Indian Point is owned by Entergy and it gets the money when everything works fine, but the risks are covered by the government through the Price-Anderson Nuclear Industries Indemnity Act.
If your house is robbed, it's your problem. But if you store personally identifiable information for everyone and it gets stolen, now it's everyone's problem.
Seems you believe they should therefore all go to prison,
also if they didn't actually do those particular things
Someone's gonna talk if they haven't already?
Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.
The challenge is to get out and never be caught.
If someone breaks into Twitter, user data is compromised. It's not just the business that pays a price.
Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.
I guess in the US there are so many guns that perhaps criminals will just assume that you're armed anyway. But IMO that only makes the case for gun control stronger. Because the most effective way to change that attitude would be to dramatically decrease the number of guns in circulation.
for this young man, it should be 1 charge, maybe 1-2 weeks in jail (to demonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.
we destroy lives gone astray rather than nudge them back onto the happier path(s). mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. the punishment should reflect that.
what charge should they leave out? Also he will not serve, say 15 years X 30 charges, if found guilty.
Now they are dealing with him, what happens to Twitter, if anything, is a different story. 17 years old or 19...he knew what he did
So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.
It's an age that was settled upon by common-sense consensus over a grand function of "Well, most Americans (descended from Europeans) thought it should be around 21," and that's probably because 21 is a nice, round number. Then the draft age got pushed to 18 because we needed more bodies for the meat-grinder in World War II, and the voting age followed around Vietnam when too many people asked "Wait, in what way is it just or fair we can force people to fight and die in a war who can't even vote?"
There isn't a lot of hard science (beyond the most ancient human science of all: observation across millions of data-points loosely confederated into "common sense") underpinning the age of majority.
Also, Twitter is just a collection of people and a single person is trivial to exploit.
Do you really think Lee Harvey Oswald acted alone?
Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.
To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.
Kid had the whole attention of the world for a few minutes, could've walked away a billionaire, start WW3, casino royale stock trading - everything, anything - CREATIVELY there's so much that could've been done and it all fell down to a bitcoin scam that netted less than 150K (wallet shows about 128k.)
That's a yearly salary of a help desk engineer on the west coast.
--I'm not sure which video to link of "Burn after reading" but the entire movie is how this was handled.
Trump (surprised they didn’t hit that) - no new stimulus for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple small cap companies that are going to receive massive boosts like the Kodak thing.
Tim Cook: Apple sales flagging, iPhone production issues due to supply chain issues
Take a bit of timing to get it right and be able to walk away from the markets relatively untraced (market trade interrogation is a useful way to trace inside information so hard to do in a way that leaves no trace but if you know you can perform your hack at leisure you can set up the initial trades well forward, wait for the market and some other external condition to walk into your ambush and then pounce).
Best case he'd probably have a few tens of thousands in capital, and he gets one shot at it. In order to get the kind of leverage needed, he'd need to use short term options and/or move penny stocks. Either one of those would paint a giant target on him.
"Because they're young punks and didn't think of that" is a reasonable answer.
I have bad news, there are no important individuals. Sorry.
He’s being charged in state court - specifically the state he resides in.
The charges are being brought in San Francisco - which is thousands of miles from the where the other suspects live.
Relative to the other defendants, he’s getting it easy.
Yes, he’s technically facing life in prison. But it’s a prison near his home.
He probably won’t get life in prison, but at least he’ll be able to get family visits, etc.
The release doesn't say either that he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—“With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile”—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities.)
It’s much clearer as to what’s happening at the state level.
It’s also clearer that, for now anyway, he’s being held near his family.
To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.
They will not get hit with a 30 year sentence.
They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.
You want those people LEADING us "into the future of science"?
Their mistake was they failed to call it a "series A funding round."
1. It's incredible that the security of Twitter allows for a solitary 17-year-old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.
You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.
"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands."
You might be on to something.
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.
Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.
The nice thing is, they could do one or even multiple of these and still do the scam.
He could have done the scam on e.g. Elon Musk's account to get some bitcoin and then pulled this scam on an exchange using the money from the first scam
Sounds like a great way to have a crooked exchange make you insolvent very quickly. Be very careful using any kind of leverage.
Still, in the described scenario, where you use a scam and market manipulation, 100x seems like a great tool.
But if you were pulling the twitter scam, as I described, you would be risking a few $K on this trade in the hopes for making a million or two, while still being able to do the scam they did. Sure, there are risks (such as being able to withdraw at all after using the twitter hack to manipulate the market), but chances are there are plenty of others who will have shorted too so you’d be part of the noise and wait a week before withdrawing. It's not a perfect plan, but it's straightforward with the potential to multiply the scammed money.
* A set of freshly opened accounts.
* That only shorted a single stock.
* Right before a major hack.
* That cashed out all at once.
* That never traded again.
And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few SQL queries can narrow it down to the point that basic detective work can solve the rest.
The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.
This is also exactly how the SEC catches insider-traders. By analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short on your employer twenty minutes before a disastrous earnings, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.
If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
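The account screen the comment above sketches, written out as an added example that is not from the thread: one SQL query (run here through Python's sqlite3 over constructed records) scores every account against the five criteria and a second function flags those meeting at least four. The event date, account ids, table layout and the "share of balance withdrawn" column are all assumptions made for the example.

```python
import sqlite3
from datetime import date, timedelta

# Hypothetical date of the market-moving tweet; every record below is constructed.
EVENT = date(2020, 7, 15)
ACCOUNTS = [("A1", "2020-07-01"), ("A2", "2015-03-09"), ("A3", "2020-07-10")]
TRADES = [  # (account_id, traded_on, symbol, side)
    ("A1", "2020-07-14", "XYZ", "short"), ("A1", "2020-07-15", "XYZ", "cover"),
    ("A2", "2020-07-14", "XYZ", "short"), ("A2", "2020-07-14", "ABC", "buy"),
    ("A2", "2020-08-03", "DEF", "buy"),
    ("A3", "2020-07-14", "XYZ", "short"), ("A3", "2020-07-15", "XYZ", "cover"),
    ("A3", "2020-07-20", "XYZ", "buy"), ("A3", "2020-08-11", "ABC", "buy"),
]
WITHDRAWALS = [("A1", "2020-07-16", 1.0), ("A3", "2020-07-16", 1.0)]  # (id, date, share of balance)

# One column per criterion, each 0 or 1, so a plain sum gives the account's score.
QUERY = """
WITH per_account AS (
    SELECT a.account_id,
           julianday(:event) - julianday(a.opened_on) AS age_days,
           COUNT(DISTINCT t.symbol) AS n_symbols, SUM(t.side = 'short') AS n_shorts,
           MIN(t.traded_on) AS first_trade, MAX(t.traded_on) AS last_trade
    FROM accounts a JOIN trades t USING (account_id)
    GROUP BY a.account_id)
SELECT account_id,
       age_days <= 30 AS fresh,
       n_symbols = 1 AND n_shorts > 0 AS single_short,
       julianday(:event) - julianday(first_trade) BETWEEN 0 AND 3 AS just_before,
       EXISTS (SELECT 1 FROM withdrawals w
               WHERE w.account_id = p.account_id AND w.share >= 1.0) AS cashed_out,
       last_trade <= :quiet_after AS went_quiet
FROM per_account p"""

def load(con):
    con.executescript("""
        CREATE TABLE accounts(account_id TEXT, opened_on TEXT);
        CREATE TABLE trades(account_id TEXT, traded_on TEXT, symbol TEXT, side TEXT);
        CREATE TABLE withdrawals(account_id TEXT, withdrawn_on TEXT, share REAL);""")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    con.executemany("INSERT INTO trades VALUES (?, ?, ?, ?)", TRADES)
    con.executemany("INSERT INTO withdrawals VALUES (?, ?, ?)", WITHDRAWALS)

def score_accounts(event=EVENT):
    """Return {account_id: how many of the five criteria the account satisfies}."""
    con = sqlite3.connect(":memory:")
    load(con)
    params = {"event": event.isoformat(), "quiet_after": (event + timedelta(days=1)).isoformat()}
    return {row[0]: sum(row[1:]) for row in con.execute(QUERY, params)}

def flag_accounts(event=EVENT, threshold=4):  # the accounts worth a phone call
    return sorted(a for a, s in score_accounts(event).items() if s >= threshold)
```

Lowering the threshold to 3 also pulls in the fresh account that cashed out but kept trading, which is the kind of legitimate trader the comment expects to hit.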
Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.
None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.
Maybe the SEC is just good at catching people who don’t think through the paper trail.
I say this as a former teenager