Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident (ny.gov)
102 points by lelf 36 days ago | hide | past | favorite | 54 comments

Still pretty hilarious that they only managed to get some $100k worth of Bitcoin.

Imagine if instead they tweeted from Musk saying something along the lines of Tesla batteries being faulty and they all need to be recalled. Buy some Tesla puts beforehand and that right there is instant millions.

Heck, even selling the rights to this hack would have gotten them millions.

> Coinbase blocked approximately 5,670 transfers, valued at approximately $1,294,000.

Wasn’t the whole point of crypto that some centralized authority couldn’t do things like this?

That feature is a bug. Exchanges are providing a bug correction service. Fraud protection and reversibility are actually massive features of classical banking, helping the markets tick.

It could become a feature in a post apocalyptic world where the society doesn’t function. Until that day, a system based on social contract will prevail due to massively better user experience.

Wasn't the whole point to be different than the classical banking system? If it's just going to copy it, what's the point?

The whole point is freedom to choose if you want to use coinbase or be your own bank.

The whole point was to convince other people to buy in to a system which guarantees early participants will be subsidized by later ones. The spiel about banking sold well to libertarians and other people who’d given up on regulating banks but you shouldn’t trust the surface message any more than you’d trust a beer commercial saying the point of their product is making attractive people want to have sex with you.

A post apocalyptic world where mining farms and the internet still function?

Honestly? Depends on the apocalypse.

Imagine a climate change apocalypse rather than the nuclear wasteland of Fallout or Mad Max.

Let the sea levels rise enough to displace everyone who is within 30 feet of sea level, add in some famines (also brought on by climate change) and since it's the theme this year, a plague or two exacerbated by a billion climate refugees in camps and slums being ignored by anyone still prosperous.

You could end up in a situation fairly apocalyptic, but still have the scavenged resources to assemble an internet, assuming there wasn't some sort of anti-tech uprising among the survivors, angry at technology for causing the disaster and determined to smash any surviving technology (and technologists) to prevent it from happening again.

I could buy a network of at least regional scale, but the resource constraints would prohibit cryptocurrencies with no meaningful benefits to justify the huge cost increases. It’d all come down to trust between parties anyway without a shared government legal system to fall back on, and in that case there’d be no reason not to use PKI signatures at orders of magnitude lower cost.

I mean, as long as we're fabricating fantastic situations we can maybe come up with one where PoW actually makes sense.

So the thing about PoW is that it doesn't matter how much is actually spent on the "work" part as long as you can't feasibly do more.

So let's add onto our climate change apocalypse some light nuclear war -- not enough that it dominates the end of the world as we know it, but enough that it destroys the infrastructure needed to produce the most specialized mining hardware, and maybe some of the larger datacenters.

Now you have plenty of scavenged ordinary hardware to keep the internet running, plentiful power (since in this hypothetical the population has shrunk dramatically without much infrastructure loss) and a finite supply of mining hardware.

This last would prevent the runaway problem of PoW -- you could string thousands of regular PCs together to compete with the good hardware, but the return would be low enough that it wouldn't be worthwhile to try to expand the mining pool until the old hardware started to fail completely or the new infrastructure was built to fab new hardware -- you might have a few decades before the old incentives to grow the pool kicked back in.

Granted, this is all pretty far-fetched, not the least the social component of people wanting to use cryptocurrency as a widespread unit of exchange, but hey, I'm work-shopping a story set in a dystopian future here, not trying to sell Bitcoin.

I guess my question remains: why? It doesn’t appear to offer anything over a signed IOU – if you don’t deliver the goods when I ask for something real, it doesn’t matter how many bits I have saying you will – and if I need more assurance I’m going to need to find a third party to broker the transaction in any case.

Yeah, there my powers of imagination fall short.

The best I can come up with is "well, if some critical mass of people adopt it early for quirky reasons it could take off", but that doesn't distinguish it from bottle caps.

Sounds like Snow Crash.

Sure, under the premise that individuals don't pretend like an account at e.g. Coinbase is equivalent to owning and holding cryptocurrency.

Don't trust, verify. Not your keys, not your crypto.


The “whole point of crypto” was that you didn’t have to use a service like Coinbase if you didn’t want to. And you don’t.

Crypto does, but Coinbase is a centralized service that can; if people use it for transfers instead of the underlying network, that's on them.

Some insight as to why it's hard to make money from the hack: https://fortenf.org/e/security/2020/07/15/twitter-hack.html

Sell what? They called Twitter employees pretending to be from the IT department.

> Armed with these personal details, the Hackers successfully convinced several Twitter employees that they were from Twitter’s IT department and stole their credentials.

>Heck, even selling the rights to this hack would have gotten them millions.

IIUC, the crackers did sell access to the hacked accounts[0]:

"Sheppard’s alleged alias Chaewon was mentioned twice in stories here since the July 15 incident. On July 16, KrebsOnSecurity wrote that just before the Twitter hack took place, a member of the social media account hacking forum OGUsers named Chaewon advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece."

But that didn't net anyone millions, and apparently that wasn't the point of the hack[1]:

"People within the SIM swapping community are obsessed with hijacking so-called “OG” social media accounts. Short for “original gangster,” OG accounts typically are those with short profile names (such as @B or @joe). Possession of these OG accounts confers a measure of status and perceived influence and wealth in SIM swapping circles, as such accounts can often fetch thousands of dollars when resold in the underground."

[0] https://krebsonsecurity.com/2020/07/three-charged-in-july-15...

[1] https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...

Yes, but don't you think that your proposed scheme is very easily traceable and reversible?

I think you're right, but it's funny (scary?) to think about how “newbie trader makes big options trade on TSLA” is probably not exceedingly rare in the age of Robinhood and WallStreetBets.

Well, it was easily traceable what they did anyway. Some schemes can be more easily hidden than others.

If you were smart enough to think, "hey, wait, instead of stealing bitcoin I could just use this to cause some stocks to have problems, then I can short them"...

At the point you are smart enough to switch from the dominant way of making money in your enterprise, you can probably think up multiple ways to make money that would be even sneakier, and think of ways to hide it and keep the money even if you get caught.

Bitcoin is a bit traceable. Massively out of the money puts are incredibly traceable, and quite well monitored.

$100k is a huge amount for a 17-year-old kid.

> Twitter plays a central role in how we communicate and how news is spread.

The fact a government agency has said this in an official report is saddening.

Can you expand on why it's sad? As someone who doesn't have a Twitter account or participate much in social networking sites, it still seems like a true statement at face value for a large part of the population.

It is indeed true. I suppose it's more the juxtaposition of Twitter, which many people (including myself) have come to despise, with the government, which should be impartial about private endeavors (arguably), in the same report about Twitter's security deficiencies related to the election.

It's just a strange pairing, and to me a bit sad that Twitter of all things has become America's backbone of formal communication.

It feels like it could be in Idiocracy. That's all.

The language of this release feels rather off...

10 to 1, it was somebody at Twitter outsourcing their work to the wrong person.

I literally felt the hand of the Doomsday Clock move closer to midnight, and all these hackers were interested in was making a bunch of traceable transactions to a few accounts linked to Gmail.

For shame, we need to be teaching our youth better dystopian hacker ethics.

You spend too much time online if you think you can start any war over Twitter.

We detached this subthread from https://news.ycombinator.com/item?id=24835277.

Respectfully, I don't think I'm spending too much time online to be cognizant of the fact that we have an administration that is very much capable of doing so.


Wait, on the one hand there's the perception of "Trump just tweets whatever comes to his mind", and on the other hand he/whoever actually runs it is drafting tweets, they're purposefully leaking these drafts to NK to gather what they'd feel like if that was sent? That doesn't seem to fit together.

I don’t have the means (or time or interest) to do this analysis myself, but it has been claimed that half that account’s tweets are him personally and the other half are a team: http://varianceexplained.org/r/trump-tweets/

It’s already been documented that there is a Twitter guy who works closely with Mr. Trump who originates most of the tweets and then gets approval to send them. It was kind of a big deal because he has his own office very close (physically) to the Oval Office. There was a profile of him done a few years ago. I think it was on CBS News.

Was he a Twitter employee? I just remember it as some WH kid who had a converted closet as an office.

"Twitter guy" could mean "person whose job is to post on twitter.com" rather than "person employed by Twitter, Inc."

"That doesn't seem to fit together" is what I have been feeling for 4 years.

He's not exactly the only one to 'worry' about on Twitter. Here you have the Supreme Leader of Iran who 'actually' posted a tweet as a call to violence to 'destroy' another country via a tweet. [0]

If Trump tweeted just that or something similar, it would have been removed instantly. But this one and others from the supreme leader of Iran are still publicly available for all to see.

But nothing violent here or anything to worry about I guess?

[0] https://twitter.com/khamenei_ir/status/1263749566744100864

There's pretty reasonable odds that Trump literally murdered Soleimani because Soleimani was constantly owning him on Twitter (or more accurately, that Trump said yes to the same set of belligerent Iran war hawks he normally says no to because he recognized the name from Twitter).

Trump threatening to destroy Iranian cultural sites and sites important to the country itself, not just destroy a regime:


Exactly. Both tweets should be flagged for glorifying violence and threatening behaviour which is against Twitter's ToS. [0]

But it seems the 'rules' are enforced more on one person over another. You probably can guess why that is.

Downvoters: So these tweets are not signs of threatening behaviour and shouldn't be flagged or don't violate Twitter's ToS? Explain your case.

[0] https://help.twitter.com/en/rules-and-policies/violent-threa...

There isn't a tweet you can send that will start a war unless the administration sending it is willing to confirm that is indeed a move they're making. You think diplomats are idiots.

That tweet threat isn't even an immediate threat.

Sorry, you just don't understand how the world works. Nobody is ever starting a war over Twitter, not least because people understand that accounts can be hacked. And the president's Twitter account tweeting about a war would mean the president gets a call within 2 minutes. It would never happen.

North Korea would absolutely never initiate a war over a tweet; they're fully rational.

Also, nice link to an article about a tweet that the president actually wanted to send, as opposed to a hacker tweeting, which would be denied by the White House within 15 minutes.

I guess on a tech forum, all the techies like to feel powerful. Also, words have never been taken more seriously than before. I'm sure you have noticed cancel culture. Now it's say what we like or you're next!

Stuxnet can/should start wars, your social media app is just that, a social media app, let's not blow too hard.

Step 1: Call up Twitter employees and say you're Twitter's IT department and ask the employee to visit a page to troubleshoot a connection problem they're having, and that page asks for a username, password, and MFA code.

Step 2: With that password, log in to the internal website Twitter employees use to moderate accounts, change jack's account password to "password", log in to twitter.com with username "jack" and password "password" (and repeat for every user you want to log in as).

Step 3: Make a tweet saying "send Bitcoin to [address] and I'll send double back".
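A defender-side illustration of step 2, added here and not taken from the thread or from the report: a small detector over constructed audit-log lines from a hypothetical internal support tool, flagging an operator account that performs password resets or email changes on several distinct user accounts within a few minutes. The log format, field names, action names and thresholds are all assumptions.

```python
# Added example (not from the thread or the report): burst detection over
# constructed audit-log lines from a hypothetical internal support tool.
# Field names, action names, window and threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that let an operator take over a user account (assumed names).
SENSITIVE = {"reset_password", "change_email", "disable_2fa"}

# Constructed sample log: one operator touches four accounts in four minutes.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z operator=alice action=view_profile target=@some_user
2020-07-15T20:02:05Z operator=bob action=reset_password target=@jack
2020-07-15T20:02:40Z operator=bob action=change_email target=@jack
2020-07-15T20:03:15Z operator=bob action=reset_password target=@user_b
2020-07-15T20:04:02Z operator=bob action=reset_password target=@user_c
2020-07-15T20:05:30Z operator=bob action=reset_password target=@user_d
2020-07-15T20:09:00Z operator=alice action=reset_password target=@help_me
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (ts, operator, action, target)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["operator"], kv["action"], kv["target"]


def find_bursts(log_text, window_minutes=10, threshold=3):
    """Return {operator: sorted distinct targets} for every operator who ran
    SENSITIVE actions against >= threshold distinct accounts inside one
    sliding window of window_minutes. Ordinary support work rarely resets
    several unrelated accounts back to back; a stolen session often does."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, target = parse_line(line)
        if action in SENSITIVE:
            events[operator].append((ts, target))
    alerts, window = {}, timedelta(minutes=window_minutes)
    for operator, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            targets = {t for ts, t in evs[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[operator] = sorted(targets)
                break
    return alerts
```

Pair this with a hard control as well as the alert: account-takeover-capable actions in such a tool should require a second approver or a phishing-resistant step-up, since a TOTP code typed into a lookalike page is relayed just as easily as the password.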

> In monetary value, the Hackers stole over $118,000 worth of bitcoin

Did they, really? I mean anyone stupid enough to fall for that ploy was going to lose it some other way shortly anyway.

Fraud is illegal, wire fraud is a federal crime. You didn't really demonstrate a shred of intelligence yourself by praising scammers defrauding people, scammers that eventually got caught because of their complete stupidity.

That was a joke. An obvious one, too.

IDK, didn't read like a joke to me. Poe's law, I guess.

Don't be cruel to the desperate.

Via theft?
