(via https://news.ycombinator.com/item?id=24012968, but we merged the threads)
Also: don't miss that this thread has multiple pages of comments. That's what the "More" link at the bottom of the page points to. Or you can click here for page 2:
Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
If a 17yo could do it, I'm sure a nation state could do it.
 - https://en.wikipedia.org/wiki/Two-man_rule
Twitter wasn't 'asking for it', and neither were the individuals who lost bitcoins; the 'hackers' intentionally perpetrated deceptions, misrepresentations, and fraud against both Twitter and the general public. If you compare what these three did to a white-collar crime, the dollar amount was small, but the behavior was egregious.
Let's imagine a situation in which someone breaks into my house and steals my TV. I deserve a decent amount of blame if I left my front door wide open before it happened. I deserve much less blame, but still some blame if I left my front door unlocked. I don't deserve any blame if someone broke down my front door to do it.
In this situation, Twitter left their front door unlocked.
Furthermore, Twitter is not even the primary victim here. The biggest victims are the people whose accounts were stolen and the people who were tricked into losing their bitcoin.
Twitter is not the victim here; the users who had their accounts taken over are. Twitter did not lose anything, except an entirely reasonable loss of reputation, because they could have taken measures to prevent this sort of thing from happening, but did not.
Companies need to be held accountable for their breaches. Sure, sometimes a company did do everything they could to prevent a breach, and took steps to mitigate the damage in the event of a breach, and they still happen. But that is vanishingly rare. The main thing I've learned from all the breach disclosures (at least where companies are truthful and forthcoming about what happened) is that security practices are lax and insufficient pretty much everywhere.
That's not ok, and we need to do something to incentivize these companies to properly protect our data, before we all become victims. If financial sanctions and public shaming is the best way to do that, so be it.
I have a feeling that a vast majority would agree that choosing to send your money to a celebrity’s (apparent) bitcoin wallet for any reason will be tough to feel victim-sympathy for, and possibly asking to never see that money again given all of the well regulated systems and norms of money transfer that we have used for decades to centuries. But I understand that they were still taken advantage of and agree that they are victims.
Twitter is to blame here. The only thing they are a victim of is failing to protect their users (whom they have the obligation to protect) in a game where they have the ability to be solely the masters of their own security destiny.
It's a bit pathetic to extend this rape analogy to a business. We don't hold individuals and corporations to the same legal and/or quality standards.
So, hopefully we can discuss these important policy issues without worrying if "twitters" feelings get hurt.
Now, I don't think the government is prepared to do this proactively and effectively, but the idea of a telco that advertises resilience to hacks (whether through social engineering or technical incompetence) sounds like it would be quite appealing to a growing segment of the connected world and whatever such promises that find success in the marketplace might be used to inform legislation or regulation, eventually...
I used to be CTO of an ecommerce platform - small fry, barely £1bn in annual transactions - but it was always absolutely clear in my mind that any breach would be my fault through negligence.
Sometimes the victim deserves some blame. Or at least their actions should be analysed to see where blame lies.
If they did I bet those numbers would change pretty quickly.
Similarly, if Equifax had been shut down under the mountain of lawsuits they should have had for losing people’s data, I bet security would become a much bigger concern for everybody.
The FBI study basically shows that consequences are important.
He said during his first week he made the mistake of putting a CD-ROM with some official training materials into his work system. Within 10 minutes, two people showed up to stop him and investigate what was going on with his computer. It was fine in the end but he was seriously reprimanded by his boss.
When you can’t trust users, the answer isn’t just to give up! It’s to acknowledge their fallibility and create a system that doesn’t rely on 100% compliance. In this case that means having software that instantly reports when any external media is connected.
Ah yes here we go, large scale study, 43% of participants gave away their password when bribed with a chocolate bar. People just don't realize how valuable passwords are.
Nearly 30% of people just gave out their password and didn't even know they were getting chocolate! They gave it away for literally nothing.
Some were given chocolate before and after; nowhere does it say chocolate was offered as payment for sharing the password. Small gifts could have been an inducement to establish relationship and trust, not the same as a bribe as you characterise it.
I find it hard to believe 25/40% plus of people readily share their password with total strangers; without knowing more details it seems unrealistic.
Social engineering is still a problem, but I am not sure bribes are the real concern. And to insinuate the cost of bribing is as low as candy for a significant chunk of the population is just wrong.
Well, that's your problem.
The problem is that they have not revealed the massive discrepancy between the common expectation and the truth which I, and I suspect most people, would consider to be fraud. Some might argue that they did not guarantee the common expectation and therefore it is the consumer's problem for engaging in wishful thinking, but that is frankly a ridiculous argument. We generally expect, and the law codifies, certain requirements on the consumer-business relationship which effectively amount to: "Consumers have certain reasonable expectations based on common sense, you can't just willy-nilly toss those in a contract and blame the consumer for not reading a 100 page contract where you get to sacrifice their first born in fine-print every time they buy bananas." I do not believe the law exactly codifies this form of fraud, but I think most would agree that a massive discrepancy between consumer expectation and the truth should be clearly communicated (the larger the discrepancy the more clearly/loudly) and acting otherwise should be at the least in the general vicinity of fraud.
In my opinion, the discrepancy is sufficiently large that it should constitute either criminal fraud or gross negligence depending on how aware Twitter was as to their own internal security. If they were aware, they engaged in fraud given they made no effort to properly inform anyone of their security. If they were not aware, they are grossly negligent in that they could not observe such a massive discrepancy between their beliefs and the truth. To anybody who reads this and says that this is a "heads I win, tails you lose" situation, I say that this is a result of the ridiculous discrepancy. If it were less ridiculous, like say a small group of organized hackers or a top-flight hacker, it would probably not qualify as gross negligence in Twitter's case if they were unaware, though it might still be fraud depending on the expectations laid out.
Incidentally, this reasoning scales to other cases people have mentioned like nuclear power plants or banks where people have certain expectations on their security which are likely different and more stringent than Twitter. The important thing is not that they all have the same high level of security, it is that the expectation matches reality and the reality is properly communicated.
2. I think you may actually have it backwards. I would imagine the engineering group at Twitter (the people who have important credentials) is in some ways more paranoid, or at least more technically savvy and therefore more aware than many of the people at the FBI.
We once had a bachelor's thesis comparing the results over multiple years, and the results were mostly stable. (Years are mid 2010s.)
I know it's obvious, but it feels like it's only obvious to those that think about security. It's the same reason that putting your developers through a yearly OWASP Top 10 secure coding course isn't going to get you to 100% secure code.
Locking down systems seems draconian, but it's the only way:
- Disabling USB storage
- Moving away from passwords to hardware authentication
- Strong controls on internet access
- Stop incoming calls from reaching most employees. Better: take away phones altogether
And so on.
Such clean room requirements could perhaps work when the threat model includes nation-state actors or you are handling sensitive financial applications.
Most companies are not defence contractors or banks; the security levels you propose won't be worth the cost to a typical internet tech company.
I have a Chromebook running Arch that has a borked network adapter that I use to plug weird things into/use as an airgapped box I can reset in about 5 minutes. I'd have no qualms about plugging anything into that.
 BTW I run Arch
As an aside to that important point, it seems like the solution here is to just remove all random device access points and drives before giving a system to some luddite with no security awareness.
Working at a courtroom, I was bemused by the security talks about USB keys, yet the OS setup still allows USB driver installs automatically (granted, with local presence). I know because I brought a keyboard to replace the busted one they had in-house and Windows gladly set up everything plug'n'play.
I wonder if OSes have actual rules for this, and if there are secure corporate usb keys
thanks for the tip
I think calling FBI "security-focused" is a bit too generous. They are essentially glorified police detectives, with greater authority and jurisdiction. I don't believe the average FBI agent is particularly competent, in terms of technical (i.e. computer) skill or knowledge.
I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.
Having full blown security could mean nothing is done easily anymore
Prosecuting is important
One could argue that the victims in this case are the people whose profiles had been hacked.
As for having full blown security getting in the way of getting stuff done, try replacing "Twitter" with "Equifax", a company that handles arguably more sensitive data and should have the "full blown security" you mentioned.
Did they suffer any tangible consequences?
Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.
With regard to "has become", this is completely false. Overcharging is not "new" in any way, shape, or form, as I hope the recent post commemorating Aaron Swartz's death would have reminded all of us.
Modern legal frameworks have roots hundreds of years old, this habit is a recent development of the last few decades.
So why are you trying to browbeat this person over correctly referring to it as a recent trend, using a recent example to do so?
Reminder that every field is tech, churning through the framework of the week like it's going out of fashion...
Justice is expensive and Americans just don't have a taste for it.
Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.
But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.
Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each car bombing. 4 * 5 = 20 years. 25 year old girl... and now her life is basically over. And for what?
4 years for setting a car on fire is not unreasonable, although maybe a little harsh depending on priors. It's a dangerous thing to do.
But setting five cars on fire is not particularly worse than setting one car on fire.
Although I would agree in this case and the rationale would be that it probably would take not much more amount of time to adjust behaviour of someone who did 5 vehicles vs 1. But maybe something like 7 years instead.
No, it's not.
> That's not in any way a normal protest action.
Well, yeah, that’s why it's prosecutable as a crime at all rather than protected first amendment speech.
I mean, unless you're trying to be funny.
Setting cars on fire is not an act of spreading terror. It is an act of defiance
do you see how you sound
I really wish people would stop lowering the bar for what's called terrorism. It's a very dangerous slope.
Should a 17 year old lose prime years of his life? Is there a better way to educate/reform the person?
If you say "Well in this other instance, the book got thrown at so-and-so". To this, I would ask, does that make it right?
For example, many of the techniques that are basically public info on YouTube nowadays were hidden in some "darkweb" forum not many years back.
Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure.
It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.
Like, how far am I allowed to go?
Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?
Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?
Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have a look into that User\ List.xslx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?
Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?
Can I attack healthcare providers? Can I attack banks?
Can I use any minutes-old zero-day disclosed by some hackfluencer on his YouTube channel, even if no one reasonably could have reacted to that so quickly?
I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector to get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.
That might lead to everyone below big corporation level virtually having to migrate everything they can to cloud and serverless products, since I'd expect it to get increasingly harder and more expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed within the hour, but how many small companies (or individuals running services) could do the same?
200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.
It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
That is exactly my point.
There are tons of crimes that basically anyone can do. If you said instead: people whose houses are set on fire by an arsonist should be liable for poor security, at the very least you'd not be taken very seriously.
There is a duty to not commit crime. There is no duty to avoid being the victim of a crime.
On top of that, there is broad industry consensus that it is largely impossible to write bug free software - certainly at the scale of Twitter. To suggest that they have the duty to perform the impossible strikes me as deeply irresponsible if not simply malicious.
If you entrust a bank with 10 thousand dollars, and the bank puts your money in a paper bag and leaves it in the lobby, they are going to be held liable if someone walks away with it. Twitter letting teenagers steal people's data is approaching that level of negligence for a multi-billion dollar company.
In Germany (and likely also other jurisdictions), if your car gets stolen because you left the door open and the keys in the ignition, you will be held liable for it to some extent: As the owner of a dangerous machine, you're responsible to reasonably secure it even against illegal acts. 
I don't see why this would be different if your machine is a lot bigger, and as a result arguably a lot more dangerous than a single car (imagine tweets trying to trigger violent mobs).
 https://dejure.org/gesetze/StVG/7.html subsection 3
Security is not preventing people from doing things, it's having some limitations so it's not too easily too quickly (cars are protected by keys, accounts by passwords). Anybody motivated can and will bypass security easily.
Securing their car against... their children? Or distributing the car's keys to 2,000 people?
The whole thing is an ageist rough proxy anyway - a developmentally disabled 30 year old hacking it would be more shameful than a 17 year old college graduate.
Should I be held liable for my poor security practices?
The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.
Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.
I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively change behaviour, and can often turn past offenders into very effective advocates against the crime they committed.
That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.
In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.
Which works on average.
In many types of businesses the cost of a security breach is "priced in" or not considered at all and they are gambling on it happening to their competitors (or not at all) instead of to them.
Look, if you want to pass a law saying all internet business having X personal data needs to prove Y security, then I'd probably be for it (depending on X and Y). We already have PCI-DSS and similar today for payment providers. I'm just saying that there is nothing like that today, and if there was we'd have a lot more irresponsible people in prison.
But a bank, which is a privately owned entity? I think yes. If I own a bank and have bad security practices, and a breach impacts only my customers, I think the customers have the right to sue the bank, but it's up to me to decide what security I use, and if it's not good the customers are free to choose to do business with another bank. But I don't think the govt should decide what level of security is sufficient?
Think of it this way, does this imply if my house is robbed I could be held liable because I chose to use locks on my house that were non compliant to govt regulation?
In that sense they are not very different from nuclear power plants. Indian Point is owned by Entergy and it gets the money when everything works fine, but the risks are covered by the government through Price-Anderson Nuclear Industries Indemnity Act.
If your house is robbed, it's your problem. But if you store personally identifiable information for everyone and it gets stolen, now it's everyone's problem.
Seems you believe they should therefore all go to prison,
also if they didn't actually do those particular things
Someone's gonna talk if they haven't already?
Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.
The challenge is to get out and never be caught.
Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.
I guess in the US there are so many guns that perhaps criminals will just assume that you're armed anyway. But IMO that only makes the case for gun control stronger. Because the most effective way to change that attitude would be to dramatically decrease the number of guns in circulation.
If someone breaks into Twitter, user data is compromised. It's not just the business that pays a price.
what charge should they leave out? Also he will not serve, say 15 years X 30 charges, if found guilty.
Now they are dealing with him, what happens to Twitter, if anything, is a different story. 17 years old or 19...he knew what he did
For this young man, it should be 1 charge, maybe 1-2 weeks in jail (to demonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.
we destroy lives gone astray rather than nudge them back onto the happier path(s). mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. the punishment should reflect that.
So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.
It's an age that was settled upon by common-sense consensus over a grand function of "Well, most Americans (descended from Europeans) thought it should be around 21," and that's probably because 21 is a nice, round number. Then the draft age got pushed to 18 because we needed more bodies for the meat-grinder in World War II, and the voting age followed around Vietnam when too many people asked "Wait, in what way is it just or fair we can force people to fight and die in a war who can't even vote?"
There isn't a lot of hard science (beyond the most ancient human science of all: observation across millions of data-points loosely confederated into "common sense") underpinning the age of majority.
Also, Twitter is just a collection of people and a single person is trivial to exploit.
Do you really think Lee Harvey Oswald acted alone?
Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.
To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.
Kid had the whole attention of the world for a few minutes, could've walked away a billionaire, started WW3, Casino Royale stock trading - everything, anything - CREATIVELY there's so much that could've been done and it all fell down to a bitcoin scam that netted less than 150K (wallet shows about 128k).
That's a yearly salary of a help desk engineer on the west coast.
--I'm not sure which video to link of "Burn after reading" but the entire movie is how this was handled.
Trump (surprised they didn’t hit that) - no new stimulus for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple small cap companies that are going to receive massive boosts like the Kodak thing.
Tim Cook: Apple sales flagging, iPhone production issues due to supply chain issues
Take a bit of timing to get it right and be able to walk away from the markets relatively untraced (market trade interrogation is a useful way to trace inside information, so it's hard to do in a way that leaves no trace, but if you know you can perform your hack at leisure you can set up the initial trades well forward, wait for the market and some other external condition to walk into your ambush, and then pounce).
"Because they're young punks and didn't think of that" is a reasonable answer.
I have bad news, there are no important individuals. Sorry.
He’s being charged in state court - specifically the state he resides in.
The charges are being brought in San Francisco - which is thousands of miles from the where the other suspects live.
Relative to the other defendants, he’s getting it easy.
Yes, he’s technically facing life in prison. But it’s a prison near his home.
He probably won’t get life in prison, but at least he’ll be able to get family visits, etc.
The release doesn't say either that he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—“With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile”—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities).
It’s much clearer as to what’s happening at the state level.
It’s also clearer that, for now anyway, he’s being held near his family.
To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.
They will not get hit with a 30 year sentence.
They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.
You want those people LEADING us "into the future of science"?
Their mistake was they failed to call it a "series A funding round."
1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.
You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.
"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands."
You might be on to something.
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.
Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.
The nice thing is, they could do one or even multiple of these and still do the scam.
He could have done the scam on e.g. Elon Musk's account to get some bitcoin and then pulled this scam on an exchange using the money from the first scam.
Sounds like a great way to have a crooked exchange make you insolvent very quickly. Be very careful using any kind of leverage.
* A set of freshly opened accounts.
* That only shorted a single stock.
* Right before a major hack.
* That cashed out all at once.
* That never traded again.
And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few SQL queries can narrow it down to the point that basic detective work can solve the rest.
The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.
This is also exactly how the SEC catches insider-traders. By analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short on your employer twenty minutes before a disastrous earnings, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.
 If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.
None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.
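The five-criteria screen described above (fresh account, a single shorted symbol, the short opened just before the event, a one-shot cash-out, no new positions afterwards), written out as the kind of query a compliance or regulator analyst would run. This is an added example, not code from anyone in the thread: the schema, the sample trades and the hack timestamp are all constructed, and the scoring thresholds are assumptions.

```python
import sqlite3

# Assumed event timestamp for the constructed scenario (not taken from the thread).
HACK_DATE = "2020-07-15 20:00:00"

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, opened TEXT NOT NULL);
CREATE TABLE trades (
    account_id INTEGER, ts TEXT, symbol TEXT,
    side TEXT CHECK (side IN ('buy', 'sell', 'short', 'cover')), qty INTEGER);
CREATE TABLE withdrawals (account_id INTEGER, ts TEXT, amount REAL, balance_before REAL);
"""

# Constructed sample data: four accounts, two of which should look suspicious.
ACCOUNTS = [(1, "2020-07-10"), (2, "2015-03-02"), (3, "2020-07-01"), (4, "2020-06-25")]
TRADES = [
    # account 1: shorts XYZ hours before the event, covers afterwards, nothing else
    (1, "2020-07-15 18:05:00", "XYZ", "short", 400),
    (1, "2020-07-16 09:31:00", "XYZ", "cover", 400),
    # account 2: long-standing, diversified trader who also happened to short XYZ
    (2, "2020-07-01 10:00:00", "ABC", "buy", 50),
    (2, "2020-07-14 11:20:00", "XYZ", "short", 20),
    (2, "2020-07-20 14:00:00", "DEF", "buy", 10),
    # account 3: fresh account, one short the day before, never touched again
    (3, "2020-07-14 10:00:00", "XYZ", "short", 300),
    # account 4: fresh account that only bought and sold ABC
    (4, "2020-07-05 10:00:00", "ABC", "buy", 10),
    (4, "2020-07-10 10:00:00", "ABC", "sell", 10),
]
WITHDRAWALS = [
    (1, "2020-07-17 09:00:00", 2500.0, 2500.0),  # emptied in one go
    (3, "2020-07-20 09:00:00", 500.0, 1000.0),   # only half withdrawn
    (4, "2020-07-12 09:00:00", 900.0, 900.0),    # emptied, but no short involved
]

# Each criterion evaluates to 0/1 in SQLite, so summing them gives a score.
QUERY = """
WITH per_account AS (
    SELECT a.id AS account_id,
        -- 1. freshly opened: account age at event time within :fresh_days
        (julianday(:hack_date) - julianday(a.opened)) <= :fresh_days AS fresh,
        -- 2. only ever shorted (and covered) a single symbol
        (SELECT COUNT(DISTINCT symbol) FROM trades t WHERE t.account_id = a.id) = 1
            AND NOT EXISTS (SELECT 1 FROM trades t WHERE t.account_id = a.id
                            AND t.side NOT IN ('short', 'cover')) AS single_short,
        -- 3. the short was opened in the :window_days before the event
        EXISTS (SELECT 1 FROM trades t WHERE t.account_id = a.id AND t.side = 'short'
                AND t.ts < :hack_date
                AND julianday(:hack_date) - julianday(t.ts) <= :window_days) AS before_hack,
        -- 4. exactly one withdrawal, and it emptied the account
        (SELECT COUNT(*) FROM withdrawals w WHERE w.account_id = a.id) = 1
            AND EXISTS (SELECT 1 FROM withdrawals w WHERE w.account_id = a.id
                        AND w.amount >= w.balance_before) AS cashed_out,
        -- 5. no new positions opened after the event (covering the short is expected)
        NOT EXISTS (SELECT 1 FROM trades t WHERE t.account_id = a.id
                    AND t.ts > :hack_date AND t.side IN ('buy', 'short')) AS never_again
    FROM accounts a
)
SELECT * FROM (
    SELECT *, fresh + single_short + before_hack + cashed_out + never_again AS score
    FROM per_account)
WHERE score >= :min_score
ORDER BY score DESC, account_id;
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO trades VALUES (?, ?, ?, ?, ?)", TRADES)
    conn.executemany("INSERT INTO withdrawals VALUES (?, ?, ?, ?)", WITHDRAWALS)
    return conn


def flag_accounts(conn, hack_date, fresh_days=30, window_days=7, min_score=4):
    """Return accounts meeting at least min_score of the five criteria, best first.

    The thresholds (30-day "fresh", 7-day pre-event window, 4 of 5) are assumptions
    chosen for the example; a real screen would tune them to the venue's data.
    """
    params = {"hack_date": hack_date, "fresh_days": fresh_days,
              "window_days": window_days, "min_score": min_score}
    return [dict(row) for row in conn.execute(QUERY, params)]


if __name__ == "__main__":
    for row in flag_accounts(build_sample_db(), HACK_DATE):
        print(row)
```

Account 1 hits all five criteria and account 3 four of them (it did not cash out), while the diversified long-term trader and the buy-only fresh account fall below the threshold and are left for human follow-up only if the analyst lowers it.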
I say this as a former teenager
From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).
And yes, the charge count is insane but the US loves holding a bit of life-ruining theater when they catch hackers threatening commercial interests. e.g. Aaron Swartz's conviction: https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...
Social engineering most often involves impersonation, so the person getting access was not really the intended party.
That's an interesting idea, and I think I agree with you in spirit. But don't most hacking-related criminal charges boil down to "unauthorized access to a computer"? It would be hard to argue that the company that owns the computers has unauthorized access.
Maybe a better phraseology would be to say that the company is an accomplice to the hacker. For that to really hold up, I think you would need to show that the company was negligent or not keeping up with security best practices.
That's not the way I'd argue. I'd say the company has authorized access and they then gave access to fraudsters who should not have been given access to the system, which is where they were aiding the fraud.
So they aren't the principal offender, but they did aid in the offence which is what I'm suggesting makes them an accomplice (although as another paulpauper points out, an accomplice has to be aware they're aiding a crime - being duped isn't a crime).
It can be. Twitter could be found criminally negligent if they knew the risk of this type of attack (or it was obvious) but chose to ignore it.
Aren't they? I've seen a lot of insurance cases being denied due to negligence. This might even happen if you let your bag lie around openly in your locked car.
Also, burglar victims tend not to cause further damage. And, if they do, the victims will be in trouble as well. At least in Germany, a stolen gun will cause you a lot of problems, unless you can prove that you stored it securely according to the national guidelines.
Your home was broken into and your jewelry stolen? No, you're not criminally liable for anything, you were the only victim.
Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?
It doesn't have to be a binary thing either, there's nuance to it. A hacker steals unencrypted personal information off a server you didn't even password protect? You're more liable than a company that lost personal information that was strongly encrypted.
This is one of those ideas that seems to be made in good faith but ultimately harms the competition far more than it harms the industry leaders. Twitter can afford cameras and alarm systems for its data centers; I can’t. Twitter can afford to hire armed guards; I can’t.
The ultimate end result of a policy like this is that people will simply kill anyone trespassing on their property; after all, who knows what documents they may have seen or confidential records they may have exfiltrated. It’s way too heavy handed.
That will probably get you more jail time than whatever other liabilities you might have had, which realistically maybe would have just been civil anyway, were some policy like this to become real.
But put another way, in context of business collecting personal user data: if you can't secure it, don't collect it. If your business isn't viable then, well, tough shit.
Twitter is also a much bigger target, and it makes sense to apply very different standards to what "reasonable" security is.
In the Twitter case, the victim were the users.
Sending packets is peaceful speech.
Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
The reason for the "Florida Man" meme is not that people in Florida are more weird than anywhere else, just that it's easier to find the mugshots online.
That seems more weird than my local news, by a bit.
In Florida, the media hears about anything that involves an arrest because it's all published for public inspection. It's not just mugshots but other records too.
The smallest community newspapers in Florida will have a section about who got arrested.
Come to Oregon and we can talk weird.
Speed-trap towns that had to decommission their police:
For over a hundred years kooks and scammers from the Northeast and Midwest have made their way down to Florida. It's a weird place because weird and disreputable people move there. (Source: I grew up in the panhandle, and also inherited some "beach front" property in the middle of the woods that an uncle bought in the 1960s from a Chicago developer front running a classic Florida real estate racket. Also, see "Oh, Florida!: How America's Weirdest State Influences the Rest of the Country".)
From the wikipedia article:
> Miami New Times claimed that freedom of information laws in Florida make it easier for journalists to obtain information about arrests from the police than in other states and that this is responsible for the large number of news articles
"Tim Jones has been arrested" isn't exactly an informative headline.
But there's no law against it that I am aware of.
Note that this does not apply to violations of State laws, only Federal law violations. States may further restrict the publication of juvenile records.
This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws."
"Your privacy matters to us." -> Then why are you asking me to give it up? If my privacy mattered to you you wouldn't even ask to install tracking cookies and gather my data.
It's a legacy site and they haven't finished implementing out-out-only / data-deletion / etc... I wouldn't assume malicious intent.
No, it doesn't. If it mattered, then you would act like it.
I mean, if my privacy matters to them.
I know the online news business is difficult to monetize. Only a handful of major news orgs can put paywalls up and charge subscribers directly. I get that.
So, what they do instead is use 3rd party ad networks and analytics, and traffic in my personal data, while telling me that my privacy matters.
That's why this is doublespeak. They're saying one thing (my privacy matters) while doing another (funding their operations in part on my personal data).
Is it the only viable model for them? Maybe. That's not really relevant, though.
What is "out-out-only"? My google fu is failing me.
Taking care of people can be a thankless job.
Here are a dozen healthier options: https://duckduckgo.com/?q=graham+clark&t=osx&iar=news&ia=new...
You may find this site helpful
Yes, quite. I won't repeat the phrase that immediately came to mind when I read that, but I will say it ended with, "you News Channel 8!"
Europeans should be impressed that American sites were so quick to comply with their well thought out and reasonable regulations.
The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.
I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.
So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.
There's a quote in the article, "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence", which just reiterates this perception of the justice system being "hard" on crime. Yet it conveniently ignores being soft on crime if you're rich or in power.
We need to reduce sentences across the board, for both violent and nonviolent crimes, because our sentencing ranges are bonkers. But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.
At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.
You don't just disagree, but actually believe people asking for leniency are outright behaving immorally. You can disagree without calling someone immoral.
Sending a 17-year-old to prison for a non-violent crime for 2-4x as long as a murderer would get in my country seems criminal in itself (but I don't think you are immoral for advocating for it).
Reiser was a murderer. An equivalent to this crime would be a 17-year-old who managed to pick the lock of Fort Knox with a toothpick and walk out with a 1kg gold bar.
I wouldn’t be so sure. Look at Paras Jha, Zachary Buchta and Mir Islam.
All engaged in similar high profile crimes, all monetized. I think only Mir spent a little bit of time in prison.
I have a hard time thinking of any young, high profile offenders that were handed severe punishments for cybercrimes by federal courts in the past decade.
So, like Twitter.
I dunno what you do here. The book would absolutely be thrown at him if he were 18. He might get off "lightly" at 17, but should he? He should know better right?
I think he gets tried as an adult. He just yeeted his life.
Or a 17 year old steals a couple of cars from random people off the street...
The crime is not breaking into Twitter. The crime is theft. Twitter didn't steal that money, this guy did. Let's not pretend the internet is a magical land without consequences.
I think that's a great comparison. But it's not an armed robbery, it's a break-and-enter where no property gets destroyed.
How many felonies does the robber get after being caught? I don't actually know but I'm guessing 1-3? Certainly stealing $100k is a deserving felony. But 30 felonies seems a bit steep.
That money is very much destroyed for the people whom it was stolen from.
It's more as if he, once in the bank, added a poster:
"mail money to street 123 city Abcde, and we'll mail you twice back"
If a robber hacks a computer (a felony), impersonates law enforcement (a felony), uses that to commit fraud (a felony), then transfers stolen money across state lines (a felony), then tries to launder it (a felony).....
You can see how such things can stack up.
Now imagine not only the 17yo stole 100k from the bank, but also entered the houses of people such as Obama and Biden, and potentially stole documents from their desks.
Yes, everyone has done some dumb things at this age, but the consequences of this were pretty severe, and he certainly knew what he was doing. Just calling this a "meme-worthy fake post" is minimizing what he did.
Can you elaborate on this? The consequences were mild at best, with people easily duped being duped and twitter having a (understandably) worse reputation.
There’s a lot of evidence to support this. I will present my own anecdotal evidence because Hacker News loves that stuff. I acutely felt my decision making improve a few months before I turned twenty five. It hit me like a wave, and reflecting on my past decisions felt like looking at the actions of a completely different person. If I were in different, more difficult positions when I was younger, it is unlikely that my decisions would be as rationally thought out as they would be now.
I don't know if this actually exists, but I experienced something similar: Starting at around 17 I decided to ask myself at every birthday whether I thought I was more mature as a person than the year before, which I think relates to proper and holistic decision making. I kept saying "yes" to this question until I was 24.
And forcing Twitter to pay part of it, for their lousy "security".
Plus three months working in a shelter for homeless people
17-year-olds understand the consequences of stealing $100,000 (and honestly they were probably very disappointed with how little they got).
Agree that his life shouldn't be "ruined" because of this, but he's committed a serious crime that was obviously a serious crime.
I never stole $100,000 when I was a kid. Sometimes 17-year-olds murder other people too. Society can't ignore it just because he's a minor. If he had posted memes, that would be one thing. But instead he decided to use this hack to commit grand theft.
Any leniency due to his age will come from the Judge.
People with your mindset are responsible for a lot of the inequity in the criminal justice system. Upper middle class suburban white kids (e.g. Brock Turner) get away with slaps on the wrist all the time for the same crimes that poor and minority teenagers get sent to prison for years over, because judges (who were almost all previously upper middle class white suburban kids themselves) feel sorry for them and chalk their crimes down to kids being kids.
So these guys were able to get into Twitter but they chatted freely on Discord without considering everything would be recorded?
And then they make one of the most public hacks in recent history without considering someone would go through all the logs with all the noise they made?
Didn't even layer the Bitcoin through an anonymiser like Monero and extra Bitcoin wallets. Just sent and received BTC directly to an account linked with photo ID on multiple exchanges. Incredible really!
How can you do a hack that will certainly get you in jail for several years and not even research the most basic techniques to protect yourself? It just doesn't make sense.
It's because social engineering attacks are noisy as heck. Within 30 minutes of them posting these tweets, you can bet the FBI was already on the line with Twitter's security team.
The fact that they chose to do this attack at all demonstrates how amateur they were.
* the attacker (allegedly) bragged to the press
* the attack only involved phishing and social engineering. (It's a bit unclear, but that's what it looks like.)
Bragging to the press is a definite sign of someone doing it for the lulz. Criminals know better than to brag about their crimes publicly, that is how you get caught. Bragging definitely fits into the stereotypical motivation for most teenage hackers.
Social engineering is a skill, but it's also a skill that a smart teenager is likely to have. It's not a super-high-sophistication attack. It's not a spy movie attack where people are breaking into offices, coercing employees, finding 0-days in the webserver etc. It's an attack that a dedicated teen could teach themselves and pull off themselves, no special resources needed.
How do you know? Coercion is a type of social engineering.
Anyone know what the loose end was that got these guys busted?
He didn't use a VPN or anything to mask his home IP, he discussed the hack on Discord, an unencrypted third-party platform, and reused a gmail address for the hack that he also used for a Coinbase account. Said Coinbase account being verified with his driver's license...
I shouldn't be too surprised, but I still am. I would have expected, at the very least, all discussion being handled on Signal or similar, all access to involved accounts to be exclusively via a regular VPN or Tor, and only using a brand-new fastmail email for anything to do with the hack. Those are the very basic precautions.
Curious aside: there's a bug in the complaint document. The affidavit is by a Special Agent with the US Secret Service, but the title page lists him as "Special Agent, FBI".
The Discord connection was known early on. I was really surprised anyone would do something like this and communicate over Discord about it.
The fact that no VPN/Tor were involved, the fact that Gmail was involved... that's really crazy. It's hard to tell when being dumb ends and being self destructive begins?
Is it possible to be this ignorant about the Internet while perpetrating something so big?
The networking layer is invisible to 99% of users nowadays. "It just works."
Yes, but the problem is that it didn't take someone who knows better to hack what is (used as) an official government communication platform. Or one of the largest social networks, or a company with thousands of engineers - take your pick; it's hard to put this in a good light.
Seems like the OGUsers database was the key piece of info, but it was 'a rival criminal hacking forum' that actually got the db and the FBI 'obtained' a copy of it.
Felt a lot like a hit piece to me, at the time. It would be interesting to know if Krebs turned out to be right. That could say a thing or two about that newspaper.
- Brian Krebs [https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...]
Seems very convenient. Parallel construction?
I'd love to know as well.
Don't do that though, don't scam people.
There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.
The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne or wherever the skiddies flock to these days are not utilized thoroughly.
Also, "do X or I release the sploit" could be considered extortion if you word it wrong, and then you are in all sorts of additional trouble.
A lot of the bug bounty programs don't pay as well as using exploits to steal money. Some estimates put this particular breach at having netted upwards of $120k.
I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.
If you don't think you'll get caught, why would you take the $40k instead of tripling that?
You're right - a lot of people who want to file bug bounties overestimate how much marginal ones are worth. At the same time, this scenario suggests to me that bug bounties aren't currently doing a good job of incentivizing people away from attempting to monetize significant exploits and towards more responsible security practices. If we have to depend on the risk analyses of teenagers, we may be in trouble.
Which is to say I suspect we have both problems.
> I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.
You're not paying attention.
Have any of those $250k bounties been paid out? The $40k figure was something I found from a bounty that's actually been paid, rather than a hypothetical one.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
- Social engineering of Twitter staff or contractors
Pretty standard for most if not all of the program rules I have come across.
In theory, any sensitive operation (such as changing the email address of a verified account) could be made to require approval from a second (randomly chosen) employee, and that second employee should see a log of recent actions taken by the first employee. An attacker may still manage to avoid raising suspicion for the first few targets, though.
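One way to implement the second-approver rule sketched above, as an added example (this is not Twitter's code; the staff names, action types and burst thresholds are constructed):

```python
"""Two-person approval for sensitive account-support actions.

Added example, not Twitter's code: a sensitive action (changing the e-mail
on a verified account, say) only executes after a second, randomly chosen
employee signs off, and that approver is shown the requester's recent
actions plus any automatic risk flags. Thresholds below are constructed.
"""
import random
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

SENSITIVE = {"change_email", "disable_2fa", "reset_password"}
BURST_WINDOW_S = 600   # look-back window for the requester's history
BURST_LIMIT = 2        # distinct accounts touched before a flag is raised


@dataclass
class Action:
    actor: str
    kind: str
    target: str
    ts: float
    status: str = "pending"          # pending | executed | denied
    approver: Optional[str] = None


class ApprovalGate:
    def __init__(self, staff: List[str], rng: Optional[random.Random] = None):
        self.staff = list(staff)
        self.rng = rng or random.Random()
        self.log: List[Action] = []    # append-only audit trail

    def pick_approver(self, requester: str) -> str:
        # Randomly chosen so a compromised requester cannot pick a colluding reviewer.
        candidates = [s for s in self.staff if s != requester]
        if not candidates:
            raise RuntimeError("two-person rule needs at least two staff")
        return self.rng.choice(candidates)

    def history(self, actor: str, now: float) -> List[Action]:
        return [a for a in self.log
                if a.actor == actor and now - a.ts <= BURST_WINDOW_S]

    def risk_flags(self, actor: str, now: float) -> List[str]:
        touched = {a.target for a in self.history(actor, now)
                   if a.kind in SENSITIVE and a.status == "executed"}
        flags = []
        if len(touched) >= BURST_LIMIT:
            flags.append(f"{actor} changed {len(touched)} accounts in the "
                         f"last {BURST_WINDOW_S}s: {sorted(touched)}")
        return flags

    def request(self, actor: str, kind: str, target: str, now: float,
                review: Callable[[str, Action, List[Action], List[str]], bool]) -> Action:
        """`review` stands in for the second employee's decision."""
        action = Action(actor, kind, target, now)
        if kind not in SENSITIVE:
            action.status = "executed"
        else:
            approver = self.pick_approver(actor)
            ok = review(approver, action, self.history(actor, now),
                        self.risk_flags(actor, now))
            action.approver = approver
            action.status = "executed" if ok else "denied"
        self.log.append(action)      # denied requests are logged too
        return action


def cautious_reviewer(approver: str, action: Action,
                      history: List[Action], flags: List[str]) -> bool:
    """A reviewer who refuses whenever the automatic flags fire."""
    return not flags


def simulate_takeover_spree() -> List[str]:
    """Constructed scenario: a phished support account ('alice') tries to
    re-point the e-mail on several verified accounts within minutes."""
    gate = ApprovalGate(["alice", "bob", "carol"], random.Random(7))
    t0 = time.time()
    statuses = []
    for i, victim in enumerate(["@verified1", "@verified2", "@verified3"]):
        a = gate.request("alice", "change_email", victim, t0 + 60 * i,
                         cautious_reviewer)
        statuses.append(a.status)
    return statuses


if __name__ == "__main__":
    print(simulate_takeover_spree())   # ['executed', 'executed', 'denied']
```

The simulated spree shows the caveat from the comment: the first two changes pass review and only the third trips the burst flag, so the window and limit decide how much damage precedes detection.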
That's never going to fly; all Twitter bounties are multiples of $140.
Based (loosely) on the Beale ciphers, a real-life combination of cryptography, myth, and scams (probably)
That's actually...pretty disappointing. I would have guessed into the 7 digits just based on how many Americans, and people in general, love a get-rich-quick-scheme.
I would also like to see a loop of the first 4.5 seconds.
Edit: Another post on HN covers the federal charges. So, it sounds like this kid is being charged by both the state and the feds. I don't envy him.
Twitter has a lot of powerful people and organizations who have suffered discomfort at its hands. It is hard to swallow the thesis that a Tampa teen succeeded where intelligence agencies have failed despite years of efforts.
If you're so stupid how can you social engineer your way into Twitter?
At NYTimes, from another submission:
That is such a simple mistake to make, wow.
Yes, this will initially be very expensive as there will be thousands of payouts, but eventually the employees will learn.
Offer $200 if you can get an employee's password.
Regardless if he was behind the hack or not, this is not the way forward to a decent society.
Often interviews reformed "hackers" who have turned their lives around.
Anyone with Bitcoin transaction knowledge, what's this de-anonymization of Bitcoin transactions?
> “Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity,” said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office.
This reads like ad copy of a company that's against perceived anonymity.
So if you, a hacker, tell someone to submit Bitcoin to an address, that address is only really "anonymous" until you use your private keys to reroute the money to other addresses. As soon as the graph of transactions touches some known node (perhaps at the edges of the Bitcoin network that interact with the monetary system), you can trace back to figure out who might have controlled the original address.
It's very silly to try to cash in on ill-gotten bitcoin...
What's the alternative? Sit on the coins or use them for purchases?
Possibilities are endless. Coolest thing I heard was use the bitcoin to rent bitcoin miners. Then spend the resultant cleanly mined coins.
Since Bitcoin is not anonymous but pseudonymous, it can be as simple as finding one or more transactions that link a wallet to a real identity (such as one tied to purchase of physical goods with an identified recipient and shipping information) and from there tying every other transaction from that wallet to the same identity. I would guess in practice it often involves more steps of connection.
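The tracing described in this comment and in the earlier one about the transaction graph touching a known node, as an added example that is not part of the thread; the ledger, labels and address names are constructed placeholders:

```python
"""Following pseudonymous Bitcoin flows back to an identified party.

Added example, not from the thread or any real tool. Addresses are
pseudonyms, but every transaction is public, so an investigator can follow
outputs from a scam address until the funds land on an address already tied
to a person (a KYC exchange deposit address, a merchant's shipping record).
Two textbook techniques are shown:
  1. forward tracing: breadth-first search along transaction outputs;
  2. common-input clustering: inputs spent together in one transaction were
     signed by the same key holder, so they are treated as one wallet.
The ledger, labels and address names below are constructed placeholders.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# (txid, input addresses, [(output address, amount in BTC)])
Tx = Tuple[str, List[str], List[Tuple[str, float]]]

LEDGER: List[Tx] = [
    ("tx1", ["victim_A"],       [("scam_addr", 0.5)]),
    ("tx2", ["victim_B"],       [("scam_addr", 0.7)]),
    # the scammer sweeps the proceeds into two fresh addresses
    ("tx3", ["scam_addr"],      [("hop_1", 0.8), ("hop_2", 0.4)]),
    # hop_1 and hop_2 are spent together: one wallet under the heuristic
    ("tx4", ["hop_1", "hop_2"], [("hop_3", 1.2)]),
    # cash-out to an exchange that holds the account holder's ID
    ("tx5", ["hop_3"],          [("exch_deposit_77", 1.19)]),
    # unrelated traffic that must not be pulled in
    ("tx6", ["someone_else"],   [("shop_xyz", 0.1)]),
]

# Addresses already tied to real-world records (constructed)
LABELS: Dict[str, str] = {
    "exch_deposit_77": "deposit address at a KYC exchange, account #77",
    "victim_A": "fraud report #1",
    "victim_B": "fraud report #2",
}


def trace_forward(ledger: List[Tx], start: str, labels: Dict[str, str],
                  max_hops: int = 10) -> List[List[str]]:
    """Breadth-first search from `start` along outputs. Returns every address
    path that reaches a labelled address within `max_hops` hops. A mixing
    service shows up as one hop fanning out to many unlabelled outputs,
    which is exactly where this kind of tracing stalls."""
    spends: Dict[str, List[Tx]] = {}
    for tx in ledger:
        for addr in tx[1]:
            spends.setdefault(addr, []).append(tx)
    hits: List[List[str]] = []
    seen: Set[str] = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for _txid, _inputs, outputs in spends.get(path[-1], []):
            for out_addr, _amount in outputs:
                new_path = path + [out_addr]
                if out_addr in labels:
                    hits.append(new_path)
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append(new_path)
    return hits


def cluster_wallets(ledger: List[Tx]) -> Dict[str, Set[str]]:
    """Multi-input heuristic via union-find: merge all inputs of each tx."""
    parent: Dict[str, str] = {}

    def find(a: str) -> str:
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for _txid, inputs, _outputs in ledger:
        roots = [find(a) for a in inputs]
        for r in roots[1:]:
            parent[r] = roots[0]
    clusters: Dict[str, Set[str]] = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return clusters


def same_wallet(ledger: List[Tx], a: str, b: str) -> bool:
    return any(a in c and b in c for c in cluster_wallets(ledger).values())


if __name__ == "__main__":
    for path in trace_forward(LEDGER, "scam_addr", LABELS):
        print(" -> ".join(path), "|", LABELS[path[-1]])
    print("hop_1 and hop_2 same wallet:", same_wallet(LEDGER, "hop_1", "hop_2"))
```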
> This reads like an Ad copy of a company that's against perceived anonymity.
The DoJ isn't a company, but it is very much against perceived lack of accountability, which is one of the reasons people choose systems that offer perceived anonymity.
What they should've done is generate a new wallet with no previous transactions and just used that to buy things.
The closest to an anonymous coin afaik is monero or zcash, but in general I think wasting electricity and cpu cycles on arbitrary math is a bad path to go down. If we could tie a coin to some productive math like protein folding or seti, etc, that still has the same attributes as cash (which btc does not) then we might have a true potential dollar replacement digital coin, but I digress.
This is the set of people that legislators listen to. I think we may be screwed.
The quote seems accurate.
That's certainly an understandable take, and I'm probably just overly pessimistic.
- Uses Words Like "Mastermind" and "Massive Fraud"
> He’s being charged as an adult, and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been — not just the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
Hacking into Twitter accounts isn't a depraved, violent crime. I could see that as the immaturity or lack of foresight of a smart teenager. Yes, they're prominent people. Doesn't really change it IMO.
I would be interested to know if they forgot about one small detail. I think the FBI / NSA probably has full visibility into the Tor network and can easily deanonymise any users. Or it could be like the Harvard bomb hoax in 2013. (They used Tor, but they were also the only person using Tor at the time.)
> Intriguingly, Sheppard and Fazeli may just be middlemen for the scam — “an unknown individual” with the handle “Kirk#5270” is believed to be the one who got access to Twitter’s internal systems. It’s not clear if the Tampa teen is Kirk#5270, though it sounds like that’s possible. The Sheppard complaint is dated July 22nd, and the Tampa teen wasn’t arrested until today. Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log:
> On July 21, 2020, federal agents executed a search warrant authorized by U.S. Magistrate Judge Alex G. Tse at a residence in the Northern District of California. Among the occupants of the home was a juvenile (“Juvenile 1”). “Juvenile 1” was believed to be a Discord user identified in chats as an individual who assisted “Kirk#5270” and “Chaewon” in selling access to Twitter accounts. Upon execution of the search warrant, “Juvenile 1” agreed to be interviewed. “Juvenile 1” admitted to law enforcement agents that he/she was the Discord user who was identified in chats as assisting “Kirk#5270” and that he/she participated in the sale of illegal Twitter access. “Juvenile 1” admitted that he/she worked with “Chaewon” to sell Twitter account access. According to “Juvenile 1,” his/her knowledge of “Chaewon” was that “Chaewon” lived in the United Kingdom and “Juvenile 1” knew “Chaewon” by the name “Mason.” According to “Juvenile 1,” he/she and “Chaewon” had discussed turning themselves in to law enforcement after the Twitter hack became publicly known.
Since the crimes were financially motivated all of them get upgraded to felonies. I have sympathy for people who get fucked by the US' dumb CJ system, but uh... touching a Presidential candidate's Twitter account was whose idea, exactly? What did they expect would happen? I have a hard time believing the "for the lulz" defense some people are making for these people when the whole thing was clearly financially motivated.
Assuming this isn't a joke, consider that $6k a lesson to not be such a gullible mark.
Seriously, if you want the protections of the legal system, then use currency controlled by the legal system.
Through common practice, these identities are treated as disposable and therefore generally ignored. But stating that the currency is explicitly designed to disallow accountability is not an accurate representation of reality.
Edit to add a practical example for clarification because this is being downvoted.
If the FBI conducts an effective warranted search + seizure of a mob safehouse, seizes a large safe, opens it up, and finds either:
A) Gold bricks
B) Bitcoin wallet private keys
In case (A), they can maybe correlate records, reports, statements, and other evidence to possibly determine the rightful owner of the gold or goods laundered for gold.
In case (B), they can check the BTC ledger against fraud reports that contain bitcoin wallet public keys, then publish a public statement asking people to prove they own any matching public keys -- because bitcoin, by its fundamental nature, is more accountable in a way that enables recourse and refunds.
What you are talking about is establishing reputability, not about refund-ability or the ability of authorities to reverse illicit transactions. You can see that as a feature of bitcoin or not, but if you want protections from a system you need to act within that system.
Sorry if I'm being heartless here but I'd also argue that the funds were not stolen, they were given in a system that provides almost no legal recourse.
In both BTC and solid gold, reversibility is not a property of the currency. It is a part of the system which uses that currency.
However, with Bitcoin (unlike with gold) the currency is explicitly designed with verifiable identity being fundamental to every transaction.
With Bitcoin, an individual can prove that they participated in a transaction that was later determined to be fraudulent. This is a fact of the currency. It is explicitly built into Bitcoin at a foundational level.
Whether existing systems use that specific aspect of the currency to do anything meaningful is a separate matter.
But the fact is that bitcoin itself has more accountability than other currencies. Not less.
I'm not saying bitcoin is less accountable, and giving $6000 in gold coins to a stranger promising to double them would only be slightly more responsible since then you'd at least know a physical jurisdiction.
What I'm saying is that when bitcoin X leaves wallet Y to wallet Z the only way to get back X into Y is for the holder of Z to willingly give it, while "normal" digital transactions can be reversed by the transactor or by law. So if you want a transaction to be reversible by law you probably don't want it in bitcoin. Please let me know if I'm wrong.
1) Find one of the input addresses for the transaction(s) you sent to the scammers
2) Use that address to sign a message like "alexander1100 owns this address" (but use your legal name) to prove ownership of the address.
3) Attempt to follow up with the FBI about recovering your lost funds. This is the step that you will have the most trouble with.
This is how bitcoin works. You send value to somewhere else of your will. There is no outside party here.
The larger question is a question of policy and law... Does the government even consider entries in a blockchain ledger to be "returnable stolen property?"
Sure, you just need to find the transaction hash, and prove that you own the sending address.
> and get my crypto back?
Now that the government has control of the wallets, my guess would be probably, eventually.
\/\The Conscience of a Hacker/\/
Written on January 8, 1986
Another one got caught today, it's all over the papers. "Teenager
Now not only is he getting thrown in prison (over something he probably wasn't even convinced he could do, if the subpar attempt at capitalizing on it is any indication) for years, he's lost any potential career in the field.
The likelihood that more sophisticated individuals and organizations have access to Twitter (and probably various other tech companies), and understand the importance of not letting your access be discovered, is probably far far higher than we realize.
Should we just assume all data held by Twitter and various other tech companies is compromised (by multiple different actors)?
Twitter seems to be wording things to make the attack seem out-of-this-world sophisticated, but I just have serious doubts about that.
Wow. It isn’t news, but what a terrible reflection of the US approach to criminal justice.
> Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account... The hackers were able to access some internal tools from the initial targeted employees and then learned specifically who had access to account support controls and targeted them next.
One likely scenario is they got access to the lower level employee's Slack account or similar and used it to impersonate and successfully find/phish the employee with the access.
Or, maybe Twitter just had some obvious loopholes that even a not super social-aware hacker could find and use?
I think it is better to assume that in these situations it is more incompetence from the platform than "super-genius" from the hacker that allows for things like this to happen (regardless of what Twitter needs to say for PR or the media needs to imply for clicks).
Twitter is in a bind. If there was no inside help, that says their security is pretty lax. If there was inside help, why have they not identified or named them.
Either they got help, this kid was already being watched or it just speaks to the DOJs data collection to all citizens.
Wall Street insiders steal billions every day from Joe Sixpack with the government's help, and they get to laugh about it over a drink after work.
Now we can spend millions in taxpayer money incarcerating him....
He should get a reward for exposing how shitty Twatter is. Besides the NSA is reading every txt you send and listening to every call you make. They know where you are 24/7 and what you bought for lunch. No one is punishing them.....
It's all theater for the masses I suppose....we caught the bad guys.....LOL...
A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the “mastermind” behind a hack on the social media website Twitter that caused limited access to the site and high-profile accounts.
The state attorney's office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.
(The rest of the article just rehashes the attack.)
> This site is currently unavailable to visitors from the European Economic Area
So we're not important to them then? Gotcha!
Block us, fine, whatever, but don't give us this BS about being important to you then.
I had suspected that they had added special protections on his account after the (2017?) incident where an employee temporarily deactivated his account (and got fired for it). I guess this confirms it.
Fair warning: there may be no next step. I have no idea if the US government even considers cryptocurrency "property" in any legally-meaningful sense.
I'm actually not super surprised that they've arrested a teenager. Considering the thoroughness of the hack, just using it to scam a few bitcoins seemed a bit blasé. Imagine the shitshow he could've started by tweeting as Trump.
If Musk didn't get elevated privileges, then who else besides Trump would have them? Or are the protections for Trump just the same emergency bespoke fix that they implemented when his account was previously deleted?
Really? Like what? And why? Are they afraid someone will start posting stuff that is actually TRUE?
Bitcoin is neither private nor anonymous; the rise of blockchain surveillance is why privacy coins like Monero are gaining in popularity.
That being said, I'm sure it wasn't solely BTC transactions, these guys seemed to have very poor op-sec for performing such a big hack.
It's detailed here, a very interesting read.
Here are a lot of papers on it.
It turns out that the legal system is already set up to make “selling illegally obtained material” also illegal, and to take notice of people doing so in order to fund their ongoing operations.