[HN Gopher] Three Individuals Charged for Alleged Roles in Twitt...
___________________________________________________________________
Three Individuals Charged for Alleged Roles in Twitter Hack

Author : catacombs
Score  : 175 points
Date   : 2020-07-31 19:38 UTC (3 hours ago)

(HTM) web link (www.justice.gov)
(TXT) w3m dump (www.justice.gov)

| alexander1100 wrote:
| I personally lost $6000 dollars, is there any way I could prove that I was a victim and get my crypto back?
| mrtksn wrote:
| Can you please tell us how did you fall to this scam? I find it fascinating when something seems obvious to me but not to someone else and vice versa.
| daseiner1 wrote:
| I don't mean to be rude, but I have to ask - what were you thinking?
| dtech wrote:
| Unassuming it's not a troll, $ signs in the eyes.
| creato wrote:
| You sent $6k in bitcoin to Elon Musk because you thought he'd give you $12k back?
|
| Assuming this isn't a joke, consider that $6k a lesson to not be such a gullible mark.
| [deleted]
| SahAssar wrote:
| If you want legal recourse and refunds why would you use a currency that explicitly does not allow for those?
|
| Seriously, if you want the protections of the legal system, then use currency controlled by the legal system.
| shuntress wrote:
| Bitcoin is actually explicitly designed to _enable_ recourse and refunds. Every single transaction is permanently and immutably tied to a verifiable identity.
|
| Through common practice, these identities are treated as disposable and therefore generally ignored. But stating that the currency is explicitly designed to disallow accountability is not an accurate representation of reality.
|
| --
|
| Edit to add a practical example for clarification because this is being downvoted.
|
| If the FBI conducts an effective warranted search + seizure of a mob safehouse, seizes a large safe, opens it up, and finds either:
|
| A) Gold bricks
|
| or
|
| B) Bitcoin wallet private keys
|
| In case (A), they can _maybe_ correlate records, reports, statements, and other evidence to possibly determine the rightful owner of the gold or goods laundered for gold.
|
| In case (B), they can check the BTC ledger against fraud reports that contain bitcoin wallet public keys, then publish a public statement asking people to prove they own any matching public keys -- because bitcoin, by its fundamental nature, is more accountable in a way that enables recourse and refunds.
| SahAssar wrote:
| Transactions are not reversible by legal authority in bitcoin, only by the receiving party willingly doing the transaction in reverse.
|
| What you are talking about is establishing reputability, not about refund-ability or the ability of authorities to reverse illicit transactions. You can see that as a feature of bitcoin or not, but if you want protections from a system you need to act within that system.
| shuntress wrote:
| This is like saying that gold coins are explicitly designed not to allow recourse and refunds and that transactions in gold are not reversible by any legal authority.
|
| In both BTC and solid gold, reversibility is _not_ a property of the currency. It is a part of the system which uses that currency.
|
| However, with Bitcoin (unlike with gold) the currency is _explicitly designed_ with verifiable identity being fundamental to every transaction.
|
| With Bitcoin, an individual can _prove_ that they participated in a transaction that was later determined to be fraudulent. This is a fact of the currency. It is explicitly built in to Bitcoin at a foundational level.
|
| Whether existing systems use that specific aspect of the currency to do anything meaningful is a separate matter.
|
| But the fact is that bitcoin itself has _more_ accountability than other currencies. Not less.
| SahAssar wrote:
| What I said was "not reversible by legal authority". That's true for both gold coins and bitcoin if the legal authority don't have them to give.
|
| I'm not saying bitcoin is less accountable and giving 6000$ in gold coins to a stranger promising to double them would only be slightly more responsible since then you'd at least know a physical jurisdiction.
|
| What I'm saying is that when bitcoin X leaves wallet Y to wallet Z the only way to get back X into Y is for the holder of Z to willingly give it, while "normal" digital transactions can be reversed by the transactor or by law. So if you want a transaction to be reversible by law you probably don't want it in bitcoin. Please let me know if I'm wrong.
| shuntress wrote:
| You are not _wrong_ but you are glossing over the fact that by "digital transactions" you seem to actually mean "transactions brokered by a third party".
|
| USD also works the way you describe. I may write someone a check based on a fraudulent premise then later demand my money back. If they have already cashed that check and run then the money is gone from their account and there is no way to reverse the transaction. The bank may charge them, cancel their account, pay me back anyway, etc. These are all actions taken by the third party broker.
|
| With USD the accountability of my_account -> check -> fraudsters_account -> cash is all part of the third party's (the bank's) system.
|
| With BTC, this chain of accountability (my_wallet -> transaction -> fraudsters_wallet) is part of the currency itself.
|
| If the fraudster is later caught and their fraudulent gains seized, with BTC I can _prove_ which of those fraudulent gains came from my wallet and be reimbursed with potentially little technical fuss.
|
| My point is that _your_ point may be true of the systems built to handle transactions made with bitcoin but is not true of bitcoin itself.
| SahAssar wrote:
| Agreed, but the financial system we have is set up to handle one of those scenarios and not the other. Bitcoin could be as good or better at this use-case, but for now that is not the case.
| alexander1100 wrote:
| I am saying I know I made a mistake and if they truly caught those who are responsible, then I don't see why they won't be able to get access to the stolen funds. My eth is in that collection of stolen funds. I'd rather prove it's mine and have the government return it to me vs them auctioning it off.
| SahAssar wrote:
| I understand what you are saying, and I'm sorry you are in this situation. But I can also see that because you acted outside of the reach of the legal system then there is less chance of it being able to help you.
|
| Sorry if I'm being heartless here but I'd also argue that the funds were not stolen, they were given in a system that provides almost no legal recourse.
| wmf wrote:
| Cryptocurrency is not outside of the reach of the legal system.
|
| "the United States District Court for the Eastern District of Texas ... ordered Trendon Shavers to pay more than $40 million in disgorgement and prejudgment interest, and a civil penalty of $150,000 related to [Bitcoin scam] BCS&T." https://www.justice.gov/usao-sdny/pr/texas-man-sentenced-ope...
| SahAssar wrote:
| Right, when the person is identifiable and within that jurisdiction. I'm saying that if I pay X bitcoin to someone on the internet for a service I have less chance of recourse within the law if I don't get that service (in this case a back payment of x*2). If it was a normal digital/creditcard/whatever transaction it'd be easier to reverse and deal with.
| null0pointer wrote:
| I think it's unlikely you will get any recourse here.
| However what you can do is the following.
|
| 1) Find one of the input addresses for the transaction(s) you sent to the scammers
|
| 2) Use that address to sign a message like "alexander1100 owns this address" (but use your legal name) to prove ownership of the address.
|
| 3) Attempt to follow up with the FBI about recovering your lost funds. This is the step that you will have the most trouble with.
|
| Good luck.
| advisedwang wrote:
| You can probably find the blockchain transaction of you paying them. So long as you can prove you own the sender, that's your proof right there.
| Jasper_ wrote:
| I thought Bitcoin's biggest feature was No Chargebacks
| cordite wrote:
| Good luck.
|
| This is how bitcoin works. You send value to somewhere else of your will. There is no outside party here.
| shadowgovt wrote:
| Practically speaking, at this point the government is probably in possession of the private keys and could authorize reverse transactions to restore the stolen crypto.
|
| The larger question is a question of policy and law... Does the government even consider entries in a blockchain ledger to be "returnable stolen property?"
| wmf wrote:
| Yes, crypto scammers have been forced to give money back before.
| boring_twenties wrote:
| > is there any way I could prove that I was a victim
|
| Sure, you just need to find the transaction hash, and prove that you own the sending address.
|
| > and get my crypto back?
|
| Now that the government has control of the wallets, my guess would be probably, eventually.
| neatze wrote:
| this must be a joke.
| superhuzza wrote:
| Wow, if true your "contribution" was around 5% of the total amount scammed.
| paulpauper wrote:
| assuming not a troll, there is a possibility the money will be seized and returned to victims. i assume if the stolen coin are on coinbase, they have been frozen,
| [deleted]
| alexander1100 wrote:
| Is there any way I could prove that I was a victim of this crime?
| shadowgovt wrote:
| I'd start your legwork here with a phone call to your nearest FBI field office. Make sure you have the paper trail showing from your end you sent crypto to the perpetrators, and ask what the next step would be for claiming your defrauded property. It may also be worth consulting with a lawyer to see what your legal recourse might be here.
|
| Fair warning: there may be no next step. I have no idea if the US government even considers cryptocurrency "property" in any legally-meaningful sense.
| paulpauper wrote:
| if you have the private key, sign the wallet. if you used an exchange, there are probably records
| varenc wrote:
| > "Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers"
| zionic wrote:
| Should have used Monero lol
| Shared404 wrote:
| Got to love government knowledge of tech.
|
| This is the set of people that legislators listen to. I think we may be screwed.
| shadowgovt wrote:
| I'm not sure what your criticism of the quote means here. The biggest weakness of BTC for criminal enterprise is the fact that every transaction must be logged to a global public ledger. The hard part is aligning the public keys with private keys, but if you have enough additional information (such as, say, the private keys' owners sitting in a prison cell and the private keys themselves flayed out of their unencrypted hard drives), it's trivial to prove the money flowed from one user to another.
|
| The quote seems accurate.
| Shared404 wrote:
| I know the quote was accurate. I thought it was common knowledge that bitcoin is not anonymous, therefore making "de-anonymized the bitcoin transactions" a bit of an overstatement.
| shadowgovt wrote:
| Ah, now I follow. I assume they intended "de-anonymized" to mean "tied the public keys to identifiable human beings IRL."
| Shared404 wrote:
| No hard feelings.
|
| That's certainly an understandable take, and I'm probably just overly pessimistic.
| tolbish wrote:
| It is and it isn't. Hacker News is anonymous until someone ties your username to your identity.
| asutekku wrote:
| The third person has been identified in an Ars Technica article [1].
|
| 1. https://arstechnica.com/tech-policy/2020/07/florida-teen-arr...
| Pfhreak wrote:
| We protect juveniles for a reason. It seems reasonable to make an effort not to spread their identities around on social media (even if they are reported by press sites.)
| latchkey wrote:
| Except for the part that it is Florida and they release all this stuff... which is what brought on the whole Florida Man meme.
|
| https://www.wfla.com/news/hillsborough-county/tampa-teen-acc...
| boogies wrote:
| Legal [?] ethical
| robotcookies wrote:
| Wasn't there inside help? I read several articles saying that there was. Any of those insiders charged?
|
| Twitter is in a bind. If there was no inside help, that says their security is pretty lax. If there was inside help, why have they not identified or named them.
| shadowgovt wrote:
| Unless there's additional info I didn't see, the "inside help" theory came from the fact that they had images of the internal dashboards. That doesn't necessarily indicate voluntary inside help (they may have found a hole in Twitter's internet / intranet firewall, or they may have spear-phished a service team member's credentials).
| par wrote:
| > Today's announcement proves that cybercriminals can no longer hide behind perceived global anonymity
|
| Anyone know what the loose end was that got these guys busted?
| koolba wrote:
| If they were dumb enough to waste such a high value target on a small scale bitcoin scam then I wouldn't be surprised if they were dumb enough to perform the malicious actions from their home IP address.
| SV_BubbleTime wrote:
| Didn't the hack need internal access? VPN maybe?
| function_seven wrote:
| Sure, but if they connected to the VPN from their own IP, then that's not going to hide anything.
| thinkloop wrote:
| Is connecting to a VPN through another secure VPN doable/benefit?
| Nacraile wrote:
| Doable, although annoying to configure correctly. Beneficial if you want to obscure your identity from the second VPN server (i.e. Twitter's, in this case, which ought to be logging connections)
| ehsankia wrote:
| Really seems like a modern day MafiaBoy.
| ACS_Solver wrote:
| I just read one of the complaints, against the 22 year old "Rolex". It's not so much loose ends as loose everything.
|
| He didn't use a VPN or anything to mask his home IP, he discussed the hack on Discord, an unencrypted third-party platform, and reused a gmail address for the hack that he also used for a Coinbase account. Said Coinbase account being verified with his driver's license...
|
| I shouldn't be too surprised, but I still am. I would have expected, at the very least, all discussion being handled on Signal or similar, all access to involved accounts to be exclusively via a regular VPN or Tor, and only using a brand-new fastmail email for anything to do with the hack. Those are the very basic precautions.
|
| Curious aside: there's a bug in the complaint document. The affidavit is by a Special Agent with the US Secret Service, but the title page lists him as "Special Agent, FBI".
| dmitryminkovsky wrote:
| I don't know, tbh I'm still surprised.
|
| The Discord connection was known early on. I was really surprised anyone would do something like this and communicate over Discord about it.
|
| The fact that no VPN/Tor were involved, the fact that Gmail was involved... that's really crazy. It's hard to tell when being dumb ends and being self destructive begins?
|
| Is it possible to be this ignorant about the Internet while perpetrating something so big?
| rootsudo wrote:
| Yes, many people consider facebook and Twitter "The Internet." and while they are just two giant tech companies publishing web apps.
|
| Networking Layer is invisible to 99% of users nowadays. "it just works."
| jeherr wrote:
| I thought I read a blog post detailing a link to the OGUsername discord.
| Shared404 wrote:
| > > Today's announcement proves that cybercriminals can no longer hide behind perceived global anonymity
|
| ThorSquint.jpeg
|
| I'd love to know as well.
| subculture wrote:
| Reading the two complaints, it seems that they basically obtained Discord chat records and tied those usernames to an OGUsers db that was hacked & leaked in April.
|
| Seems like the OGUsers database was the key piece of info, but it was 'a rival criminal hacking forum' that actually got the db and the FBI 'obtained' a copy of it.
| waihtis wrote:
| Guess is there was some opsec failures, and this is typical scaremongering with intent to deter future to-be-hackers
| tptacek wrote:
| Didn't Krebs run a story about these people a week or so ago? It looks like it was 100% loose ends.
| elmo2you wrote:
| I don't remember if he was reporting on any of these 3 guys. But I do remember that a huge media outlet/conglomerate was quick to accuse Krebs of wrongfully accusing somebody (no idea how they got that, behind a paywall) and how he had previously wrongfully accused people.
|
| Felt a lot like a hit piece to me, at the time. It would be interesting to know if Krebs turned out to be right. That could say a thing or two about that news paper.
| coldpie wrote:
| One of the people mentioned in Krebs's article is being charged, but not all of them: https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...
| libraryatnight wrote:
| If there was any merit to the articles where people in the media were put in contact with people involved (and it seems so, now) then they left tracks all over the place. A) reaching out to the media at all. B) sharing screens of the OGUsername boards they hung out on C) Bragging.
| coldpie wrote:
| Yeah, as soon as that Vice article came out it was clear they were toast. You don't brag like that and get away with it.
| athyuttamre wrote:
| This report has some details: https://www.justice.gov/usao-ndca/press-release/file/1300126...
| kevin_thibedeau wrote:
| > On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum's user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database.
|
| Seems very convenient. Parallel construction?
| ramimac wrote:
| What about this implies parallel construction to you? The OGUsers databases (well, actually a couple, they've been hacked multiple times) has been publicly available for a while. Also, the discord chats and Vice article include details on selling accounts with desirable names - even if not explicitly linked to OGUsers (I don't recall off the top of my head if it was called out), you could track hacked accounts, see they were sold or discussed on OGUsers, and then give a look at the DB. That seems an obvious route of investigation to me?
| josu wrote:
| It seems that they mixed the stolen bitcoins with bitcoins that they withdrew from Coinbase. So law enforcement probably knew who they were from day 1. I feel that this is the time it took them to put together a case.
|
| https://twitter.com/ErgoBTC/status/1283561433972846592?s=19
| sepulchers wrote:
| > In the days leading up to Wednesday's attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers -- a forum dedicated to account hijacking -- a user named "Chaewon" advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.
|
| - Brian Krebs [https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...]
| [deleted]
| [deleted]
| qppo wrote:
| They should have just scammed old people with spoofed phone numbers, then the government would never have caught them.
| throw_m239339 wrote:
| Well their biggest mistake was to live in US and be US citizens. Most of the people operating high scale phone scams live abroad, India, Africa, South East Asia...
|
| Don't do that though, don't scam people.
| Taek wrote:
| Hitting a 17yo with 30 felony charges feels a bit steep to me.
|
| Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
|
| If a 17yo could do it, I'm sure a nation state could do it.
| ggggtez wrote:
| Imagine a 17 year old robs a bank and steal 100k from the savings accounts of random people.
|
| Or a 17 year old steals a couple of cars from random people off the street...
|
| The crime is not breaking into Twitter. The crime is theft. Twitter didn't steal that money, this guy did. Let's not pretend the internet is a magical land without consequences.
| Taek wrote:
| > Imagine a 17 year old robs a bank and steal 100k from the savings accounts of random people.
|
| I think that's a great comparison.
| But it's not an armed robbery, it's a break-and-enter where no property gets destroyed.
|
| How many felonies does the robber get after being caught? I don't actually know but I'm guessing 1-3? Certainly stealing $100k is a deserving felony. But 30 felonies seems a bit steep.
| ehsankia wrote:
| They technically also violated every single person they hacked, which includes the previous president of the united states, large company such as apple, and the upcoming presidential candidate.
|
| Now imagine not only the 17yo stole 100k from the bank, but also entered the houses of people such as Obama and Biden, and potentially stole documents from their desks.
| user5994461 wrote:
| The guys have a very long history of scams, with $700 000 seized before this twitter thing it seems.
|
| That money is very much destroyed for the people whom it was stolen from.
| ChrisLomont wrote:
| It depends on how many laws with felony consequences each broke.
|
| If a robber hacks a computer (a felony), impersonates law enforcement (a felony), uses that to commit fraud (a felony), then transfers stolen money across state lines (a felony), then tries to launder it (a felony).....
|
| You can see how such things can stack up.
| paulpauper wrote:
| technically he did not take the money but rather ppl gave it to him under a false pretense. It is close enough but one can imagine a jury being harder on someone who stole vs exploited his victim's greed and gullibility.
| ehsankia wrote:
| In the US, scams are still "conspiracy to commit money laundering", which is what the kid was charged with. Also wire fraud.
| Jabbles wrote:
| Standard disclaimer for headline sentence lengths:
|
| https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...
| threatofrain wrote:
| > Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
|
| Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.
| TallGuyShort wrote:
| Not home security, but I'm of the opinion this should apply for businesses and public places in some case. For instance, I usually carry a gun on me. If I go into the court house or a concert venue I'm prohibited from doing that. IMO they have now assumed a level of liability to provide a reasonable level of effective security and they're negligent if they don't and I'm injured or killed because of a mass shooting anyway because they didn't enforce their own policies.
|
| Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.
| bcohen5055 wrote:
| Not a home but if you were a bank and a 17 year old walked into the bank, talked to someone and was able to walk out with a fat stack of cash i think the insurance company would have to reconsider your policy.
| user5994461 wrote:
| Absolutely any 17 year old can walk into a bank/shop and get out with cash. Preferably armed and not alone.
|
| The challenge is to get out and never be caught.
| pyuser583 wrote:
| He's being treated a lot better than the adult defendants.
|
| He's being charged in state court - specifically the state he resides in.
|
| The charges are being brought in San Francisco - which is thousands of miles from where the other suspects live.
|
| Relative to the other defendants, he's getting it easy.
|
| Yes, he's technically facing life in prison. But it's a prison near his home.
|
| He probably won't get life in prison, but at least he'll be able to get family visits, etc.
| dragonwriter wrote:
| > He's being charged in state court
|
| The release doesn't say that either that he _is_ being charged in state court or that he is _not_ being charged in federal court. First it says _why they won't tell you details of any federal charges_--"With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile"--then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities.)
| pyuser583 wrote:
| Sorry I was incorporating information from another HN linked article: https://www.wfla.com/news/hillsborough-county/tampa-teen-acc...
|
| It's much clearer as to what's happening at the state level.
|
| It's also clearer that, for now anyway, he's being held near his family.
| stefap2 wrote:
| A year or two and return the money. It's not like he tried to break into a nuclear plant. It is a messaging app, mostly nonsense.
| ChrisLomont wrote:
| ... with the ability to move trillion dollar markets and potentially start riots or wars.
| JKCalhoun wrote:
| I think the fact that "a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world" does pretty serious damage to their reputation -- that is in itself a repercussion.
| rwbhn wrote:
| Source for those charges? Article this currently points to says "The third defendant is a juvenile.
| With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile."
| ponker wrote:
| What does the 17yo have to do with it? Would it be different for an 18yo?
| trimbo wrote:
| In the United States, we generally consider minors who commit crimes to be a different class of criminal than people above 18. We do this because (AFAICT), there's a sort of societal agreement that wisdom/maturity is a logarithmic curve that begins to flatten in the late teens and 18 was picked as a legal threshold.
|
| So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.
| shadowgovt wrote:
| FWIW, don't imagine that there was anything as elegant as "logarithmic curve analysis" used to decide that the age of majority is 18.
|
| It's an age that was settled upon by common-sense consensus over a grand function of "Well, most Americans (descended from Europeans) thought it should be around 21," and that's probably because 21 is a nice, round number. Then the draft age got pushed to 18 because we needed more bodies for the meat-grinder in World War II, and the voting age followed around Vietnam when too many people asked "Wait, in what way is it just or fair we can force people to fight and die in a war who can't even vote?"
|
| There isn't a lot of hard science (beyond the most ancient human science of all: observation across millions of data-points loosely confederated into "common sense") underpinning the age of majority.
| dboreham wrote:
| As a society we generally make some allowance for a perpetrator's mental capacity.
| One aspect to that is we generally accept that teenage brains are not quite the same as adults.
| zenta wrote:
| Conversely, would it be different for a 16yo? What about 15yo? Or 12yo?
| wil421 wrote:
| I believe most states will charge a 17yo as an adult. Not sure what the feds would do.
| paulpauper wrote:
| i could see this possibly be challenged by courts, possibly up to the supreme court
| onetimemanytime wrote:
| >>* Hitting a 17yo with 30 felony charges feels a bit steep to me.*
|
| what charge should they leave out? Also he will not serve, say 15 years X 30 charges, if found guilty.
|
| Now they are dealing with him, what happens to Twitter, if anything, is a different story. 17 years old or 19...he knew what he did
| libraryatnight wrote:
| I felt a sting reading that too. He hit the idiot computer kid jackpot and did idiot computer kid things with it. Not saying no consequences, but damn.
| tedunangst wrote:
| Idiot kid things would be having Obama tweet "I think @Kelly2003 should go to the prom with Clark". If you're old enough to run a send back scam, you should know it's wrong.
| maerF0x0 wrote:
| One thing I think we ought to give credit to is that as Infosec becomes higher profile and more public, the sophistication of kids will rise with it.
|
| For example many of the techniques that are basically public info on youtube[1] nowadays was hidden in some "darkweb" forum not many years back.
|
| [1]: https://www.youtube.com/c/STOKfredrik/videos
| slg wrote:
| The age of the attacker is irrelevant to Twitter's role in this story. However your underlying point still stands. If we want these types of attacks to stop, we can't just let all these companies off with a public embarrassment being the primary punishment. At a certain point we have to start calling it negligence when companies fall for these attacks and fail to have proper precautions in place to prevent them.
| nickff wrote:
| From memory, I recall the FBI did a study, and found that half of their employees would plug in a USB drive that they found on the ground in the parking lot. After training, that number was reduced to a quarter. If a security-focused government police agency is so vulnerable, it is unreasonable to expect perfection from a (less paranoid) company.
| Swizec wrote:
| I remember an article a few years ago saying that large % of office employees would trade their password for chocolate.
|
| Ah yes here we go, large scale study, 43% of participants gave away their password when bribed with a chocolate bar. People just don't realize how valuable passwords are.
|
| https://www.sciencedaily.com/releases/2016/05/160512085123.h...
| davinic wrote:
| > If the chocolate was only given out afterwards, 29.8 per cent of participants revealed their passwords.
|
| Nearly 30% of people just gave out their password and didn't even know they were getting chocolate! They gave it away for literally nothing.
| qppo wrote:
| Isn't that how they got Stuxnet into the Iranian nuclear facilities?
| boogies wrote:
| Something like that (USB exploit of Windows zero days, breaching an airgap). (Edit: though not by leaving flash drives outside of the facilities, by infecting some with a virus that spread from Windows PC to Windows PC around the world.)
| slg wrote:
| Then you need processes in place to make sure a single person being careless can't do this much damage. There are low tech solutions that would greatly improve security[1], however the overhead this introduces is hard to justify in a world in which these breaches aren't that damaging to a company. We need to change incentives for companies by either mandating these security practices or implementing harmful repercussions for choosing a less secure approach.
|
| [1] - https://en.wikipedia.org/wiki/Two-man_rule
| nickff wrote:
| I agree that better security practices are advisable, but you're victim-blaming.
|
| Twitter wasn't 'asking for it', and neither were the individuals who lost bitcoins; the 'hackers' intentionally perpetrated deceptions, misrepresentations, and fraud against both Twitter and the general public. If you compare what these three did to a white-collar crime, the dollar amount was small, but the behavior was egregious.
| rschneid wrote:
| Twitter is a platform used widely by some of the most powerful people in the world and in the US government. As a result, there is plenty of justification and precedent for said gov't to regulate their security practices and procedures. To illustrate this point, I doubt you'd have any sympathy for Twitter if they had been sending their passwords over http.
|
| Now, I don't think the government is prepared to do this proactively and effectively, but the idea of a telco that advertises resilience to hacks (whether through social engineering or technical incompetence) sounds like it would be quite appealing to a growing segment of the connected world and whatever such promises that find success in the marketplace might be used to inform legislation or regulation, eventually...
| slg wrote:
| "Victim blaming" is not about removing any possible role a victim would have in their victimhood. It is about destigmatizing victimhood and not blaming victims for things that are out of their control or that any other reasonable person would do.
|
| Let's imagine a situation in which someone breaks into my house and steals my TV. I deserve a decent amount of blame if I left my front door wide open before it happened. I deserve much less blame, but still some blame if I left my front door unlocked. I don't deserve any blame if someone broke down my front door to do it.
|
| In this situation, Twitter left their front door unlocked.
|
| Furthermore, Twitter is not even the primary victim here. The biggest victims are the people whose accounts were stolen and the people who were tricked into losing their bitcoin.
| Veserv wrote:
| Except this is not expecting perfection, it is expecting a level of security that can prevent children, literal children, from walking right through it. Which would not even be a problem except for the fact that this is far, far less than what Twitter has led their average user and stockholder to believe. To illustrate my point, if Twitter told the truth in big bold print at the top of every page so every user knows: "Determined teenagers can take over your account at any time." do you think this might outrage their users or harm their stock price? Did Twitter at any point say anything that might indicate that this is the truth of the matter and that would not be easily misconstrued by users? The evidence indicates yes, they would be outraged, and no, they at no point ever said anything that would lead anybody to believe that this was possible and hilariously easy. So, it hardly matters that maybe they or anybody else (say the FBI) can not provide a high level of security, what matters is that they committed material fraud in egregiously misrepresenting their product security to their users and stockholders.
| ISL wrote:
| One underestimates the capability of determined teenagers at one's peril.
| davinic wrote:
| Exactly. At least one of these kids used their personal gmail account on the hacking forum. These are not advanced hackers.
| enraged_camel wrote:
| >>If a security-focused government police agency is so vulnerable
|
| I think calling FBI "security-focused" is a bit too generous. They are essentially glorified police detectives, with greater authority and jurisdiction.
| I don't believe the average FBI agent is particularly competent, in terms of technical (i.e. computer) skill or knowledge.
| nickff wrote:
| The FBI literally performs the background checks for security clearances. Like any other organization it has less security focused divisions, but insofar as any organization is security focused, the FBI is.
| LeifCarrotson wrote:
| I would be surprised if the average FBI agent was less likely to plug in an unknown USB drive than the average Twitter engineer.
| gav wrote:
| Security training improves security but it doesn't get close to stopping 100% of attacks.
|
| I know it's obvious, but it feels like it's only obvious to those that think about security. It's the same reason that putting your developers through a yearly OWASP Top 10 secure coding course isn't going to get you to 100% secure code.
|
| Locking down systems seems draconian, but it's the only way:
|
| - Disabling USB storage
| - Moving away from passwords to hardware authentication
| - Strong controls on internet access
| - Stop incoming calls from reaching most employees. Better: take away phones altogether
|
| And so on.
| manquer wrote:
| In a remote only or remote first working environment, many of these policies are not feasible, ultimately employees have to be able to work somewhat productively.
|
| Such clean room requirements could perhaps work when the threat model includes nation state actors or you are handling sensitive financial applications.
|
| Most companies are not defence contractors or banks; the security levels you propose won't be worth the cost to a typical internet tech company.
| raverbashing wrote:
| Yes. But at the same time, it's easy to get into "blame the victim" mode
|
| Having full blown security could mean nothing is done easily anymore
|
| Prosecuting is important
| sakisv wrote:
| Depends on how you define the victim.
|
| One could argue that the victims in this case are the people whose profiles had been hacked.
|
| As for having full blown security getting in the way of getting stuff done, try replacing "Twitter" with "Equifax", a company that handles arguably more sensitive data and should have the "full blown security" you mentioned.
|
| Did they suffer _any tangible_ consequences?
| nmarks122 wrote:
| Governments are touchy about propaganda channels, even (or especially?) when they are lower in quality than the Sun or the Daily Mirror.
| tptacek wrote:
| Does it really change much about the sentence he'll face? Felony charges usually group.
| [deleted]
| nordsieck wrote:
| > Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
|
| 200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.
| gregschlom wrote:
| That is not the point that the parent comment is making, though.
|
| It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
| shadowgovt wrote:
| We generally handle that liability free-market style, i.e. "Why the hell would I sign up for a Twitter account? Their security is so lousy some 17-year-old could be speaking as me."
| refurb wrote:
| I put a cheap lock on my door and someone breaks in and steals everything.
|
| Should I be held liable for my poor security practices?
| 7786655 wrote:
| If you were responsible for securing my stuff, and you put a cheap lock on your door protecting my stuff, and someone breaks in and steals all my stuff, then yes, you should be held liable for your poor security practices.
| baddox wrote:
| That was the other commenter's point: a 17 year old can hurt people with a car just as easily as a 40 year old. The age of the attacker has no relevance on how liable the recipient of the attack is for their security practices.
| nordsieck wrote:
| > It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
|
| That is exactly my point.
|
| There are tons of crimes that basically anyone can do. If you said instead: people whose houses are set on fire by an arsonist should be liable for poor security, at the very least you'd not be taken very seriously.
|
| There is a duty to not commit crime. There is no duty to avoid being the victim of a crime.
|
| On top of that, there is broad industry consensus that it is largely impossible to write bug free software - certainly at the scale of Twitter. To suggest that they have the duty to perform the impossible strikes me as deeply irresponsible if not simply malicious.
| etrabroline wrote:
| >There is no duty to avoid being the victim of a crime
|
| If you entrust a bank with 10 thousand dollars, and the bank puts your money in a paper bag and leaves it in the lobby, they are going to be held liable if someone walks away with it. Twitter letting teenagers steal people's data is approaching that level of negligence for a multi-billion dollar company.
| Google234 wrote:
| The only thing between the inside of a home and the outside is a thin layer of glass. Should we hold home owners responsible for people breaking in and stealing? Lots of things are fragile, we have laws to act as a deterrent to violations
| kodt wrote:
| Is a 17 year old hacking them really proof of worse security than say a 30 year old?
| Nasrudith wrote:
| Well the age implicitly assumes potential levels of education and sophistication.
| Few would be surprised to hear a 30 year old engineer designed a novel world class chip - they could easily have a PhD at that point to have the sophistication capable. For a 17 year old that would be pretty damn extraordinary. Now hacking is less than that even to laymen who don't know how simple some holes are but 17 implies a lack of great sophistication.
|
| The whole thing is an ageist rough proxy anyway - a developmentally disabled 30 year old hacking it would be more shameful than a 17 year old college graduate.
| [deleted]
| user5994461 wrote:
| The same point stands with the car, any 17 year old could borrow their parents' car and drive into a crowd. It's not the fault of the car owner for not securing their car.
|
| Security is not preventing people from doing things, it's having some limitations so it's not too easily too quickly (cars are protected by keys, accounts by passwords). Anybody motivated can and will bypass security easily.
| mehrdadn wrote:
| > It's not the fault of the car owner for not securing their car.
|
| Securing their car against... their children? Or distributing the car's keys to 2,000 people?
| [deleted]
| sheeshkebab wrote:
| Twitter is a meme service with a bunch of self absorbed individuals talking over each other... just FYI in case you lived under the rock for last 10 years.
| hw8kw13 wrote:
| Well, maybe it was until a certain individual started using it to conduct matters of foreign and domestic policy.
| Nasrudith wrote:
| I think that is just further proof.
| kolbe wrote:
| I agree this bothers me to my core. Even the 22 year old hasn't developed a fully functional neocortex. I know it seems a little hypocritical of me for getting sad when this happens to a young programmer and not an inner city gang member, but it does.
|
| To pull off a hack like this is indicative of these kids being intelligent, risky and bold.
| Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.
| camjohnson26 wrote:
| That attitude is exactly the problem though. These kids getting hit with a 30 year sentence bothers those of us who relate, when the same thing happens to young black inner city kids every day. Plenty of them are just as intelligent, risky, and bold as these kids but we throw them in prison for the best parts of their life without a second thought.
| newacct583 wrote:
| > To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't
|
| They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.
|
| You want those people LEADING us "into the future of science"?
| shadowgovt wrote:
| > they tried to fool the world into sending them money
|
| Their mistake was they failed to call it a "series A funding round."
| ibejoeb wrote:
| Nothing in the complaint (well, for the two others, since his is sealed) says that a state-level actor wasn't involved. Could be the tip of the iceberg. I find it hard to believe that this was prank hacking for about $150,000. You could sell Obama's handle for more, surely.
| shadowgovt wrote:
| Personally, I find "it was a prank" extremely easy to believe. It's the simplest answer to the question "Wait, if someone compromised Twitter so badly they could tweet anything from any account, why didn't they try to move the whole stock market or start World War III?"
|
| "Because they're young punks and didn't think of that" is a reasonable answer.
| Nasrudith wrote:
| Prank hacking would fit with the monetization when combined with statements of "who would be dumb enough" that underestimates stupidity like the whole charge your iPhone in the microwave or Soupy Sales' "send in all of the green paper in your parents wallets" not thinking people would actually do it. Plenty of precedent but easy to see why they would feel no responsibility for anyone mindbogglingly stupid enough to do so.
| paulpauper wrote:
| yeah cuz a trillion dollar state entity is so strapped for cash it needs to steal 150k of bitcoin too, drawing attention to the scheme.
| brokencode wrote:
| Do you know anybody willing to pay over $150,000 for temporary access to Obama's twitter account? I find this type of comment kind of naive and poorly thought out.
|
| Just because you're a hacker doesn't mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.
|
| To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.
| rootsudo wrote:
| Cue the entire movie "Burn after reading."
|
| Kid had the whole attention of the world for a few minutes, could've walked away a billionaire, start WW3, casino royale stock trading - everything, anything - CREATIVELY there's so much that could've been done and it all fell down to a bitcoin scam that netted less than 150K (wallet shows about 128k.)
|
| That's a yearly salary of a help desk engineer on the west coast.
|
| --I'm not sure which video to link of "Burn after reading" but the entire movie is how this was handled.
| Kaveren wrote:
| you cannot start world war 3 or become a billionaire through some tweets, this is not a movie.
| robbiep wrote:
| I feel like it would have been relatively trivial to make decent 7-9 figures depending on your initial leverage just by manipulating some key accounts. Ie: short Tesla, Musk's account says solar roof delays, firmware error has started bricking cars, self driving is 10 years away, delivery numbers going to fall well short
|
| Trump (surprised they didn't hit that) - no new stimulus for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple small cap companies that are going to receive massive boosts like the Kodak thing.
|
| Tim Cook: Apple sales flagging, iPhone production issues due to supply chain issues
|
| Take a bit of timing to get it right and be able to walk away from the markets relatively untraced (market trade interrogation is a useful way to trace inside information so hard to do in a way that leaves no trace but if you know you can perform your hack at leisure you can set up the initial trades well forward, wait for the market and some other external condition to walk into your ambush and then pounce)
| Nasrudith wrote:
| Adding repercussions to the targets would be a mistake in my opinion - that would be very anti-transparency as they would be encouraged to be willfully blind to cover their own asses. "Look it is clearly just the fault that these dumbass rich people didn't secure their passwords properly. Password reset logs? Why on earth would we keep those?"
|
| Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure.
| It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.
| SahAssar wrote:
| Having bad security is not criminal. If it was we wouldn't have a voting village at defcon cracked by pre-teens and there would be a lot more irresponsible CEOs in prison (so probably a better world).
| shadowgovt wrote:
| Usually, the counterweight to bad security is the extremely-practical "Pests, assholes, or criminals ownz you."
|
| Which works on average.
| SahAssar wrote:
| I disagree. For every Mossack Fonseca, Mernis, Equifax, Twitter, LinkedIn, Ashley Madison we get public hacks from I think we have many more that see it as "the cost of doing business" and keep bad practices around.
|
| In many types of businesses the cost of a security breach is "priced in" or not considered at all and they are gambling on it happening to their competitors (or not at all) instead of to them.
| shadowgovt wrote:
| I think we are in agreement on mechanism. I meant "works on average" in the sense of "Keeps fraud and breaches to a level consumers are comfortable with." Nobody imagines breaches can be driven to zero; we seem to be comfortable as a society with the overall rate and severity of breaches (demonstrably, since people keep signing up for these rando online services willy-nilly with nary a care to who holds their data).
| pps43 wrote:
| Is bad security ok for, say, a bank or a nuclear power plant?
| SahAssar wrote:
| No, and that's why we (basically all nations that have banks or nuclear power plants) have specific laws governing them.
|
| Look, if you want to pass a law saying all internet business having X personal data needs to prove Y security, then I'd probably be for it (depending on X and Y). We already have PCI-DSS and similar today for payment providers.
| I'm just saying that there is nothing like that today, and if there was we'd have a lot more irresponsible people in prison.
| pps43 wrote:
| In "2020 Commission Report" by Jeffrey Lewis, North Korea nukes the US because of one tweet. This looks very plausible to me.
| SahAssar wrote:
| Are you arguing against something I've said? Because if so I don't understand what or how.
| pps43 wrote:
| I'm arguing that Twitter is now critical infrastructure, like banking or power grid, and needs to take security seriously. If they don't do it themselves, they'll get regulation like HIPAA.
| paulpauper wrote:
| agree. twitter is under no obligation to provide secret service level security on its platform because some high profile people use it. If the government deems such security measures so important, they should pay twitter to implement them.
| snarf21 wrote:
| Since the President makes all his official statements via Twitter, one could argue this is a matter of national security.
|
| Also, Twitter is just a collection of people and a single person is trivial to exploit.
| tedunangst wrote:
| Previous settlement regarding twitter security: https://www.ftc.gov/news-events/press-releases/2011/03/ftc-a...
| indigochill wrote:
| I have an unrealistic idea (more of a thought experiment) that companies should face equal culpability to criminal hackers in attacks. After all, technically the way the hackers use systems /is/ authorized in a sense, even if the method of obtaining authorization is unconventional. Maybe this would get companies to pay more attention to securing their systems.
|
| From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).
|
| And yes, the charge count is insane but the US loves holding a bit of life-ruining theater when they catch hackers threatening commercial interests. e.g. Aaron Swartz's conviction: https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...
| paulpauper wrote:
| accomplice means they knowingly aided in the fraud or profited from it. Being caught off guard is not a crime. The culpability is the reputation damage from being hacked.
| tantalor wrote:
| >Being caught off guard is not a crime
|
| It can be. Twitter could be found criminally negligent if they knew the risk of this type of attack (or it was obvious) but chose to ignore it.
| SparkyMcUnicorn wrote:
| I'm not sure I would call this "authorized in a sense" since social engineering, in order to gain access to an internal tool, was the method.
|
| Social engineering most often involves impersonation, so the person getting access was not really the intended party.
| ChrisLomont wrote:
| Should we make homeowners equally criminally liable when burglars break in? Certainly if the homeowner had been less lax or obtained more security, that burglary could have been prevented.
| tantalor wrote:
| Bad analogy: the only victim of a home invasion is the home owner.
|
| In the Twitter case, the victims were the users.
| sneak wrote:
| Breaking and entering requires breaking.
|
| Sending packets is peaceful speech.
| nickff wrote:
| Sending these particular packets was more akin to fraud. Should fraud be legalized?
| [deleted]
| vsareto wrote:
| > Hitting a 17yo with 30 felony charges feels a bit steep to me.
|
| Someone's gonna talk if they haven't already?
| aerovistae wrote:
| It's sad to me how the authorities are bragging about how quickly they caught them and how effective they are at solving this type of crime.
|
| The truth is, the vast majority of these crimes go unpursued.
| They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.
|
| I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.
|
| So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.
| apengwin wrote:
| I don't think they're bragging. They're trying to dissuade the next attacker.
| bmitc wrote:
| It's also just another case where those not in power who attacked those in power are swiftly and promptly dealt with versus those in power perpetuating the same attacks go free. I would rather see them gloat over putting people with real power and influence with their attacks in jail versus bragging about locking up teenagers and people in their early twenties.
|
| There's a quote in the article, "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence", which just reiterates this perception of the justice system being "hard" on crime. Yet it conveniently ignores being soft on crime if you're rich or in power.
| dig1 wrote:
| "Someone has to go to prison, Ben" - quoting Harvey Keitel from National Treasure movie (1:50) [1]
|
| [1] https://www.youtube.com/watch?v=co4EsnwAM1Q
| cryptoz wrote:
| For all its flaws, I love that movie.
|
| Based (loosely) on the Beale ciphers, a real-life combination of cryptography, myth, and scams (probably)
|
| https://en.wikipedia.org/wiki/Beale_ciphers
| VonBlue wrote:
| Hold on...
| how could they have de-anonymized the blockchain transactions? That seems.. false
| Aaronstotle wrote:
| Bitcoin is a public blockchain, there are various blockchain analytic firms such as Elliptic/Chainalysis that offer bitcoin tracing services.
|
| Bitcoin is not private nor anonymous, the rise of blockchain surveillance is why privacy coins like Monero are gaining in popularity.
|
| That being said, I'm sure it wasn't solely BTC transactions, these guys seemed to have very poor op-sec for performing such a big hack.
| ChrisLomont wrote:
| It's routinely done by researchers.
|
| Here's a lot of papers on it.
|
| https://scholar.google.com/scholar?hl=en&as_sdt=0,15&q=bitco...
| tomc1985 wrote:
| Why not? People link their wallets to other wallets and financial services with reporting requirements all the time. Bitcoin isn't anonymous
| cyral wrote:
| https://www.justice.gov/usao-ndca/press-release/file/1300126...
|
| It's detailed here, very interesting read
| Rebelgecko wrote:
| All transactions are public on the Bitcoin blockchain. I haven't followed the wallets, but it's possible that they tried to cash out on an exchange and got caught. Or they were initially found via other means and a search of their computers found the corresponding wallet.dat files.
| banana_giraffe wrote:
| Yeah, they used Coinbase, and Coinbase is of course willing to respond to warrants.
| techntoke wrote:
| Which would likely be encrypted
| amrrs wrote:
| > Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers.
|
| Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of Bitcoins transaction?
|
| > "Today's announcement proves that cybercriminals can no longer hide behind perceived global anonymity," said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office.
|
| This reads like an Ad copy of a company that's against _perceived_ anonymity.
| dragonwriter wrote:
| > Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of Bitcoins transaction?
|
| Since Bitcoin is not anonymous but pseudonymous, it can be as simple as finding one or more transactions that link a wallet to a real identity (such as one tied to purchase of physical goods with an identified recipient and shipping information) and from there tying every other transaction from that wallet to the same identity. I would guess in practice it often involves more steps of connection.
|
| > This reads like an Ad copy of a company that's against perceived anonymity.
|
| The DoJ isn't a company, but it is very much against perceived lack of accountability, which is one of the reasons people choose systems that offer perceived anonymity.
| dumbfoundded wrote:
| Bitcoin is anonymous until you tie it to something that requires a real identity. For most people, it's probably tied to an exchange that has their real identity, credit card info, and maybe bank account info.
|
| What they should've done is generate a new wallet with no previous transactions and just used that to buy things.
| dhosek wrote:
| But wouldn't the purchase transactions be able to be connected to the perpetrators?
| rodiger wrote:
| Dump it through some mixers and it becomes a lot harder to tell who is who.
| dumbfoundded wrote:
| It depends on what you buy. The best thing to buy would be a currency like Monero where you're actually anonymous.
| arminiusreturns wrote:
| This is what bugs me the most about the bitcoin pushers (like Max Keiser)... they completely ignore the fact that _bitcoin is not anonymous_, and why even though I was in on bitcoin in the earliest days, I abandoned it. My conclusion was that the government loves btc because it's so easily traceable. Another reason is that, like tor, it is vulnerable to 50% attacks.
| If the central banks wanted to take over btc they could, and I posit they may have already positioned themselves as such. (that's my almost a bitcoin millionaire story...)
|
| The closest to an anonymous coin afaik is monero or zcash, but in general I think wasting electricity and cpu cycles on arbitrary math is a bad path to go down. If we could tie a coin to some productive math like protein folding or seti, etc, that still has the same attributes as cash (which btc does not) then we might have a true potential dollar replacement digital coin, but I digress.
| tibbar wrote:
| Bitcoin transactions take place between addresses, which are hashes of public keys. It's actually better to call bitcoin "pseudonymous", since the addresses are pseudonyms that may or may not be tied to an irl identity.
|
| So if you, a hacker, tell someone to submit Bitcoin to an address, that address is only really "anonymous" until you use your private keys to reroute the money to other addresses. As soon as the graph of transactions touches some known node (perhaps at the edges of the Bitcoin network that interact with the monetary system), you can trace back to figure out who might have controlled the original address.
|
| It's very silly to try to cash in on ill-gotten bitcoin...
| catacombs wrote:
| > It's very silly to try to cash in on ill-gotten bitcoin...
|
| What's the alternative? Sit on the coins or use them for purchases?
| rocqua wrote:
| Launder them.
|
| Possibilities are endless. Coolest thing I heard was use the bitcoin to rent bitcoin miners. Then spend the resultant cleanly mined coins.
| sna1l wrote:
| From the Verge[1] article it seems like there was someone else providing access to the accounts? So was it social engineering or not?
|
| > Intriguingly, Sheppard and Fazeli may just be middlemen for the scam -- "an unknown individual" with the handle "Kirk#5270" is believed to be the one who got access to Twitter's internal systems. It's not clear if the Tampa teen is Kirk#5270, though it sounds like that's possible. The Sheppard complaint is dated July 22nd, and the Tampa teen wasn't arrested until today. Originally, "Kirk" claimed to be a Twitter employee, according to a Discord chat log:
|
| [1]: https://www.theverge.com/2020/7/31/21349920/twitter-hack-arr...
| ehsankia wrote:
| Damn, did these kids really get MafiaBoy'd?
| MiroF wrote:
| What I heard was that one of the hackers managed to get access to Twitter's internal Slack, and that hacker was the one posing as having a Twitter employee friend. Don't know if that's true though.
| junar wrote:
| It seems like "Kirk" is believed to be some other individual. From the complaint against Sheppard:
|
| > On July 21, 2020, federal agents executed a search warrant authorized by U.S. Magistrate Judge Alex G. Tse at a residence in the Northern District of California. Among the occupants of the home was a juvenile ("Juvenile 1"). "Juvenile 1" was believed to be a Discord user identified in chats as an individual who assisted "Kirk#5270" and "Chaewon" in selling access to Twitter accounts. Upon execution of the search warrant, "Juvenile 1" agreed to be interviewed. "Juvenile 1" admitted to law enforcement agents that he/she was the Discord user who was identified in chats as assisting "Kirk#5270" and that he/she participated in the sale of illegal Twitter access. "Juvenile 1" admitted that he/she worked with "Chaewon" to sell Twitter account access. According to "Juvenile 1," his/her knowledge of "Chaewon" was that "Chaewon" lived in the United Kingdom and "Juvenile 1" knew "Chaewon" by the name "Mason."
| According to "Juvenile 1," he/she and "Chaewon" had discussed turning themselves in to law enforcement after the Twitter hack became publicly known.
|
| https://www.justice.gov/usao-ndca/press-release/file/1300126...
| stevievee wrote:
| The announcement video is quite intense and feels odd for some reason. Maybe it's the aspect ratio or cold intro - not sure. https://youtu.be/z80K3-q3Kqg
| mkoryak wrote:
| They could have trimmed the first few seconds of that video.
|
| I would also like to see a loop of the first 4.5 seconds.
| ehsankia wrote:
| Not sure anyone else watches this show, but this video gives me strong Homecoming[0] vibes.
|
| [0] https://en.wikipedia.org/wiki/Homecoming_(TV_series)
| Kaveren wrote:
| i was assured by the cybersecurity experts of hacker news that REALLY this was all a mastermind ploy to steal and sell twitter DMs. who would they sell them to? doesn't matter! what information of actual value is sent through twitter DMs? doesn't matter! we did it, hacker news.
___________________________________________________________________
(page generated 2020-07-31 23:00 UTC)
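
The tracing that tibbar and dragonwriter describe in the thread above (follow a pseudonymous address through the public transaction graph until it touches an address tied to a real identity), as an added Python example that is not part of the original thread or of any investigator's tooling. The ledger, the addresses and the exchange tags are constructed, and the co-spend clustering step is a widely used heuristic that goes beyond what the comments describe.

```python
from collections import defaultdict, deque

# Constructed sample ledger: each transaction spends from input addresses
# to output addresses. Every address and tag here is made up.
TXS = [
    {"txid": "t1", "inputs": ["victim_a"], "outputs": ["scam_addr"]},
    {"txid": "t2", "inputs": ["victim_b"], "outputs": ["scam_addr"]},
    {"txid": "t3", "inputs": ["scam_addr"], "outputs": ["hop_1", "hop_2"]},
    {"txid": "t4", "inputs": ["hop_1", "old_wallet"], "outputs": ["hop_3"]},
    {"txid": "t5", "inputs": ["hop_3"], "outputs": ["exch_deposit_77"]},
    {"txid": "t6", "inputs": ["hop_2"], "outputs": ["cold_1"]},
    {"txid": "t7", "inputs": ["unrelated"], "outputs": ["exch_deposit_12"]},
]

# Addresses an analyst already attributes to a service that holds customer
# identity records (the "known node" in tibbar's comment). Constructed.
TAGS = {
    "exch_deposit_77": "ExampleExchange deposit, account 77",
    "exch_deposit_12": "ExampleExchange deposit, account 12",
}


def build_spend_graph(txs):
    """Map each input address to the (txid, output address) pairs it funded."""
    graph = defaultdict(list)
    for tx in txs:
        for src in tx["inputs"]:
            for dst in tx["outputs"]:
                graph[src].append((tx["txid"], dst))
    return graph


def trace_forward(txs, start, tags):
    """Breadth-first walk of spends from `start`.

    Returns a list of (address_path, tag) for every tagged address that the
    funds can reach, using the shortest path found to each.
    """
    graph = build_spend_graph(txs)
    parent = {start: None}
    queue = deque([start])
    hits = []
    while queue:
        addr = queue.popleft()
        if addr in tags and addr != start:
            path, node = [], addr
            while node is not None:
                path.append(node)
                node = parent[node]
            hits.append((path[::-1], tags[addr]))
            continue  # stop at the service: its outgoing flows belong to others
        for _txid, dst in graph.get(addr, []):
            if dst not in parent:
                parent[dst] = addr
                queue.append(dst)
    return hits


def cospend_clusters(txs):
    """Group addresses that appear together as inputs of one transaction.

    Spending several inputs in one transaction needs a signature for each,
    so analysts commonly assume one controller (a heuristic, not a proof).
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        root = find(tx["inputs"][0])
        for other in tx["inputs"][1:]:
            parent[find(other)] = root
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for path, tag in trace_forward(TXS, "scam_addr", TAGS):
        print(" -> ".join(path), "|", tag)
    print("co-spend clusters:", cospend_clusters(TXS))
```

The trace ends at the exchange deposit because attribution from there depends on the exchange's own records, which is the legal-process step the thread mentions; the cluster result shows how an older wallet that co-signs with a hop address gets pulled into the same picture.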