[HN Gopher] Three Individuals Charged for Alleged Roles in Twitt...
        
       Three Individuals Charged for Alleged Roles in Twitter Hack
        
       Author : catacombs
       Score  : 175 points
       Date   : 2020-07-31 19:38 UTC (3 hours ago)
        
 (HTM) web link (www.justice.gov)
        
       | alexander1100 wrote:
       | I personally lost $6000 dollars, is there any way I could prove
       | that I was a victim and get my crypto back?
        
         | mrtksn wrote:
         | Can you please tell us how did you fall to this scam? I find it
         | fascinating when something seems obvious to me but not to
         | someone else and vice versa.
        
         | daseiner1 wrote:
         | I don't mean to be rude, but I have to ask - what were you
         | thinking?
        
           | dtech wrote:
            | Assuming it's not a troll, $ signs in the eyes.
        
         | creato wrote:
         | You sent $6k in bitcoin to Elon Musk because you thought he'd
         | give you $12k back?
         | 
         | Assuming this isn't a joke, consider that $6k a lesson to not
         | be such a gullible mark.
        
           | [deleted]
        
         | SahAssar wrote:
         | If you want legal recourse and refunds why would you use a
         | currency that explicitly does not allow for those?
         | 
         | Seriously, if you want the protections of the legal system,
         | then use currency controlled by the legal system.
        
           | shuntress wrote:
            | Bitcoin is actually explicitly designed to _enable_ recourse
            | and refunds. Every single transaction is permanently and
            | immutably tied to a verifiable identity.
           | 
            | Through common practice, these identities are treated as
            | disposable and therefore generally ignored. But stating that
           | the currency is explicitly designed to disallow
           | accountability is not an accurate representation of reality.
           | 
           | --
           | 
           | Edit to add a practical example for clarification because
           | this is being downvoted.
           | 
           | If the FBI conducts an effective warranted search + seizure
           | of a mob safehouse, seizes a large safe, opens it up, and
           | finds either:
           | 
           | A) Gold bricks
           | 
           | or
           | 
           | B) Bitcoin wallet private keys
           | 
           | In case (A), they can _maybe_ correlate records, reports,
           | statements, and other evidence to possibly determine the
           | rightful owner of the gold or goods laundered for gold.
           | 
           | In case (B), they can check the BTC ledger against fraud
           | reports that contain bitcoin wallet public keys, then publish
           | a public statement asking people to prove they own any
            | matching public keys -- because bitcoin, by its fundamental
           | nature, is more accountable in a way that enables recourse
           | and refunds.
        
             | SahAssar wrote:
             | Transactions are not reversible by legal authority in
             | bitcoin, only by the receiving party willingly doing the
             | transaction in reverse.
             | 
             | What you are talking about is establishing reputability,
             | not about refund-ability or the ability of authorities to
             | reverse illicit transactions. You can see that as a feature
             | of bitcoin or not, but if you want protections from a
             | system you need to act within that system.
        
               | shuntress wrote:
               | This is like saying that gold coins are explicitly
               | designed not to allow recourse and refunds and that
               | transactions in gold are not reversible by any legal
               | authority.
               | 
               | In both BTC and solid gold, reversibility is _not_ a
               | property of the currency. It is a part of the system
               | which uses that currency.
               | 
               | However, with Bitcoin (unlike with gold) the currency is
               | _explicitly designed_ with verifiable identity being
               | fundamental to every transaction.
               | 
               | With Bitcoin, an individual can _prove_ that they
               | participated in a transaction that was later determined
               | to be fraudulent. This is a fact of the currency. It is
               | explicitly built in to Bitcoin at a foundational level.
               | 
               | Whether existing systems use that specific aspect of the
               | currency to do anything meaningful is a separate matter.
               | 
               | But the fact is that bitcoin itself has _more_
               | accountability than other currencies. Not less.
        
               | SahAssar wrote:
               | What I said was "not reversible by legal authority".
                | That's true for both gold coins and bitcoin if the legal
                | authority doesn't have them to give.
               | 
               | I'm not saying bitcoin is less accountable and giving
                | $6000 in gold coins to a stranger promising to double
               | them would only be slightly more responsible since then
               | you'd at least know a physical jurisdiction.
               | 
               | What I'm saying is that when bitcoin X leaves wallet Y to
               | wallet Z the only way to get back X into Y is for the
               | holder of Z to willingly give it, while "normal" digital
               | transactions can be reversed by the transactor or by law.
               | So if you want a transaction to be reversible by law you
               | probably don't want it in bitcoin. Please let me know if
               | I'm wrong.
        
               | shuntress wrote:
               | You are not _wrong_ but you are glossing over the fact
                | that by "digital transactions" you seem to actually mean
               | "transactions brokered by a third party".
               | 
               | USD also works the way you describe. I may write someone
               | a check based on a fraudulent premise then later demand
               | my money back. If they have already cashed that check and
               | run then the money is gone from their account and there
               | is no way to reverse the transaction. The bank may charge
               | them, cancel their account, pay me back anyway, etc.
               | These are all actions taken by the third party broker.
               | 
               | With USD the accountability of my_account -> check ->
               | fraudsters_account -> cash is all part of the third
               | party's (the bank's) system.
               | 
               | With BTC, this chain of accountability (my_wallet ->
               | transaction -> fraudsters_wallet) is part of the currency
               | itself.
               | 
               | If the fraudster is later caught and their fraudulent
               | gains seized, with BTC I can _prove_ which of those
               | fraudulent gains came from my wallet and be reimbursed
               | with potentially little technical fuss.
               | 
               | My point is that _your_ point may be true of the systems
               | built to handle transactions made with bitcoin but is not
               | true of bitcoin itself.
        
               | SahAssar wrote:
               | Agreed, but the financial system we have is set up to
               | handle one of those scenarios and not the other. Bitcoin
               | could be as good or better at this use-case, but for now
               | that is not the case.
        
               | alexander1100 wrote:
               | I am saying I know I made a mistake and if they truly
               | caught those who are responsible, then I don't see why
               | they won't be able to get access to the stolen funds. My
               | eth is in that collection of stolen funds. I'd rather
               | prove it's mine and have the government return it to me
               | vs them auctioning it off.
        
               | SahAssar wrote:
               | I understand what you are saying, and I'm sorry you are
               | in this situation. But I can also see that because you
               | acted outside of the reach of the legal system then there
               | is less chance of it being able to help you.
               | 
               | Sorry if I'm being heartless here but I'd also argue that
               | the funds were not stolen, they were given in a system
               | that provides almost no legal recourse.
        
               | wmf wrote:
               | Cryptocurrency is not outside of the reach of the legal
               | system.
               | 
               | "the United States District Court for the Eastern
               | District of Texas ... ordered Trendon Shavers to pay more
               | than $40 million in disgorgement and prejudgment
               | interest, and a civil penalty of $150,000 related to
               | [Bitcoin scam] BCS&T." https://www.justice.gov/usao-
               | sdny/pr/texas-man-sentenced-ope...
        
               | SahAssar wrote:
               | Right, when the person is identifiable and within that
               | jurisdiction. I'm saying that if I pay X bitcoin to
                | someone on the internet for a service I have less chance
               | of recourse within the law if I don't get that service
               | (in this case a back payment of x*2). If it was a normal
               | digital/creditcard/whatever transaction it'd be easier to
               | reverse and deal with.
        
         | null0pointer wrote:
         | I think it's unlikely you will get any recourse here. However
         | what you can do is the following.
         | 
         | 1) Find one of the input addresses for the transaction(s) you
         | sent to the scammers
         | 
         | 2) Use that address to sign a message like "alexander1100 owns
         | this address" (but use your legal name) to prove ownership of
         | the address.
         | 
         | 3) Attempt to follow up with the FBI about recovering your lost
         | funds. This is the step that you will have the most trouble
         | with.
         | 
         | Good luck.
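Step 2 of the procedure above in working form. This is an added example, not code from the thread: a pure-Python secp256k1 implementation of the "Bitcoin Signed Message" format that Bitcoin Core's signmessage/verifymessage use, i.e. the signature a victim would hand to investigators to prove control of a sending address. It assumes a constructed demo private key, and it compares the recovered key to the signer's compressed public key instead of hashing it to the address, because RIPEMD-160 is not reliably available in Python's hashlib.

```python
import base64, hashlib, hmac

# secp256k1 parameters: field prime, group order, generator.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo key for this example only; never use a published key for real funds.
DEMO_PRIV = 0x1111111111111111111111111111111111111111111111111111111111111111

def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity.
    Plain big-int arithmetic: readable, but not constant-time."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, pt)
        pt, k = _add(pt, pt), k >> 1
    return result

def _sec(pt):
    """SEC1 compressed encoding (hex) of a public key point."""
    return ("03" if pt[1] & 1 else "02") + pt[0].to_bytes(32, "big").hex()

def message_hash(msg: bytes) -> int:
    """Digest that signmessage/verifymessage actually sign: double SHA-256 of the
    fixed prefix, the compact-size length byte and the message (short messages only)."""
    assert len(msg) < 0xFD, "longer messages need the multi-byte compact-size length"
    data = b"\x18Bitcoin Signed Message:\n" + bytes([len(msg)]) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def pubkey_hex(priv: int) -> str:
    """The compressed public key the signer publishes alongside the signature."""
    return _sec(_mul(priv, G))

def sign_message(priv: int, msg: bytes) -> str:
    """65-byte base64 "compact" signature: header byte, r, s. The nonce is derived
    deterministically from key and digest (a simplified scheme, not RFC 6979)."""
    e = message_hash(msg)
    counter, r, s = 0, 0, 0
    while not (r and s):
        seed = e.to_bytes(32, "big") + bytes([counter])
        k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), seed, "sha256").digest(), "big") % N
        counter += 1
        if k == 0:
            continue
        R = _mul(k, G)
        r = R[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
    rec = (R[1] & 1) | (2 if R[0] >= N else 0)  # tells the verifier which candidate R to rebuild
    if s > N // 2:                               # low-s normalisation, as Bitcoin Core does
        s, rec = N - s, rec ^ 1                  # negating s flips the parity of R's y
    header = 27 + rec + 4                        # +4 flags a compressed public key
    return base64.b64encode(bytes([header]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")).decode()

def recover_pubkey(sig_b64: str, msg: bytes) -> str:
    """Rebuild the signer's compressed public key from signature and message:
    Q = r^-1 * (s*R - e*G). Raises ValueError on a malformed signature."""
    sig = base64.b64decode(sig_b64)
    if len(sig) != 65 or not 27 <= sig[0] <= 34:
        raise ValueError("not a compact Bitcoin message signature")
    rec = (sig[0] - 27) & 3
    r, s = int.from_bytes(sig[1:33], "big"), int.from_bytes(sig[33:65], "big")
    if not (1 <= r < N and 1 <= s < N):
        raise ValueError("r or s out of range")
    x = r + (N if rec & 2 else 0)
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)        # modular sqrt, valid because P % 4 == 3
    if x >= P or (y * y - x**3 - 7) % P:
        raise ValueError("r is not the x-coordinate of a curve point")
    if (y & 1) != (rec & 1):
        y = P - y
    e, r_inv = message_hash(msg), pow(r, -1, N)
    Q = _add(_mul(s * r_inv % N, (x, y)), _mul((-e * r_inv) % N, G))
    if Q is None:
        raise ValueError("recovered the point at infinity")
    return _sec(Q)

def verify_message(pubkey: str, sig_b64: str, msg: bytes) -> bool:
    """True only if the signature over exactly this message recovers to pubkey."""
    try:
        return recover_pubkey(sig_b64, msg) == pubkey
    except ValueError:
        return False
```

A real verifier would hash the recovered key (SHA-256 then RIPEMD-160, Base58Check) and compare with the address itself; the recovery math is the same.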
        
         | advisedwang wrote:
         | You can probably find the blockchain transaction of you paying
          | them. So long as you can prove you own the sender, that's your
          | proof right there.
        
         | Jasper_ wrote:
         | I thought Bitcoin's biggest feature was No Chargebacks
        
         | cordite wrote:
         | Good luck.
         | 
         | This is how bitcoin works. You send value to somewhere else of
         | your will. There is no outside party here.
        
           | shadowgovt wrote:
           | Practically speaking, at this point the government is
           | probably in possession of the private keys and could
           | authorize reverse transactions to restore the stolen crypto.
           | 
           | The larger question is a question of policy and law... Does
           | the government even consider entries in a blockchain ledger
           | to be "returnable stolen property?"
        
             | wmf wrote:
             | Yes, crypto scammers have been forced to give money back
             | before.
        
         | boring_twenties wrote:
         | > is there any way I could prove that I was a victim
         | 
         | Sure, you just need to find the transaction hash, and prove
         | that you own the sending address.
         | 
         | > and get my crypto back?
         | 
         | Now that the government has control of the wallets, my guess
         | would be probably, eventually.
        
         | neatze wrote:
         | this must be a joke.
        
         | superhuzza wrote:
         | Wow, if true your "contribution" was around 5% of the total
         | amount scammed.
        
         | paulpauper wrote:
          | assuming not a troll, there is a possibility the money will be
          | seized and returned to victims. I assume if the stolen coins
          | are on Coinbase, they have been frozen.
        
       | [deleted]
        
       | alexander1100 wrote:
       | Is there any way I could prove that I was a victim of this crime?
        
         | shadowgovt wrote:
         | I'd start your legwork here with a phone call to your nearest
         | FBI field office. Make sure you have the paper trail showing
         | from your end you sent crypto to the perpetrators, and ask what
         | the next step would be for claiming your defrauded property. It
         | may also be worth consulting with a lawyer to see what your
         | legal recourse might be here.
         | 
         | Fair warning: there may be no next step. I have no idea if the
         | US government even considers cryptocurrency "property" in any
         | legally-meaningful sense.
        
         | paulpauper wrote:
         | if you have the private key, sign the wallet. if you used an
         | exchange, there are probably records
        
       | varenc wrote:
       | > "Washington DC Field Office Cyber Crimes Unit analyzed the
       | blockchain and de-anonymized bitcoin transactions allowing for
       | the identification of two different hackers"
        
         | zionic wrote:
         | Should have used Monero lol
        
         | Shared404 wrote:
         | Got to love government knowledge of tech.
         | 
         | This is the set of people that legislators listen to. I think
         | we may be screwed.
        
           | shadowgovt wrote:
           | I'm not sure what your criticism of the quote means here. The
           | biggest weakness of BTC for criminal enterprise is the fact
           | that every transaction must be logged to a global public
           | ledger. The hard part is aligning the public keys with
           | private keys, but if you have enough additional information
           | (such as, say, the private keys' owners sitting in a prison
           | cell and the private keys themselves flayed out of their
           | unencrypted hard drives), it's trivial to prove the money
           | flowed from one user to another.
           | 
           | The quote seems accurate.
        
             | Shared404 wrote:
             | I know the quote was accurate. I thought it was common
             | knowledge that bitcoin is not anonymous, therefore making
             | "de-anonymized the bitcoin transactions" a bit of an
             | overstatement.
        
               | shadowgovt wrote:
               | Ah, now I follow. I assume they intended "de-anonymized"
               | to mean "tied the public keys to identifiable human
               | beings IRL."
        
               | Shared404 wrote:
               | No hard feelings.
               | 
               | That's certainly an understandable take, and I'm probably
               | just overly pessimistic.
        
               | tolbish wrote:
               | It is and it isn't. Hacker News is anonymous until
               | someone ties your username to your identity.
        
       | asutekku wrote:
       | The third person has been identified in an Ars Technica article
       | [1].
       | 
       | 1. https://arstechnica.com/tech-policy/2020/07/florida-teen-
       | arr...
        
         | Pfhreak wrote:
         | We protect juveniles for a reason. It seems reasonable to make
         | an effort not to spread their identities around on social media
         | (even if they are reported by press sites.)
        
           | latchkey wrote:
           | Except for the part that it is Florida and they release all
           | this stuff... which is what brought on the whole Florida Man
           | meme.
           | 
           | https://www.wfla.com/news/hillsborough-county/tampa-teen-
           | acc...
        
             | boogies wrote:
              | Legal ≠ ethical
        
       | robotcookies wrote:
       | Wasn't there inside help? I read several articles saying that
       | there was. Any of those insiders charged?
       | 
       | Twitter is in a bind. If there was no inside help, that says
       | their security is pretty lax. If there was inside help, why have
       | they not identified or named them.
        
         | shadowgovt wrote:
         | Unless there's additional info I didn't see, the "inside help"
         | theory came from the fact that they had images of the internal
         | dashboards. That doesn't necessarily indicate voluntary inside
         | help (they may have found a hole in Twitter's internet /
         | intranet firewall, or they may have spear-phished a service
         | team member's credentials).
        
       | par wrote:
       | > Today's announcement proves that cybercriminals can no longer
       | hide behind perceived global anonymity
       | 
       | Anyone know what the loose end was that got these guys busted?
        
         | koolba wrote:
         | If they were dumb enough to waste such a high value target on a
         | small scale bitcoin scam then I wouldn't be surprised if they
         | were dumb enough to perform the malicious actions from their
         | home IP address.
        
           | SV_BubbleTime wrote:
           | Didn't the hack need internal access? VPN maybe?
        
             | function_seven wrote:
             | Sure, but if they connected to the VPN from their own IP,
             | then that's not going to hide anything.
        
               | thinkloop wrote:
               | Is connecting to a VPN through another secure VPN
               | doable/benefit?
        
               | Nacraile wrote:
               | Doable, although annoying to configure correctly.
               | Beneficial if you want to obscure your identity from the
               | second VPN server (i.e. Twitter's, in this case, which
               | ought to be logging connections)
        
           | ehsankia wrote:
           | Really seems like a modern day MafiaBoy.
        
         | ACS_Solver wrote:
         | I just read one of the complaints, against the 22 year old
         | "Rolex". It's not so much loose ends as loose everything.
         | 
         | He didn't use a VPN or anything to mask his home IP, he
         | discussed the hack on Discord, an unencrypted third-party
         | platform, and reused a gmail address for the hack that he also
         | used for a Coinbase account. Said Coinbase account being
         | verified with his driver's license...
         | 
         | I shouldn't be too surprised, but I still am. I would have
         | expected, at the very least, all discussion being handled on
         | Signal or similar, all access to involved accounts to be
         | exclusively via a regular VPN or Tor, and only using a brand-
         | new fastmail email for anything to do with the hack. Those are
         | the very basic precautions.
         | 
         | Curious aside: there's a bug in the complaint document. The
         | affidavit is by a Special Agent with the US Secret Service, but
         | the title page lists him as "Special Agent, FBI".
        
           | dmitryminkovsky wrote:
           | I don't know, tbh I'm still surprised.
           | 
           | The Discord connection was known early on. I was really
           | surprised anyone would do something like this and communicate
           | over Discord about it.
           | 
           | The fact that no VPN/Tor were involved, the fact that Gmail
           | was involved... that's really crazy. It's hard to tell when
           | being dumb ends and being self destructive begins?
           | 
           | Is it possible to be this ignorant about the Internet while
           | perpetrating something so big?
        
             | rootsudo wrote:
              | Yes, many people consider Facebook and Twitter "the
              | Internet," while they are just two giant tech companies
              | publishing web apps.
             | 
             | Networking Layer is invisible to 99% of users nowadays. "it
             | just works."
        
         | jeherr wrote:
         | I thought I read a blog post detailing a link to the OGUsername
         | discord.
        
         | Shared404 wrote:
         | > > Today's announcement proves that cybercriminals can no
         | longer hide behind perceived global anonymity
         | 
         | ThorSquint.jpeg
         | 
         | I'd love to know as well.
        
         | subculture wrote:
         | Reading the two complaints, it seems that they basically
         | obtained Discord chat records and tied those usernames to an
         | OGUsers db that was hacked & leaked in April.
         | 
         | Seems like the OGUsers database was the key piece of info, but
         | it was 'a rival criminal hacking forum' that actually got the
         | db and the FBI 'obtained' a copy of it.
        
         | waihtis wrote:
          | Guess is there were some opsec failures, and this is typical
         | scaremongering with intent to deter future to-be-hackers
        
         | tptacek wrote:
         | Didn't Krebs run a story about these people a week or so ago?
         | It looks like it was 100% loose ends.
        
           | elmo2you wrote:
           | I don't remember if he was reporting on any of these 3 guys.
           | But I do remember that a huge media outlet/conglomerate was
           | quick to accuse Krebs of wrongfully accusing somebody (no
           | idea how they got that, behind a paywall) and how he had
           | previously wrongfully accused people.
           | 
           | Felt a lot like a hit piece to me, at the time. It would be
           | interesting to know if Krebs turned out to be right. That
            | could say a thing or two about that newspaper.
        
             | coldpie wrote:
             | One of the people mentioned in Krebs's article is being
             | charged, but not all of them:
             | https://krebsonsecurity.com/2020/07/whos-behind-
             | wednesdays-e...
        
         | libraryatnight wrote:
         | If there was any merit to the articles where people in the
         | media were put in contact with people involved (and it seems
         | so, now) then they left tracks all over the place. A) reaching
         | out to the media at all. B) sharing screens of the OGUsername
         | boards they hung out on C) Bragging.
        
           | coldpie wrote:
           | Yeah, as soon as that Vice article came out it was clear they
           | were toast. You don't brag like that and get away with it.
        
         | athyuttamre wrote:
         | This report has some details: https://www.justice.gov/usao-
         | ndca/press-release/file/1300126...
        
           | kevin_thibedeau wrote:
           | > On April 2, 2020, the administrator of the OGUsers forum
           | publicly announced that OGUsers website was successfully
           | hacked. Shortly after the announcement, a rival criminal
           | hacking forum publicly released a link to download the
           | OGUsers forum database, claiming it contained all of the
           | forum's user information. The publicly released database has
           | been available on various websites since approximately April
           | 2020. On or about April 9, 2020, the FBI obtained a copy of
           | this database.
           | 
           | Seems very convenient. Parallel construction?
        
             | ramimac wrote:
             | What about this implies parallel construction to you? The
             | OGUsers databases (well, actually a couple, they've been
             | hacked multiple times) has been publicly available for a
             | while. Also, the discord chats and Vice article include
             | details on selling accounts with desirable names - even if
             | not explicitly linked to OGUsers (I don't recall off the
             | top of my head if it was called out), you could track
             | hacked accounts, see they were sold or discussed on
             | OGUsers, and then give a look at the DB. That seems an
             | obvious route of investigation to me?
        
         | josu wrote:
         | It seems that they mixed the stolen bitcoins with bitcoins that
         | they withdrew from Coinbase. So law enforcement probably knew
         | who they were from day 1. I feel that this is the time it took
         | them to put together a case.
         | 
         | https://twitter.com/ErgoBTC/status/1283561433972846592?s=19
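The tracing described in the comment above (stolen coins spent together with coins withdrawn from an ID-verified exchange account) is what blockchain analysts call the common-input-ownership heuristic, and it is the kind of ledger analysis the press release's "de-anonymized" refers to. This is an added example, not from the thread or any tool it mentions; the ledger, address names and labels are constructed, and inputs are already resolved to the address that owned the spent coin.

```python
from collections import defaultdict

# Constructed sample ledger (not real transactions). Each transaction lists the
# addresses whose coins it spends (inputs) and the addresses it pays (outputs).
# Real inputs reference a prior output by txid:index; resolving those to the
# owning address is the analyst's first step and is assumed done here.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": ["scam1"]},       # victim pays the scam address
    {"txid": "t2", "inputs": ["victimB"], "outputs": ["scam2"]},       # a second victim
    {"txid": "t3", "inputs": ["exchangeHot"], "outputs": ["kycOut"]},  # withdrawal to a verified customer
    {"txid": "t4", "inputs": ["scam1", "scam2", "kycOut"], "outputs": ["merged"]},  # scam coins spent with KYC'd coins
    {"txid": "t5", "inputs": ["bystander1"], "outputs": ["bystander2"]},
]
# Attribution an investigator already holds, e.g. from the exchange's own records.
KNOWN_ADDRESSES = {
    "kycOut": "exchange customer #1234 (ID-verified)",
    "exchangeHot": "exchange hot wallet",
}


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Common-input-ownership heuristic: every input of one transaction had to be
    signed by the same key holder, so all its input addresses are merged into one
    cluster. Returns {address: frozenset(cluster members)} for every address that
    ever spent. Caveat: CoinJoin-style transactions, where several parties co-sign
    one transaction, break this assumption and must be filtered out first."""
    ds = DisjointSet()
    for tx in txs:
        first = tx["inputs"][0]
        ds.find(first)  # register single-input spenders as their own cluster
        for addr in tx["inputs"][1:]:
            ds.union(first, addr)
    members = defaultdict(set)
    for addr in ds.parent:
        members[ds.find(addr)].add(addr)
    return {addr: frozenset(members[ds.find(addr)]) for addr in ds.parent}


def attribute_clusters(txs, known):
    """Each address inherits the identity labels known for any member of its cluster."""
    return {addr: sorted(known[m] for m in cluster if m in known)
            for addr, cluster in cluster_addresses(txs).items()}


def trace_victim_payment(txs, victim_addr, known):
    """For each address the victim paid, report the cluster it later spent from
    and what that cluster is attributed to, i.e. which identified wallet the
    victim's coins ended up in."""
    clusters = cluster_addresses(txs)
    labels = attribute_clusters(txs, known)
    report = {}
    for tx in txs:
        if victim_addr in tx["inputs"]:
            for out in tx["outputs"]:
                report[out] = {
                    "cluster": sorted(clusters.get(out, frozenset({out}))),
                    "labels": labels.get(out, []),
                }
    return report


if __name__ == "__main__":
    for addr, info in trace_victim_payment(SAMPLE_TXS, "victimA", KNOWN_ADDRESSES).items():
        print(addr, "->", info)
```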
        
         | sepulchers wrote:
         | > In the days leading up to Wednesday's attack on Twitter,
         | there were signs that some actors in the SIM swapping community
         | were selling the ability to change an email address tied to any
         | Twitter account. In a post on OGusers -- a forum dedicated to
         | account hijacking -- a user named "Chaewon" advertised they
         | could change email address tied to any Twitter account for
         | $250, and provide direct access to accounts for between $2,000
         | and $3,000 apiece.
         | 
         | - Brian Krebs [https://krebsonsecurity.com/2020/07/whos-behind-
         | wednesdays-e...]
        
           | [deleted]
        
       | [deleted]
        
       | qppo wrote:
       | They should have just scammed old people with spoofed phone
       | numbers, then the government would never have caught them.
        
         | throw_m239339 wrote:
         | Well their biggest mistake was to live in US and be US
         | citizens. Most of the people operating high scale phone scams
         | live abroad, India, Africa, South East Asia...
         | 
         | Don't do that though, don't scam people.
        
       | Taek wrote:
       | Hitting a 17yo with 30 felony charges feels a bit steep to me.
       | 
       | Also should any repercussions be considered against Twitter that
       | a 17yo was able to gain access to the private messages of
       | potentially some of the most important individuals in the world?
       | 
       | If a 17yo could do it, I'm sure a nation state could do it.
        
         | ggggtez wrote:
         | Imagine a 17 year old robs a bank and steal 100k from the
         | savings accounts of random people.
         | 
         | Or a 17 year old steals a couple of cars from random people off
         | the street...
         | 
         | The crime is not breaking into Twitter. The crime is theft.
         | Twitter didn't steal that money, this guy did. Let's not
         | pretend the internet is a magical land without consequences.
        
           | Taek wrote:
           | > Imagine a 17 year old robs a bank and steal 100k from the
           | savings accounts of random people.
           | 
           | I think that's a great comparison. But it's not an armed
           | robbery, it's a break-and-enter where no property gets
           | destroyed.
           | 
           | How many felonies does the robber get after being caught? I
           | don't actually know but I'm guessing 1-3? Certainly stealing
           | $100k is a deserving felony. But 30 felonies seems a bit
           | steep.
        
             | ehsankia wrote:
             | They technically also violated every single person they
              | hacked, which includes the previous president of the United
              | States, large companies such as Apple, and the upcoming
             | presidential candidate.
             | 
             | Now imagine not only the 17yo stole 100k from the bank, but
             | also entered the houses of people such as Obama and Biden,
             | and potentially stole documents from their desks.
        
             | user5994461 wrote:
             | The guys have a very long history of scams, with $700 000
             | seized before this twitter thing it seems.
             | 
             | That money is very much destroyed for the people whom it
             | was stolen from.
        
             | ChrisLomont wrote:
             | It depends on how many laws with felony consequences each
             | broke.
             | 
             | If a robber hacks a computer (a felony), impersonates law
             | enforcement (a felony), uses that to commit fraud (a
             | felony), then transfers stolen money across state lines (a
             | felony), then tries to launder it (a felony).....
             | 
             | You can see how such things can stack up.
        
           | paulpauper wrote:
           | technically he did not take the money but rather ppl gave it
           | to him under a false pretense. It is close enough but one can
            | imagine a jury being harder on someone who stole vs
           | exploited his victim's greed and gullibility.
        
             | ehsankia wrote:
             | In the US, scams are still "conspiracy to commit money
             | laundering", which is what the kid was charged with. Also
             | wire fraud.
        
         | Jabbles wrote:
         | Standard disclaimer for headline sentence lengths:
         | 
         | https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...
        
         | threatofrain wrote:
         | > Also should any repercussions be considered against Twitter
         | that a 17yo was able to gain access to the private messages of
         | potentially some of the most important individuals in the
         | world?
         | 
         | Is the suggestion that if your security is weak, at least some
         | of the blame goes to the hacked? If your home security is weak,
         | should we grant more leniency to a burglar? The insurance
         | company should be the one to punish the riskiness of homeowner
         | security.
        
           | TallGuyShort wrote:
           | Not home security, but I'm of the opinion this should apply
           | for businesses and public places in some case. For instance,
           | I usually carry a gun on me. If I go into the court house or
           | a concert venue I'm prohibited from doing that. IMO they have
           | now assumed a level of liability to provide a reasonable
           | level of effective security and they're negligent if they
            | don't and I'm injured or killed because of a mass shooting
           | anyway because they didn't enforce their own policies.
           | 
           | Speaking of guns, it's actually also not unheard of for
           | people to be partly responsible for crimes committed with
           | guns that were stolen from them, even in their home. You have
           | something dangerous, like a network that has become a de
           | facto platform for government officials, then yeah: you have
           | a responsibility to take reasonable preventative measures
           | too.
        
           | bcohen5055 wrote:
           | Not a home but if you were a bank and a 17 year old walked
           | into the bank, talked to someone and was able to walk out
           | with a fat stack of cash I think the insurance company would
           | have to reconsider your policy.
        
             | user5994461 wrote:
             | Absolutely any 17 year old can walk into a bank/shop and
             | get out with cash. Preferably armed and not alone.
             | 
             | The challenge is to get out and never be caught.
        
         | pyuser583 wrote:
         | He's being treated a lot better than the adult defendants.
         | 
         | He's being charged in state court - specifically the state he
         | resides in.
         | 
         | The charges are being brought in San Francisco - which is
         | thousands of miles from where the other suspects live.
         | 
         | Relative to the other defendants, he's getting it easy.
         | 
         | Yes, he's technically facing life in prison. But it's a prison
         | near his home.
         | 
         | He probably won't get life in prison, but at least he'll be
         | able to get family visits, etc.
        
           | dragonwriter wrote:
           | > He's being charged in state court
           | 
           | The release doesn't say either that he _is_ being
           | charged in state court or that he is _not_ being charged in
           | federal court. First it says _why they won't tell you
           | details of any federal charges_--"With exceptions that do not
           | apply to this case, juvenile proceedings in federal court are
           | sealed to protect the identity of the juvenile"--then it says
           | that the federal authorities have referred the juvenile to
           | state authorities (without saying anything about action taken
           | by the state authorities.)
        
             | pyuser583 wrote:
             | Sorry I was incorporating information from another HN
             | linked article: https://www.wfla.com/news/hillsborough-
             | county/tampa-teen-acc...
             | 
             | It's much clearer as to what's happening at the state
             | level.
             | 
             | It's also clearer that, for now anyway, he's being held
             | near his family.
        
         | stefap2 wrote:
         | A year or two and return the money. It's not like he tried to
         | break into a nuclear plant. It is a messaging app, mostly
         | nonsense.
        
           | ChrisLomont wrote:
           | ... with the ability to move trillion dollar markets and
           | potentially start riots or wars.
        
         | JKCalhoun wrote:
         | I think the fact that "a 17yo was able to gain access to the
         | private messages of potentially some of the most important
         | individuals in the world" does pretty serious damage to their
         | reputation -- that is in itself a repercussion.
        
         | rwbhn wrote:
         | Source for those charges? Article this currently points to says
         | "The third defendant is a juvenile. With exceptions that do not
         | apply to this case, juvenile proceedings in federal court are
         | sealed to protect the identity of the juvenile. "
        
         | ponker wrote:
         | What does the 17yo have to do with it? Would it be different
         | for an 18yo?
        
           | trimbo wrote:
           | In the United States, we generally consider minors who commit
           | crimes to be a different class of criminal than people above
           | 18. We do this because (AFAICT), there's a sort of societal
           | agreement that wisdom/maturity is a logarithmic curve that
           | begins to flatten in the late teens and 18 was picked as a
           | legal threshold.
           | 
           | So if a 2 year old, 8 year old and 18 year old all shoot and
           | kill someone, we prescribe much different levels of
           | punishment based on their relative maturity. Sometimes,
           | prosecutors decide to charge minors "as an adult" based on
           | their behavior (Google for "X year old charged as adult" for
           | examples). I assume that's what they're doing here.
        
             | shadowgovt wrote:
             | FWIW, don't imagine that there was anything as elegant as
             | "logarithmic curve analysis" used to decide that the age of
             | majority is 18.
             | 
             | It's an age that was settled upon by common-sense consensus
             | over a grand function of "Well, most Americans (descended
             | from Europeans) thought it should be around 21," and that's
             | probably because 21 is a nice, round number. Then the draft
             | age got pushed to 18 because we needed more bodies for the
             | meat-grinder in World War II, and the voting age followed
             | around Vietnam when too many people asked "Wait, in what
             | way is it just or fair we can force people to fight and die
             | in a war who can't even vote?"
             | 
             | There isn't a lot of hard science (beyond the most ancient
             | human science of all: observation across millions of data-
             | points loosely confederated into "common sense")
             | underpinning the age of majority.
        
           | dboreham wrote:
           | As a society we generally make some allowance for a
           | perpetrator's mental capacity. One aspect to that is we
           | generally accept that teenage brains are not quite the same
           | as adults.
        
           | zenta wrote:
           | Conversely, would it be different for a 16yo? What about
           | 15yo? Or 12yo?
        
           | wil421 wrote:
           | I believe most states will charge a 17yo as an adult. Not
           | sure what the feds would do.
        
             | paulpauper wrote:
             | I could see this possibly being challenged by courts,
             | possibly up to the Supreme Court.
        
         | onetimemanytime wrote:
         | >> *Hitting a 17yo with 30 felony charges feels a bit steep to
         | me.*
         | 
         | What charge should they leave out? Also he will not serve, say,
         | 15 years x 30 charges, if found guilty.
         | 
         | Now they are dealing with him; what happens to Twitter, if
         | anything, is a different story. 17 years old or 19... he knew
         | what he did.
        
         | libraryatnight wrote:
         | I felt a sting reading that too. He hit the idiot computer kid
         | jackpot and did idiot computer kid things with it. Not saying
         | no consequences, but damn.
        
           | tedunangst wrote:
           | Idiot kid things would be having Obama tweet "I think
           | @Kelly2003 should go to the prom with Clark". If you're old
           | enough to run a send back scam, you should know it's wrong.
        
             | maerF0x0 wrote:
             | One thing I think we ought to give credit to is that as
             | Infosec becomes higher profile and more public, the
             | sophistication of kids will rise with it.
             | 
             | For example, many of the techniques that are basically
             | public info on YouTube[1] nowadays were hidden in some
             | "darkweb" forum not many years back.
             | 
             | [1]: https://www.youtube.com/c/STOKfredrik/videos
        
         | slg wrote:
         | The age of the attacker is irrelevant to Twitter's role in this
         | story. However your underlying point still stands. If we want
         | these types of attacks to stop, we can't just let all these
         | companies off with a public embarrassment being the primary
         | punishment. At a certain point we have to start calling it
         | negligence when companies fall for these attacks and fail to
         | have proper precautions in place to prevent them.
        
           | nickff wrote:
           | From memory, I recall the FBI did a study, and found that
           | half of their employees would plug in a USB drive that they
           | found on the ground in the parking lot. After training, that
           | number was reduced to a quarter. If a security-focused
           | government police agency is so vulnerable, it is unreasonable
           | to expect perfection from a (less paranoid) company.
        
             | Swizec wrote:
             | I remember an article a few years ago saying that a large %
             | of office employees would trade their password for
             | chocolate.
             | 
             | Ah yes, here we go, large-scale study: 43% of participants
             | gave away their password when bribed with a chocolate bar.
             | People just don't realize how valuable passwords are.
             | 
             | https://www.sciencedaily.com/releases/2016/05/160512085123.
             | h...
        
               | davinic wrote:
               | > If the chocolate was only given out afterwards, 29.8
               | per cent of participants revealed their passwords.
               | 
               | Nearly 30% of people just gave out their password and
               | didn't even know they were getting chocolate! They gave
               | it away for literally nothing.
        
             | qppo wrote:
             | Isn't that how they got Stuxnet into the Iranian nuclear
             | facilities?
        
               | boogies wrote:
               | Something like that (USB exploit of Windows zero days,
               | breaching an airgap). (Edit: though not by leaving flash
               | drives outside of the facilities, by infecting some with
               | a virus that spread from Windows PC to Windows PC around
               | the world.)
        
             | slg wrote:
             | Then you need processes in place to make sure a single
             | person being careless can't do this much damage. There are
             | low tech solutions that would greatly improve security[1],
             | however the overhead this introduces is hard to justify in
             | a world in which these breaches aren't that damaging to a
             | company. We need to change incentives for companies by
             | either mandating these security practices or implementing
             | harmful repercussions for choosing a less secure approach.
             | 
             | [1] - https://en.wikipedia.org/wiki/Two-man_rule
        
               | nickff wrote:
               | I agree that better security practices are advisable, but
               | you're victim-blaming.
               | 
               | Twitter wasn't 'asking for it', and neither were the
               | individuals who lost bitcoins; the 'hackers'
               | intentionally perpetrated deceptions, misrepresentations,
               | and fraud against both Twitter and the general public. If
               | you compare what these three did to a white-collar crime,
               | the dollar amount was small, but the behavior was
               | egregious.
        
               | rschneid wrote:
               | Twitter is a platform used widely by some of the most
               | powerful people in the world and in the US government. As
               | a result, there is plenty of justification and precedent
               | for said gov't to regulate their security practices and
               | procedures. To illustrate this point, I doubt you'd have
               | any sympathy for Twitter if they had been sending their
               | passwords over http.
               | 
               | Now, I don't think the government is prepared to do this
               | proactively and effectively, but the idea of a telco that
               | advertises resilience to hacks (whether through social
               | engineering or technical incompetence) sounds like it
               | would be quite appealing to a growing segment of the
               | connected world and whatever such promises that find
               | success in the marketplace might be used to inform
               | legislation or regulation, eventually...
        
               | slg wrote:
               | "Victim blaming" is not about removing any possible role
               | a victim would have in their victimhood. It is about
               | destigmatizing victimhood and not blaming victims for
               | things that are out of their control or that any other
               | reasonable person would do.
               | 
               | Let's imagine a situation in which someone breaks into my
               | house and steals my TV. I deserve a decent amount of
               | blame if I left my front door wide open before it
               | happened. I deserve much less blame, but still some blame
               | if I left my front door unlocked. I don't deserve any
               | blame if someone broke down my front door to do it.
               | 
               | In this situation, Twitter left their front door
               | unlocked.
               | 
               | Furthermore, Twitter is not even the primary victim here.
               | The biggest victims are the people whose accounts were
               | stolen and the people who were tricked into losing their
               | bitcoin.
        
             | Veserv wrote:
             | Except this is not expecting perfection, it is expecting a
             | level of security that can prevent children, literal
             | children, from walking right through it. Which would not
             | even be a problem except for the fact that this is far, far
             | less than what Twitter has led their average user and
             | stockholder to believe. To illustrate my point, if Twitter
             | told the truth in big bold print at the top of every page
             | so every user knows: "Determined teenagers can take over
             | your account at any time." do you think this might outrage
             | their users or harm their stock price? Did Twitter at any
             | point say anything that might indicate that this is the
             | truth of the matter and that would not be easily
             | misconstrued by users? The evidence indicates yes, they
             | would be outraged, and no, they at no point ever said
             | anything that would lead anybody to believe that this was
             | possible and hilariously easy. So, it hardly matters that
             | maybe they or anybody else (say the FBI) can not provide a
             | high level of security, what matters is that they committed
             | material fraud in egregiously misrepresenting their product
             | security to their users and stockholders.
        
               | ISL wrote:
               | One underestimates the capability of determined teenagers
               | at one's peril.
        
               | davinic wrote:
               | Exactly. At least one of these kids used their personal
               | gmail account on the hacking forum. These are not
               | advanced hackers.
        
             | enraged_camel wrote:
             | >>If a security-focused government police agency is so
             | vulnerable
             | 
             | I think calling the FBI "security-focused" is a bit too
             | generous. They are essentially glorified police detectives,
             | with greater authority and jurisdiction. I don't believe
             | the average FBI agent is particularly competent, in terms
             | of technical (i.e. computer) skill or knowledge.
        
               | nickff wrote:
               | The FBI literally performs the background checks for
               | security clearances. Like any other organization it has
               | less security focused divisions, but insofar as any
               | organization is security focused, the FBI is.
        
             | LeifCarrotson wrote:
             | I would be surprised if the average FBI agent was less
             | likely to plug in an unknown USB drive than the average
             | Twitter engineer.
        
             | gav wrote:
             | Security training improves security but it doesn't get
             | close to stopping 100% of attacks.
             | 
             | I know it's obvious, but it feels like it's only obvious to
             | those that think about security. It's the same reason that
             | putting your developers through a yearly OWASP Top 10
             | secure coding course isn't going to get you to 100% secure
             | code.
             | 
             | Locking down systems seems draconian, but it's the only
             | way:
             | 
             | - Disabling USB storage
             | 
             | - Moving away from passwords to hardware authentication
             | 
             | - Strong controls on internet access
             | 
             | - Stop incoming calls from reaching most employees. Better:
             | take away phones altogether
             | 
             | And so on.
        
               | manquer wrote:
               | In a remote-only or remote-first working environment,
               | many of these policies are not feasible; ultimately
               | employees have to be able to work somewhat productively.
               | 
               | Such clean-room requirements could perhaps work when the
               | threat model includes nation-state actors or you are
               | handling sensitive financial applications.
               | 
               | Most companies are not defence contractors or banks; the
               | security levels you propose won't be worth the cost to a
               | typical internet tech company.
        
           | raverbashing wrote:
           | Yes. But at the same time, it's easy to get into "blame the
           | victim" mode
           | 
           | Having full blown security could mean nothing is done easily
           | anymore
           | 
           | Prosecuting is important
        
             | sakisv wrote:
             | Depends on how you define the victim.
             | 
             | One could argue that the victims in this case are the
             | people whose profiles had been hacked.
             | 
             | As for having full blown security getting in the way of
             | getting stuff done, try replacing "Twitter" with "Equifax",
             | a company that handles arguably more sensitive data and
             | should have the "full blown security" you mentioned.
             | 
             | Did they suffer _any tangible_ consequences?
        
         | nmarks122 wrote:
         | Governments are touchy about propaganda channels, even (or
         | especially?) when they are lower in quality than the Sun or the
         | Daily Mirror.
        
         | tptacek wrote:
         | Does it really change much about the sentence he'll face?
         | Felony charges usually group.
        
         | [deleted]
        
         | nordsieck wrote:
         | > Also should any repercussions be considered against Twitter
         | that a 17yo was able to gain access to the private messages of
         | potentially some of the most important individuals in the
         | world?
         | 
         | 200 Million Americans could drive a car into a crowd. That
         | doesn't make it any less bad for someone to do.
        
           | gregschlom wrote:
           | That is not the point that the parent comment is making,
           | though.
           | 
           | It's not whether it's bad for someone to commit this crime,
           | it's whether Twitter should be held liable for such poor
           | security practices that a 17 year old can hack them.
        
             | shadowgovt wrote:
             | We generally handle that liability free-market style, i.e.
             | "Why the hell would I sign up for a Twitter account? Their
             | security is so lousy some 17-year-old could be speaking as
             | me."
        
             | refurb wrote:
             | I put a cheap lock on my door and someone breaks in and
             | steals everything.
             | 
             | Should I be held liable for my poor security practices?
        
               | 7786655 wrote:
               | If you were responsible for securing my stuff, and you
               | put a cheap lock on your door protecting my stuff, and
               | someone breaks in and steals all my stuff, then yes, you
               | should be held liable for your poor security practices.
        
             | baddox wrote:
             | That was the other commenter's point: a 17 year old can
             | hurt people with a car just as easily as a 40 year old. The
             | age of the attacker has no relevance on how liable the
             | recipient of the attack is for their security practices.
        
             | nordsieck wrote:
             | > It's not whether it's bad for someone to commit this
             | crime, it's whether Twitter should be held liable for such
             | poor security practices that a 17 year old can hack them.
             | 
             | That is exactly my point.
             | 
             | There are tons of crimes that basically anyone can do. If
             | you said instead: people whose houses are set on fire by an
             | arsonist should be liable for poor security, at the very
             | least you'd not be taken very seriously.
             | 
             | There is a duty to not commit crime. There is no duty to
             | avoid being the victim of a crime.
             | 
             | On top of that, there is broad industry consensus that it
             | is largely impossible to write bug free software -
             | certainly at the scale of Twitter. To suggest that they
             | have the duty to perform the impossible strikes me as deeply
             | irresponsible if not simply malicious.
        
               | etrabroline wrote:
               | >There is no duty to avoid being the victim of a crime
               | 
               | If you entrust a bank with 10 thousand dollars, and the
               | bank puts your money in a paper bag and leaves it in the
               | lobby, they are going to be held liable if someone walks
               | away with it. Twitter letting teenagers steal people's
               | data is approaching that level of negligence for a multi-
               | billion dollar company.
        
               | Google234 wrote:
               | The only thing between the inside of a home and the
               | outside is a thin layer of glass. Should we hold home
               | owners responsible for people breaking in and stealing?
               | Lots of things are fragile; we have laws to act as a
               | deterrent to violations.
        
             | kodt wrote:
             | Is a 17 year old hacking them really proof of worse
             | security than say a 30 year old?
        
               | Nasrudith wrote:
               | Well the age implicitly assumes potential levels of
               | education and sophistication. Few would be surprised to
               | hear a 30 year old engineer designed a novel world class
               | chip - they could easily have a PhD at that point to have
               | the sophistication capable. For a 17 year old that would
               | be pretty damn extraordinary. Now hacking is less than
               | that even to laymen who don't know how simple some holes
               | are but 17 implies a lack of great sophistication.
               | 
               | The whole thing is an ageist rough proxy anyway - a
               | developmentally disabled 30 year old hacking it would be
               | more shameful than a 17 year old college graduate.
        
             | [deleted]
        
             | user5994461 wrote:
             | The same point stands with the car, any 17 year old could
             | borrow their parents' car and drive into a crowd. It's not
             | the fault of the car owner for not securing their car.
             | 
             | Security is not preventing people from doing things, it's
             | having some limitations so it's not too easy or too quick
             | (cars are protected by keys, accounts by passwords).
             | Anybody motivated can and will bypass security easily.
        
               | mehrdadn wrote:
               | > It's not the fault of the car owner for not securing
               | their car.
               | 
               | Securing their car against... their children? Or
               | distributing the car's keys to 2,000 people?
        
           | [deleted]
        
           | sheeshkebab wrote:
           | Twitter is a meme service with a bunch of self absorbed
           | individuals talking over each other... just FYI in case you
           | lived under a rock for the last 10 years.
        
             | hw8kw13 wrote:
             | Well, maybe it was until a certain individual started using
             | it to conduct matters of foreign and domestic policy.
        
               | Nasrudith wrote:
               | I think that is just further proof.
        
         | kolbe wrote:
         | I agree, this bothers me to my core. Even the 22 year old hasn't
         | developed a fully functional neocortex. I know it seems a
         | little hypocritical of me for getting sad when this happens to
         | a young programmer and not an inner city gang member, but it
         | does.
         | 
         | To pull off a hack like this is indicative of these kids being
         | intelligent, risky and bold. Yeah, they went where they
         | shouldn't, but I personally think these are the types of people
         | we need leading us into the future of science. It does us no
         | good to keep rewarding sycophants with 4.0s and fellowships and
         | tenure, but removing the "trouble makers" from the system.
        
           | camjohnson26 wrote:
           | That attitude is exactly the problem though. These kids
           | getting hit with a 30 year sentence bothers those of us who
           | relate, when the same thing happens to young black inner city
           | kids every day. Plenty of them are just as intelligent,
           | risky, and bold as these kids but we throw them in prison for
           | the best parts of their life without a second thought.
        
           | newacct583 wrote:
           | > To pull off a hack like this is indicative of these kids
           | being intelligent, risky and bold. Yeah, they went where they
           | shouldn't
           | 
           | They engaged in straight up fraud! It's not like they just
           | pranked some folks, they tried to fool the world into sending
           | them money. It's true the fraud didn't work that well (or
           | rather, not in relation to the severity of the Twitter hack),
           | but they still stole some $100kUS or whatever.
           | 
           | You want those people LEADING us "into the future of
           | science"?
        
             | shadowgovt wrote:
             | > they tried to fool the world into sending them money
             | 
             | Their mistake was they failed to call it a "series A
             | funding round."
        
         | ibejoeb wrote:
         | Nothing in the complaint (well, for the two others, since his
         | is sealed) says that a state-level actor wasn't involved. Could
         | be the tip of the iceberg. I find it hard to believe that this
         | was prank hacking for about $150,000. You could sell Obama's
         | handle for more, surely.
        
           | shadowgovt wrote:
           | Personally, I find "it was a prank" extremely easy to
           | believe. It's the simplest answer to the question "Wait, if
           | someone compromised Twitter so badly they could tweet
           | anything from any account, why didn't they try to move the
           | whole stock market or start World War III?"
           | 
           | "Because they're young punks and didn't think of that" is a
           | reasonable answer.
        
             | Nasrudith wrote:
             | Prank hacking would fit with the monetization when combined
             | with statements of "who would be dumb enough" that
             | underestimates stupidity like the whole charge your iPhone
             | in the microwave or Soupy Sales' "send in all of the green
             | paper in your parents wallets" not thinking people would
             | actually do it. Plenty of precedent but easy to see why
             | they would feel no responsibility for anyone mindbogglingly
             | stupid enough to do so.
        
           | paulpauper wrote:
           | yeah cuz a trillion dollar state entity is so strapped for
           | cash it needs to steal 150k of bitcoin too, drawing attention
           | to the scheme.
        
           | brokencode wrote:
           | Do you know anybody willing to pay over $150,000 for
           | temporary access to Obama's twitter account? I find this type
           | of comment kind of naive and poorly thought out.
           | 
           | Just because you're a hacker doesn't mean you know how to
           | sell secrets to Russia, and trying to establish lines of
           | communication like that are probably going to raise red flags
           | with law enforcement.
           | 
           | To be fair, the strategy of scamming for bitcoin was crazily
           | simplistic and destined to fail, due to how easy it is to
           | track bitcoin. I am not at all surprised that some of the
           | people allegedly involved have already been caught.
        
             | rootsudo wrote:
             | Cue the entire movie "Burn After Reading."
             | 
             | Kid had the whole attention of the world for a few minutes,
             | could've walked away a billionaire, started WW3, Casino
             | Royale stock trading - everything, anything - CREATIVELY
             | there's so much that could've been done and it all fell
             | down to a bitcoin scam that netted less than 150K (wallet
             | shows about 128k.)
             | 
             | That's a yearly salary of a help desk engineer on the west
             | coast.
             | 
             | --I'm not sure which video to link of "Burn After Reading"
             | but the entire movie is how this was handled.
        
               | Kaveren wrote:
               | You cannot start World War 3 or become a billionaire
               | through some tweets; this is not a movie.
        
               | robbiep wrote:
               | I feel like it would have been relatively trivial to make
               | decent 7-9 figures depending on your initial leverage
               | just by manipulating some key accounts. Ie: short Tesla,
               | musks account says solar roof delays, firmware error has
               | started bricking cars, self driving is 10 years away,
               | delivery numbers going to fall well short
               | 
               | Trump (surprised they didn't hit that) - no new stimulus
               | for unemployed, CORPORATE WELFARE MUST STOP, I WILL NOT
               | BE RESPONSIBLE FOR MASSIVE DEFICITS, then pick a couple
               | small cap companies that are going to receive massive
               | boosts like the Kodak thing.
               | 
               | Tim Cook: Apple sales flagging, iPhone production issues
               | due to supply chain issues
               | 
               | Take a bit of timing to get it right and be able to walk
               | away from the markets relatively untraced (market trade
               | interrogation is a useful way to trace inside information,
               | so it's hard to do in a way that leaves no trace), but if
               | you know you can perform your hack at leisure you can set
               | up the initial trades well forward, wait for the market and
               | some other external condition to walk into your ambush,
               | and then pounce.
        
         | Nasrudith wrote:
         | Adding repercussions to the targets would be a mistake in my
         | opinion - that would be very anti-transparency as they would be
         | encouraged to be willfully blind to cover their own asses.
         | "Look it is clearly just the fault that these dumbass rich
         | people didn't secure their passwords properly. Password reset
         | logs? Why on earth would we keep those?"
         | 
         | Personally I suspect the security of the systems could be
         | improved best over time by a radical measure of legalizing
         | hacking and social engineering. Going after hackers is a
         | band-aid measure. It would be unapologetically darwinistic but
         | this domain doesn't behave the same as meatspace and imposing
         | its assumptions on it is a mistake just as much as putting
         | closing times on websites.
        
         | SahAssar wrote:
         | Having bad security is not criminal. If it was we wouldn't have
         | a voting village at defcon cracked by pre-teens and there would
         | be a lot more irresponsible CEOs in prison (so probably a
         | better world).
        
           | shadowgovt wrote:
           | Usually, the counterweight to bad security is the extremely-
           | practical "Pests, assholes, or criminals ownz you."
           | 
           | Which works on average.
        
             | SahAssar wrote:
             | I disagree. For every Mossack Fonseca, Mernis, Equifax,
             | Twitter, LinkedIn, Ashley Madison we get public hacks from
             | I think we have many more that see it as "the cost of doing
             | business" and keep bad practices around.
             | 
             | In many types of businesses the cost of a security breach
             | is "priced in" or not considered at all and they are
             | gambling on it happening to their competitors (or not at
             | all) instead of to them.
        
               | shadowgovt wrote:
               | I think we are in agreement on mechanism. I meant "works
               | on average" in the sense of "Keeps fraud and breaches to
               | a level consumers are comfortable with." Nobody imagines
               | breaches can be driven to zero; we seem to be comfortable
               | as a society with the overall rate and severity of
               | breaches (demonstrably, since people keep signing up for
               | these rando online services willy-nilly with nary a care
               | to who holds their data).
        
           | pps43 wrote:
           | Is bad security ok for, say, a bank or a nuclear power plant?
        
             | SahAssar wrote:
             | No, and that's why we (basically all nations that have
             | banks or nuclear power plants) have specific laws governing
             | them.
             | 
             | Look, if you want to pass a law saying all internet
             | business having X personal data needs to prove Y security,
             | then I'd probably be for it (depending on X and Y). We
             | already have PCI-DSS and similar today for payment
             | providers. I'm just saying that there is nothing like that
             | today, and if there was we'd have a lot more irresponsible
             | people in prison.
        
               | pps43 wrote:
               | In "2020 Commission Report" by Jeffrey Lewis, North Korea
               | nukes the US because of one twit. This looks very
               | plausible to me.
        
               | SahAssar wrote:
               | Are you arguing against something I've said? Because if
               | so I don't understand what or how.
        
               | pps43 wrote:
               | I'm arguing that Twitter is now critical infrastructure,
               | like banking or power grid, and needs to take security
               | seriously. If they don't do it themselves, they'll get
               | regulation like HIPAA.
        
           | paulpauper wrote:
           | Agree. Twitter is under no obligation to provide secret
           | service level security on its platform because some high
           | profile people use it. If the government deems such security
           | measures so important, they should pay Twitter to implement
           | them.
        
         | snarf21 wrote:
         | Since the President makes all his official statements via
         | Twitter, one could argue this is a matter of national security.
         | 
         | Also, Twitter is just a collection of people and a single
         | person is trivial to exploit.
        
         | tedunangst wrote:
         | Previous settlement regarding twitter security:
         | https://www.ftc.gov/news-events/press-releases/2011/03/ftc-a...
        
         | indigochill wrote:
         | I have an unrealistic idea (more of a thought experiment) that
         | companies should face equal culpability to criminal hackers in
         | attacks. After all, technically the way the hackers use systems
         | /is/ authorized in a sense, even if the method of obtaining
         | authorization is unconventional. Maybe this would get companies
         | to pay more attention to securing their systems.
         | 
         | From a certain perspective, Twitter is an accomplice to fraud
         | by providing the platform and the access to the fraudsters
         | (although I'm fuzzy on whether knowledge of one's aiding of a
         | crime is necessary for an entity to be legally considered an
         | accomplice - probably is).
         | 
         | And yes, the charge count is insane but the US loves holding a
         | bit of life-ruining theater when they catch hackers threatening
         | commercial interests. e.g. Aaron Swartz's conviction:
         | https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...
        
           | paulpauper wrote:
           | Accomplice means they knowingly aided in the fraud or
           | profited from it. Being caught off guard is not a crime. The
           | culpability is the reputation damage from being hacked.
        
             | tantalor wrote:
             | >Being caught off guard is not a crime
             | 
             | It can be. Twitter could be found criminally negligent if
             | they knew the risk of this type of attack (or it was
             | obvious) but chose to ignore it.
        
           | SparkyMcUnicorn wrote:
           | I'm not sure I would call this "authorized in a sense" since
           | social engineering, in order to gain access to an internal
           | tool, was the method.
           | 
           | Social engineering most often involves impersonation, so the
           | person getting access was not really the intended party.
        
           | ChrisLomont wrote:
           | Should we make homeowners equally criminally liable when
           | burglars break in? Certainly if the homeowner had been less
           | lax or obtained more security, that burglary could have been
           | prevented.
        
             | tantalor wrote:
             | Bad analogy: the only victim of a home invasion is the
             | homeowner.
             | 
             | In the Twitter case, the victims were the users.
        
             | sneak wrote:
             | Breaking and entering requires breaking.
             | 
             | Sending packets is peaceful speech.
        
               | nickff wrote:
               | Sending these particular packets was more akin to fraud.
               | Should fraud be legalized?
        
               | [deleted]
        
         | vsareto wrote:
         | > Hitting a 17yo with 30 felony charges feels a bit steep to
         | me.
         | 
         | Someone's gonna talk if they haven't already?
        
       | aerovistae wrote:
       | It's sad to me how the authorities are bragging about how quickly
       | they caught them and how effective they are at solving this type
       | of crime.
       | 
       | The truth is, the vast majority of these crimes go unpursued.
       | They handled this quickly because it was so prominent, but if
       | this happened to an everyday individual, the police wouldn't even
       | bother.
       | 
       | I don't see this as much of a triumph. It never should have
       | happened in the first place, and the consequences could have been
       | utterly dire if it hadn't just been teenagers running a Bitcoin
       | scam. This isn't a victory for nation-state security, it's an
       | utter failure, and no policy changes have been made to prevent it
       | happening again.
       | 
       | So what we have is a world in which our leadership is vulnerable
       | to hackers, as are the rest of us, but only attacks against the
       | rich and famous have actual consequences. It's the worst of all
       | worlds.
        
         | apengwin wrote:
         | I don't think they're bragging. They're trying to dissuade the
         | next attacker.
        
         | bmitc wrote:
         | It's also just another case where those not in power who
         | attacked those in power are swiftly and promptly dealt with
         | versus those in power perpetuating the same attacks go free. I
         | would rather see them gloat over putting people with real power
         | and influence with their attacks in jail versus bragging about
         | locking up teenagers and people in their early twenties.
         | 
         | There's a quote in the article, "There is a false belief within
         | the criminal hacker community that attacks like the Twitter
         | hack can be perpetrated anonymously and without consequence",
         | which just reiterates this perception of the justice system
         | being "hard" on crime. Yet it conveniently ignores being soft
         | on crime if you're rich or in power.
        
       | dig1 wrote:
       | "Someone has to go to prison, Ben" - quoting Harvey Keitel from
       | National Treasure movie (1:50) [1]
       | 
       | [1] https://www.youtube.com/watch?v=co4EsnwAM1Q
        
         | cryptoz wrote:
         | For all its flaws, I love that movie.
         | 
         | Based (loosely) on the Beale ciphers, a real-life combination
         | of cryptography, myth, and scams (probably)
         | 
         | https://en.wikipedia.org/wiki/Beale_ciphers
        
       | VonBlue wrote:
       | Hold on... how could they have de-anonymized the blockchain
       | transactions? That seems.. false
        
         | Aaronstotle wrote:
         | Bitcoin is a public blockchain, there are various blockchain
         | analytic firms such as Elliptic/Chainalysis that offer bitcoin
         | tracing services.
         | 
         | Bitcoin is not private nor anonymous, the rise of blockchain
         | surveillance is why privacy coins like Monero are gaining in
         | popularity.
         | 
         | That being said, I'm sure it wasn't solely BTC transactions,
         | these guys seemed to have very poor op-sec for performing such
         | a big hack.
        
         | ChrisLomont wrote:
         | It's routinely done by researchers.
         | 
         | Here's a lot of papers on it.
         | 
         | https://scholar.google.com/scholar?hl=en&as_sdt=0,15&q=bitco...
        
         | tomc1985 wrote:
         | Why not? People link their wallets to other wallets and
         | financial services with reporting requirements all the time.
         | Bitcoin isn't anonymous
        
         | cyral wrote:
         | https://www.justice.gov/usao-ndca/press-release/file/1300126...
         | 
         | It's detailed here, very interesting read
        
         | Rebelgecko wrote:
         | All transactions are public on the Bitcoin blockchain. I
         | haven't followed the wallets, but it's possible that they tried
         | to cash out on an exchange and got caught. Or they were
         | initially found via other means and a search of their computers
         | found the corresponding wallet.dat files.
        
           | banana_giraffe wrote:
           | Yeah, they used Coinbase, and Coinbase is of course willing
           | to respond to warrants.
        
           | techntoke wrote:
           | Which would likely be encrypted
        
       | amrrs wrote:
       | > Washington DC Field Office Cyber Crimes Unit analyzed the
       | blockchain and de-anonymized bitcoin transactions allowing for
       | the identification of two different hackers.
       | 
       | Anyone with Bitcoin Transaction knowledge, what's this de-
       | anonymization of Bitcoins transaction?
       | 
       | >Today's announcement proves that cybercriminals can no longer
       | hide behind perceived global anonymity," said Thomas Edwards,
       | Special Agent in Charge, U.S. Secret Service, San Francisco Field
       | Office.
       | 
       | This reads like an Ad copy of a company that's against
       | _perceived_ anonymity.
        
         | dragonwriter wrote:
         | > Anyone with Bitcoin Transaction knowledge, what's this de-
         | anonymization of Bitcoins transaction?
         | 
         | Since Bitcoin is not anonymous but pseudonymous, it can be as
         | simple as finding one or more transactions that link a wallet
         | to a real identity (such as one tied to purchase of physical
         | goods with an identified recipient and shipping information)
         | and from there tying every other transaction from that wallet
         | to the same identity. I would guess in practice it often
         | involves more steps of connection.
         | 
         | > This reads like an Ad copy of a company that's against
         | perceived anonymity.
         | 
         | The DoJ isn't a company, but it is very much against perceived
         | lack of accountability, which is one of the reasons people
         | choose systems that offer perceived anonymity.
        
         | dumbfoundded wrote:
         | Bitcoin is anonymous until you tie it to something that
         | requires a real identity. For most people, it's probably tied
         | to an exchange that has their real identity, credit card info,
         | and maybe bank account info.
         | 
         | What they should've done is generate a new wallet with no
         | previous transactions and just used that to buy things.
        
           | dhosek wrote:
           | But wouldn't the purchase transactions be able to be
           | connected to the perpetrators?
        
             | rodiger wrote:
             | Dump it through some mixers and it becomes a lot harder to
             | tell who is who.
        
             | dumbfoundded wrote:
             | It depends on what you buy. The best thing to buy would be
             | a currency like Monero where you're actually anonymous.
        
         | arminiusreturns wrote:
         | This is what bugs me the most about the bitcoin pushers (like
         | Max Keiser)... they completely ignore the fact that _bitcoin is
         | not anonymous_, and why even though I was in on bitcoin in the
         | earliest days, I abandoned it. My conclusion was that the
         | government loves btc because it's so easily traceable. Another
         | reason is that, like tor, it is vulnerable to 50% attacks. If
         | the central banks wanted to take over btc they could, and I
         | posit they may have already positioned themselves as such.
         | (that's my almost-a-bitcoin-millionaire story...)
         | 
         | The closest to an anonymous coin afaik is monero or zcash, but
         | in general I think wasting electricity and cpu cycles on
         | arbitrary math is a bad path to go down. If we could tie a coin
         | to some productive math like protein folding or seti, etc, that
         | still has the same attributes as cash (which btc does not) then
         | we might have a true potential dollar replacement digital coin,
         | but I digress.
        
         | tibbar wrote:
         | Bitcoin transactions take place between addresses, which are
         | hashes of public keys. It's actually better to call bitcoin
         | "pseudonymous", since the addresses are pseudonyms that may or
         | may not be tied to an irl identity.
         | 
         | So if you, a hacker, tell someone to submit Bitcoin to an
         | address, that address is only really "anonymous" until you use
         | your private keys to reroute the money to other addresses. As
         | soon as the graph of transactions touches some known node
         | (perhaps at the edges of the Bitcoin network that interact with
         | the monetary system), you can trace back to figure out who
         | might have controlled the original address.
         | 
         | It's very silly to try to cash in on ill-gotten bitcoin...
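The tracing that tibbar and dragonwriter describe above (follow the transaction graph outward from a pseudonymous address until it touches a node with a known real-world owner) can be shown concretely. The following is an added example written for this thread, not code from any commenter, from the DOJ, or from any blockchain-analytics vendor. It uses a constructed toy ledger (`TXS`), a constructed label table (`KNOWN`) standing in for records an investigator would hold about an exchange deposit address, and invented address names. It also goes one step beyond the comments by applying the common-input-ownership heuristic, a standard clustering rule in blockchain analysis: addresses spent together as inputs of one transaction are assumed to be controlled by the same key holder.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data). Each transaction lists the
# addresses whose coins it spends and the addresses (with BTC amounts) it pays.
TXS = [
    {"txid": "tx01", "inputs": ["victim_a"], "outputs": [("scam_addr", 0.50)]},
    {"txid": "tx02", "inputs": ["victim_b"], "outputs": [("scam_addr", 0.30)]},
    {"txid": "tx03", "inputs": ["scam_addr"],
     "outputs": [("hop1", 0.60), ("scam_change", 0.19)]},
    {"txid": "tx04", "inputs": ["hop1", "hop1_other"], "outputs": [("hop2", 0.90)]},
    {"txid": "tx05", "inputs": ["hop2"], "outputs": [("exch_deposit_42", 0.89)]},
    {"txid": "tx06", "inputs": ["unrelated"], "outputs": [("elsewhere", 1.00)]},
]

# Labels the analyst already holds (constructed): the "known node" at the edge
# of the network, e.g. an exchange deposit address whose owner the exchange can
# identify from its own customer records.
KNOWN = {"exch_deposit_42": "ExampleExchange deposit (customer records held by exchange)"}


def build_flow_graph(txs):
    """Directed graph of fund flow: spending address -> [(receiving address, txid)]."""
    graph = defaultdict(list)
    for tx in txs:
        for src in tx["inputs"]:
            for dst, _amount in tx["outputs"]:
                graph[src].append((dst, tx["txid"]))
    return graph


def trace_to_known(start, txs, known):
    """Follow outgoing funds from `start` (breadth-first) until a labelled
    address is reached. Returns the addresses on the shortest such path,
    or None when no labelled address is reachable."""
    graph = build_flow_graph(txs)
    parents = {start: None}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if addr in known:
            path = []
            while addr is not None:
                path.append(addr)
                addr = parents[addr]
            return path[::-1]
        for nxt, _txid in graph.get(addr, []):
            if nxt not in parents:
                parents[nxt] = addr
                queue.append(nxt)
    return None


def cluster_common_inputs(txs):
    """Common-input-ownership heuristic via union-find: addresses spent together
    in one transaction are assumed to share a controller. Returns a mapping
    address -> frozenset of addresses in its cluster (only addresses that ever
    appear in a multi-input transaction are included)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in txs:
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(first)
    members = defaultdict(set)
    for a in list(parent):
        members[find(a)].add(a)
    return {a: frozenset(members[find(a)]) for a in parent}


def report(start, txs, known):
    """Human-readable summary: the path to a known node plus any addresses that
    the clustering heuristic ties to addresses on that path."""
    path = trace_to_known(start, txs, known)
    if path is None:
        return f"{start}: no path to a labelled address"
    clusters = cluster_common_inputs(txs)
    lines = [f"{' -> '.join(path)}  ({known[path[-1]]})"]
    for addr in path:
        peers = clusters.get(addr, frozenset({addr})) - {addr}
        if peers:
            lines.append(f"  {addr} co-spent with {sorted(peers)}: likely same controller")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("scam_addr", TXS, KNOWN))
    print(report("unrelated", TXS, KNOWN))
```

Two caveats a practitioner would keep in mind: the path only becomes attributable at the labelled endpoint, so the whole method rests on the quality of the label table (exchange records, known merchant addresses, prior case data); and the common-input heuristic produces false merges on transactions that deliberately combine inputs from unrelated parties, so a real analysis would flag such transactions rather than cluster through them blindly.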
        
           | catacombs wrote:
           | > It's very silly to try to cash in on ill-gotten bitcoin...
           | 
           | What's the alternative? Sit on the coins or use them for
           | purchases?
        
             | rocqua wrote:
             | Launder them.
             | 
             | Possibilities are endless. Coolest thing I heard was use
             | the bitcoin to rent bitcoin miners. Then spend the
             | resultant cleanly mined coins.
        
       | sna1l wrote:
       | From the Verge[1] article it seems like there was someone else
       | providing access to the accounts? So was it social engineering or
       | not?
       | 
       | > Intriguingly, Sheppard and Fazeli may just be middlemen for the
       | scam -- "an unknown individual" with the handle "Kirk#5270" is
       | believed to be the one who got access to Twitter's internal
       | systems. It's not clear if the Tampa teen is Kirk#5270, though it
       | sounds like that's possible. The Sheppard complaint is dated July
       | 22nd, and the Tampa teen wasn't arrested until today. Originally,
       | "Kirk" claimed to be a Twitter employee, according to a Discord
       | chat log:
       | 
       | [1]: https://www.theverge.com/2020/7/31/21349920/twitter-hack-
       | arr...
        
         | ehsankia wrote:
         | Damn, did these kids really get MafiaBoy'd?
        
         | MiroF wrote:
         | What I heard was that one of the hackers managed to get access
         | to Twitter's internal Slack, and that hacker was the one posing
         | as having a Twitter employee friend. Don't know if that's true
         | though.
        
         | junar wrote:
         | It seems like "Kirk" is believed to be some other individual.
         | From the complaint against Sheppard:
         | 
         | > On July 21, 2020, federal agents executed a search warrant
         | authorized by U.S. Magistrate Judge Alex G. Tse at a residence
         | in the Northern District of California. Among the occupants of
         | the home was a juvenile ("Juvenile 1"). "Juvenile 1" was
         | believed to be a Discord user identified in chats as an
         | individual who assisted "Kirk#5270" and "Chaewon" in selling
         | access to Twitter accounts. Upon execution of the search
         | warrant, "Juvenile 1" agreed to be interviewed. "Juvenile 1"
         | admitted to law enforcement agents that he/she was the Discord
         | user who was identified in chats as assisting "Kirk#5270" and
         | that he/she participated in the sale of illegal Twitter access.
         | "Juvenile 1" admitted that he/she worked with "Chaewon" to sell
         | Twitter account access. According to "Juvenile 1," his/her
         | knowledge of "Chaewon" was that "Chaewon" lived in the United
         | Kingdom and "Juvenile 1" knew "Chaewon" by the name "Mason."
         | According to "Juvenile 1," he/she and "Chaewon" had discussed
         | turning themselves in to law enforcement after the Twitter hack
         | became publicly known.
         | 
         | https://www.justice.gov/usao-ndca/press-release/file/1300126...
        
       | stevievee wrote:
       | The announcement video is quite intense and feels odd for some
       | reason. Maybe it's the aspect ratio or cold intro - not sure.
       | https://youtu.be/z80K3-q3Kqg
        
         | mkoryak wrote:
         | They could have trimmed the first few seconds of that video.
         | 
         | I would also like to see a loop of the first 4.5 seconds.
        
         | ehsankia wrote:
         | Not sure anyone else watches this show, but this video gives me
         | strong Homecoming[0] vibes.
         | 
         | [0] https://en.wikipedia.org/wiki/Homecoming_(TV_series)
        
       | Kaveren wrote:
       | i was assured by the cybersecurity experts of hacker news that
       | REALLY this was all a mastermind ploy to steal and sell twitter
       | DMs. who would they sell them to? doesn't matter! what
       | information of actual value is sent through twitter DMs? doesn't
       | matter! we did it, hacker news.
        
       ___________________________________________________________________
       (page generated 2020-07-31 23:00 UTC)