
Tampa teen accused of being ‘mastermind’ behind Twitter hack

382 points | Firebrand | 5 years ago | wfla.com

659 comments

[+] Taek|5 years ago|reply
Hitting a 17yo with 30 felony charges feels a bit steep to me.

Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?

If a 17yo could do it, I'm sure a nation state could do it.

[+] montenegrohugo|5 years ago|reply
If this turns out to be true, then we can conclude two things:

1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.

2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.

[+] indigochill|5 years ago|reply
I have an unrealistic idea (more of a thought experiment) that companies should face equal culpability to criminal hackers in attacks. After all, technically the way the hackers use systems /is/ authorized in a sense, even if the method of obtaining authorization is unconventional. Maybe this would get companies to pay more attention to securing their systems.

From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).

And yes, the charge count is insane but the US loves holding a bit of life-ruining theater when they catch hackers threatening commercial interests. e.g. Aaron Swartz's conviction: https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...

[+] ziddoap|5 years ago|reply
I was under the (apparently false?) assumption that under-18s couldn't be named. The alleged mastermind here is 17, yet is named and pictured.

Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.

[+] pojntfx|5 years ago|reply
"Our European visitors are important to us.

This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws."

nice

[+] aerovistae|5 years ago|reply
It's sad to me how the authorities are bragging about how quickly they caught them and how effective they are at solving this type of crime.

The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.

I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.

So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.

[+] bilbopotter|5 years ago|reply
Obviously what they did is wrong but the kid is 17. To me this is a prime example of where a short sentence or community service should be used. Don't ruin his life - he could be a useful employee for a tech company.
[+] tptacek|5 years ago|reply
It drives me a little nuts when people say stuff like this (they said it about Reiser, too) --- because you can say the same thing about tens of thousands of young offenders imprisoned for crimes we don't have a rooting interest in.

We need to reduce sentences across the board, for both violent and nonviolent crimes, because our sentencing ranges are bonkers. But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.

At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.

[+] Waterluvian|5 years ago|reply
American justice is rarely about rehabilitating the perpetrator. It’s about ensanguinating the bloodthirsty and making the fearful feel safe.
[+] abarwick|5 years ago|reply
If he had gotten into Twitter to make some funny statuses then sure, community service makes sense. But this kid scammed a lot of money from a lot of people; severe criminal charges are appropriate.
[+] meddlepal|5 years ago|reply
And this is where the distinction between minor and adult breaks down. He's 17, he's going to be an adult within 365 days.

I dunno what you do here. The book would absolutely be thrown at him if he were 18. He might get off "lightly" at 17, but should he? He should know better right?

I think he gets tried as an adult. He just yeeted his life.

[+] willio58|5 years ago|reply
Agreed that he should not face prison time for this. I would agree with a fine on the order that he is estimated to have scammed from people.
[+] bradly|5 years ago|reply
Depends on your views of the justice system. Is it to prevent the person from committing the crime again? Is it to punish the person for the crime regardless of whether or not the punishment prevents future crimes by the person? Or is it to punish the person so others will be fearful of similar consequences?
[+] axaxs|5 years ago|reply
Hard disagree. Beyond the 'hacking', if that's what you can even call it, he knowingly scammed people. That's not kids being kids, that's some inherent mental state. Throw the book at him.
[+] est31|5 years ago|reply
IIRC in the past, cyber criminals in similar situations were made to help federal cyber crime investigations, not sure whether through community service or a form of prison labor. The price tag for talented people is high so it's a win-win situation compared to wasting their talent by making them do low skilled labor.
[+] mychael|5 years ago|reply
It doesn't matter what skills he has if he is morally bankrupt.
[+] ggggtez|5 years ago|reply
Imagine a 17 year old robs a bank and steals 100k from the savings accounts of random people.

Or a 17 year old steals a couple of cars from random people off the street...

The crime is not breaking into Twitter. The crime is theft. Twitter didn't steal that money, this guy did. Let's not pretend the internet is a magical land without consequences.

[+] Taek|5 years ago|reply
> Imagine a 17 year old robs a bank and steals 100k from the savings accounts of random people.

I think that's a great comparison. But it's not an armed robbery, it's a break-and-enter where no property gets destroyed.

How many felonies does the robber get after being caught? I don't actually know but I'm guessing 1-3? Certainly stealing $100k is a deserving felony. But 30 felonies seems a bit steep.

[+] burntbridge|5 years ago|reply
Using your analogy, imagine the bank had kept the client's money in a cardboard box in a shed out the back. They did this because they didn't want to pay for a safe. The thieves should be prosecuted but so should the bank.
[+] paulpauper|5 years ago|reply
Technically he did not take the money but rather people gave it to him under a false pretense. It is close enough but one can imagine a jury being harder on someone who stole vs exploited his victim's greed and gullibility.
[+] tazedsoul|5 years ago|reply
If a 17 year-old gains access temporarily to a bank vault, while they’re in there it’s not possible they could also cause a nuclear war. The crimes are similar at face value but meaningfully different.
[+] dshep|5 years ago|reply
Trying to paint this 17-year old kid as a criminal mastermind strikes me as rather gross. I can see it as a kid doing it to see if he could, and using an obviously meme-worthy fake post that got out of hand. I think everyone has done some dumb things at this age without thinking about the consequences. If that is the case here, I hope this doesn't ruin the guy's life.
[+] hn_throwaway_99|5 years ago|reply
This kind of feels like "privilege" of the sort where you can kind of identify with this kid (he's a hacker, into computers) so you're excusing his actions.

Yes, everyone has done some dumb things at this age, but the consequences of this were pretty severe, and he certainly knew what he was doing. Just calling this a "meme-worthy fake post" is minimizing what he did.

[+] justchilly|5 years ago|reply
Would that apply to criminals of all ages, based on their intelligence / mental maturity? Plenty of incarcerated 18+ adults with less brainpower than this guy were deemed responsible for their actions.
[+] paulcole|5 years ago|reply
This isn't grabbing a 10 year old kid pocketing a candy bar at the grocery store.

17 year olds understand the consequences of stealing $100,000 (and honestly they were probably very disappointed with how little they got).

Agree that his life shouldn't be "ruined" because of this, but he's committed a serious crime that was obviously a serious crime.

[+] ggggtez|5 years ago|reply
> dumb things

I never stole $100,000 when I was a kid. Sometimes 17-year olds murder other people too. Society can't ignore it just because he's a minor. If he had posted memes, that would be one thing. But instead he decided to use this hack to commit grand theft.

Any leniency due to his age will come from the Judge.

[+] esoterica|5 years ago|reply
Would you advocate leniency this forcefully for a 17 year old teenager of color who was charged with committing hundreds of thousands of dollars worth of property theft (e.g. stealing expensive cars)? Or do you want this kid to receive special treatment just because you identify with his demographic? Presumably you were also once a tech-savvy teenage hacker at some point.

People with your mindset are responsible for a lot of the inequity in the criminal justice system. Upper middle class suburban white kids (e.g. Brock Turner) get away with slaps on the wrist all the time for the same crimes that poor and minority teenagers get sent to prison for years over, because judges (who were almost all previously upper middle class white suburban kids themselves) feel sorry for them and chalk their crimes down to kids being kids.

[+] bawolff|5 years ago|reply
I'm not really surprised.

* the attacker (allegedly) bragged to the press
* the attack only involved phishing and social engineering. (It's a bit unclear, but that's what it looks like)

Bragging to the press is a definite sign of someone doing it for the lulz. Criminals know better than to brag about their crimes publicly, that is how you get caught. Bragging definitely fits into the stereotypical motivation for most teenage hackers.

Social engineering is a skill, but it's also a skill that a smart teenager is likely to have. It's not a super high sophistication attack. It's not a spy movie attack where people are breaking into offices, coercing employees, finding 0-days in the webserver etc. It's an attack that a dedicated teen could teach themselves and pull off themselves, no special resources needed.

[+] par|5 years ago|reply
> Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity

Anyone know what the loose end was that got these guys busted?

[+] qppo|5 years ago|reply
They should have just scammed old people with spoofed phone numbers, then the government would never have caught them.
[+] throw_m239339|5 years ago|reply
Well, their biggest mistake was to live in the US and be US citizens. Most of the people operating high scale phone scams live abroad, India, Africa, South East Asia...

Don't do that though, don't scam people.

[+] jermier|5 years ago|reply
Probably could have earned a lot more from his exploits if he went the formal route and directly confronted Twitter. But then who even knows if Twitter are a good 'first responder' when it comes to high-profile exploits of their system.

There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.

The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.

[0] https://www.hackerone.com/

[+] bawolff|5 years ago|reply
He allegedly social engineered access. The vast majority of bug bounties I have seen consider this out of scope.

Also, "do x or I release the sploit" could be considered extortion if you word it wrong, and then you are in all sorts of additional trouble.

[+] Kalium|5 years ago|reply
> It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.

A lot of the bug bounty programs don't pay as well as using exploits to steal money. Some estimates put this particular breach at having netted upwards of $120k.

I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or seen documentation describing is in the range of $40k.

If you don't think you'll get caught, why would you take the $40k instead of tripling that?

[+] gruez|5 years ago|reply
Does HackerOne cover social engineering exploits? I doubt it.
[+] ggggtez|5 years ago|reply
It's evident that it wasn't an exploit. It was just a stolen password of an employee.
[+] bluedevil2k|5 years ago|reply
> the scheme reaped more than $100,000 in Bitcoin in just one day

That's actually...pretty disappointing. I would have guessed into the 7 digits just based on how many Americans, and people in general, love a get-rich-quick-scheme.

[+] ideals|5 years ago|reply
All of the popular crypto currency exchanges blocked the btc address. The same one was used on all accounts. They acted faster than Twitter in mitigating this issue.
[+] slezyr|5 years ago|reply
Bitcoin has a pretty steep curve for most of those people.
[+] js2|5 years ago|reply
When I was a teen I made long distance phone calls using calling card numbers that were not my own, obtained through a war dialer. I'm pretty sure I never would've gone as far as this kid did, but who knows. I hope this doesn't ruin his life.
[+] stevievee|5 years ago|reply
The announcement video is quite intense and feels odd for some reason. Maybe it's the aspect ratio or cold intro - not sure. https://youtu.be/z80K3-q3Kqg
[+] mkoryak|5 years ago|reply
They could have trimmed the first few seconds of that video.

I would also like to see a loop of the first 4.5 seconds.

[+] korethr|5 years ago|reply
Interesting to see that he's being charged in Florida, instead of federally. I mean yes, normally, when one commits a crime in a particular area, they're charged in that area. But my understanding is that once stuff crosses state lines, it becomes a federal issue, and this is part of why it's usually the FBI that comes knocking.
[+] ja27|5 years ago|reply
Anything involving a computer connected to the internet (even firewalled or rarely connected) is considered to be a "protected computer" since it is involved in interstate commerce or communication and thus open to federal charges under 1030 (a).
[+] hughw|5 years ago|reply
I would think federal charges will follow.