Also: don't miss that this thread has multiple pages of comments. That's what the "More" link at the bottom of the page points to. Or you can click here for page 2:
Hitting a 17yo with 30 felony charges feels a bit steep to me.
Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
If a 17yo could do it, I'm sure a nation state could do it.
The age of the attacker is irrelevant to Twitter's role in this story. However your underlying point still stands. If we want these types of attacks to stop, we can't just let all these companies off with a public embarrassment being the primary punishment. At a certain point we have to start calling it negligence when companies fall for these attacks and fail to have proper precautions in place to prevent them.
From memory, I recall the FBI did a study, and found that half of their employees would plug in a USB drive that they found on the ground in the parking lot. After training, that number was reduced to a quarter. If a security-focused government police agency is so vulnerable, it is unreasonable to expect perfection from a (less paranoid) company.
> The age of the attacker is irrelevant to Twitter's role in this story.
I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.
Of course its steep. But he’s just a pawn. He is irrelevant. The bigger picture is that one of the largest tech companies with stock traded publicly got caught with pants down and revealed that their staff is not properly trained and vulnerable to social hacking. As a result millions of dollars invested in the stock were lost. Some angry billionaires who happen to write fat checks to politicians placed few very harsh phonecalls and then these politicians placed ten times more angry calls to the next in line, until they reached DOJ. That’s all it is. Now DOJ has last chance to look all serious and harsh before they turn the light off.
Overcharging has become the norm. Not just in high profile cases but in everyday ones as well. It's an effective leveraging tool used to get the accused to accept the actual charge in a plea bargain.
Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.
With regard to "has become", this is completely false. Overcharging is not "new" in any way, shape, or form, as I hope the recent post commemorating Aaron Swartz's death would have reminded all of us.
> Hitting a 17yo with 30 felony charges feels a bit steep to me.
Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.
But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.
Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each carbombing. 4 * 5 = 20 years. 25 year old girl... and now here life is basically over. And for what?
I felt a sting reading that too. He hit the idiot computer kid jackpot and did idiot computer kid things with it. Not saying no consequences, but damn.
Idiot kid things would be having Obama tweet "I think @Kelly2003 should go to the prom with Clark". If you're old enough to run a send back scam, you should know it's wrong.
Adding repercussions to the targets would be a mistake in my opinion - that would be very antitransparency as they would be encouraged to be willfully blind to cover their own asses. "Look it is clearly just the fault that these dumbass rich people didn't secure their passwords properly. Password reset logs? Why on earth would we keep those?"
Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure.
It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.
I kind of like that idea, but defining the rules and boundaries would be really hard, and I'm not sure if the cure wouldn't be much worse than the disease, overall, for just blanket legalizing hacking.
Like, how far am I allowed to go?
Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?
Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?
Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have look into that User\ List.xslx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?
Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?
Can I attack healthcare providers? Can I attack banks?
Can I use any minutes-old zero-day disclosed by some hackfluencer on his Youtube channel, even if noone reasonably could have reacted to that so quickly?
I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector to get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.
That might lead to everyone below big corporation level virtually having to migrate everyting they can to cloud and serverless products, since I'd expect it to get increasingly harder and expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed in within the hour, but how many small companies (or individuals running services) could do the same?
> Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.
That is not the point that the parent comment is making, though.
It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
Twitter is a meme service with a bunch of self absorbed individuals talking over each other... just FYI in case you lived under the rock for last 10 years.
This is a tough topic. If we take the approach of effectively turning this kind of crime into job interviews and a way to enter life-long careers we would create a positive feedback loop. Punishment, on the other hand, creates a negative feedback loop. We can discuss the degree of punishment, but it is clear that humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.
The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.
Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.
> humans, for the most part, only tend to self regulate if they understand that the consequences of their actions are negative enough.
I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively chnage behaviour, and can often turn past offenders into very effective advocates against the crime they committed.
That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.
Having bad security is not criminal. If it was we wouldn't have a voting village at defcon cracked by pre-teens and there would be a lot more irresponsible CEO's in prison (so probably a better world).
agree. twitter is under no obligation to provide secret service level security on its platform because some high profile people use it. IF the government deems such security measures so important, they should pay twitter to implement them,
Negligence is actionable regardless of whether it’s criminal. And whether it’s criminal depends on the duty of care that can be reasonably expected from the negligent party.
In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.
It's not steep, this is one of the many cruelties and abhorrent failures of the US justice system. They do this to force you to enter a plea bargain deal even if you are innocent.
> Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.
Not a home but if you were a bank and a 17 year old walked into the bank, talked to someone and was able to walk out with a fat stack of cash i think the insurance company would have to reconsider your policy.
Not home security, but I'm of the opinion this should apply for businesses and public places in some case. For instance, I usually carry a gun on me. If I go into the court house or a concert venue I'm prohibited from doing that. IMO they have now assumed a level of liability to provide a reasonable level of effective security and they're negligent if they don't and I'm injured or kill because of a mass shooting anyway because they didn't enforce their own policies.
Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.
Source for those charges? Article this currently points to says "The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. "
I think the fact that "a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world" does pretty serious damage to their reputation — that is in itself a repercussion.
You'd think so, but the history shows that this will only be a footnote in Twitters history. See Equifax; they have lost the personal finance data of basically everyone in the US and they're doing fine. Twitter is not going to suffer anything other than a few bad jokes at its expense.
that makes me so mad, not just for 17 year olds, but everyone subject to the whims of the criminal justice system.
for this young man, it should be 1 charge, maybe 1-2 weeks in jail (to deomonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.
we destroy lives gone astray rather than nudge them back onto the happier path(s). mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. the punishment should reflect that.
In the United States, we generally consider minors who commit crimes to be a different class of criminal than people above 18. We do this because (AFAICT), there's a sort of societal agreement that wisdom/maturity is a logarithmic curve that begins to flatten in the late teens and 18 was picked as a legal threshold.
So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.
As a society we generally make some allowance for a perpetrator's mental capacity. One aspect to that is we generally accept that teenage brains are not quite the same as adults.
Just because he is 17 doesnt mean he didnt understand the repurcutions of his actions. That said, Twitter should be facing fines as well for not protecting their platform. I mean seriously what if someone gets hold of a say, Putin or Trump's account and starts stating they are launching strikes on XYZ country within the hour, what happens then? With great power comes great responsibility and these platforms of communication are no exception.
Nothing in the complaint (well, for the two others, since his is sealed) says that a state-level actor wasn't involved. Could be the tip of the iceberg. I find it hard to believe that this was prank hacking for about $150,000. You could sell Obama's handle for more, surely.
Do you know anybody willing to pay over $150,000 for temporary access to Obama’s twitter account? I find this type of comment kind of naive and poorly thought out.
Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.
To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.
Personally, I find "it was a prank" extremely easy to believe. It's the simplest answer to the question "Wait, if someone compromised Twitter so badly they could tweet anything from any account, why didn't they try to move the whole stock market or start World War III?"
"Because they're young punks and didn't think of that" is a reasonable answer.
The release doesn't say that either thar he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—“With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile”—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities.)
I agree this bothers me to my core. Even the 22 year old hasn't developed a fully functional neocortex. I know it seems a little hypocritical of me for getting sad when this happens to a young programmer and not an inner city gang member, but it does.
To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.
That attitude is exactly the problem though. These kids getting hit with a 30 year sentence bothers those of us who relate, when the same thing happens to young black inner city kids every day. Plenty of them are just as intelligent, risky, and bold as these kids but we throw them in prison for the best parts of their life without a second thought.
> To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't
They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.
You want those people LEADING us "into the future of science"?
If this turns out to be true, then we can conclude two things:
1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Frankly, I don't take "a teenager did it" as an extra mark against hacked systems any more. It's the details that matter - the difference between one teenager and multiple adults being able to hack something is not large unless the context is government hacking.
The Krebs article says that prior to the bitcoin hack, they were selling accounts such as @6 for $2000. They probably had a rapidly shrinking window and the bitcoin scam was the last ditch effort before whatever admin account they hijacked got discovered.
> 1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.
You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.
My initial thought was that the bitcoin move was a red herring. DMs associated with the compromised accounts could be very well worth much more than $100k.
People did say things like you could have made a fortune shorting stock by tweeting something insane from Elon Musks account. I don't buy that as necessarily better than a Bitcoin account. Stock transactions are heavily regulated and monitored. You'd leave a pretty large paper trail of any stock manipulation you hoped to profit from.
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
The stock idea is dumb, in my opinion, because there were safer (no SEC) ways that required less capital and didn't require fancy trade accounts.
For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.
Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.
The nice thing is, they could do one or even multiple of these and still do the scam.
If they knew up front they would be doing this, they could’ve shorted Tesla in smaller positions, over multiple accounts. There’s tons of people shorting Tesla, would it really be traceable to any of those?
I would add 3. People need to stop using "Trust <<insert large company>> instead of self hosting because they have teams of security "experts" and will have far better security than you ever could on your own"
Wasn't there one more person involve (Kirk#5270) who apparently did most of the work and let these kids do the work? Sounds like a MafiaBoy situation, where more experienced hackers did the work and let younger script kiddies take the fall for it.
I have an unrealistic idea (more of a thought experiment) that companies should face equal culpability to criminal hackers in attacks. After all, technically the way the hackers use systems /is/ authorized in a sense, even if the method of obtaining authorization is unconventional. Maybe this would get companies to pay more attention to securing their systems.
From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).
I disagree, no system created by humans is going it be without flaws. I think it should be possible to sue a company if a victim can show that the company was negligent in its actions. Damages should be apportioned between the scammers and the company on the basis of their contributions to the act.
> companies should face equal culpability to criminal hackers in attacks.
That's an interesting idea, and I think I agree with you in spirit. But don't most hacking-related criminal charges boil down to "unauthorized access to a computer"? It would be hard to argue that the company that owns the computers has unauthorized access.
Maybe a better phraseology would be to say that the company is an accomplice to the hacker. For that to really hold up, I think you would need to show that the company was negligent or not keeping up with security best practices.
> It would be hard to argue that the company that owns the computers has unauthorized access.
That's not the way I'd argue. I'd say the company has authorized access and they then gave access to fraudsters who should not have been given access to the system, which is where they were aiding the fraud.
So they aren't the principal offender, but they did aid in the offence which is what I'm suggesting makes them an accomplice (although as another paulpauper points out, an accomplice has to be aware they're aiding a crime - being duped isn't a crime).
accomplice means they knowingly aided in the fraud or profited from it. Being caught off guard is not a crime. The culpability is the reputation damage from being hacked.
Should we make homeowners equally criminally liable when burglars break in? Certainly if the homeowner had been less lax or obtained more security, that burglary could have been prevented.
> Should we make homeowners equally criminally liable when burglars break in?
Aren't they? I've seen a lot of insurance cases being denied due to negligence. This might even happen if you let your bag lie around openly in your locked car.
Also, burglar victims tend not to cause further damage. And, if they do, the victims will be in trouble as well. At least in Germany, a stolen gun will cause you a lot of problems, unless you can prove that you stored it securely according to the national guidelines.
Your home was broken into and your jewelry stolen? No, you're not criminally liable for anything, you were the only victim.
Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?
It doesn't have to be a binary thing either, there's nuance to it. A hacker steals unencrypted personal information off a server you didn't even password protect? You're more liable than a company that lost personal information that was strongly encrypted.
I was under the (apparently false?) assumption that under-18s couldn't be named. The alleged mastermind here is 17, yet is named and pictured.
Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
Florida has some of the most permissive laws about mugshots and criminal info.
The reason for the "Florida Man" meme is not that people in Florida are more weird than anywhere else, just that it's easier to find the mugshots online.
The story below the linked one is how a man rammed his way into a gated community, beat two people to death with a baseball bath, and then the police found the suspect unconscious after he drank some bleach.
That seems more weird than my local news, by a bit.
I always thought this was for precisely the oppposite - i.e. that news headlines (edit: I mean whole articles) were more often "A Florida Man has been arrested" because they were not allowed/didn't have the names.
It has been a journalistic tradition done out of good faith not to print the names of accused minors. This has largely been done industry-wide under an implicit "gentleman's agreement." Similar traditions include not printing the names of victims of alleged rape victims or other sexual crimes.
Update: 18 USC Section 5038 (Juvenile Justice Act) generally prohibits the publication of juvenile delinquency records, including the identity of the accused: https://www.law.cornell.edu/uscode/text/18/5038
Note that this does not apply to violations of State laws, only Federal law violations. States may further restrict the publication of juvenile records.
There actually are very few legal restrictions on naming minors. There is substantially more scrutiny applied to false reporting when it involves accusing a minor of a crime. Most of the time when publications refuse to name a minor it’s because they promised not to while obtaining the minor’s name.
This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws."
Why do all these prompts use doublespeak so blatantly? It's actually insane.
"Your privacy matters to us." -> Then why are you asking me to give it up? If my privacy mattered to you you wouldn't even ask to install tracking cookies and gather my data.
It is true though. It matters to them in the same way virginity matters to someone trying to seduce someone. It is an absolute binary status that maintaining gets in the way of what they want.
It means they're not complying with European Union laws. Whether you think complying with a law is synonymous with protection, or security or privacy is up to your experience and worldview.
It's sad to me how the authorities are bragging about how quickly they caught them and how effective they are at solving this type of crime.
The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.
I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.
So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.
It's also just another case where those not in power who attacked those in power are swiftly and promptly dealt with versus those in power perpetuating the same attacks go free. I would rather see them gloat over putting people with real power and influence with their attacks in jail versus bragging about locking up teenagers and people in their early twenties.
There's a quote in the article, "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence", which just reiterates this perception of the justice system being "hard" on crime. Yet it conveniently ignores being soft on crime if you're rich or in power.
Obviously what they did is wrong but the kid is 17. To me this is a prime example of where a short sentence or community service should be used. Don't ruin his life - he could be a useful employee for a tech company.
It drives me a little nuts when people say stuff like this (they said it about Reiser, too) --- because you can say the same thing about tens of thousands of young offenders imprisoned for crimes we don't have a rooting interest in.
We need to reduce sentences across the board, for both violent and nonviolent crimes, because our sentencing ranges are bonkers. But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.
At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.
> But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.
You don't just disagree, but actually believe people asking for leniency are outright behaving immorally. You can disagree without calling someone immoral.
Sending a 17 year old to prison for a non violent crime for 2-4x as long as a murderer would get in my country seems criminal in itself (but I don't think you are immoral for advocating for it).
Reiser was a murderer. An equivalent to this crime would be a 17 Yr old who managed to pick the lock of Fort Knox with a toothpick and walk out with a 1kg gold bar.
> At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.
I wouldn’t be so sure. Look at Paras Jha, Zachary Buchta and Mir Islam.
All engaged in similar high profile crimes, all monetized. I think only Mir spent a little bit of time in prison.
I have a hard time thinking of any young, high profile offenders that were handed severe punishments for cybercrimes by federal courts in the past decade.
And enriching the private prisons owners, who then lobby both parties for harsher sentences and this is why the US, a free democracy, has the highest incarceration rate in the World.
If he had gotten into twitter to make some funny status's then sure, community service makes sense. But this kid scammed a lot of money from a lot of people, severe criminal charges are appropriate.
And this is where the distinction between minor and adult breaks down. He's 17, he's going to be an adult within 365 days.
I dunno what you do here. The book would absolutely be thrown at him if he were 18. He might get off "lightly" at 17, but should he? He should know better right?
I think he gets tried as an adult. He just yeeted his life.
True he did commit a serious crime, but it's a non-violent crime. The kid obviously has some skill and potential in life. Sending young, misguided amateur criminals to prison just creates professional criminals. A crapton of strict probation and community service would be more appropriate than prison in my opinion.
Depends on your views of the justice system. Is it prevent person from committing the crime again? Is it punish the person for the crime regardless of whether or not the punishment prevents future crimes by the person? Or is it to punish the person so others will be fearful of similar consequences?
Hard disagree. Beyond the 'hacking', if that's what you can even call it, he knowingly scammed people. That's not kids being kids, that's some inherent mental state. Throw the book at him.
IIRC in the past, cyber criminals in similar situations were made to help federal cyber crime investigations, not sure whether through community service or a form of prison labor. The price tag for talented people is high so it's a win-win situation compared to wasting their talent by making them do low skilled labor.
Sure, it's a crime and he knew that. That being said, let's not pretend like this is a fully developed adult human who has committed murder. This is a child (legally) who committed fraud. The brain of a 17 year old is still physically developing; the prefrontal cortex isn't fully formed. I can't fathom how you would expect them to have the capacity to fully grasp the consequences of their actions with an issue as complex as this one.
Readit News
(via https://news.ycombinator.com/item?id=24012968, but we merged the threads)
Also: don't miss that this thread has multiple pages of comments. That's what the "More" link at the bottom of the page points to. Or you can click here for page 2:
https://news.ycombinator.com/item?id=24011939&p=2
Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?
If a 17yo could do it, I'm sure a nation state could do it.
I don't think so. Of course, you cannot put every 17 year old in a bucket, but I'm 99% sure that there is no hacker that age with three decades of experience. Therefore, this is strongly suggesting (yet not proving) that the skill cap needed is rather low.
Having full blown security could mean nothing is done easily anymore
Prosecuting is important
Deleted Comment
Generally the American criminal justice system has bent all of its pressure upon convictions without trial. The system is designed to make your life a nightmare upon accusation in the hopes you cannot afford or dare to resist.
With regard to "has become", this is completely false. Overcharging is not "new" in any way, shape, or form, as I hope the recent post commemorating Aaron Swartz's death would have reminded all of us.
Deleted Comment
Hitting them with 30 felony charges is perfectly reasonable/correct. Those are what the charges are for the crimes.
But the punishment for those 30 felonies should/will be adjusted down. I think at most this person will lose 5 years of their life.
Not like the 25 year old girl in Seattle that set a bunch of Seattle Police cars on fire during the protests. She's going to do 4 years for each carbombing. 4 * 5 = 20 years. 25 year old girl... and now here life is basically over. And for what?
4 years for setting a car on fire is not unreasonable, although maybe a little harsh depending on priors. It's a dangerous thing to do.
But setting five cars on fire is not particularly worse than setting one car on fire.
Dead Comment
Personally I suspect the security of the systems could be improved best over time by a radical measure of legalizing hacking and social engineering. Going after hackers is a bandaid measure. It would be unapologetically darwinistic but this domain doesn't behave the same as meatspace and imposing its assumptions on it is a mistake just as much as putting closing times on websites.
Like, how far am I allowed to go?
Deface somecompany.com? Deface it to say "We're going out of business"? Deface it to show the rotten.com best-of?
Can I just delete somecompany.com's customer database? Can I dump and download before I delete? Can I delete backups? Can I tamper with backup mechanisms, set a time bomb for in seven days when all rotating online backups are corrupted, destroy everything? How nefarious exactly am I allowed to be? After all, anyone without regular offline backups deserves to get hit, don't they?
Can I sell that database dump, or at least show it to others? Can I take a peek at blueprints I find on some network share? Can I have look into that User\ List.xslx file I find? Can I access users' private data? May I keep Beyonce's nudes? Can I use the information I find for personal gain, or even to gain an upper hand over a competitor?
Can I play with industrial automation software if I get in that far (you definitely would, sometimes)? What if I don't even realize this super outdated Windows box is controlling some kind of machinery and people get harmed when I inadvertently break something?
Can I attack healthcare providers? Can I attack banks?
Can I use any minutes-old zero-day disclosed by some hackfluencer on his Youtube channel, even if noone reasonably could have reacted to that so quickly?
I guess we'd also see the hacking-for-prestige (or hacking for likes, nowadays?) sector to get much, much more sophisticated; that was happening already before it got outlawed where I live (not in the US), I'd expect that to surge.
That might lead to everyone below big corporation level virtually having to migrate everyting they can to cloud and serverless products, since I'd expect it to get increasingly harder and expensive to run your own bespoke infrastructure in a secure way and not get pwned 15 times a week by some Twitch hackfluencer. AWS may be able to have a fix for a zero day deployed in within the hour, but how many small companies (or individuals running services) could do the same?
200 Million Americans could drive a car into a crowd. That doesn't make it any less bad for someone to do.
It's not whether it's bad for someone to commit this crime, it's whether Twitter should be held liable for such poor security practices that a 17 year old can hack them.
Deleted Comment
The seriousness of this incursion has to be put into context as well. There's the money, of course. Yet, I don't believe this is the most serious aspect of the breach. This was a case of mass momentary identity theft and fraud. This kid temporarily stole the online identities of a number of people and committed fraud against everyone watching. He could have triggered a massively negative event that would have led to the loss of one to thousands of lives.
Think George Wells' War of the Worlds and imagine someone playing puppeteer with the accounts of a range of prominent and less prominent people on social media. The outcome could be horrific.
I agree with this. But I don't think it necessarily needs to be consequences to themselves that they understand. Coming to understand the consequences their actions have had on others can also effectively chnage behaviour, and can often turn past offenders into very effective advocates against the crime they committed.
That isn't necessarily to say that I don't think there should be consequences for the perpetrator. Just that I don't think it's the only way to prevent crime.
In this case, I’ll leave the expected duty of care to your imagination, but I’ll point out that we’re talking about a publicly-traded multinational corporation with many millions of users including governments and world leaders.
Which works on average.
Someone's gonna talk if they haven't already?
Is the suggestion that if your security is weak, at least some of the blame goes to the hacked? If your home security is weak, should we grant more leniency to a burglar? The insurance company should be the one to punish the riskiness of homeowner security.
Speaking of guns, it's actually also not unheard of for people to be partly responsible for crimes committed with guns that were stolen from them, even in their home. You have something dangerous, like a network that has become a de facto platform for government officials, then yeah: you have a responsibility to take reasonable preventative measures too.
If someone breaks into Twitter, user data is compromised. It's not just the business that pays a price.
what charge should they leave out? Also he will not serve, say 15 years X 30 charges, if found guilty.
Now they are dealing with him, what happens to Twitter, if anything, is a different story. 17 years old or 19...he knew what he did
for this young man, it should be 1 charge, maybe 1-2 weeks in jail (to deomonstrate the seriousness of the offense, not so much for retribution), and then a whole bunch of community service as restitution and rehabilitation.
we destroy lives gone astray rather than nudge them back onto the happier path(s). mischievousness like this is rarely an expression of malice, but more likely curiosity, rebelliousness, perhaps boredom, etc. the punishment should reflect that.
https://www.popehat.com/2013/02/05/crime-whale-sushi-sentenc...
So if a 2 year old, 8 year old and 18 year old all shoot and kill someone, we prescribe much different levels of punishment based on their relative maturity. Sometimes, prosecutors decide to charge minors "as an adult" based on their behavior (Google for "X year old charged as adult" for examples). I assume that's what they're doing here.
Deleted Comment
Also, Twitter is just a collection of people and a single person is trivial to exploit.
Do you really think Lee Harvey Oswald acted alone?
:)
Just because you’re a hacker doesn’t mean you know how to sell secrets to Russia, and trying to establish lines of communication like that are probably going to raise red flags with law enforcement.
To be fair, the strategy of scamming for bitcoin was crazily simplistic and destined to fail, due to how easy it is to track bitcoin. I am not at all surprised that some of the people allegedly involved have already been caught.
"Because they're young punks and didn't think of that" is a reasonable answer.
I have bad news, there are no important individuals. Sorry.
He’s being charged in state court - specifically the state he resides in.
The charges are being brought in San Francisco - which is thousands of miles from the where the other suspects live.
Relative to the other defendants, he’s getting it easy.
Yes, he’s technically facing life in prison. But it’s a prison near his home.
He probably won’t get life in prison, but at least he’ll be able to get family visits, etc.
The release doesn't say that either thar he is being charged in state court or that he is not being charged in federal court. First it says why they won't tell you details of any federal charges—“With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile”—then it says that the federal authorities have referred the juvenile to state authorities (without saying anything about action taken by the state authorities.)
To pull off a hack like this is indicative of these kids being intelligent, risky and bold. Yeah, they went where they shouldn't, but I personally think these are the types of people we need leading us into the future of science. It does us no good to keep rewarding sycophants with 4.0s and fellowships and tenure, but removing the "trouble makers" from the system.
They engaged in straight up fraud! It's not like they just pranked some folks, they tried to fool the world into sending them money. It's true the fraud didn't work that well (or rather, not in relation to the severity of the Twitter hack), but they still stole some $100kUS or whatever.
You want those people LEADING us "into the future of science"?
1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.
You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.
"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands."
You might be on to something.
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.
Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.
The nice thing is, they could do one or even multiple of these and still do the scam.
I say this as a former teenager
Dead Comment
Dead Comment
From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).
And yes, the charge count is insane but the US loves holding a bit of life-ruining theater when they catch hackers threatening commercial interests. e.g. Aaron Swartz's conviction: https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...
Social engineering most often involves impersonation, so the person getting access was not really the intended party.
That's an interesting idea, and I think I agree with you in spirit. But don't most hacking-related criminal charges boil down to "unauthorized access to a computer"? It would be hard to argue that the company that owns the computers has unauthorized access.
Maybe a better phraseology would be to say that the company is an accomplice to the hacker. For that to really hold up, I think you would need to show that the company was negligent or not keeping up with security best practices.
That's not the way I'd argue. I'd say the company has authorized access and they then gave access to fraudsters who should not have been given access to the system, which is where they were aiding the fraud.
So they aren't the principal offender, but they did aid in the offence which is what I'm suggesting makes them an accomplice (although as another paulpauper points out, an accomplice has to be aware they're aiding a crime - being duped isn't a crime).
It can be. Twitter could be found criminally negligent if they knew the risk of this type of attack (or it was obvious) but chose to ignore it.
Aren't they? I've seen a lot of insurance cases being denied due to negligence. This might even happen if you let your bag lie around openly in your locked car.
Also, burglar victims tend not to cause further damage. And, if they do, the victims will be in trouble as well. At least in Germany, a stolen gun will cause you a lot of problems, unless you can prove that you stored it securely according to the national guidelines.
Your home was broken into and your jewelry stolen? No, you're not criminally liable for anything, you were the only victim.
Your home was broken into and they stole the stack of personal records for your small business' employees that you left sitting on the dining room table? Yes, you should be liable for that because you were not the only victim and those others were victimized due to your own negligence. The documents were not properly secured, was your home properly secured as well given the sensitive material you were housing there?
It doesn't have to be a binary thing either, there's nuance to it. A hacker steals unencrypted personal information off a server you didn't even password protect? You're more liable than a company that lost personal information that was strongly encrypted.
In the Twitter case, the victim were the users.
Sending packets is peaceful speech.
Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
The reason for the "Florida Man" meme is not that people in Florida are more weird than anywhere else, just that it's easier to find the mugshots online.
That seems more weird than my local news, by a bit.
Alligators:
https://nypost.com/2020/06/11/florida-man-fights-off-alligat...
https://nypost.com/2018/07/30/florida-man-brings-gator-into-...
https://www.wfla.com/news/florida/8-foot-gator-wrestled-from...
Pythons:
https://www.naplesnews.com/story/news/local/2019/08/12/6-foo...
https://www.foxnews.com/science/alligator-fights-python-on-f...
Driving dogs:
https://www.cnn.com/2019/11/22/us/florida-dog-drives-circles...
Kangaroos:
https://www.sun-sentinel.com/local/broward/fort-lauderdale/f...
Speed-trap towns that had to decommission their police:
https://www.youtube.com/watch?v=kELze26IXpk
https://en.wikipedia.org/wiki/Waldo,_Florida
But there's no law against it that I am aware of.
Note that this does not apply to violations of State laws, only Federal law violations. States may further restrict the publication of juvenile records.
https://splc.org/2020/01/naming-names-identifying-minors/
This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws."
nice
"Your privacy matters to us." -> Then why are you asking me to give it up? If my privacy mattered to you you wouldn't even ask to install tracking cookies and gather my data.
It's a legacy site and they haven't finished implementing out-out-only / data-deletion / etc... I wouldn't assume malicious intent.
Deleted Comment
Yes, quite. I won't repeat the phrase that immediately came to mind when I read that, but I will say it ended with, "you News Channel 8!"
Europeans should be impressed that American sites were so quick to comply with their well thought out and reasonable regulations.
The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.
I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.
So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.
There's a quote in the article, "There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence", which just reiterates this perception of the justice system being "hard" on crime. Yet it conveniently ignores being soft on crime if you're rich or in power.
We need to reduce sentences across the board, for both violent and nonviolent crimes, because our sentencing ranges are bonkers. But it's immoral to single out crimes committed by people we identify with personally as particularly worthy of leniency.
At any rate, presuming the evidence holds up, it's unlikely that this person is going to find any leniency at all. High profile is tough but survivable; monetized is tougher still. High profile and monetized? My guess is they're going to make an example out of him.
You don't just disagree, but actually believe people asking for leniency are outright behaving immorally. You can disagree without calling someone immoral.
Sending a 17 year old to prison for a non violent crime for 2-4x as long as a murderer would get in my country seems criminal in itself (but I don't think you are immoral for advocating for it).
Reiser was a murderer. An equivalent to this crime would be a 17 Yr old who managed to pick the lock of Fort Knox with a toothpick and walk out with a 1kg gold bar.
I wouldn’t be so sure. Look at Paras Jha, Zachary Buchta and Mir Islam.
All engaged in similar high profile crimes, all monetized. I think only Mir spent a little bit of time in prison.
I have a hard time thinking of any young, high profile offenders that were handed severe punishments for cybercrimes by federal courts in the past decade.
So, like Twitter.
I dunno what you do here. The book would absolutely be thrown at him if he were 18. He might get off "lightly" at 17, but should he? He should know better right?
I think he gets tried as an adult. He just yeeted his life.
Deleted Comment