ex_ubiquiti · 4 years ago
Ex-Ubiquiti employee here. Nick Sharp wasn't just a senior software engineer. He was the Cloud Lead and ran the whole cloud team. His LinkedIn profile will confirm it. This is why he had access to everything.

Nick had his hands in everything from GitHub to Slack and we could never understand why or how. He rose to power in the company by claiming to find a vulnerability that let him access the CEO's personal system, but nobody I spoke to ever knew what the vulnerability was. I discussed this with another ex-Ubiquiti person in an old thread [1]. Now I'm positive he faked the security issue as a power move, just as he faked this attack for extortion purposes.

He would also harass people and use his control over Slack and GitHub against the people he didn't like. Many people left around this time partially because Nick made everything so difficult at the company. What a terribly depressing series of events.

[1] https://news.ycombinator.com/item?id=26694945

baskethead · 4 years ago
Is this why Ubiquiti quality has fallen over the last ~2 years? I went all-in on Ubiquiti almost 3 years ago and I’ve been less than thrilled with the quality and level of support. This chaos that you say happened seems to line up with what I was seeing as a customer but everyone has been shocked at how UI has dropped in terms of quality.
myrandomcomment · 4 years ago
I used to recommend them. Not anymore. My complete home setup is all their kit (the GUI means that if I kick it, the family can likely sort it - it is important). I opened a case that a replacement switch (new model, old is EOL) did not work with one of their POE devices. I know this stuff backwards and forwards. I did my testing and basically sent the case to support with all the details (I know this stuff at the ASIC level). Wasted my time for a week. Finally I just said screw it and RMA'd the switch (nothing wrong with it) because support would not move. I received the replacement and surprise, same issue. Only after that I got the "sorry, we will reach out to L2 support." Wasted my time on a good debug that clearly ID'd the issue and I had to pay for shipping on the RMA. I am stuck with them for now, but as soon as I can find a better offering I am going to switch.

(My issue is that I understand that most users are clueless, heck I started in support for Win3.1 for an ISP, but the stuff in the debug clearly was a statement that I understood what I was saying, and even as a Jr. engineer 30 years ago, I would have read it and said "hum, this dude knows his stuff, maybe I should ask at the next level").

artificialLimbs · 4 years ago
When I first bought ubnt (a sec gateway), I could chat with support agents FROM THE GATEWAY'S WEB UI! The service was shockingly good at the time, and I was committed to using UBNT from then on. Agents would be on the chat usually within a minute, maybe a few.

Now... submit a ticket. Frustrating/pointless UI changes. Breaking system upgrades. Backed up your configuration? Doesn't matter, you're going to need to reset this update... disappointing. I still have hope they'll turn it around because they have the best UI of any network gear I've used for getting small/mid size networks up and done.

zamadatix · 4 years ago
I mean this genuinely: I'm amazed there was a point at which people were ever thrilled enough with the quality and level of support from Ubiquiti that they are now shocked. Other than the working hours first level chat support I can't think of anything they had in support that remotely resembled having quality support. Shit, 3 years ago I was happy if there was someone on the forums that found a version of firmware that had killer features like "routing, hardware NAT, and IPv6" working all at the same time without (major) bugs. Low quality software and support with cheap hardware is what they've always been known for with everyone I've ever talked to.
lotsofpulp · 4 years ago
I read somewhere (maybe on Reddit) that ubiquiti had started offshoring a lot of the work and as a result quality had suffered.
b3lvedere · 4 years ago
I used to like Ubiquiti a lot, but nowadays I prefer to use other brands which are even easier to implement and manage. For the clients that still want to use Ubiquiti I try and implement a Debian 11 VM with the Ubiquiti software on it.
iYanderz · 4 years ago
A lot of tech is suffering from quality issues in the past 2 years: We're in the middle of a global pandemic. Components are being stripped out left and right to meet demand, especially in the automotive sector. Ubiquiti is no different, and their store being constantly out of stock is a clear indicator of that.

Personally, I would argue that Ubiquiti handled the pandemic much better than other companies. Take the Cloud Key firmware: Back when it was first released, the thing was so unstable it had to be reset every few weeks. Every firmware update required a factory reset. Nowadays, it's solid. Even flashing beta builds is a smooth, issue-free process. Features like person and vehicle detection in their Protect lineup are a much welcome addition, as is the revamp of the Protect app. All of this happened during the pandemic.

I know people whine about how Ubiquiti unified everything under a global login, but come on... if it works, it works. It's hardly a reason to bash Ubiquiti because you're upset you temporarily have to sign into ui.com.

Now, maybe they are putting more effort into Protect than they are into the network side of things. I don't know, because I primarily use them for Protect. With that being said, I'm fairly satisfied.

chaostheory · 4 years ago
If you read their Glassdoor reviews, one of the common complaints was the company’s hostility towards automated tests.
newbamboo · 4 years ago
If there’s a single person to blame for a company’s failure, there isn’t a single person to blame.

throwaway-swsh · 4 years ago
If it makes you feel any better I worked with him at Nike in 2014 and he was a complete jerk then too. I’m surprised this didn’t happen sooner if anything. How do these people stay employed?
pdimitar · 4 years ago
Let me not come across as non-sympathetic -- I feel what you and others went through.

But IMO the truly depressing event here is management refusing to do anything until it was too late. What are they even paid for?

neom · 4 years ago
How does one weaponize Slack? GitHub maybe I can understand, but I don't understand how you can weaponize Slack.
staticassertion · 4 years ago
Lots of credentials end up getting shared over Slack. If you own Slack you probably own a few other systems.

Also, extortion. I'm always amazed at what people will say over Slack DMs, seemingly not realizing that it all is accessible by the company.

edm0nd · 4 years ago
You can also view users' private messages by downloading the history.
organsnyder · 4 years ago
ChatOps would be one way.

stef25 · 4 years ago
> He rose to power in the company by claiming to find a vulnerability that let him access the CEO's personal system

Do you mean he got promotions because he found a non-existent vuln? Surely whoever handed out those promotions is to blame here?

OneTimePetes · 4 years ago
He extorted himself a promotion by knowing some dirt on the CEO.

Actually not unusual.

Lots of the highest-ranked sysadmins in larger companies are quite "invulnerable" due to the implication that they might know everyone's mail & the company's dirt.

the_gipsy · 4 years ago
Ultimately, you can blame the CEO for everything.
LiquidPolymer · 4 years ago
I've always been fascinated by the idea that intelligence lies within a spectrum. Someone might be incredibly smart about a narrow topic or field, yet be blind to their own stupidity within another realm.

To me, this seems like a classic example. To quote the press release: "During the execution of that search, SHARP made numerous false statements to FBI agents, including, among other things, in substance, that he was not the perpetrator of the Incident and that he had not used Surfshark VPN prior to the discovery of the Incident. When confronted with records demonstrating that SHARP purchased the Surfshark VPN service in July 2020, approximately six months prior to the Incident, SHARP falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase."

This man was a senior developer yet this quote sounds like it comes from a nine year-old. Not to mention "hire a lawyer, don't talk to the police" has always been pretty solid advice.

He now faces significant prison time, and the strong potential for a dismal life.

colechristensen · 4 years ago
It's not really about intelligence.

When faced with correcting a false reality you have created, it can be quite hard to decide to phase change into telling the truth. The lies that come out come from not being prepared and not being a very good liar. For people who lie like this, a good way to think about it is as though it were a disease.

Actually intelligent people just don't do things like this, even if they have nefarious intent. There are quite smarter ways to accomplish substantially the same thing that this crime does not reflect.

I'm not convinced that this person was particularly intelligent in the first place.

ivalm · 4 years ago
> When faced with correcting a false reality you have created, it can be quite hard to decide to phase change into telling the truth. The lies that come out come from not being prepared and not being a very good liar. For people who lie like this, a good way to think about it is as though it were a disease.

Or just don’t talk to the police and lawyer up. I agree the best thing is to not do the crime, but if you are a criminal then the intelligent and simple thing is to use a lawyer.

TedDoesntTalk · 4 years ago
> Actually intelligent people just don't do things like this

Are you really claiming that intelligent people don’t commit crime or don’t lie? That seems incredibly naive.

pdimitar · 4 years ago
Yeah, he seems to have been operating under the illusion that he'll never get caught. Amateur mistake.
klabb3 · 4 years ago
> I've always been fascinated by the idea that intelligence lies within a spectrum. Someone might be incredibly smart about a narrow topic or field, yet be blind to their own stupidity within another realm.

I've been seriously bitten by this, and find it more scary than fascinating. Growing up, I thought people who followed cult leaders and charismatic narcissists were so stupid (still do), it appeared so transparent to me. Later, in my professional and adult life I found myself to be equally gullible when intelligent people were abusive or outright dumb in other areas. This has been a challenge to unlearn, like teaching an old dog to sit. Basically, our proxies for predicting people's character range from bad to terrible.

xwolfi · 4 years ago
I think the first thing you must learn when trending towards adulthood is that nobody has any clue and we're just marginally fancier than ants in the grand scheme.

Hell, I grew up in Normandy and was 16 when some Americans became so mad we refused to follow their war in Iraq that they called us ungrateful. Talk about the fall of an idol :D So all that freedom we were supposed to be grateful for was only ever supposed to be used when deciding between buying a Coca-Cola or a Pepsi-Cola, but never for real big boy decisions? Thanks, I guess?

Rules have no intrinsic meaning, authorities are there by luck and circumstances and not their mystical ability to always lead towards the right direction, people try their best and often fail and nobody truly is intelligent in all circumstances.

doctor_eval · 4 years ago
> I found myself to be equally gullible when intelligent people were abusive or outright dumb in other areas. This has been a challenge to unlearn, like teaching an old dog to sit. Basically, our proxies for predicting people's character range from bad to terrible.

oh I am 100% with you on this. I tried to elaborate but I just sound bitter and twisted, and that's probably true. But I've spent the last few years unlearning things I thought I knew. It has been a painful and expensive set of lessons.

long story short: I think we judge people's reaction to a situation by projecting how we would act... but that's not how people actually act.

bschne · 4 years ago
Reminded me of this I read recently and found quite fascinating — http://knowingless.com/2021/11/27/frame-control/
rodgerd · 4 years ago
> This man was a senior developer yet this quote sounds like it comes from a nine year-old.

Tech has a contempt culture problem, and this can be one manifestation of it: feeling that being moderately bright about getting computers to do things makes you a tremendous intellect, and everyone else around you an easily hoodwinked moron.

Perhaps the most extreme example was Hans Reiser. Anyone who followed the twists and turns of the case against him for murdering his wife will remember how many trivially disproved lies he told, apparently under the illusion that he was a mastermind who could put one over on the courts based on his faulty understanding of ideas like reasonable doubt.

SilasX · 4 years ago
Yes, and I remember Reiser having rejected a plea deal whereby he'd only serve 3 years, which is just about winning the lottery when it comes to being prosecuted for murder:

https://www.theregister.com/2008/07/10/reiser_rejected_volun...

devonkim · 4 years ago
A lot of the tech community have pretty hostile attitudes in general for reasons I can only wildly conjecture, but the question I also would pose is if the distribution is all that different from the rest of the population. Look at the doctors and lawyers we’ve been seeing that are at least in public saying some of the most ridiculous things imaginable oftentimes even without an obvious financial motive involved like in most cases I’ve heard with engineers being deceitful.
sneak · 4 years ago
It is very, VERY difficult to not answer questions from a trained law enforcement interrogator even if you a) are smart and b) know not to answer questions. I can't stress this enough.

It actually takes explicit training and practice, as it goes against every social habit and "instinct" we have developed throughout our entire adult lives.

refurb · 4 years ago
Reminded me when I watched people try and get out of jury duty by claiming biases.

A big part of the lawyer's job is to question people. Their stories fell apart pretty quickly.

CurrentB · 4 years ago
Any tips for how one might maintain composure enough to handle these situations if they ever find themselves in them? I imagine the obvious answer is just practice saying "no comment, I need my lawyer present" but I'm not convinced this would make one immune to their Jedi mind tricks when the day comes to exercise it
dagw · 4 years ago
> This man was a senior developer yet this quote sounds like it comes from a nine year-old.

I knew a senior developer doing advanced R&D at a big tech company, who also kept getting suckered into MLM scams.

felipemnoa · 4 years ago
MLM=Multi Level Marketing
_pplp · 4 years ago
> This man was a senior developer

Dude, let's not be generous. Could he write code? Yes. But this is a guy who wrote everything in Node, but absolutely _refused_ to use any existing libraries except for ones he personally wrote. He didn't "trust" them.

He wasn't even hired on as a dev, he was hired to be the "Cloud guy", essentially a sysadmin for AWS, and basically spooked the CEO into giving him the keys to the castle.

throwuxiytayq · 4 years ago
> wrote everything in Node, but absolutely _refused_ to use any existing libraries except for ones he personally wrote. He didn't "trust" them.

Sounds like the single sensible thing he did. Have you seen the npm ecosystem?

millzlane · 4 years ago
Which is why everyone knows you give an addict $100 and they will go and reload a green dot card for you.
nathanvanfleet · 4 years ago
That's not a quote it's a summary of what he said
mjamil · 4 years ago
Mr. Sharp is apparently not so sharp. He carried out the attack from his home network. He connected directly for enough time that his bare IP was logged. The rest of the time, he carried out the attack using a commercially purchased VPN solution that was trivial to trace back to him via the purchase record. He lied to the FBI. (I have yet to understand why people talk to law enforcement instead of staying silent so as to not implicate themselves.) And, for no apparently good reason (meaning, there's no claim of him shorting the stock), after the raid, he seeded fake news that drove the company's stock down 20%.
dotBen · 4 years ago
> (I have yet to understand why people talk to law enforcement instead of staying silent so as to not implicate themselves.)

When the FBI knock at the door you totally do the whole "no comment/talk to my lawyer" thing. But what happens next if you're actually part of an investigation is they hand you a grand jury subpoena (which they were going to do anyway, even if you just talked willingly, because they have already gone to the trouble of asking a judge to issue one and have it with them by the time they ring your doorbell)

That subpoena is likely to require you to hand over any digital records you have related to the investigation (you can't plead the 5th on that) and turn up at a time and place to be interviewed (you have to turn up, even if it's on the other side of the country, e.g. in the Southern District of NY in Manhattan and you live in the SF Bay Area). BTW I don't think people widely realize the government has the power to compel you to hand over EVERY piece of material you have on a given subject they are investigating - e.g. search and share anything from every email you have ever received since you signed up for GMail in 2004, etc.

You can plead 5th during the interview but if you have material information (or are actually guilty) and knowing they have all of the documentation subpoenaed and whatever other evidence from other subjects/targets/witnesses, it will likely help you at that point to be cooperative via guidance from your attorney. Remaining silent at that point is just going to leave you at the mercy of whatever other witnesses/subjects/targets convey and their own conclusions from the subpoenas.

If you are on a visa or green card you almost certainly can't plead the 5th because they can leverage your right to remain in the US.

So, that's why people typically talk to the FBI. It's not at the doorstep when they first engage you, it's once you have been compelled to participate.

Related/useful: https://www.natlawreview.com/article/you-received-grand-jury...

Source: happened to me a number of years ago, although I wasn't guilty of anything. Lawyered up, cooperated, no further action. Wasn't pleasant.

IANAL, not legal advice

paxys · 4 years ago
The difference is that every step after the initial "no comment" can/should be done with explicit guidance from an attorney, and no attorney in the country will have their client blatantly lie in front of the FBI or a grand jury despite there being solid evidence proving otherwise.
CyanLite2 · 4 years ago
Police often give the line, "It'll go better for you if you just tell me the truth now" or "You'll get a better deal if we don't get lawyers involved". This often spooks people into cooperating without lawyers and they end up taking the first deal they get. I'd like to see some real legal experts weigh in on the legality of these pre-lawyer offers.
gonehome · 4 years ago
> "it will likely help you at that point to be cooperative via guidance from your attorney"

guidance from your attorney seems to be the critical bit of that - it's okay to talk, but with your lawyer present.

blitzar · 4 years ago
You left off the bit where they seize all your assets in a civil forfeiture, and require you to go to court and prove, beyond reasonable doubt, your innocence so you can get your house and bank account back.
chriscjcj · 4 years ago
I think many folks who have watched this may be coming from this perspective...

https://www.youtube.com/watch?v=d-7o9xYp7eE

mdip · 4 years ago
While I agree that the mistake Mr. Sharp made -- it sounds like he had a network disconnection which briefly caused him to perform actions via his home IP address, rather than his VPN address -- we also don't know everything here. It doesn't sound like the guy was all that sophisticated. Using a VPN provider, in the first place, can make you a whole lot easier to catch depending on the circumstances/provider trustworthiness/jurisdictions. I recall that there were providers which accepted cryptocurrency, but chances are good if he couldn't figure out how to block all traffic when the VPN was down, he'd have made several mistakes trying to keep the Bitcoin/Ethereum from being traced back to him.

For a crime like this -- as serious as this was, with the damages involved, the company and its internal resources/practices -- he probably had no prayer of getting away with it and in a Dunning-Kruger-like manner, he not only didn't know what he didn't know, I don't think there's any way he could have known enough about his adversary's capabilities to get away with it long term.

If a criminal wishes to be successful in getting away with a serious crime without getting caught over their lifetime, that criminal must successfully thwart detection from all current and future technologies. I mention serious because those crimes often do not have a statute of limitations these days. I'm assuming a perfect law enforcement body that similarly makes no mistakes, so a "luck factor" weighs in, but given a (not too) high-profile crime with motivation, budget, competent investigators and expanding technology, I'll bet law enforcement is going to rank higher in the luck category.

It's not enough to look at what they're capable of currently. Consider this scenario: A murderer with Type O+ blood (with other common properties) strangles a man with a wire in 1980 leaving behind only that wire as evidence. In the struggle, the wire also cut the murderer's hand and deposited a tiny drop of their blood on it. Being that it was a small item stored for an open case and was well preserved, it's still there today. Luck. Back in 1980, it was of little evidentiary value. Today, that drop has a good chance of producing a DNA profile. Has the murderer been arrested (not convicted) for a felony in the last few decades? They'll probably be caught. Did a family member use certain (do they all do this?) consumer DNA services? Their family might be found, which will narrow the suspect down to a pool of people. Forget drawing suspicions by getting warrants; because it takes so little biological material and you deposit it everywhere you go, the police just wait for garbage day or follow you around town, grab something that came into contact with your mouth and they've got a profile (which will be used to get an easy warrant for a blood sample to confirm it).

Budding criminals, are you storing all of your secret plans on your drive in a bullet-proof encrypted manner and ensuring that it is airgapped? Are you doing all of your secret research on a similarly configured device, but configured to ensure all networking only works via Tor? Are you sure you didn't make a mistake that couldn't rise to the standards required to get a warrant to image your drive/take your equipment (that's hopefully turned off)? That bullet-proof encryption is rotting, and 30 years from now could represent a small hurdle above plain text.

And what happens when the time required to investigate crimes is reduced further? "We'll get around to bike theft when we're done solving all of the murders." But what if solving a small percentage of the bike thefts went from "complaint" to "likely suspect" almost instantly if certain circumstances were right. For instance, imagine law enforcement could automate geo-fence style warrant requests (requests to get "people in a location at a certain time" from Google/Apple/mobile phone provider histories[0]) for every bike theft where the bike was stolen from an infrequently traveled area and where the time of the theft is known to within an hour. For any where there was exactly one person logged, you have a person of interest -- probably the thief. Not enough evidence to prove a crime, but enough to scare some of the petty thieves into giving up more evidence through questioning (or maybe just give up). It's a stretch, on purpose -- but as technology makes solving crimes less costly, less serious crimes will be prosecuted more frequently/reliably.

Full disclosure: My only credentials in this area are working in Corporate Security at a multi-national (large) telecom company for a brief stint and in a security/development capacity for most of my career; except for that brief stint, all of my work has been on the defensive/strategic side, not on the investigative side, and never with violent crimes of any kind. I simply enjoy security topics, in general, but if I've shown my ignorance in a few areas, my apologies and feel free to correct.

[0] Assuming this data is kept long enough; I am going to hazard a guess that it is a lot longer than most people think.

1cvmask · 4 years ago
Guess he should have bought a VPN with cash or stolen someone else's if Mr. Sharp wanted to be more sharp about it.
trhway · 4 years ago
>SHARP falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase.

and to me it looks like somebody intentionally left breadcrumb trail leading to the guy. With cloud paying so nice these days nobody is going to risk that way for the paltry $2M (ie. less than 3-4 years earnings in Bay Area for the people like this). It looks like the stock price drop is the real "follow the money" trailhead, and that doesn't lead to the guy.

And given that it was about Ubiquiti customer databases - the value of [stealth] access to those customers may possibly dwarf those few billions of valuation drop - so even the stock drop may have been a smoke screen. I mean Ubiquiti as a target reminds me of SolarWinds.

Those comments back then are also interestingly predictive https://news.ycombinator.com/item?id=26692987 - having a fall back guy kind of absolves the company from architectural and operational sins which allowed the hack and pacifies the customers who otherwise would feel unease at being possibly hacked by somebody serious.

akersten · 4 years ago
Damn. I remember reading about the original "hack" here and getting very concerned about the level of access ascertained by the attacker. I'm almost relieved it was a foolishly clumsy inside job and some of the initial hypotheses about rogue nation state root access to UI devices did not materialize. Brazen, indeed, for him to also have been on the team tasked with cleaning it up.
jeroenhd · 4 years ago
He could've prevented all of this by a) making sure his traffic was blackholed when the VPN went down and b) adding another layer from a free service (like TOR or a proxy or another VPN). He also should've been actively using the VPN so his traffic patterns wouldn't stand out as much, and so his purchase would be justifiable. If he really did buy the VPN 6 months ahead then he was a fool to leave the subscription dormant. If he wanted a fire and forget VPN subscription, he also could've bought the subscription with stolen credit cards. He would've had to make sure to only connect to the VPN through something like TOR, but credit card fraud is pretty difficult to trace if you do it right.

Had he put in a little more thought and preparation then I still don't know if he would've gotten away with it, but at least he'd be in a better position. He wouldn't have to lie to the FBI agents and they probably would've had to catch him by going after the source of the place where the data was leaked instead.

Opsec is hard, but this is just embarrassing for someone in the know trying to steal 50 bitcoin. I'm also not sure why he did it. Suddenly owning a few million in crypto would be noticed, unless he didn't spend any of it, ever. What was his plan, just quit his job and move away right after the hack?

stef25 · 4 years ago
> he also could've bought the subscription with stolen credit cards

Now they're looking at you from two angles.

Instead of all this jumping through hoops with anonymous VPN and payment methods, why not just do it from Starbucks?

blitzar · 4 years ago
Because the youtube videos I watch / podcasts I listen to say I NEED a VPN to keep my IP safe from being spied on.

But also Starbucks / any shop / cafe / restaurant / Apple store - or going for a drive and finding an open WiFi. Kinda wondering now how these places all handle their wifi being abused for crimes ...

miyuru · 4 years ago
I really dislike these kinds of comments in these kinds of posts. This is just bragging.

I would like the bad people to be caught and you are just giving away free advice to any future thief like him and also kind of encouraging other people which is kind of worrisome.

Privacy is a double-edged sword and this is a case where I'm happy that he was caught because of his lack of knowledge.

jeroenhd · 4 years ago
I don't think I'm saying anything the criminals don't already know. This guy was the head of cloud operations, he knew what a VPN is, how TOR works and how crypto works.

If you're a criminal reading my comments and learning anything new from them, let me tell you this: if you needed this info, you're not smart enough to evade the FBI. Go find a real job or something.

I'm glad the ass got caught and I hope he'll get what he deserves. However, I believe that the common modus operandi for criminals shouldn't be a secret because it will get out anyway. The "solutions" I propose are obvious and basically handed to criminals by the FBI analysis.

Good opsec for crime is incredibly hard, which is great in cases like these. I don't think I've heard of some super smart hacker that's managed to stay away from the authorities unless they live outside the relevant jurisdiction. Even then the FBI will find ways to get you into a country where they can arrest you, legally or otherwise.

A lot of "crime" in some countries, like China or Russia, is just doing the right thing in my opinion. You might very well need this kind of opsec if your goal is to help teenagers learn about homosexuality in many of the more bigoted countries, for example, or get the truth out about COVID without suddenly finding yourself falling out of a window.

I don't think the "true crime" style comments help criminals in any way. Documentaries about how murderers got caught aren't very good manuals and the advice of random people who've been in contact with the police isn't either. If they're dumb enough to follow the advice of some random guy here on orange reddit, their criminal career won't last very long.

ramcle · 4 years ago
But such information can also serve as advice for potential victims. For example, many people don't think about the fact that if their credit card info gets stolen, it not only may lead to losing money (which may be not much if a card has access to little funds), but may also allow someone to use it in a criminal context. Demonstrating a scenario where it can be used in a serious crime can increase awareness.
arcticfox · 4 years ago
This information can all be easily found or derived, Mr. Sharp wasn't lacking resources to learn opsec if he cared.

He was probably just overconfident in his knowledge; you kind of have to be somewhat nuts to try to pull this off so it's not too surprising.

stjohnswarts · 4 years ago
Good people also need to hide their presence on the internet especially political dissidents in hostile countries. Knowledge is just knowledge.
adrr · 4 years ago
Why a stolen credit card? Just buy gift visa card with cash.
OverlordXenu · 4 years ago
They take your ID. You could get someone else to buy it for you, but they'll be easy to flip when looking at time.
LinuxBender · 4 years ago
For what it's worth, most online sites will not accept gift Visa/Mastercard cards any more. It would be nice if there was a site that listed all the sites that do still accept them.
charcircuit · 4 years ago
It might be better to just get an account from an account reseller for a few pennies.
stefan_ · 4 years ago
When you ask for Bitcoin in the ransom note but paid your VPN with Paypal.
InTheArena · 4 years ago
I do think that the media that breathlessly amplified this person's attack should learn from it. In particular, as much as I like and appreciate his reporting, Brian Krebs was the key person amplifying this message - which makes him an unwitting accomplice to many billions of dollars of damage to Ubiquiti shareholders.

Responsible disclosure exists for a reason.

sneak · 4 years ago
Brian Krebs isn't a good reporter or a good person. He has a history of doxxing people without basis (or for the basis of leaving bad reviews on his books).

It disappoints me that he has the audience he does.

BeefWellington · 4 years ago
This provides an excellent case study as well, as his original post on this doesn't seem to produce any corroboration at all, so the "reporting" boils down to: "I got an e-mail from someone making a bunch of claims, so I'll regurgitate those." Including an update/follow-up that was added later, by the same person.

At best, it's shoddy journalism. He was taken for a ride and should bear some public shame for that.

I doubt he'll get sued for it but a lot of people lost money because of him, so I wouldn't be surprised if someone tried.

tptacek · 4 years ago
He's a reporter. "Doxxing" isn't a thing in journalism, even though it upsets people on message boards to hear it.
stef25 · 4 years ago
Source?
tptacek · 4 years ago
What's really unproven here is the idea that Ubiquiti lost billions of dollars in stock value over these messages. Seems pretty unlikely.
InTheArena · 4 years ago
The stock definitely was at a peak, and fell dramatically on the release of that news and stayed low. That part is absolutely correct. Now you can argue that it wasn't a permanent loss, but the damage was done by the hacker and the journalist.

It has also stayed relatively in that range afterwards - but you can definitely argue that this is due to the supply chain problems that the entire world is dealing with - but it's a pretty straight line to say that billions in shareholder value were wiped out.

djweis · 4 years ago
Perhaps Ubiquiti could use those savings to operate a support department.
fastball · 4 years ago
Which savings? They lost $4B in market cap.
maccolgan · 4 years ago
Market cap is monopoly money, it doesn't mean anything.