This will be controversial, but wouldn’t one be able to say there is a benefit to the society of having kids hacking systems, doing pranks, even collecting ransomware, and not fearing ridiculing their subjects in contrast to having national state attackers that harvest and sell secrets? The first type of attacker would pressure security to be taken seriously, whereas the second type of attack would rarely be noticed and disclosed.
A clear distinction should be made, this isn't kids hacking companies for 'fun' or some kind of Kevin Mitnick-esque story where the thrill was having something they shouldn't or bypassing systems. These people wanted money and notoriety and got it by any means necessary, yet it took THREE arrests to finally put an end to it. They weren't just targetting multibillion dollar corporations, either.
Meanwhile in the very same country, the teenage criminal who helped ransom MGM casinos and London's transportation (twice arrested) is also free and likely actively deploying ransomware and sim swapping as we speak. I get that they're legally "children", but it's not like they're 9 year olds being tricked into do other peoples bidding, these are quite literally criminal masterminds working for themselves, and should be charged as one. "I promise I won't go online again" and supervision for a couple months obviously isn't working when you have companies getting hacked from a hotel room.
They don't end nation-state attacks, but public exposure from teenagers hacking corporate computer systems can make them do their homework of fixing low-hanging vulnerabilities. As a result, the attacks from nation-state attackers could become more expensive.
What your basically describing is HackerOne but for kids. And I actually don't think it's a bad idea, they could consider doing a teenager version or do some program aimed at high schoolers. I'm sure it would be very well received, I would have thought it was the coolest thing ever.
I do believe in leniency towards juveniles so as not to discourage curiosity and learning. However, many attacks can be severely damaging. It seems this individual had many second chances but hasn't changed. Some intervention is necessary.
I think you could generalize the OP's point to extend past children and still consider their question. I think you're focusing on the children part and ignoring the point.
Plus you're not "utilizing children" in the way you would with child labor. This is more "children are doing things, could we utilize this natural behavior to improve our society?" That's no exploitive of children unless you pressure them into hacking. It's also reasonable that we consider children are less likely to be severely punished because kids are, in fact, pretty dumb (which does not mean they also aren't pretty smart. Context matters ;)
Anyways, that's all besides the point of OP's question:
Can we see hackers as a valuable tool for society? Since they put pressure on corporations to improve their security. Whereas when nation state hackers do similar things it is all kept quiet and so the knowledge of what needs to be fixed is less wide spread.
I think yes. As an analogy I think hackers in this way can be seen like a virus and the human immune system. Low exposures and in healthy systems allows the body to develop antibodies and fight off bigger attacks and/or when the body is weaker. But too much and the host is permanently damaged. But no viruses and the immune system becomes weak and fragile too.
Personally, I think if we want to get the former immunity boosting we should be promoting ways for people to hack on systems in non-malicious ways. Bug bounty programs. Clear paths to responsible disclosure. All that jazz. Accidents will happen and some will go too far, but intent does matter. But we also hear on HN about how people have found vulns, reported it, and the response is to sue the person disclosing for hacking. Even if this is exclusively untrue (lol), if it is widely believed then what incentive does someone have to report a vuln if they find it? Because they sure have incentives to do malicious things with that information.
I'm big on morals and sticking to them. But at the same time I don't think we can have a functional society where people's only incentive to do the right thing is that warm and fuzzy feeling inside, especially when there are incentives to do the wrong thing. Maybe we should reward good behavior instead of bad behavior...
>He said the average age of anyone arrested for a crime in the U.S. is 37, while the average age of someone arrested for cybercrime is 19.
Indeed. So why is it that these billion-valued-companies can so easily be hacked by teenagers? Who would win: a trillion dollar industry of cyber security, or a bunch of bored outcast teenagers?
No - I think it has much more to do with the fact that anyone smart enough to be doing this is going to be gainfully employed by the time they're an adult - but as an adolescent, you are bored, talented, and unrecognized - not a good combination.
This is exactly my story and I doubt it is very unique.
Because properly securing your systems is hard, especially if the attack surface is large. The attacker only needs to find a single weakness.
Furthermore, you don't hear from all the teenagers trying to find vulnerabilities across the web, just when there's headlines.
Yes it's hard and also not done well. Most companies don't fund security as much as they should. At best they'll hire an occasional consultant for the purposes of compliance with a supplier agreement or industry regulation they have to meet.
As a former bored teen, who went after similar sized companies (and was eventually caught), I’d say you’ve already got your answer - boredom, being a tad neurotypical helps too.
Most of the things I pulled could have been prevented if everything was checked against the OWASP top 10.
Then the other multiplier is how old the company is, at a certain stage there’s a digital footprint that isn’t properly documented internally.
It sounds to me like that's more of a teenager trait than an autistic one. Not to say that every teenager would find humor in putting dicks in unexpected places, or even that only a teenager would, but it's pretty on brand for boys in that general age bracket.
Teenagers are also biologically predisposed to occasionally making bad decisions. The kid in this article had a brain whose prefrontal cortex wouldn't finish developing for nearly another decade. I suspect that had a lot more to do with posting links to a penis in Uber's internal chats than autism did.
No, autism is an explanation for not saying "wow this guy is a real stain on society" and being reluctant to put him behind bars.
That being said I don't like infantilizing people who have autism without more profound disabilities in cognition (I am speaking as someone who has "mild" schizophrenia). Kurtaj seems to have normal intelligence and is not so disconnected from society as to be unaware what he allegedly did was wrong. In particular his alleged motivations and mental state during all this are not that different from a angry teenager with few friends and terrible judgment.
There are other factors that are important for sentencing. Unlike the angry teen, it sounds like Kurtaj might have trouble holding down a job even if he gave his best effort at emotional and occupational therapy. But when people with autism seem perfectly capable of making moral choices, their diagnosis should inform your empathy. Turning that into an exoneration not only excuses certain bad people, but also denies that certain good people actually understand they're doing the right thing. It's totally dehumanizing.
Readit News
Meanwhile in the very same country, the teenage criminal who helped ransom MGM casinos and London's transportation (twice arrested) is also free and likely actively deploying ransomware and sim swapping as we speak. I get that they're legally "children", but it's not like they're 9 year olds being tricked into do other peoples bidding, these are quite literally criminal masterminds working for themselves, and should be charged as one. "I promise I won't go online again" and supervision for a couple months obviously isn't working when you have companies getting hacked from a hotel room.
Which ignores the point
Plus you're not "utilizing children" in the way you would with child labor. This is more "children are doing things, could we utilize this natural behavior to improve our society?" That's no exploitive of children unless you pressure them into hacking. It's also reasonable that we consider children are less likely to be severely punished because kids are, in fact, pretty dumb (which does not mean they also aren't pretty smart. Context matters ;)
Anyways, that's all besides the point of OP's question:
I think yes. As an analogy I think hackers in this way can be seen like a virus and the human immune system. Low exposures and in healthy systems allows the body to develop antibodies and fight off bigger attacks and/or when the body is weaker. But too much and the host is permanently damaged. But no viruses and the immune system becomes weak and fragile too.Personally, I think if we want to get the former immunity boosting we should be promoting ways for people to hack on systems in non-malicious ways. Bug bounty programs. Clear paths to responsible disclosure. All that jazz. Accidents will happen and some will go too far, but intent does matter. But we also hear on HN about how people have found vulns, reported it, and the response is to sue the person disclosing for hacking. Even if this is exclusively untrue (lol), if it is widely believed then what incentive does someone have to report a vuln if they find it? Because they sure have incentives to do malicious things with that information.
I'm big on morals and sticking to them. But at the same time I don't think we can have a functional society where people's only incentive to do the right thing is that warm and fuzzy feeling inside, especially when there are incentives to do the wrong thing. Maybe we should reward good behavior instead of bad behavior...
Indeed. So why is it that these billion-valued-companies can so easily be hacked by teenagers? Who would win: a trillion dollar industry of cyber security, or a bunch of bored outcast teenagers?
This is exactly my story and I doubt it is very unique.
Most of the things I pulled could have been prevented if everything was checked against the OWASP top 10.
Then the other multiplier is how old the company is, at a certain stage there’s a digital footprint that isn’t properly documented internally.
Would love to hear more.
In other words: lying to, manipulating, and exploiting trusting folks, rather than finding technical flaws. Much less noble in my opinion.
(Newer headline, and useful for indexing the names)
Teenagers are also biologically predisposed to occasionally making bad decisions. The kid in this article had a brain whose prefrontal cortex wouldn't finish developing for nearly another decade. I suspect that had a lot more to do with posting links to a penis in Uber's internal chats than autism did.
humans are
Just a reminder: the autism spectrum is wide, and two autistic people are likely to be more different from each other than a neurotypical person.
That being said I don't like infantilizing people who have autism without more profound disabilities in cognition (I am speaking as someone who has "mild" schizophrenia). Kurtaj seems to have normal intelligence and is not so disconnected from society as to be unaware what he allegedly did was wrong. In particular his alleged motivations and mental state during all this are not that different from a angry teenager with few friends and terrible judgment.
There are other factors that are important for sentencing. Unlike the angry teen, it sounds like Kurtaj might have trouble holding down a job even if he gave his best effort at emotional and occupational therapy. But when people with autism seem perfectly capable of making moral choices, their diagnosis should inform your empathy. Turning that into an exoneration not only excuses certain bad people, but also denies that certain good people actually understand they're doing the right thing. It's totally dehumanizing.
Did it not occur to this legend that concealing ones identity when breaking the law is an important step?