I think people are still severely under-estimating how dangerous this was.
Back in 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:
It's almost as if web services that let people post whatever they want at any time, vulnerable to whatever security flaws may be present, shouldn't be used as a reliable source for up-to-the-minute information about literally anything important at all.
Apparently the "fallout" was an exaggeration that Orson went along with because it gave him more publicity. From the Wikipedia:
>"The supposed panic was so tiny as to be practically immeasurable on the night of the broadcast. ... Radio had siphoned off advertising revenue from print during the Depression, badly damaging the newspaper industry. So the papers seized the opportunity presented by Welles’ program to discredit radio as a source of news. The newspaper industry sensationalized the panic to prove to advertisers, and regulators, that radio management was irresponsible and not to be trusted."
and
"Welles later embraced the story as part of his personal myth. "Houses were emptying, churches were filling up; from Nashville to Minneapolis there was wailing in the streets and the rending of garments," he told Peter Bogdanovich years later."
"CBS, too, found reports ultimately useful in promoting the strength of its influence. radio management was irresponsible and not to be trusted."
I loved to ask my grandmother about this because she recalled listening to the original broadcast. She said the station would take commercial breaks to interrupt the story, and they reminded listeners it was a fictitious broadcast when taking these breaks. She didn't believe that anyone could be fooled by it, at least not to the extent that was reported.
According to family folklore, during WWII when they had double summer time, my grandmother managed to put the clocks 2 hours forwards instead of 2 hours back. So woke up in the small hours and turned on radio to BBC and heard German (they transmitted to Germany as propaganda, and during night used channels normally broadcasting in English). Immediately wakes whole household - "we've been invaded - the Germans have taken over the BBC"!
This is true about how the events unfolded in the US, but the “War of the Worlds” story was translated and re-broadcast in Latin America where it had a much more devastating effect. In Ecuador, even the army and the police were rushed to the site where the invasion was supposedly taking place, intensifying the panic for average citizens. Never underestimate the potential power of a fictional story that is irresponsibly disclosed.
Fascinating - thanks for sharing. Newspapers always play the same dirty tricks - they're doing the same now with the tech reporting because they're losing ad revenue to the tech companies.
It's not feasible for every trusted source of knowledge to have their own radio station, so the sources utilize existing stations, and consumers have no choice but to tune into those stations.
It's perfectly feasible for every trusted source of knowledge to run a web server, and they actually do it, so it's sad that consumers don't connect directly to those servers and instead use middlemen.
I know we're not supposed to discuss downvotes, but there's a sibling comment that makes the point I wanted to make, but it's dead. It seems fine, and the user's history is filled with dead comments that mostly also seem fine.
Regardless, if anyone has a response to a bunch of websites being a worse security model than one giant platform, you can reply to me instead.
Also, if you look through their comment history, you can often find the comment(s) that got them shadow-banned. And if their ~recent comment history is good, with many vouched comments, you can ask dang to un-ban them.
> People are not looking for trusted sources of knowledge. They are looking for entertainment.
Which people? Whose people? This is not a statement of psychological truth. It may however describe a societal truth.
But it is not true that people in all countries want above all to be entertained. People struggle in undemocratic countries. Education makes democracy strong. It also breeds rebels.
Public discourse reflects education. A society conditions its citizens to think a certain way. The typical conditioning involves protecting the society. The flag, the anthem, the history, the current power structure and its wars.
It's sad to see journalism collapse in a democracy. It's sad and perhaps fatal for democracy if people have been conditioned to be infantile and their implanted desire for gratification has overwhelmed their thinking and speech.
What people trust is generally what fits their worldview which is increasingly reinforced by the filter bubbles provided by tech companies. The increasing polarisation and tribalism is made worse by the traditional network programming and now algorithms that present what the audience is comfortable to see and hear.
I like using DDG because it doesn't filter, but at the same time I hate wading through utter crap and being the filter.
Twitter for all its flaws is pretty good at giving everyone a voice so you can read something and then the criticisms without having to aggregate that from multiple sites.
How often do you need to be the filter? I’m genuinely curious because your experience is very different from my own, where I’ve been using DDG for years and I only notice poor results roughly 1 in 100 of the times, and then I’m just a quick “g! <search term>” away from slightly higher quality results.
Political news. G! does a better job of pushing smaller regional papers and more left/right leaning outlets and blogs down the rankings so the mainstream media gets more of a look in.
What prevents those trusted sources from being similarly hacked once they're now the main arbiters of important information? I'd even argue this may be more dangerous especially if tech and security are not their core focus.
I think radio is probably a better source than Twitter as a whole, however they did air (still air?) Coast to Coast AM for decades.
Though Art Bell said the show was "pure entertainment", anyone who tuned in without that context heard what sounded like a serious news talk program about aliens, crystal healing, reptilians, etc, etc.
There's a documentary I saw that explains that the hubbub around Welles' "War of the Worlds" broadcast was just to cover up the arrival of Red Lectroids.
Bingo. Information should always be confirmed with at least one other (hopefully) independent source. The more sources, the merrier. If there aren't independent sources then don't jump to conclusions.
That's partially because the sources formally seen as primary, at least in the US, have started to be viewed as biased and unreliable.
This is largely through their own actions. Examples are legion, but a recent one is the debacle at NYT over an op-ed. The news-consuming public was able to view the shenanigans of NYT reporters and staffers, which would formerly have been done behind the scenes.
Many eyes were opened, and I'm certain I wasn't the only one thinking "These are the people I'm supposed to be trusting for my news and analysis?"
>That's partially because the sources formally seen as primary...
Newspapers and news outlets aren't actually "primary source". If you read a quoted tweet from Obama in the New York Times, the NYT isn't the "primary source" - Obama is. The NYT is a secondary source that is quoting from primary source.
In that sense, Twitter is actually primary source, because Obama wrote the tweet. Well, except when Twitter is hacked, which is what makes this such a significant event.
(But I agree with your general comment, especially having been interviewed a few times and seen how most reporters work. There are a handful of good ones out there though.)
Or it could be the result of a decades long effort to attack credible authoritative institutions by forces that take a dim view of transparency and accountability.
Possible explanation. But I think it is more like someone took advantage of the situation after the news have been undermining their own credibility for decades.
It's also because these "credible" mainstream media sources started reporting non-credible information as factual. Much of this inaccurate information originates from Twitter.
If 200 people on Twitter are angry at politician X over something trivial, we are served a news headline of Person X accused of Y - Public calls for resignation.
An anonymous person on social media recently made a claim of sexual assault against Justin Bieber with no evidence whatsoever, and the media reports it as Justin Bieber accused of sexual assault. He was fortunate to immediately whip out numerous receipts countering the claims, but what if he couldn't? We would still be reading headlines about this baseless accusation.
I agree. I have been following the rule of not trusting any such significant news for 48 hours and sometimes even a week because often, news gets debunked or more info comes out.
But is that really new? Other than scale and reach (quantitative difference), how is that any different qualitatively from the old grapevine/gossip network? "My dad's co-worker's, girlfriend's uncle works at ... and said..."
That didn't get disseminated and diffused to tens of millions. If something was published they'd look for official sources or corroborating sources and/or secondary evidence. If AP, EFE, UPI, Kyodo, Interfax etc all get their news from one source [Twitter] that's just laziness.
“A lie can travel halfway around the world before the truth can get its boots on” has been a cliche for a hundred years. I don’t think internet social networks are a difference in kind, but they probably are a difference in degree.
Agreed but I said "apart from scale and reach". The point I was trying to make was that people have always found it fairly easy to believe non-credible sources. In this sense, social media is not qualitatively different. Only quantitatively different.
A large quantitative change is indistinguishable from a qualitative change: what's the difference between light rain and a flood, between some small waves and a tsunami?
What I meant, is that in the eyes/ears of those RECEIVING the information (and believing it uncritically), there's no difference. People have always had a predisposition to uncritically accepting information from those "in the tribe", whether that be extended family, or an internet echo chamber. Presumably this was a survival optimisation. Trust those "close", and distrust "others".
What you're saying makes some sense - a television broadcast, say, requires effort from a lot of people to produce - and, previously, expensive special equipment to broadcast, though now TV content is often streamed over the web - so it has a level of credibility, the TV news at least can't be spoofed by one person in their bedroom on the other side of the world. (Note that deepfakes may be changing this).
But the world we live in is full of "web services that let people post whatever they want at any time". News from Twitter may be weird but many people want to get their news from the BBC website, or the New York Times, or Reuters or whatever. Or their own government's websites. Just web services that people post from - presumably with levels of editing and checking but all presumably with security flaws that could bypass them.
It's not clear exactly what you're asking for. A technological solution involving careful checking of cryptographic signatures? Or some sort of super-expensive-to-spoof source of all important news?
This is unfair. You are talking about a nation of 330 million people.
But it is fair to say that there is no sane channel of information. The channels of public discourse in the US, once controlled by a few "loyal, patriotic" corporate owners fed by advertising revenue, are now channels controlled by unprincipled corporatism that supports a two-party system of untalented puppets.
While I am 10000% onboard with decentralizing communication, I am not sure if that would help in cases like this though. Back in 2013, only a single news outlet AP's twitter was hacked and had similar consequences. Decentralizing wouldn't have helped there I think.
Then you need to make sure people cannot under any circumstances be sloppy with securing private keys, since once they can, some important people will, and then such things happen again, and maybe they'll have actual consequences, people die, markets collapse, economies collapse, wars break out ...
And then? Doing damage control on a fake post by the CEO of Supercorp saying they're faltering financially, or whatever, when it has that green badge of crypto-authenticity, and you've spun your marketing in such a way to tell people "if that's there, it is 100% authentic, just look for that badge" ... that would be a nightmare. It's an issue with "verified" already, but cryptography is essentially magic; many in tech believe they get the nuances but don't really, and most outside of tech don't even begin to get the nuances. Would that damage people's trust in cryptography in general? Maybe?
After all, most people don't know, understand and/or care that their WhatsApp E2E is effectively broken for police and similar actors when they enable backups, because most people care about the details of these things about as much as I care about the exact things my hairdresser does to make my hair look good, which is pretty much not at all unless they want to use a chainsaw or something. If that were to be abused in a major way, that'd probably make big headlines.
I don't think that, at this point, cryptography is even generally helpful with fundamentally social problems like these, because it tends to be incredibly hard to build a product and UX around it that works for everyone and fails in a way that is somewhat understandable and actionable – the amount of work that HTTPS has required and still requires to mostly get there has been and still is huge.
It shouldn't be, but the bleeding edge of markets have always relied on having the latest data from anywhere that can indicate a shift and I don't expect it to change anytime soon.
Exactly. Twitter only succeeds because it's an authoritative source for who a tweet is from. It'll surely be questioned in the future since this is huge, but any other platform getting hacked like YouTube or Facebook would have similar consequences.
Nay, Sir, our brave corporations that regularly sell themselves out to low-cost labour markets will surely defend democracy here and around the world when we call upon them!
Remedy is painfully obvious: make an example of Twitter and pass laws that hold platform operators liable. That should fix all sorts of security problems.
Company X presents the public with communications of known public figure. Company X assures the public, via a blue checkmark, that said communications are from a "verified" account.
Shouldn't company X be liable if someone other than the known figure is making public statements?
It seems logical, fair, and a societal 'good thing', that company X should either let go of the pretense of "verified" communications, or get its act together, or pay the legal price.
So true. It's a toilet. A few months back I told myself no more, I resigned my account and haven't missed it at all. Massive time sink, and utterly pointless. It isn't a conversation, it's yelling at a brick wall, then yelling louder when you don't get an answer.
Because the conversation was about Americans taking Twitter too seriously, not Twitter's discourse being dominated by Americans. The relevant metric seems to be the percentage of each population using twitter.
Financial markets do. Where acting faster than your competition is essential you don't have a lot of choice.
As for the blackmail and war starting you probably couldn't do much with public tweets (nobody is going to go to war over a tweet without fact checking it) but access to private messages is an entirely different story.
Bismarck released his carefully worded readout in the evening of Thursday, 14 July 1870. Assuming the French were "making the bridge" for Bastille Day, they would have had one working day (Monday, 18 July 1870) to fact check, but I don't know if they took even that, because according to https://en.wikipedia.org/wiki/Causes_of_the_Franco-Prussian_... , on 19 July 1870 "Le Sourd, the French Chargé d'Affaires, delivered Napoleon [III]'s declaration of war at the Foreign Office" in Berlin.
https://scholar.dominican.edu/cgi/viewcontent.cgi?article=11... suggests the French were already mobilising on 14 July itself, and that while telegraph use may technically have been possible, US diplomats were still communicating by snail mail with State.
That emotion won over fact checking is supported by Ch. I p.3
> Washburne dismissed the accuracy of the Ems telegram because it had been challenged by King Wilhelm. "There is no truth in the reports concerning the indignity which the King of the North German Confederation offered to Benedetti, the Envoy of France." Washburne based this statement on a published denial by the King which he had read in Cologne while returning to Paris. Though he questioned the veracity of the Ems telegram, Washburne still credited it with arousing the French Chamber of Deputies to vote for war.
(the war vote was Friday, 15 July. It might be interesting to see if any French papers had carried Wilhelm's version of events.)
> As for the blackmail and war starting you probably couldn't do much with public tweets
Depends how tense the situation already was. A well-timed tweet could be enough to tip things over the edge if both sides were already on the edge, and I don't think we're too far away from that.
It would be interesting to know what percentage of journalists/news people are active on Twitter. I would expect them to be overrepresented given the amount of reports based on or citing tweets, but I don’t know.
Frankly the biggest problem with twitter is journalists taking it seriously and abjuring their actual jobs of explaining what's going on in the world in favor of low effort no-information bullshit like "person X said Y on twitter." Literally nobody else with a life and a day job does. It's the comments section they removed from their websites.
The "muh stock market" argument is stupid; there are punters who take it seriously, and obviously, it's a great vola signal for automated traders. So what? Rumors were propagated before twitter and will be propagated long after it goes the way of other useless companies like pets dot com.
People keep saying it could have started a war. Excuse me for being naive but come on—really? This is total sensationalism. What party wouldn’t verify something on twitter through diplomatic channels before going to war?
Wars start from smaller conflicts, which come about through escalation of smaller conflicts, lies, or misunderstandings. I think all that is necessary to start a war is a geopolitical event of sufficient severity to provoke a retaliation; once the first retaliation happens, there is high risk of further escalation.
So the question is whether a deception on Twitter could trigger a real-world event significant enough to provoke a retaliation. It might be hard to do that with a single message, but they had access to multiple accounts. These tweets were stupidly obvious scams. You could create a huge amount of panic with a series of posts from different influential accounts if they were designed to be believable.
Exactly! Nothing major could have come out of this.
If you disagree, please let me try to convince you;
Tweets were about bitcoin, therefore broad public was not the target of the attack.
Hence Twitter just prevented verified accounts from posting and deleted some messages. Had president's account been hijacked and threats of imminent nuclear strike etc. were thrown around, DoD would have been quick to contact Twitter and they would have disabled the whole account, put notifications about hijack for everyone to see (like these COVID notifications) or maybe even take the whole platform offline until they fix it.
You would click a link to go to the said tweet, but you'd only see president's account is not there, and there's a huge warning saying it has been hijacked, and devs are working to get it back. That's it.
Now please try to convince me otherwise, I'd love to be challenged on this.
> Tweets were about bitcoin, therefore broad public was not the target of the attack.
No. Bitcoin was used because it's the only way to get money without being tracked (hence why drug dealers and even hitmen use it).
The rest of your argument is all speculation. Nobody knows what would've happened, so you can't convince anyone you're right, just like no one can convince you you're wrong.
I will just say that with the current distrust of Russia/China and in recent years, the US becoming an "unreliable" ally for Europe, a few tweets from a President and perhaps some other senior members of Government could easily have started a disastrous series of events (if unlikely to cause war directly).
> and they would have disabled the whole account, put notifications about hijack for everyone to see (like these COVID notifications) or maybe even take the whole platform offline until they fix it.
This hack had been going on for over two hours, with new high-stakes accounts being steadily taken over (and possibly have their DMs siphoned) and their only action was to disable posting for verified accounts. I think we can safely say that IF Twitter had the possibility to effectively pull the plug, we would've seen that on Wednesday.
This hack simply proved that a lot bigger things are possible. They could have (maybe they did) read private messages which could simply be used for blackmail. A top defense official getting blackmailed is a pretty easy step to escalation to broken diplomacy.
A top defence official or the president private messaging someone could contain information able to break diplomatic relations. Obtaining information required to blackmail one could trigger a minor incident which escalates.
Get Trump's account, and tweet something like, "I've ordered a NUCLEAR STRIKE on China! The missiles are already in the air. The DEEP STATE is trying to take me out. They will try to silence me and delete these tweets and use deep fakes to say this was a hoax! The storm is here, Q is real, it's time to take up arms and kill democrats."
Then continue tweeting escalating things over the next half hour (since apparently the hackers couldn't be stopped for a while).
Not to mention hijacking other accounts that would plausibly say things along the same lines as "proof" that the statement is real.
Even after dozens of high profile accounts were hacked many were still commenting that they didn't think it was possible for it to be a twitter vulnerability, but rather individual accounts being compromised or a 3rd party. If you only tweeted plausible things about war and corroborated it from multiple accounts at the same time you can reinforce things pretty easily.
Considering that they got Obama's account as well, you could very well create a narrative and counter narrative using the POTUS and ex-POTUS accounts. For the sake of fiction, you could have Obama tweet that he is, indeed, taking over, and arresting Trump. Maybe not war, but it could exacerbate the lack of trust across political divides.
What could be dangerous about it is that CNNFOX et al would copy-paste the story without fact checking, inflate it, and make as much money from it as they can.
In SF author Neal Stephenson's latest book, Fall; or, Dodge in Hell there is a hoax to convince people that Moab, Utah has been destroyed by a nuclear weapon. A cyberattack takes the city's communications offline, paid actors describe seeing the flash and mushroom cloud from passenger planes, etc.
Twenty years later, a substantial part of American society is still insisting Moab really was nuked, drives around with "Remember Moab" bumper stickers, and considers the purported continued existence of Moab to be something like a Deep State plot.
>By August 14, the recording of Reagan's joke had become world news. On August 15, someone who the National Security Agency described to US Representative Michael D. Barnes as "a wayward operator in the Soviet Far Eastern command" sent a coded message from Vladivostok that said, in part, "We now embark on military action against the U.S. forces." Japanese and US intelligence decoded the message and raised the alert state in that part of the world; Soviet naval vessels in the North Pacific, on the other hand, contacted Vladivostok in confusion. The US never saw any evidence of Soviet attack preparations, and the alert status as promulgated by Vladivostok was canceled within 30 minutes.[3]
>Initially, on August 13, the deputy minister of Soviet foreign affairs (Valentin Kamenev) told reporters, "I have nothing to say."[5] By the next day, though, President Reagan's leaked comments were denounced by the Soviet government, Pravda, Izvestia, and TASS as "unprecedentedly hostile," as evidence of the United States' insincerity at trying to improve Soviet Union–United States relations, and as abuse of the office of the president. "Western diplomats" described the Soviet response as over-the-top, suggesting it was an effort to give themselves more collateral at the negotiating table with the US.[7] US officials were compelled to mollify the Soviet Union and assure the United States' Cold War adversary that "Reagan’s offhand remark did not reflect White House policies or U.S. military intentions."[8]
As dumb as Reagan was it was so out of character for him to say that that people clued in to it being a joke. In Trump's case it is not so far out that it might be believed.
Conspiracy nuts don't need much to set them off, see 'pizzagate'.
And then you need people to read that nonsense. You need a Twitter account to be able to read that.
Only few people have Twitter accounts, it's a walled garden. Almost nobody cares what people shout in 140 chars, and likewise nobody cares about people streaming video on Twitch or YouTube in 20 min, what could be written publicly and read in 10 seconds.
Well let’s see...since all countries with ICBMs also have technology in place to detect or verify via satellite a nuclear launch, absolutely nothing would happen. If a real launch had taken place, they would have known about it far before they heard about a post on Twitter. The alarmism here on HN is really disappointing. This is the kind of foolishness usually reserved for Reddit.
The intended audience of such tweets wouldn’t be Russia or China, it would be the conspiracy-minded wingnuts who might take that as their sign. Who knows what they might try. At the very least it would fuel further social division.
With tensions already high and military maneuvers being held close to each other ... such a twitter comment for sure would have had an effect.
No one would have pushed any red button because of that, but fighter jets on both sides would have been put on alarm and in the air and close to each other (as well as submarines, warships, tanks on the border...), with a high chance of clashes. Which could have increased the escalation to the point that someone would feel forced to push the red button.
I think brainstorming about combinations of variables that could plausibly lead to a black swan event is worthwhile, and an excellent application for the collective mental processing powers of HN. I would advocate for a new kind of discussion class for threads, to focus on discrete perspectives and goals, risk being one of the most important kinds. Smart casual conversation is excellent, but there are other types that are also excellent, but in a different way.
I think plenty could have happened. Compare with the false nuclear attack alarm in Hawaii the other year. Panic can cause all kinds of unforeseeable consequences.
Right, but I think the point is that panic is the only real danger this hack could've caused. That's important in its own right, but hacking twitter is not going to cause nuclear war. DoD has a ... tentative relationship with social media. They are not making strategic deployment decisions based off of tweets (thank God).
> since all countries with ICBMs also have technology in place to detect or verify via satellite a nuclear launch
It's lucky that those kinds of things never go wron...
"On 26 September 1983, the nuclear early-warning system of the Soviet Union reported the launch of multiple intercontinental ballistic missiles from bases in the United States."
Indeed! Where do people think USD 2tn/year for global military go? Weapons, yes, but also military intelligence, missile detecting and defense systems, radars, sonars, spy satellites, communication efficiency and disaster prevention.
Military is not _exactly_ ran-out-of-diazepam Dave with his hunting rifle and tinfoil hat.
Nothing would happen from this. China and others might raise their alarm, but nobody would raise their own weapons without proof for something really happening outside of twitter.
In the meanwhile Trump would appear after some minutes on TV, youtube, and whatever other channel they have around, proving that he is not sending the tweets, while twitter would do their stuff.
You are an optimist. We only need one mistake for things to get out of control. The history of known close calls is eye opening[1]. Similarly with this particular China example, it only takes one person to make a miscalculation.
I'm a realist. This list proves that people are not as stupid as alarmists make them. At the end of the line, there are always people asking the relevant questions, because it's their f*ing job to do that.
War is perhaps an exaggeration, but if it's wrong it's wrong quantitatively, not qualitatively. In other words, lives unquestionably hung in the balance.
I don't even have a twitter, facebook, instagram, or... anything i think. just you people : )
“Unquestionably” you’ve got to at least give an example. How did lives hang in the balance? I’m not saying the likelihood is 0, it’s best not to be irresponsible like this obviously, but come on, it’s not even 0.5.
i will not. affected persons included Biden, Kanye, Obama, Musk, Bezos, Gates and others. this is an audience in the 100's of millions (if not over a billion, i didn't count). do you honestly think there's no possible tweet that directly leads to someone's death, and likely many deaths?
i'm not sure an outright war is > 50% possible, but i am sure it is > 0.0%
A war from hacked Tweets? What would these tweets say? “Premier Xi’s wife is ugly?” I mean Trump already tweets totally insane things regularly. “Rocket man” etc. What could Joe Biden, Bill Gates or anyone possibly say on Twitter to start a war or even lead to some such mass death incident. Even “irresponsible” state actors like Iran would use intelligence channels to confirm things. Even the Taliban doesn’t actually act irrationally. Maybe we need to agree to disagree here?
This is ridiculous, there is ample room for criticism against Trump. This wouldn't fit at all. I guess you can blame him on Turkey's reaction in Syria, his staunch anti-Iranian policies that made talks more difficult. But the criticism of him starting random wars comes from an emotional corner beyond reality in my opinion.
He's just seen (at least by the ROTW) as very unstable and prone to lashing out. He might not order a war but his inability to govern with rationality and diplomacy does give credence to the side effect of relations worsening to the point of armed conflict.
It's ironic that our kids in the future reading wikipedia there will be a table of numbers killed overseas by US presidents. Trump will be listed as one of the most peaceful in that table.
It's ironic because his image today is of violence and instability and that the opponents of him don't consider violence overseas or international peace as that important.
It's things happening at home which counts politically in a present time.
Trump will kill less than Obama but Obama gets the Nobel Peace Prize.
I looked it up and from what I could tell, drone strikes are actually up under Trump. I thought they were down, but looks like they're just not being reported as much.
A president can’t just “start a war”, much less order air strikes. Dozens of people are involved. Donald Trump yells and hollers all the time and people send Jared to calm him down. There have already been documented instances of this in the Trump admin, and it wasn’t over tweets.
Whether the military would actually carry out those orders when no one else has ICBMs in the air is debatable, but the president's defined role as the commander-in-chief and the sole arbiter of when to open the gates of hell on earth is not.
> Whether the military would actually carry out those orders when no one else has ICBMs in the air is debatable
It's not merely debatable, it's highly debatable. People aren't just going to launch nuclear weapons willy nilly, no matter who the president is, much less for Donald J. Trump, who few people in his administration take seriously.
Trump couldn't even get Mark Esper to deploy troops domestically. Now imagine the hurdles he'd face trying to deploy troops to another country.
He ordered it, and it was executed methodically with over a year of preparation. Everyone was on board, or at least enough people were convinced.
On the contrary, take what happened when Trump wanted to bomb Syria, and people basically didn't let him. Presidents, especially weak, un-respected ones like Trump, can't just do things like that.
Then there's reality. And in reality, not many people respect Trump and are willing to follow his orders. This happens constantly in the news. His own cabinet members openly work against him all the time.
Most recently consider how Mark Esper publicly rejected using the Insurrection Act, right over top of Trump.
Now you could say—what if we had some other president? Well, the same social rules would apply to that person as well. Even if they were incredibly charismatic and well-liked and respected, they'd need to clear many social and political hurdles before the airplanes took off.
The president is the commander in chief. In the armed forces following the chain of command is kind of a big deal and there are severe consequences for ignoring a direct moral order from a higher ranked officer.
To me, this means that too much trust is placed in social media, rather than we need to police/secure social media more. Social engineering will always be successful to hack into accounts, and hackers are always 1-step ahead of whatever security measures are in place. It is the trust that our society has placed in social media for news/announcements/politics that is the issue.
That market value was recovered in 5 minutes. It sucks for anyone with stop orders, or anyone who got a margin call; but to say it could start wars is really not giving any credit to the humans in the loop.
Given that Donald Trump basically does policy-making in the open on Twitter these days and foreign countries now treat his account that way, there's an argument to be made that a false tweet on his account could at least push us in the direction of a war.
Thankfully, his account is under special 'lock and key' protection, so a regular CS rep can't hijack it.
I believe they are referring to the fact that they could have theoretically tweeted the wrong thing from the wrong account that could have caused a war. It isn't extremely likely but not comically unrealistic. Definitely within the realm of possibility.
How do you envision that happening? I mean the actual chain of events. A tweet is seen and some general launches all ICBMs? They pour their country’s military might into a war because of a tweet that is known to be fake within 3 minutes? No, it is not within the realm of possibility.
Imagine that this tool could give the attackers access to several primary sources (realdonaldtrump, POTUS, whitehouse) along with a couple news outlets such as Fox News. It would be possible to quickly stir up social unrest and start a lot of local skirmishes that'd take some time to deal with.
And, with conspiracy theorists, imagine the consequences of Trump's account tweeting a distress message that he was attacked and replaced by a clone controlled by QAnon.
In the aggregate sense, it eventually netted out. But a lot of people who sold when it looked like prices were collapsing sure got a pretty decent chunk of their bank accounts "erased".
For a market to move, people need to buy and sell. So while value might not be erased on a global scale if the market recovers to the original position, lots of people will lose (and gain) large amounts of money.
I don't know about many. I don't know of any retail investors that do, and if I did I would have guessed that they'd be buying when prices drop, not selling.
Parent did say “sell / buy” (perhaps they ninja edited). A limit buy order is a basic tool of retail investors (like me :) ) and may have been what parent was thinking of. That said, I don’t agree with parent or great grandparent that the destructive impact is large.
What you call value is really speculations. There is really no association between the value generated by corporations and what the traders think they'll make off trading its stock.
I really think that world leaders' twitter accounts should be on completely separate systems from the twitter world. Like a twitter.gov service. It should be insanely locked down, and twitter employees don't have access to it unless they are certified and thoroughly trained. It's just become that important to the stock market and world policy.
They should realize that being too vigilant has its own downsides. Autosell is no magic. It fails to see into the future, it might as well go up the second the shares are sold. Tough luck...
To be honest, I think that would indicate a dysfunction of equity markets, not necessarily a problem of Twitter. I would like Twitter to be not that important. For politics and other topics.
> This twitter hack could have literally destroyed economies, started a war [...etc.]
Woah, slow your roll man, it takes a lot to start a war. And temporary glitches in the market are just that-- temporary glitches. If someone loses their shirt over that they deserve it.
It's not hackers which are the true danger, "legit" people abusing media (whatever it may be) are the threat, a good example would be the Stable Genius.
I don't want to be glib about this, but I will say that it takes a lot to stop a war once it starts, but starting it.. humans have not been known to be most rational actors[1].
The only people who lost money during the bid dry-up during that uncertainty were the people greedy enough to sell. I have no sympathy for people who try to time the market on bad news. Fake headlines are part of the bargain.
To be clear, that value wasn’t erased. The market makers just lowered their willing bid during the uncertainty.
This. It almost seems like a proof of concept for someone selling services to a bigger player, using the Bitcoin angle as a smokescreen.
Something like this right before the election or after could wreak havoc if targeted to the right accounts. I imagine certain state sponsors would pay handsomely for that.
That was my thought as well. A big stunt to show they can take over some of the largest names on Twitter/world as a proof of concept. Think of what they can do if they fan this out at scale to millions of normal accounts.
One way to look at this problem is to ask "how to secure Twitter". Another way to look at this problem is to ask whether people should trust Twitter as an official source of information.
I think there is a big organisational difference between the AP and Twitter, but that's just me. Twitter does not employ journalists. Twitter is not the press.
People who have been interviewed by journalists know they regularly get things wrong, like a game of Telephone Whispers. Journalists are not experts in the topic and get things wrong even when they don't mean to - it might be as simple as mishearing the interviewed person, or rounding up a number that they shouldn't. Sometimes it's far more egregious.
At least when Twitter is secure, you see the exact words that were typed, and not through the filter of a reporter who may have misread.
I've personally been misquoted in media interviews. Not a major thing, but I could now use that newspaper article to claim I've done more than I really have, because hey, the newspapers said I did! It must be true!
(I didn't downvote you though, I think the downvotes are unfair.)
Or maybe it could be seen as a helpful reminder for idiots to not act based on a single source. If some guy on the stock market sells millions of dollars' worth of stock based on a single Tweet, they deserve the consequences.
Or used a more believable scam? They took over coinbase’s Twitter. They could have announced some new trading system and to reserve your spot in the line for the beta deposit $100 worth of bitcoin to this address.
This would potentially add a lot of friction for those users, but maybe that is a fine thing.
Unless we hear more details, it sounds like this attack was able to get around the 2fa for the authentication, so it seems likely they could get around it for posting. Not sure how much would be added with this 2nd level 2fa.
Well, it was just a Bitcoin scam... it had the potential to be huge like the AP hack but the hackers didn't use the exploit to its full potential. Why, I have no idea. Imagine if a raft of prominent blue ticked accounts started tweeting about a disaster. The market would have tanked.
Agreed. This was most likely a "shot across the bow" by a state actor. I have no proof of this. But its highly public nature would seem to argue against a black-hat commercial interest (e.g. proof of potential to a possible buyer) as it would/will draw too much scrutiny. Also, the crystal clear implication that the damage done could have been far worse, would seem to indicate someone was sending a message. From whom and to whom can only be the subject of speculation, but again, whoever did this must have known that it would be interpreted as an attack from China to the USA. So either they didn't care because making that obvious was the whole point (ergo, attacker probably China), or the misdirection was the whole point (ergo, attacker probably a power that would stand to benefit from increased tension between USA and China).
>Agreed. This was most likely a "shot across the bow" by a state actor.
The hack would have been a powerful weapon if used in a more strategic way. A "shot across the bow" as a tactic is useless when the weapon can only be used a single time and never again. The code will be patched now.
>Also, the crystal clear implication that the damage done could have been far worse, would seem to indicate someone was sending a message.
That's hindsight knowledge. To me it looks more like an un-sophisticated actor that stumbled over a critical vulnerability and had to use it haphazardly before it somehow becomes obsolete with a code update.
>From whom and to whom can only be the subject of speculation, but again, whoever did this must have known that it would be interpreted as an attack from China to the USA. So either they didn't care because making that obvious was the whole point (ergo, attacker probably China), or the misdirection was the whole point (ergo, attacker probably a power that would stand to benefit from increased tension between USA and China).
Actually I don't see much speculation that China is behind the hack other than from the people who are quick to blame China anyway. The sloppy execution actually speaks against a nation-state actor. The loss of trust in Twitter only plays into Trump's hand regarding his personal feud with the platform.
> Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.
My understanding is the hackers used the admin panel to change the email addresses of the accounts, which means they could reset passwords and perform full account takeover [what about 2fa?]. That means they could login as the user, and so it means they could read the user's direct messages. (Ironically, Twitter's solution of disabling posts from blue checkmarks would not have stopped exfiltration of direct messages while an account was compromised.)
>> Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.
It is not as much money as pundits probably think it is worth. And also, trying to negotiate a blackmail is time consuming and opens the risk of being caught especially if it is a high profile target, with no guarantee of being paid. Do you really think someone like Elon Musk will pay a bitcoin ransom assuming there is anything incriminating? Paying off a blackmailer is an admission of guilt and does no good if the info is released anyway.
It also depends on how sophisticated the thief was. Did he have everything automated to dump anything and everything from the inboxes while automating the posting of the spam tweets, or was he frantically doing all his postings by hand before twitter could shut it down? If the thief is not sophisticated his main priority would probably be making as much money as possible with the posts and ignore the private messages.
They grossly overestimated their leverage in that story though.
Anything illegal might've been actually good for blackmail purposes, but dick pics? As if someone would actually look for that or even take a business decision based on that.
Indeed, it's a powerful weapon against anyone who depends on general public popularity for their power (for example many/most elected officials). This is in fact one of the things that is highly investigated for getting TS/SCI US government clearance. They don't want to employ anyone who possibly has dirt against them in the open.
For a public official I can see why it would give them some leverage, but Jeff Bezos/Elon Musk/any rich dude doesn't really have to care. Did the "fappening" damage anyone's career?
> Do you really think someone like Elon Musk will pay a bitcoin ransom assuming there is anything incriminating?
Maybe? I mean I certainly don't dismiss the idea out of hand. The one strong counter-argument I can think of is that very few things would actually embarrass Musk at this point.
The thief did not appear to be too sophisticated. Obviously sophisticated enough to pull off the twitter hack, but we don't really know how much sophistication that required just yet (the exploit may have been trivial). But, they didn't disseminate this message anywhere other than twitter? That seems very shortsighted.
They used different approaches on different twitter accounts, some suggested a coin return, others suggested a charitable donation match, etc. But, they all used the same bitcoin address. If they were sophisticated, they would have used a different bitcoin address for each to evaluate the more profitable messages for a future scam.
My guess was frantic copy pasta. Since the reset password emails went to both him and the OG twitter user. Plus wouldn’t you need an API key per user and set that all up? I think that takes more time than spamming a tweet.
You don't need APIs if you just use the web interface. Headless chrome would be a seriously easy way to automate this without having to mess with API keys.
True. Considering the level of access the hackers have gained, a case can be made that the attackers themselves fabricated the content in these user accounts.
If you're already logged in to a Twitter account you can deactivate 2FA by disabling the account (aka deleting with a 30 day window) and then re-enabling the account.
Yup. The interesting thing is that this 2FA exploit was posted to hacker news two days before the twitter hack. It's possible someone seized the opportunity before it was fixed.
My apologies, perhaps my memory was failing me. I can't find what I was thinking of and may have been incorrectly remembering this as twitter instead of google: https://news.ycombinator.com/item?id=23792767
> Ironically, Twitter's solution of disabling posts from blue checkmarks would not have stopped exfiltration of direct messages while an account was compromised.
Sure helps keep down on the public effect though... feels mostly like a PR move.
Yep or else none of this could happen. I work at a company that we need at least two methods to authenticate you to remove MFA through the admin console so this wouldn’t have happened.
Is this a part of your company’s product or internal tooling, or is this 2FA part of a software you use? If it’s the latter, please give a recommendation if it’s good!
I'm curious about this, too. I have to believe, though, that if some bumbling sim swappers were able to get in, then it doesn't require a leap to assume sophisticated state-level actors have similar access. Granted this attack leaves a swath of evidence, but with access to internal tooling, it really is just a factor of how much information is accessible via those tools (and others like them).
I'm sure it's been said before, but I just continue to be surprised that the admin panel used to carry out this attack wasn't locked behind a VPN.
I've worked for multiple fully-remote companies that were easily able to protect tools like this from the outside world.
The company I currently work for (fully remote) has tons of internal services that our engineers (who we trust) can access as needed in order to debug problems and help our clients. None of it is accessible from the Internet.
Internal networks only accessible via VPN is considered an anti-pattern now in terms of security. It puts authorization firmly on the VPN. If the account with VPN access is compromised, then the attacker has full access to these sensitive systems.
This hack probably underscores the importance of zero trust. Although if the system is compromised from within (like this hack is) then there is not much you can do.
I would be curious as to who is citing that using a vpn is some "anti-pattern", to what? Not protecting your network accessible assets?
If you have the means, certainly use a corporate/smb/personal vpn. It is one layer in a multitude of layers you should be using to protect your network.
It's not as if once you achieve vpn access you have no other authz gates to internal applications. It's a "great filter" to help narrow the possible avenues of attack and it works. If your inner layer of authz fails it's not the vpn's fault.
What's your alternative? Just make every application and network endpoint publicly accessible on the internet?
Yes, basically you should consider all networks untrusted including your internal network. You can still have a VPN but it shouldn't be the thing that protects the services inside your corp net because if it is then any breach means the intruder gets access to all your stuff.
This thread is a bit confusing to me. Have we moved past layered security for some reason?
The purpose of a VPN was never supposed to be the authentication layer to internal services. It's just a layer of security that makes it more difficult to carry out some types of attacks; thus increasing security defenses of an organization. Assuming that it has been breached is good practice, but doesn't mean that there's no point to it.... Unless layered security has been overturned?
The issue is that, for any company without thousands of employees (heck, probably even some of these are guilty), the VPN is often the only barrier to the entire network. The BeyondCorp model makes you explicitly specify "John can access support.corp.com but not admin.corp.com", while setting up these explicit checks is the exception for VPN-based access, not the norm (and sometimes it isn't even done right - eg. relying on DNS filtering).
> The issue is that, for any company without thousands of employees (heck, probably even some of these are guilty), the VPN is often the only barrier to the entire network.
Sorry, but what? I've worked in multiple small companies where we were less than 5 system administrators and inside the vpn we had encrypted traffic and ldap auth on everything. It's a few days job for a single person to set everything up this way with open source tools that are extremely well known and documented.
For real, no wonder security is such a crap fest, when we have people repeating this BS that "VPN is an antipattern"
I'm all for debate but some things are close and shut. Yes, don't trust your user just because they are in the internal network, but no, that doesn't mean everything has to be visible from the outside.
If the "layers" of your security use the same factors, are they really layers or are they simply a time sink for your permitted users, and another thing to break?
My visceral reaction was "you got to have a VPN" as well but the more I thought about it the more I was convinced you don't _need_ a VPN.
Effectively are you saying: if I hacked your account I hacked your VPN username/password too? It's still an extra step that might trigger some sketchy senses of some people.
Not sure if it still doesn't work effectively for that.
Or if your threat model accounts for the prevalence of stolen credentials and end-point compromise vs. the vulnerability of your exposed application attack surface.
> Have we moved past layered security for some reason?
Yes, yes we (more accurately "they") did. I don't know which schmuck with a blog came up with this idea that VPN is a thing of the past and a lot of people followed suit.
I bet there are IT shops out there that rely solely on VPN and the schmuck worked there, but that's like seeing somebody not lock their door and concluding doors are bad model for security and we should get rid of them.
Oh come on. Competent companies regard their internal networks untrusted with or without a vpn access solution. If you're an incompetent company then there is no argument for a vpn vs no vpn because you're incompetent, and will eventually succumb to the horrors of your insecurities regardless if your applications and network endpoints are directly exposed to the internet or behind a vpn solution.
Your beyondcorp link has nothing to do with a well implemented vpn solution + standard access controls to network endpoints like the link suggests. You're clearly supporting a false dichotomy in which having a well constructed vpn solution is "wrong" and does not add to your overall security posture. Shenanigans.
VPN or not you still need to authorize/authenticate your network endpoints. But hey, you don't want a vpn so give me a list of your internet accessible ssh hosts and we'll see how well your "zero trust" gets you if you can't keep up with best practices. Good luck!
That’s a shockingly dumb approach in the context of security today where zero days have to be included in your threat model. A VPN should be requisite to even get network connectivity to such critical services. Then on top of that, you should still have to auth to access them.
Does it though? Using a VPN for access to internal infrastructure doesn't mean said internal infrastructure is insecure or authless itself. As in, defense in layers.
Exactly, assume zero trust but VPN with MFA provides another layer of security. Given the weekly volume of package vulns Github notifies me about I don't want to miss a 0day and get scanned. Perimeterless is fine if you're only using SaaS or you have an army of SecOps, but I don't want an internal app rumbled.
Nobody is saying VPN is a replacement. Users should still have to authenticate against an IDP once they're inside the perimeter. VPN + MFA protects apps from drive-by attacks while they're waiting to be patched.
Yes, in a perfect world everyone would have an army of SecOps ninjas pentesting and patching all systems 24/7, but this is the Real World™
The rhetoric of this statement is far more of an "anti-pattern" than VPN will ever be. If VPN is your only line of defense, then it's not secure at all - not because of VPN, but because of poor security practices in general.
VPN and IP restrictions in general is a very good tool to limit the attack surface. That does not mean that Karen from accounting should be able to log into the production environment servers.
Exactly. We have application level authentication on top of various network level security policies. Karen from accounting can't even see servers that she doesn't need, and anything she does need has additional authentication requirements. Even if someone mistakenly gave her access to something at one of these layers, she would need that same mistake at multiple layers to actually get in.
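The layering argued over in this part of the thread (explicit per-service grants such as "John can access support.corp.com but not admin.corp.com", and a mistake having to repeat at several layers before it grants access), as an added example that is not code from any commenter or from Twitter's tooling. The user names, VPN routes, grants and the 10.8.0.0/16 range are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

VPN_RANGE = ip_network("10.8.0.0/16")  # constructed VPN address pool


@dataclass(frozen=True)
class Request:
    user: str
    service: str
    source_ip: str
    password_ok: bool
    mfa_ok: bool


@dataclass
class Policy:
    vpn_routes: dict   # layer 1: services each user's VPN profile can reach
    app_grants: dict   # layer 3: explicit per-service grants in the application
    trust_network: bool = False  # True = "on the VPN" is treated as sufficient


def failed_layers(req: Request, policy: Policy) -> list:
    """Return the name of every layer that rejects the request."""
    failures = []
    if ip_address(req.source_ip) not in VPN_RANGE:
        failures.append("network: not on VPN")
    elif (not policy.trust_network
          and req.service not in policy.vpn_routes.get(req.user, set())):
        failures.append("network: no route to service")
    if policy.trust_network:
        return failures  # flat model: nothing is checked past the perimeter
    if not (req.password_ok and req.mfa_ok):
        failures.append("authn: password and MFA required")
    if req.user not in policy.app_grants.get(req.service, set()):
        failures.append("authz: no grant for service")
    return failures


def allowed(req: Request, policy: Policy) -> bool:
    return not failed_layers(req, policy)


# Layered policy: network reachability, MFA and per-service grants all apply.
LAYERED = Policy(
    vpn_routes={
        "john": {"support.corp.com"},
        "karen": {"support.corp.com"},
        "alice": {"support.corp.com", "admin.corp.com"},
    },
    app_grants={
        "support.corp.com": {"john", "karen", "alice"},
        "admin.corp.com": {"alice"},
    },
)

# Same policy with one mistake: karen wrongly granted admin at the app layer.
MISCONFIGURED = replace(
    LAYERED,
    app_grants={**LAYERED.app_grants, "admin.corp.com": {"alice", "karen"}},
)

# Flat policy: the VPN is the only barrier to everything behind it.
FLAT = Policy(vpn_routes={}, app_grants={}, trust_network=True)

if __name__ == "__main__":
    cases = [
        ("john -> support", Request("john", "support.corp.com", "10.8.3.7", True, True), LAYERED),
        ("john -> admin", Request("john", "admin.corp.com", "10.8.3.7", True, True), LAYERED),
        ("karen -> admin, one-layer mistake", Request("karen", "admin.corp.com", "10.8.4.9", True, True), MISCONFIGURED),
        ("stolen password, no MFA, layered", Request("alice", "admin.corp.com", "10.8.5.1", True, False), LAYERED),
        ("stolen password, no MFA, flat", Request("alice", "admin.corp.com", "10.8.5.1", True, False), FLAT),
        ("valid creds, off VPN", Request("alice", "admin.corp.com", "203.0.113.50", True, True), LAYERED),
    ]
    for label, req, policy in cases:
        failures = failed_layers(req, policy)
        print(f"{label}: {'ALLOW' if not failures else 'DENY ' + '; '.join(failures)}")
```
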
> Internal networks only accessible via VPN is considered an anti-pattern now in terms of security. It puts authorization firmly on the VPN.
How do you jump from "VPN is not authorization" to "VPN is an anti-pattern"? It's at a completely different layer than authorization ffs! You don't give up on seat-belts because they don't stop bullets coming through the windshield.
Who says it's an antipattern? VPN Authentication is additional to authentication on internal systems. VPN is a requirement in most security frameworks like NIST.
> Internal networks only accessible via VPN is considered an anti-pattern now in terms of security.
I could be wrong, but I think they mean that access to the internal site should have been behind VPN (whether at the IP network level or via an HTTP proxy) even when accessed over the internal network. That is, the internal network should not be trusted any more than the network at the cafe down the street.
Using VPN as a layer of security is basically like 2FA, where the second factor are credentials to enter the VPN. Wouldn't it be easier to just have any other additional factor, like a physical security key, or some (additional) authenticator mobile app?
Entering a VPN is usually multi factor by default, because you need both a certificate and a login. Also, there's often a token as a third factor. So you're adding many more levels of security that way.
This could be even some malicious browser extension running on one highly privileged employee computer.
Security is arms race and tradeoffs game, even computers never connected to the Internet are at risk (see Stuxnet story)
Web authentication technology (eg U2F) is much more advanced and safe than VPN authentication technology (key files or strings sitting unencrypted on disk).
Additionally, TLS1.3 is better than most VPNs from a cryptographic standpoint.
Social media was praised so much for its contribution to conflicts outside western world, like middle east and North Africa. In the beginning of Syrian civil war for example; Twitter was the place where propaganda was streamed and extremists from all over the world would leave homes to join other extremists beheading heads somewhere.
Now, we see the potential of social media to be a tool for coordinated attacks against the western world. Just imagine this attack during the protests last month in the same narrative that started civil wars in other parts of the world. When tens of people start shooting and killing each other, nobody would discuss what triggered the chain of events.
This is a simple test that reveals how fragile is society in contrast to how much attention they pay to Twitter. The worst, the value we get from social media is also unclear. Low quality, unreliable bits of information turned millions to pigeons jumping from there to there and those who own the seeds can control the mass.
The less conspiratorial take on this is that social media simply exacerbates and foments conflict, period. Maybe some of these involved significant coordinated propaganda efforts, but I doubt they all did. The mistake the western world made was thinking that this social media generated conflict was a result of some coherent "positive" motivation, when perhaps it was simply blind social media outrage that coincided with revolutions in places we thought were bad somehow.
It exacerbated it first in the middle east, maybe because those societies were close to conflict to start with, but the western world doesn't seem that far behind.
I found it very interesting how Facebook et al got so much flak right after the 2016 U.S. presidential election. It was as if the DoD finally realized their little weapon could be turned against them and took action to reassert dominance.
I don’t really think he should be naming who his unnamed sources “think” is behind an attack on this scale, especially with full name, city of origin, Instagram, suggested current location, age, etc. It feels a very, very small step away from doxxing to me.
Added to which he has somebody in the comments essentially calling for the death penalty over this. If he has this personal information and evidence, pass it to the relevant authorities and don’t sensationalise it on a blog. Technical details fine, but people’s personal information feels like it’s crossing a line on something like this.
I was personally unaware of these stories, and am slightly disgusted by the fact that I used to think Krebs was a fairly stand-up guy.
Doxxing someone because of a bad book review? I guess I shouldn't be surprised he's now doxxing someone based on a loose thread with no evidence.
I would have thought someone who has been swatted before would realize the dangers of releasing someone's personal address to outrage-hungry vigilantes.
He also doxxed a guy who registered a bunch of domains defensively. He didn't even really apologize, just updated the story a few days later. [1] I called it out here prior to the update. [2]
> Researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual or organization.
It's not one step away from doxxing at all -- in this case Lucky225 is not an unnamed source, that is actually his real legal name per his twitter [1] and the FCC database entry for his ham radio license (not linking that)
Well, I think they meant doxxing Joe, but also seems to be doxxing Lucky225 as you noted.
Once you look at Lucky225's Ham then you get an address. Of course, what is somewhat interesting is their listed address actually is located at Colorado's Division of Central Services building, which very interestingly is a way to obtain a confidential mail forwarding address. It says it is only to be used by victims of stalking/violence/harassment but who knows how well that is enforced: https://www.colorado.gov/pacific/dcs/acp-faq
Either way, I think SexyCyborg (well-known Maker) is quite right to call out HAM license as a vector for getting doxxed.
I lost a lot of respect for krebs a while ago when he doxxed a minor. I haven't followed him much since, so I don't know how repeatedly he has offended, but this doesn't surprise me.
100% right. Krebs is useful but an attention whore and an asshole to boot. He couldn't resist the temptation. All he should have done is share his findings with investigators but hey: clicks and the mortgage > ethics.
> Added to which he has somebody in the comments essentially calling for the death penalty over this
Don't feed the trolls. If anything we've seen a lot of praise for this person. That has probably been the most responsible hack when you think about it.
On the off-chance that you're serious - doxxing someone who is suspected to be linked to a crime is staggeringly irresponsible, because you are then effectively convicting them in the court of public opinion. If they are innocent, but you have not only levelled accusations at them, but provided ways to access them, then you are partially responsible for what others choose to do with that information.
And by the way, even if the suspect is guilty, he/she might be a small cog in a much bigger engine, and by doxxing him/her the minds behind the fraud would be alerted then enter lowest profile mode, shutting everything down and making them extremely difficult to capture.
Doxxing can be a good thing only when authorities can't be trusted, which is the case for example of police violence and racism, where they're clearly protected by a corrupt system; in this case making their actions public becomes a public service. But in the above and other similar cases, think twice before publishing information that could undermine an investigation, even though they're properly checked and accurate.
Three examples from the front page of the NY post right now.
I am having a hard time figuring out how to distinguish this and the OP doxxing. The organization's fact-checking process? Solidness of the evidence?
> Allegations were made against longtime radio broadcaster Larry Michael (retired Wednesday), director of pro personnel Alex Santos (fired last week), assistant director of pro personnel Richard Mann II (fired last week), former COO Mitch Gershman (left in 2015) and former president of business operations Dennis Greene (left in 2018).
> Chanice Reyes, 24, was busted around 5 a.m. Thursday, sources said, when cops investigated a strong smell of marijuana coming from a car near City Hall, where anti-police activists have been gathering in recent weeks.
> Tory Lanez, whose real name is Daystar Peterson, was the person who allegedly shot Megan Thee Stallion following a dispute inside his vehicle Sunday morning, Page Six has learned.
There isn't a difference. Newspapers seem to dox people with impunity. It doesn't make it right, nor desirable, nor an excuse for others to follow suit.
The number of lives ruined by false allegations that have been amplified through press/journalists is disgusting.
It is in the United States. In other countries until conviction only initials are used. This to avoid ruining people's lives (or even endangering them) in case an allegation turns out not to be true.
One difference is that these people are being accused by civil authorities --not some "rando" who moonlights as cyberpolice. He's not acting in an official capacity and doesn't have the imprimatur of the state.
I didn’t look closely but the first example I think is a non-state accusation. But interesting line to attempt to draw.
I look at the media as a counter to the power of the state. So I worry about an arrangement where media can’t name people without state approval. But perhaps my view is archaic?
I get what you're saying but the state here is often the official record for things. These kinds of government records are open and searchable in most cases. And to some extent they answer to the governed. You can get a new DA, mayor, etc. You can't fire an internet sleuth.
Maybe because the person he is pointing to may herself become a target of attacks/harassment other. If he (or she) is really the perpetrator, he should ideally be arrested and convicted. But it may also not be him.
I never understood the whole doxing thing... the actions you take in this world are real. You can't take them back. You don't get to be anonymous just because you wish to be or because you frequent hacker sub-cults where doxing is some holy transgression. Bad op sec is bad op sec. Nothing more, nothing less.
If Krebs got it wrong, well, he can suffer the consequences of that, too.
> If Krebs got it wrong, well, he can suffer the consequences of that, too.
And, if he got it wrong, the innocent person he doxxed has to suffer the (potentially much more harsh) consequences of someone else's irresponsible actions. While Krebs begins working on his next story, and if we're lucky, posts an "oopsie" comment.
If you believe the story, the people who are pointed to were already being looked for for arrest. Don't buy the poor innocent narrative too quickly.
It just happens that their last actions affected powerful figures and the US government so they might actually be some real international effort to arrest them now.
People's home addresses and names should not be released to the public until a legal conviction has been ascertained. This has nothing to do with "innocent narrative". It has everything to do with due process, which is a foundation many countries' entire law systems are founded upon.
The legal process is innocent until proven guilty. You seem to be advocating for guilty until proven innocent, with a side of public vigilante justice as the punishment.
If doxxing innocent (reminder: you are innocent until /proven/ guilty) people is the norm... And allowing vigilante justice is okay... We are in a very dangerous place.
You don't have to look far for numerous cases of innocent people having their lives ruined, or sometimes literally snuffed out, due to situations exactly like this.
Doxxing is not a crime, that's my point. And I am in no way interested in making it one. Innocent people should remain innocent until proven guilty and the rest of our god-forsaken species should figure out how to grow up and treat people with compassion and respect.
If what Krebs is doing in this case impacts the dude in any tangible and negative way he should sue Krebs for libel. That would be interesting.
But regardless, harassment is harassment. If the public starts harassing the dude, even if he is guilty, they're just as guilty of their own offenses. Two wrongs don't make a right.
I don't want a mob to condemn anyone. A mob should not be condemning anyone, ever. Why is the baseline assumption that a public accusation must be followed by swift and undue internet mob justice? That's what's fucked up if you ask me.
He has in the past, and his response has been to delete the tweets but not offer an apology, or retraction. So when those tweets are re-posted, and/or screenshotted, there is no way to tell that the information is incorrect.
The problem is that the named person will also suffer if Krebs got it wrong. Furthermore it isn't uncommon these days for people to overreact and mob up against the person. We have a justice system to deal with this. We shouldn't have thousands of random people on the internet punishing them based on loose evidence.
I guess I just don't think we should plan society around the assumption that the internet will overreact and take justice into its own hands, which is not in fact justice. Why can't we hold people on the internet accountable for harassment?
That is an orthogonal concern. We should hold people accountable for harassment. But I don't see the need to put someone in a position where they are likely to be harassed. The upsides of putting someone's name out there seem tiny and the downsides are obvious, so why do it?
Because you put people at risk without any benefit. You could as easily have said, "I believe I know who did this and I've turned that information over to the authorities."
What does the public or Krebs gain by putting it out in public when you don't know?
Yes, he (Krebs) can be held accountable (and should be hit immediately with a defamation lawsuit if he's wrong), but not everyone has the resources to do that.
Look at Reddit and the Boston bomber: the person they accused killed himself.
> Look at Reddit and the Boston bomber: the person they accused killed himself.
Do we know this was due to the Reddit misidentification? His body was found on April 23, after being accused on April 18, but he had been missing since March 16. I've never seen a definitive order of events given.
(I've no doubt such accusations _could_ lead to such horrible outcomes, but I'm not sure if we know they did here with certainty)
Like a lot of terms doxing can mean different things. Sometimes it means holding people accountable and sometimes it means releasing the home address and workplace of a person misidentified as a wrongdoer by an internet mob.
A recent example was the biker misidentified as a man who assaulted a child putting up posters.
And I would hold the people who acted on partial information accountable for their actions. Harassment is wrong regardless of whether you think someone is guilty of something or not. The internet needs to grow up.
Out of curiosity.. “the people who acted on partial information” who you say you would hold accountable. Does that include the people who chose to publicly dox him based upon an incorrect identification?
You're missing the nuance. Doxxing is not a crime nor is it a call to action. Do news stations censor the names of alleged criminals or even suspects out of some juvenile fear that a mob is going to rise up and take swift extra-judicial action? No. People are free to allege whatever they want. And in the case of Krebs, it happens to be his job. Reasonable citizens should not harass, threaten, or otherwise harm an innocent-until-proven-guilty person. Taking up an internet moniker does not enter you into some sacred contract with society whereby you shall never be exposed. I'm sick of treating issues like the rest of the world is a cesspool of ravenous lunatics and they can't be trusted to act like adults. Like there's a global expectation of ill intent. I know recent times have demonstrated otherwise but it's no excuse. We need to hold people who actually abuse others accountable for their actions not tread lightly around them because they are scary. Full disclosure for all. Full accountability for all. Confront the boggy-people.
Since you think personal privacy is useless and you're fine with personal information being out there, can I get your real name, address and phone number plz?
The actions you take in this world are real yes, but the scale at which the internet enables retribution is unprecedented. If you punch someone in the street maybe three people will beat you up. If you punch someone online, tens of thousands of people might pile on and start kicking.
There's a certain symmetry to that, though. You fuck up on the world stage then you suffer a world of consequences. Anyway, I would sincerely hope people are more mature than to start harassing a dude that some security has-been decided to name as the perpetrator. You're not allowed to harass and threaten someone just because they're suspected of being guilty of some crime.
Uhh.. have you ever been on Twitter? That's like half the activity there, people dog piling on others based on circumstantial, if any, evidence of perceived slights or wrongdoing.
Sure, people _shouldn't_, but they overwhelmingly _do_, which has real, tragic consequences. People with platforms must take care or they cause tangible harm to others.
Yes. This is called libel and it's illegal in the US. I don't know about international libel laws, but if such a concept exists, the kid should sue Krebs if he experiences tangible negative consequences of Krebs' accusations.
But the risk to the target outweighs the potential benefit to the doxxer. Consequences can be unequal. And if the doxee ends up being the perpetrator, then the bad things were already on their way via the legal system.
The amount taken in this scam is chump change compared to the YouTube scammers. YouTube is a vastly bigger website than Twitter and way slower to respond to accounts being stolen by scammers. I remember seeing a Ripple giveaway scam that in a single day made 100k with just a single account. And a fake Bill Gates one made 40k. The list goes on and on. My guess is the total taken is in the $3-5 million range from YouTube alone.
And you don't even need to steal an account. When the Playstation 5 launch event was happening I searched for it on Youtube, clicked the top result and it turned out to be a scammer restreaming the real live event with graphics added saying Sony would double your BTC - just send to this address ___.
Good point, I hadn't considered that. Seems it was actually some hours after the real live event[0]. I spot a different channel using the same name[1] that still has a short scam video online from 3 weeks ago.
I've seen what this previous poster has talked about. They overlay graphics in the actual video stream promoting BTC payments. Happened with a NASA stream right after the first SpaceX manned mission.
Youtube served me the Bill Gates bitcoin scam on Monday, 2 days before the Twitter hack, as opening ad for a video from their recommendation algorithm. The ad's site clearly perpetuated the scam for at least a couple days before changing the website to an innocent iframe link to Bill's foundation page.
The first one I saw was a rip of a SpaceX livestream. I watched it for a bit, then noticed all the Bitcoin references and got confused, then realized it was a scam account. How they get promoted basically to the front page is the issue.
A solution as simple as just hiring someone for $10/hour to periodically scan youtube for crypto keywords and disable the scam videos and accounts would have prevented millions of dollars of theft.
I think this is a good solution, but maybe not viable. Going past Crypto this could apply to so many issues needed to be reviewed on YouTube. But at that scale, the human cost is something YouTube refuses to pay.
It would be a stopgap measure until the algos are refined to filter out the videos without the need for human intervention. YouTube is being sued by Brad Garlinghouse for not taking action fast enough. My guess is my $10/hour solution is cheaper than $1000/hour lawyers.
What are examples of keywords that would have a low false positive (and ideally, low false negative) rate, such that a minimum wage worker could efficiently disable videos with little context or time?
It is not the keywords but the content of the videos: anything that involves a livestream and a pitch to send X to get 2x-10x back. It's very easy to train someone to identify what these scams look like with a zero or low false positive rate.
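The pattern described in the comments above (a livestream plus a pitch to send X and get a multiple back) can be turned into a triage rule that queues videos for a human reviewer. This is an added example, not part of the thread and not any platform's real API; the `Video` record, the signal names, the tiers and the sample records (including the wallet string) are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Video:
    """Assumed record shape: the text a reviewer would see for one video."""
    title: str
    description: str
    overlay_text: str  # text recovered from the frames (e.g. by OCR), if any
    is_live: bool


# Wallet-like strings: base58 Bitcoin, bech32 Bitcoin, Ethereum.
ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
    r"|bc1[ac-hj-np-z02-9]{11,71}"
    r"|0x[0-9a-fA-F]{40})\b"
)
ASSET = re.compile(r"\b(?:btc|bitcoin|eth|ethereum|xrp|ripple|crypto)\b", re.I)
SEND = re.compile(r"\b(?:send|deposit|transfer)\b", re.I)
RETURN = re.compile(r"\b(?:doubl\w*|\d{1,2}\s?x|back|return\w*)\b", re.I)
GIVEAWAY = re.compile(r"\b(?:give\s?away|airdrop)\b", re.I)


def signals(video):
    """Return the list of independent signals present in the video's text."""
    text = " ".join([video.title, video.description, video.overlay_text])
    found = []
    if ASSET.search(text):
        found.append("crypto-asset")
    if ADDRESS.search(text):
        found.append("wallet-address")
    # The pitch needs both halves: an ask to send and a promise of a return.
    if SEND.search(text) and RETURN.search(text):
        found.append("send-and-return-pitch")
    if GIVEAWAY.search(text):
        found.append("giveaway")
    if video.is_live:
        found.append("live")
    return found


def triage(video):
    """Map signals to a review priority; a crypto keyword alone never flags."""
    s = set(signals(video))
    if "send-and-return-pitch" in s and s & {"crypto-asset", "wallet-address"}:
        return "high"
    if {"giveaway", "crypto-asset", "live"} <= s:
        return "medium"
    return "none"


# Constructed sample records; the wallet string is a made-up placeholder.
SAMPLES = [
    Video("SpaceX Crew Dragon launch LIVE", "",
          "Send 0.1 BTC to 1ExampLeAddressNotRea1xxxxxxxx and get 0.2 BTC back",
          True),
    Video("Bitcoin price analysis live: will BTC double this year?",
          "Daily market commentary. Not financial advice.", "", True),
    Video("Elon Musk 5000 BTC giveaway LIVE",
          "Official event, limited time", "", True),
    Video("Laptop giveaway live!",
          "Send a comment to enter, winners get 2x entries", "", True),
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{triage(v):6}  {v.title}  {signals(v)}")
```

The second and fourth samples show why keyword matching alone is noisy: each contains scam-adjacent words but lacks the combination of a crypto reference with a send-and-return pitch.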
Funny that Krebs refers to Lucky225 as a longtime friend of Adrian Lamo.
I thought it was very well-known that Lucky225 made that story up as a cover to hide the fact that he gained control of Adrian Lamo’s @6 Twitter via a SIM swap hack himself, and also took control of Lamo’s Facebook in order to hijack ownership of the 2600 Magazine group on Facebook.
It's a very awkward thread where Lucky225 accidentally demonstrates that he has indeed taken over Adrian Lamo's email account. Note this doesn't say anything about whether they were or weren't friends. They definitely had overlapping interests.
I knew Adrian but I didn't know Lucky. Adrian was always good at compartmentalizing his relationships. Why don't you think he'd want Lucky to have them?
To be clear, they definitely knew each other, I just don’t believe Adrian wanted Lucky to be custodian of his accounts.
Lucky would criticize Adrian behind his back all the time, and Adrian knew about it. They were rivals at best, and frenemies who barely tolerated each other in public at worst. Lucky’s the kind of guy who’ll toss someone right under the bus as soon as they’re no longer useful to him, but feign friendship until then.
The thing I'm most concerned about is that if Brian Krebs is right and they had access to their DM's, that the very obvious crypto scam they ran was just a facade, some kind of distraction because they knew they would have been noticed, but the true goal were the DM's.
Imagine a celebrity saying some 'not so politically correct' things to a friend in private 8 years ago, and now imagine this becoming public while the Twitter cancel culture is in full force. There's a lot of money and power in having that information.
I don't want to argue about what's wrong or not, I just want to point out what I find really concerning about the hack.
Why are you so concerned about some celebs being called out on stuff they said? To me, the most concerning is innocent people having lost money to a scammer, not some celebrity's public image being hurt by something they actually wrote.
Man, who falls for this stuff? I've been seeing the "send me money to this account to get double that" scam for like 20 years; it's hard to believe there are people who still don't know better.
I think they could have done a lot better by having Elon tweet out a new product preorder page (limited edition Tesla merch?), which accepts payments in crypto. Really anything other than give me X so I can give you 2X, which has been done to death already. 100k is chump change, historically for this class of scam.
Another idea is, hijack customer service request DMs from crypto exchanges, and lead customer to phishing login page. Perhaps could authorize API access to the account, and then change email back to original, without the owner realizing account breach.
The traffic burst would be huge for the Tesla tweet. That type of scam introduces more complexity, such as requiring hosting for millions of visitors in an hour, which can leave a traceable trail.
Hosting for millions of visitors/hour isn't that hard. Maybe the cloud companies want to make you think otherwise, but a handful of bare metal servers around the world should be enough to handle that kind of load unless you're streaming video or running a really heavy web framework. Those can easily be obtained for free if you're already a criminal and have access to compromised servers or stolen credit cards to buy them with.
The point isn't tech scalability - the point is that scaling to that many visitors requires payment, and many cloud providers have anti-fraud mechanisms in place to prevent scammers from doing this quickly and easily without being traceable.
Compromised aws or similar accounts shouldn't be that hard for someone to get hold of at that point though?
You could probably make the whole site fairly convincing with just static files & some js which would be super easy to scale up with just a free cloudflare account or something along those lines
Bitcoin isn't just for "technical" people anymore. The 2017 craze caused a ton of non-techies to hear about Bitcoin and get involved. It was front page CNN a decent amount. Coinbase made it their mission to make Bitcoin as accessible as just downloading an app and giving it your credit card info, and IIRC at one point Coinbase was the most downloaded app on the App Store.
There's an argument to be made that the only reason Bitcoin became popular the last few years is because of the amount of non-techies who have been falling for all the same, tired "join my ICO and get rich!" scams.
Wishful thinking is a powerful drug. The same technique is used on dating apps, where a beautiful "girl", explicitly seeking sex, sends you a link to some paid service, to "verify" your account or some nonsense.
Consider this: I'd argue that the fundamental feature of Twitter isn't tweets. It is the underlying certainty that the tweeted content belongs to the person with the blue checkmark.
My friends in social media positions heard about the Twitter hack from me, not the other way around. Given how this info disseminated, combined with the breaking of Twitter's fundamental feature, I'm surprised more people didn't fall for the scam. A commenter yesterday claimed Coinbase had blacklisted the wallet very early on. I assume Gemini and Binance had similar reactions. Without this swift action, I'd wager the actual haul could have been many times the ~13 BTC they ended up with.
Makes me wonder why they did the scam in the afternoon PST when everyone is at work. Why not wait until midnight? Bitcoin is as popular overseas as in America.
The trick is the scale at which you teach people. You only need a few people who are new to Bitcoin and stupid, intoxicated or otherwise not at their best in that moment and you made a profit that's significant in many countries. If you reach 100k+ people your odds should be good.
The funny thing is you could create an ethereum smart contract that verifiably will double any money you send to it, and send it back, at least until its own funding pile runs out.
Yeah, but add verified Twitter accounts from authority figures, add nice graphics, livestreams, etc. and it is very convincing for at least enough people to keep the scams going. Twitter and YouTube have millions of users. If just a tiny fraction of them send some BTC, that is a lot of $ given how valuable BTC is.
I believe it's got a lot to do with the Dunning-Kruger effect because this scam gives the illusion to the victim that they are the one who's actually doing the scamming. When victims of this kind of scam see an opportunity that they'd be making money off of a "very stupid" offer they jump on it. In some cases though the scammer is forced to employ tactics to speak to victim's emotions by inducing guilt or pity but otherwise it's just plain stupidity powered by internalized intelligence.
It will be interesting to see how the access was gained. I wonder how well this administrative system was protected. Did they have basic controls like:
1) Accessible via corporate VPN only (requiring 2fa)
2) Admin panel protected by 2fa plus necessary authentication+authorization controls
3) Audit trails
Short of cooperative access (device handover), I could only see an outsider gaining access to the system due to poor security practices or a remote access trojan getting installed. Though more likely, Twitter lacked these basic controls.
Verified accounts could probably be subject to 2nd person controls so IF someone were to modify an account via admin panel, then a 2nd support person (preferably in a different location), would have to vet the change.
Many startups and hip companies don't do VPNs anymore - unfortunately they also don't do Zero Trust (which would require machine certs for everything and be enforced) - so stuff is often available over the Internet with password auth + maybe MFA. An attacker who gets hold of a cookie or bearer token wins.
And the best part: support personnel often don't have MFA, because it's outsourced to countries where smartphones with Authenticator apps are not as common to own for the regular person. I'm not joking.
Really stupid question. A key employee leaves, with their personal 2FA. Is there a standardized corporate solution for this yet? Sorry if that’s weirdly worded
There are various vendor products that support automated deprovisioning when an employee is terminated in the master HR system. You're 1000x more likely to see them in a corporate setting than a startup.
My previous startup had a bit of both. My access to things like mail and Atlassian stuff was automatically revoked, while I could still access the production database months later.
Disabling their account or altering their first factor makes the second factor irrelevant. Who cares if I have a TOTP code for my old account, if the account is deactivated and/or its password changed?
Yes, you're most likely right. While physical tokens are relatively cheap, MFA setup can be not the most straightforward outlay. Still a lot simpler given the many SSO companies out there these days.
That said, tokens are probably simpler than zero trust network setup. Even if you had a zero trust network, you'd still want tokens in case an employee machine is compromised.
Yep, I'm actually not saying that VPNs are the right or only (no way) solution I just wanted to highlight that auth is complex and there are often loopholes.
With everyone working from home due to the pandemic I think these admin tools have never been more vulnerable. I would bet these tools were unavailable outside of a twitter office building until now.
But now these tools are accessible from the homes of twitter admins. How many of them are running behind compromised home routers, etc? Everyone in the house has access - spouses, partners, teens, visitors.
I bet twitter doesn't have a lot of extra security on their admin tools. They probably write straight to the production database. Those safeguards would really slow down day to day support and be expensive to build, and they probably assumed the physical security of the office building was good enough.
I think the most likely cause was a disgruntled employee working from home plus a little bribery.
Yes, given increased working from home I'd expect more breaches to come. Especially if companies allow non-corporate machines to connect to their VPNs (or other once internal systems are on the open internet). Putting an admin tool on the internet places a lot of trust on your users and developers to be perfect. That also assumes any 3rd party dependencies are free of issues.
Putting VPN and MFA on shouldn't slow down people much. They'd just have to spend a bit more time logging in each day. Annoying? Yes, but that's better than a breach.
Isn't it strange all the work we put into securing networks etc... while we're engineers working from home and all it would take is someone figuring out where I live via Linkedin or whatnot.. and all this goes away with my physical security being pretty much non-existent.
Sure, but the vast majority of computer-focused attackers are unwilling to show up in person. They want to operate from behind a computer. So you're not at risk of a physical attack from them unless they hire someone to conduct the physical attack. But they tend to be bad at hiring physical attackers, see how DPR hired hitmen but they turned out to be scammers.
If you're facing a government though, you do need to be wary of physical attacks.
Ultimately it doesn’t matter what really happened.
The most important aspect to the American people is that a company that is the largest real estate holder in San Francisco and employs roughly 5,000 employees can’t figure out how to secure their platform. Which means they are a joke of a company.
Similar to Google who can’t figure out how to provide customer service when they employ roughly 119,000 employees. Yes, that’s hundreds of thousands of employees and they haven’t figured out how to provide support when their “bots”, which is really their outsourced India techs that cancel their corporate customer accounts on a whim.
Again, this is Google, that distributes malware on their Google Store for months and years at a time.
Seriously, the ridiculous interview bullshit we’ve all heard about regarding Google and not one smart person ever recommended taking some of Google’s billions and offering customer service or figuring out how not to distribute malware through their official store.
We shouldn’t forget that Google engineers that have access to everyone’s email have also been caught and it’s only a matter of time before Google gets hacked in the same ways Twitter has.
Anyways, Twitter is a cesspool.
Google is also a cesspool that can’t even get search right these days.
It’s a shame that America has these joke of companies on its soil.
There is a healthy contingency of Google and Twitter employees on HN, so I expect the down votes. However, I know there are a ton of people out there that share my message.
"within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user."
How is this acceptable? That's practically (thus effectively) identity theft.
I've been seeing similar scams in Elon's replies, they just copy his profile picture and name and reply with a different account. You might have seen that one
I couldn't find any screenshots, archive.org link, or browser history for the tweet I saw. So, unfortunately I have no evidence that the scam tweets started before Wednesday. We'll see what Twitter finds.
The tweets didn't come from his handle. They were using the same image and name but what really caught my attention was that those accounts had a blue verified badge.
Yep, the newest strategy of the Twitter crypto scammers is to hack verified accounts of lesser-known users, then change the account name and profile picture to that of the user they wish to imitate.
> “This is NOT a method, you will be given a full refund if for any reason you aren’t given the email/@, however if it is revered/suspended I will not be held accountable,” Chaewon wrote in their sales thread, which was titled “Pulling email for any Twitter/Taking Requests.”
If access were being sold via message board, I wonder if the thread contains stipulations on which accounts are off-limits for being hacked. My theory to why we didn't see any active government officials accounts get pranked is because the hackers, no matter how confident they were about covering their tracks, still might have worried that such a breach would almost guarantee FBI/NSA-level involvement.
After a Twitter employee suspended Trump's account on their last day of work in 2017, I expect access to his account to do anything at all is much more highly restricted within Twitter's internal tools.
So is Kanye West and Taylor Swift, who, like Obama, can do things like work full time as a registered lobbyist, and not have to publicly disclose financial investments or otherwise ever publicly respond to the public, and many other things that regular citizens are allowed to do.
Neither Obama nor Biden nor Bloomberg are "active government officials". They have no power to conduct U.S. government business, thus an intrusion on their private social media accounts is not going to be an obvious or immediate threat to the security of the U.S. government.
Former presidents are still privy to a lot of information (e.g. they receive national security briefings still). Hacking their technology accounts is absolutely a threat to the security of the US govt, and is one reason the Secret Service specifically monitors their technology usage.
I'd bet a lot of money the inclusion of people like Obama and Biden all but guaranteed the FBI/NSA get involved now, or at the very least the Secret Service.
It's not just about access to information, but actual power and perceived power; the chances that the average rational person will be fooled and react to "The U.S. Treasury has been ordered to fast-track the evaluation and adoption of Bitcoin as an option for official government transactions" is much higher coming from Trump, Pence, Mnuchin, McConnell, or any number of the official social media accounts of U.S. agencies than it is for Obama or Biden. Sure, the latter could most definitely fool people, but that's possible with any famous account, like Elon Musk's or Kanye's.
I think you're incorrect about the perceived power of a former US president, but regardless I don't think perceived power has any impact on whether the FBI chooses to investigate or not.
That might be a fairy tale some black hats tell themselves, but it seems clear to me that compromising a former president's accounts has serious security implications for the US govt. Obama's access to information (both past and present) is such an overriding concern that his level of perceived power is basically an after-thought.
The FBI often helps out with major breaches of all varieties, let alone ones that involve former heads of state. It's extremely unlikely they're not already involved in this one.
While it may sound ridiculous that anyone would be fooled into sending bitcoin in response to these tweets, an analysis of the BTC wallet promoted by many of the hacked Twitter profiles shows that on July 15 the account processed 383 transactions and received almost 13 bitcoin on July 15 — or approximately USD $117,000.
This could be mostly the attackers’ own money. It’s impossible to tell, but I haven’t seen anyone explicitly mention this.
Possibly. The only reason this would be stupid is because Bitcoin has rapidly been centralizing. I suspect many exchanges might start blacklisting any wallet that has any transactions from this wallet.
On the other hand, they can’t really do that. At that point the attackers would be able to poison any wallet just by sending a small amount of BTC to it. Therefore it seems like the only penalty is that they’d have to re-wash their coins.
Random, totally not thought all the way through, idea. Could a decentralized nullifier be put in the blockchain? Allow the consensus algorithm to "vote" for when an address should be marked as invalid and miners would reject transactions with it. It would work by someone submitting an "anti-coin" transaction and wagering their own coin. Miners would provide PoW to confirm the transaction but instead of the miners collecting a reward they pay a fraction of the initial wager. Once enough blocks with a confirmation of the anti-coin are mined to pay back the wager it's accepted as permanent. Now the only way to use that address would be to fork the blockchain. On the other hand, if the anti-coin is not accepted the submitter loses their wager, so it becomes expensive to attempt to destroy coins without cause.
But I don't know nearly enough crypto to even guess at whether or not this is a really stupid idea. Don't torch me for being foolish.
You can do this on a technical level but on a practical one it creates pathways for abuse which defeat much of the purpose of using crypto in the first place.
And attackers like the one in the Twitter attack would just choose to use cryptocurrencies where this isn't possible.
It's bizarre to me that someone pulled off an account takeover of this magnitude and the end result was random people being scammed out of ~$100K in Bitcoin (that too allegedly). A single well-crafted Tweet from one of these accounts is probably worth more. Heck, Twitter would have paid that much or more just in bug bounties for reporting this.
There's no bug bounty for "get an employee to reset an account for you."
"You can update the email address of any Twitter user, [...] without sending any kind of notification to the user" sounds like a bug, but if your repro starts with "get access to the internal dashboard" it'll get rejected out of hand.
I don't buy the stock market argument. People open short positions worth more than $100K every day, especially against companies like Tesla. There would be nothing suspicious about a few such trades.
But really, my point is that pulling off a sophisticated exploit involving major celebrities, politicians and CEOs, social engineering/bribery, internal access at a top company etc. doesn't really seem worth the risk if at the end it nets you $100K.
But you can't make those trades anonymously. So everyone who even remotely profited from the stock movement gets put on the suspect list, and the FBI just went from needing to investigate literally anyone to maybe a few hundred people at most. The FBI is more than capable of going through a list like that and narrowing it down quickly.
> People open short positions worth more than $100K every day
Yes, but you'd need to open one worth $1m to make $100k on a 10% move. $1m is still not "much" in the grand scheme of things, but it's still significant.
You can use a variety of instruments to get a lot more than 10%.
If you have a million to play with you could probably get something on the order of 10-20 million, or a lot more I guess, depending on the time you have to prepare.
> There would be nothing suspicious about a few such trades.
Not on its own, and not if you're starting the investigation with a large pool of trade data.
But if you have 5, 10 or even 100 suspects from various forums and then join in any trading data along with a time window of opening/closing trades you very quickly end up with a suspect, a search warrant, an indictment, etc.
There would be afterwards though, so the question would be could the money from the trades settle and be exfiltrated to a private non-traceable account before the SEC thought something was amiss and started looking at impacted stocks and suspicious associated trades by timing.
Find nefarious politician’s new fixer, offer to post a deep fake of Biden from Biden’s account expressing grief at finding out his son had acted in bad faith and that he was withdrawing from the election.
Post deep fake from Gates account saying that he did create coronavirus and he’s going to release the antidote. No masks needed. Open the country up.
The chaos and distrust alone would be worth more than 100k.
I keep saying phone numbers for 2FA is dumb but entire industry thinks this is a good idea for some reason. The problem here is that it's not even used as 2FA, it's just one factor and these services think it's sufficient to prove identity.
Discord wants my phone number for forums about sexual topics that could get me killed if I was in certain countries. Obviously I don't want to give them something which actually identifies me.
Why would the hackers gain this level of access, and do something that nets them so little money (relative to the amount they could have gained), when they can't even spend it without having law enforcement outside their door?
You are assuming the kids doing this don’t think just getting 100k is a lot of money. They most likely originally got the backdoor solely to get original usernames and someone had the idea “we could phish bitcoin with this”. I doubt they went into it with a big plan.
1. For the lulz
2. For a disgruntled Twitter admin who thinks they won't get caught, 100k is a good haul. If you steal 1MM dollars and you have an 80k/year job you're in trouble. 100k in BTC cashed out over a year or two is less of a problem.
3. I can't think of how you could make more, at least not without putting yourself at huge risk.
4. Maybe these tweets were just to serve as proof you did something else we don't know about yet, and you are getting paid for that.
5. Maybe you are a Russian operative, and your job wasn't to make money, but to try and find dirt in the DMs of Trump's political opponents.
The hack was epic and strange. But also epic and strange is how Twitter stock value hasn't taken a prolonged hit. Is there really so much trust on Twitter that this was an isolated incident?
Doesn't really surprise me much. Internal tools get 0.00001% of the UI design effort that production tools do. It looks like an old version of Bootstrap too.
POSSE is a great model. One of the problems is that there is no platform that reduces the friction of implementation. I have the technical ability to implement this myself on my own website, but I don't have the free time to set it all up and maintain all of the integrations with various platforms. And syndication is the creation side of the problem, but on the consumption side there's the issue of aggregating your friends' posts on other platforms into one place so you can keep up with everyone without remembering to check several different websites. That's arguably the more challenging part of making this model work at scale, and social networks actively prevent this by blocking API access and making it difficult to programmatically access data within their platforms. I can't even subscribe to 2/3 of my content sources via RSS anymore.
It's not a hack when an employee holds the door open and gives use of an admin management tool to a third party.
Likewise, it's not a bitcoin scam when bitcoin is the method of transfer, just like it's not a US-dollar scam every other time dollars are used in theft.
It's not real hacking unless it's chopping with an ax.
I think simple account takeovers started being called "hacks" jokingly on Facebook, when a friend would find your phone or computer unlocked and logged in.
To use your analogy, it literally is still burglary when an employee holds the door open to the office for you to enter and steal things. The attackers took over accounts by technical means. This is a perfectly reasonable usage of “hack.”
Opening a CMD and executing an "echo YOU HAVE VIRUSES", or repeatedly executing TREE command, are used in practice to bait people into paying for "malware removal" and "anti-hacker protection".
My personal theory on this is that it was an attack to stop Trump's incessant tweeting to America. Inside access, leaving his account untouched, then all the screaming about how bad it could have been so we should never use direct, un-channeled, unfiltered communication by state leaders on social media.
As much as folks here on HN extol Firefox, it just feels somewhat sluggish and buggy compared to Chrome. I try to use Firefox Developer edition sometimes but just can't because primarily it feels tangibly slower than Chrome.
Back in 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:
Archive: http://archive.is/8lCMV
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
This Twitter hack could have literally destroyed economies, started a war, potential for blackmailing politicians and others etc.
This really needs to be looked at with much bigger eyes. This wasn't just a bitcoin scam.