by uwuwuwu 2149 days ago
Very alienating how they disclose names even before their guilt is proven in court.

Also, I read they're considered adults because the crime was so serious. Come on. Just send the BTC back and that's it. This shit is a proof-of-concept and we should be thankful nobody started world war 3 on Twitter.

There's zero harm, just improved security at Twitter.

2 comments

They willingly impersonated multiple people and tried to scam people based on that. That is not zero harm. Are you really saying that someone who executes a spearphishing attack on a company, then uses that to take over accounts within that company's services, and then uses that to try to scam people should just get a slap on the wrist?

There are at least two or three levels of this where any reasonable person would have thought "This is getting really fucking criminal"

This was likely a net benefit to US citizens. Much better that this kid exposed these security holes. Imagine how bad it would be if a nation state did this close to the election.

Spearphishing is a real problem and tech companies have no answer. An annual employee training program isn't going to solve the problem. Simply making it illegal isn't going to solve the problem.

> Much better that this kid exposed these security holes.

That's why we have responsible disclosure. It does not make it okay to exploit security holes for profit.

> Spearphishing is a real problem and tech companies have no answer.

That does not make it okay to exploit it.

> That's why we have responsible disclosure. It does not make it okay to exploit security holes for profit.

I'm not aware of any bug-bounty or responsible disclosure method that allows spear-phishing as the attack requires impersonation/fraud. Is there one?

Responsible disclosure does not equal bug bounty. Just because you found a security hole does not mean you are entitled to a payout.

The responsible way to do this would be to prove the access to Twitter's security team and not exploit it for personal gain. You can even just post it publicly; just don't try to scam people and profit based on the exploit.

Do you think that just because there isn't a bug bounty for a specific exploit that gives you a free pass to exploit it for personal gain?

Send back the BTC with interest or no?

Twitter should cover that as a bug bounty.

I think this is a solid idea.

It's not much for Twitter, and they can see exactly who needs to be remunerated for how much.