[HN Gopher] Hacker in Snowflake extortions may be a U.S. soldier
Author : todsacerdoti
Score : 329 points
Date : 2024-11-27 00:53 UTC (22 hours ago)
| antihero wrote:
| Couldn't literally all of this just be a bunch of misdirection?
| mikeyouse wrote:
| In theory, sure, in reality it's almost always much more benign
| and they have terrible Opsec over time that allows people to
| piece together their identity. Especially if they reuse
| usernames across services.
| JohnMakin wrote:
| It's always crappy opsec that gets people otherwise very
| savvy.
| raffraffraff wrote:
| Kinda like how the big mastermind criminals like Capone get
| away with murder and racketeering but get fucked on tax
| evasion.
|
| Reading this guy's posts, his ego is the biggest issue, and
| it will be his downfall. The "I literally can't get caught"
| mentality inevitably leads to carelessness and
| blabbermouthing.
| kortilla wrote:
| That's a little different. It wasn't that Capone couldn't
| handle taxes, it was that until that point nobody used it
| as a serious mechanism to take down criminals. It was
| only validated as a good approach by the Supreme Court a
| few years before. In fact, one of the primary pieces of
| evidence of his tax evasion were from communications from
| his lawyer about how much tax to pay to make his tax
| history legit in light of the recent effectiveness of tax
| convictions.
|
| Now major criminals launder money to avoid that.
| brcmthrowaway wrote:
| It appears the government at times invents laws so they
| can go after criminal gangs (see RICO)
| duxup wrote:
| I feel like leaving a bunch of misdirection would also risk
| potentially just leaving real traces behind in some ways.
|
| At least in my mind leaving some false trails behind, when I
| run through scenarios, seems like it could leave actual trails
| / to the point of not being worth the extra risk.
| brookst wrote:
| Yeah. If you have a choice of giving an adversary no
| information or false information, no information seems safer.
| The choice of false information _is_ information. Same way
| that people are terrible at picking random numbers and
| fraudsters are often caught because they avoid round numbers.
| antihero wrote:
| It would make sense if doing something illegal to do the
| former, but also leave "slip ups" that are complete red
| herrings, create trails to people that seem like opsec
| fails but are actually just framing others, etc.
|
| All about plausible deniability. Layers and layers and
| layers of dead ends that seem real.
|
| In this way, if you do actually slip up, it becomes near
| impossible to distinguish the real slip-ups with the
| orchestrated ones.
| brookst wrote:
| The problem is that false "slip ups" provide information.
| Sure, you waste investigator's time, but once they rule
| out the false lead they have a bunch of information:
|
| - if the false slip-up used only public information,
| you likely don't have access to confidential
| information about that space. If it used confidential
| information, you do.
|
| - The geography and demographics of the false lead are
| probably not near-misses. The point of misdirection is to
| misdirect, so you likely won't frame a coworker that will
| bring investigators to your own door.
|
| - Any mistakes in the false slip-up, from spelling to
| factual to timing, may reveal info.
|
| IMO this is a "too clever by half" scenario: leaving any
| trace at all is information. Leaving none is wiser.
|
| Example: you're a master hacker. You're going to
| repeatedly access a compromised system. Is it better to
| set an alarm for 3am each time to suggest you're in a
| different time zone, or to use a RNG to choose an alarm
| time?
|
| I say the RNG is better. Using 3am gives psychographics.
| Random isn't clear if there's any planning at all, or if
| you travel, etc.
| alsetmusic wrote:
| > Kiberphant0m denied being in the U.S. Army or ever being in
| South Korea, and said all of that was a lengthy ruse designed to
| create a fictitious persona.
|
| >
|
| > "Epic opsec troll," they claimed.
|
| If this were really a fictitious persona meant to lead
| investigators away from their true identity, they'd never admit
| to such. This sounds like someone trying to deflect upon being
| found out. I'd wager that this person is going to be caught.
|
| Krebs has an image of a mind-map at the end of the article
| showing links between the aliases.
| rudolph9 wrote:
| Or it's part of the troll.
| uoaei wrote:
| Bothsidesism has crept into ... US counterintel agitprop?
| horeszko wrote:
| > Kiberphant0m denied being in the U.S. Army or ever being in
| South Korea, and said all of that was a lengthy ruse designed
| to create a fictitious persona. "Epic opsec troll," they
| claimed.
|
| This is called a "double cover story", a classic deflection
| when someone is caught or exposed.
| asimjalis wrote:
| It could be a triple cover story. The faked double cover
| story is meant to deflect.
| tedunangst wrote:
| Maybe even skipping the quadruple cover story and going
| straight to the quintuple. A true pro.
| function_seven wrote:
| I always play the (2n+1) game myself. (Or do I??)
| the_af wrote:
| That's what _they_... er, _you_... er, _somebody_ wants
| you to think?
| formerly_proven wrote:
| That's my secret... I never think.
| _carbyau_ wrote:
| "Fuck everything, we're doing five covers." ... "Put
| another misdirect on that fucker, too."
| Mtinie wrote:
| That reminds me of the escalating "trace buster" scene in
| "The Big Hit."
|
| https://youtu.be/2VY_xxL2jL0?si=9hf6ibvtHFCGuCNL
| pnut wrote:
| Context https://theonion.com/fuck-everything-were-doing-
| five-blades-...
| labster wrote:
| Good luck, I'm behind seven cover stories
| blitzar wrote:
| Gotta pump those numbers up. Those are rookie numbers in
| this racket. I myself, I have fourteen cover stories with
| an infinite loop at number 10 that directs you back to 4.
| oefnak wrote:
| What do you use 11-14 for?
| Mtinie wrote:
| Higher dimensional investigations.
| avn2109 wrote:
| Plot twist, I'm actually undercover as you.
| the_af wrote:
| I know linking to videos on a tangent joke is frowned
| upon here, but I'll risk the downvotes for a worthy
| cause:
|
| You really need to watch this Key & Peele & Rocket Jump
| collaboration: https://www.youtube.com/watch?v=IHQr0HCIN2w
|
| Actually, since I'm actually undercover as you, and I've
| already watched it...
| edzillion wrote:
| I know comments commending the previous post are also
| frowned upon but that is one of the funniest sketches
| I've ever seen. Hilarity ad absurdum
| PittleyDunkin wrote:
| Eh; let's wait and see. For any claim for insight there's an
| equivalent claim for fabrication. any such analysis that relies
| on this is inherently flimsy.
| johndhi wrote:
| It also seems like a bad opsec if he creates multiple aliases
| for the same theme. Wouldn't you want to have one us soldier,
| one Russian, one African, etc. if you are trying to create red
| herrings?
| XorNot wrote:
| Even the soldier persona is consistent though. The trouble
| with opsec like this is (1) you always have to win and (2)
| almost everything - even _total randomness_ tends to create a
| pattern (since you the negative space of trying not to stand
| out itself tends to make you stand out).
| asimjalis wrote:
| Maybe he is operating at the next level. He is deflecting
| because the investigators will think that he is trying to lead
| them away from his true identity and become even more
| convinced of it, which is exactly what he wants.
| CoastalCoder wrote:
| _Truly_ next level would be for him to be one of the
| investigators.
| chefandy wrote:
| But little did he know the other instigators were
| investigating him... or _so they thought..._
| Tepix wrote:
| Let's skip this step and go to the next: it's a rogue AI.
| dookahku wrote:
| > This sounds like someone trying to deflect upon being found
| out. I'd wager that this person is going to be caught.
|
| that's what a _super_ epic opsec troll would want you to think
| Terr_ wrote:
| "You fell victim to one of the classic blunders! The most
| famous is 'never get involved in a(nother) land-war in Asia',
| but only _slightly_ less well-known is this: Never go up
| against a once-Korean-resident when _death_ is on the line!
| Aha-haha-hahaha! "
|
| https://www.youtube.com/watch?v=pRJ8CrTSSR0
| gostsamo wrote:
| Let's just not believe anything said by an untrustworthy
| person. What they say should not calculate in what we believe
| to be true, but only evidence we can verify.
| skybrian wrote:
| Well yes, but I doubt that Krebs is really posting this data
| dump for random Internet readers like us. Some other
| investigator might find some useful hints in it, though.
| Y_Y wrote:
| I respectfully disagree. If someone is shown to be unreliable
| then of course you won't take what they say at face value,
| but there's still information there. A deliberate lie may
| still contain something useful and reveal something about the
| person.
|
| In fact assuming someone to be truthful isn't a good prior,
| knowing that they may be "untrustworthy" doesn't tell me
| much, since I didn't start off thinking otherwise.
| gostsamo wrote:
| You can analyze a lie only if you know that the speaker is
| trying to convince you into performing an action. Binary
| statements about facts cannot be judged without knowing the
| truth. They could be used only for self-analysis of the
| analyzer and maybe if you want to exercise some tail
| chasing.
|
| Watch The Princess Bride and you will find a wonderful
| scene about choosing the right cup there.
| laborcontract wrote:
| von Neumann proved that you can extract fair results from
| a biased coin without knowing the bias. No truth needed.
|
| While it doesn't really apply to this situation, it's all
| to say that I disagree with you saying there's only
| information in the truth. There's information in
| everything.
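The von Neumann extractor laborcontract mentions, worked through as an added example (this is not code from the article or from anyone in the thread). It reads the coin flips in non-overlapping pairs, emits 0 for 01 and 1 for 10, and discards 00 and 11; since both kept pairs have probability p(1-p), the output is unbiased without knowing p. The biased stream it is run on is generated locally from a seeded PRNG, i.e. constructed input, not data from the thread.

```python
"""Von Neumann debiasing: unbiased bits from a coin of unknown bias.
Example code; the biased input is constructed with a seeded PRNG."""
import random


def von_neumann(bits):
    """Extract unbiased bits from a list of 0/1 values.

    Pairs must not overlap: reusing a flip in two pairs would make the
    output bits correlated with each other."""
    out = []
    for a, b in zip(bits[0::2], bits[1::2]):
        if a != b:
            out.append(a)   # 01 -> 0, 10 -> 1; 00 and 11 are thrown away
    return out


def biased_coin(n, p_one, seed=1):
    """n flips of a coin that shows 1 with probability p_one (constructed)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def ones_fraction(bits):
    """Empirical P(1); 0.5 means no measurable bias."""
    return sum(bits) / len(bits) if bits else 0.0


def expected_yield(p_one):
    """Fraction of input flips that survive: each pair keeps a bit with
    probability 2p(1-p), i.e. p(1-p) per input flip."""
    return p_one * (1 - p_one)


if __name__ == "__main__":
    raw = biased_coin(20_000, 0.8)
    fair = von_neumann(raw)
    print(f"input bias {ones_fraction(raw):.3f}, output bias {ones_fraction(fair):.3f}, "
          f"kept {len(fair)} of {len(raw)} flips (expected ~{expected_yield(0.8):.2f} per flip)")
```

The price is throughput: at p = 0.8 only about 16% of the input survives, and the extractor needs the flips to be independent of each other, which is exactly the property a deliberately lying human does not have; that is why the comment above notes the trick does not transfer to reading statements from an untrustworthy source.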
| red-iron-pine wrote:
| but then we're not "trusting" what they're saying, just
| analyzing a statement for unintentional or partial truths.
| the assumption is not one of credibility. everything this
| person is doing is dubious as hell. this means every
| statement or action must be analyzed with the assumption that it is
| bunk, and then you pick out possible truths.
|
| the picture of the army gear, for example, consists of gear
| that could be purchased at any surplus store. I'm not in
| the US but I could easily acquire that, and I know enough
| about exif data to be able to alter an image to use GPS
| coordinates at a US Army barracks in SK.
|
| meanwhile if they were showing a picture of them sitting
| with, say, a 240B MG, or something that actually proves
| they're in the US Army I might believe them.
|
| while bartending back in the day I used to have a coworker
| who, after a few drinks one night, eventually confessed she
| was a camgirl for a while. she went by April, who was
| really Stefani -- neither of which were her real names, but
| were just layers to keep stalkers off of her back. she had
| friends on the other side of the country take pictures of
| their dorm to help further the story. I totally believe a
| serious cracker would take similar precautions; OPSEC on
| OPSEC
| Y_Y wrote:
| I agree and liked your comment. I just want to add that I
| was specifically disagreeing with this:
|
| > What they say should not calculate in what we believe
| to be true
|
| rather than thinking about definitions of trust.
| sourcepluck wrote:
| I can't help myself: is this the famous logic by which tech
| people don't trust apple, microsoft, amazon, meta, or google
| products?
|
| Or does it not apply to corporations? What's the distinction,
| if so? It certainly seems common to not to apply it to
| corporations.
|
| Not sniping here, I actually think this is solid logic, maybe
| with some exceptions but generally applicable. I feel like
| it's so commonly and happily not applied when it comes to the
| above companies (and others) that I find it stunning to see
| it stated so clearly here.
| cherryteastain wrote:
| We already have direct evidence through Snowden leaks that
| US big tech corps are US intelligence assets.
| gostsamo wrote:
| This FAANG stuff is coming a bit from left field here. I
| have my thoughts on their involvement with the US
| government, but I cannot testify if those thoughts are the
| same for any other tech person on this platform. Lots of
| other stuff to say, but generally, I tend to apply the same
| mental tools to everyone. You should ask everyone else for
| their opinions individually though.
| Y_Y wrote:
| Personally my prior is that companies are always trying to
| manipulate you, and people only sometimes. On the other
| hand it can be easier to get away with false statements
| when you don't have a large audience and deep pockets.
| leptons wrote:
| Well it certainly doesn't apply to politics, 70+ million
| people believed every lie their cult leader told them (and
| it was a lot of lies).
| kgeist wrote:
| Interestingly, Kiber- is how a Russian would transliterate
| "Cyber-". At first I thought he must be Russian, by the
| nickname alone (I'm a Russian speaker).
| ANewFormation wrote:
| Something I don't understand is why people don't appreciate
| /expect misdirection.
|
| For instance, a malicious actor, of even basic
| sophistication, coming from a Russian ip and occasionally
| using Cyrillic and missing grammatical articles is probably not
| Russian. Similarly a malicious actor with a pseudonym
| including the term patriot, coming from a US IP and using
| terms like howdy probably is not American.
|
| False attribution is a core lesson in malice 101.
| andrewflnr wrote:
| There's a case to be made for expecting misdirection more
| often, but the fact remains that most people, including
| malicious actors, don't have the foresight and skill to
| pull it off. You do need both. Unless you plan a consistent
| fake story from the very start of an identity, execute it
| consistently, and hermetically isolate it from any others,
| you'll leave clues.
| ykonstant wrote:
| Spot on, chap.
| johnnyanmac wrote:
| Not that it's necessarily the case here, but you'd be
| surprised how many grand capers were only busted because
| the actor made an embarrassingly dumb mistake in leaving
| some obvious trail.
|
| It's not unheard of to apply some occam's razor just in
| case while keeping misdirection in mind. Even masterminds
| aren't perfectly rational actors that cross all their t's.
| rightbyte wrote:
| Doubly so since warmongers will defend your persona and
| corporations will use the persona as a politically
| palatable scapegoat.
| strken wrote:
| You need actual evidence to make claims like this and be
| believed. "Possibly not Russian/American" is self-evident
| due to how easy misdirection is, but "probably not
| Russian/American" is a matter of probability for which
| you've presented no meaningful data or argument.
| close04 wrote:
| > False attribution is a core lesson in malice 101
|
| I was always surprised to see security researchers
| _confidently_ attributing some attack to a specific group
| based on easily falsifiable things like localization,
| alphabet, time zone, coding "style", specific targets,
| etc.
|
| Even if researchers can undeniably link one attack to a
| certain group (like when they publicly take responsibility)
| and can label their style accordingly, all those indicators
| become at least semi-public. If the researchers have access
| to them, so do other actors who are free to fake or
| imitate them. The confidence is probably more for the media
| reporting.
| lupusreal wrote:
| If your company just got pwned, you'll probably be thankful
| to have an excuse to tell your investors that it was a
| Russian/etc "state actor" and therefore they should feel
| sympathy for you being the victim of a foe that far
| outclasses your _assuredly_ reasonable and competent
| security measures.
|
| Looks a lot better than getting pwned by some jackass
| American teenager. So if the attack came from a Russian IP,
| or used some Cyrillic characters or something like that,
| there's a "face saving" incentive to take that probable
| misdirection at face value.
| pphysch wrote:
| This is right. So many incentives are stacked in favor of
| making false attributions, specifically to enemy state
| actors:
|
| - real attacker doesn't want to get caught
|
| - victim doesn't want to admit being pwned by a script
| kiddy or petty criminal
|
| - military-industrial complex needs foreign threat
| inflation to stay in business
|
| - media loves the intrigue
|
| The pushback would come from the foreign state being
| falsely slandered, but they never get a say anyways.
| red-iron-pine wrote:
| Attribution is _hard_ , and is a critical part of Threat
| Analysis.
|
| I generally agree with the quip about American patriot
| actors, mostly.
| RicoElectrico wrote:
| Forget about grammar. Eyeless emoticons are the best
| predictor)))
| boohoo123 wrote:
| yea but 2 years prior he used the handle cyberphantom. So the
| switch is most likely him trying to throw people off.
| ARandomerDude wrote:
| I'm guessing any American military member in the Intel or
| Cyber business would know that these days though.
|
| Years ago when I was in the US military I knew many Russian
| weapons systems better than their US/NATO counterparts and
| had developed a decent working vocabulary of Russian words
| and prefixes in that specific area because it was my job to
| study Russian equipment.
| hilbert42 wrote:
| Right, there's something odd about this. That image from 2022
| of a person's legs [Kiberphant0m?] in army fatigues ought to be
| a dead giveaway. For starters why would anyone be stupid enough
| to do that, second I'd reckon the floor pattern alone might be
| enough to reveal the person, again why do that? Surely those
| involved would have thought of that? Alternately they're
| on the room-temperature side of dumb.
|
| Of course, that doesn't include the image being a ruse for
| other schema.
| bayindirh wrote:
| > Alternately they're on the room-temperature side of dumb.
|
| When combined with the uses they claimed for their botnet, the
| person we're talking about leaves an impression of having
| emotional maturity of a 10 year old.
|
| So, you might not be very far off when it comes to non-technical
| skills.
| scotty79 wrote:
| > leaves an impression of having emotional maturity of a 10
| year old
|
| That fits well with the position of US president or the
| currently richest person on Earth.
| hilbert42 wrote:
| I dare not comment, the thread would be deleted. ;-)
| krisoft wrote:
| > why would anyone be stupid enough to do that
|
| To prove their "credentials" that they are a real world
| "tough guy", in the hopes of gaining social clout among
| their peers.
|
| Same reason why some post classified information on Discord
| or War Thunder.
| seanhunter wrote:
| Yes. I'm pretty sure if you spoke to an intelligence analyst
| they would tell you there's no such thing as an opsec troll.
|
| Everything your target does (including misdirection) gives or
| risks giving away information, and there's no way someone who
| is actually in control of events would blow a cover because
| even if you were 99% certain it was false, you would have to
| continually waste resources trying to confirm that. In
| particular if they invested a lot in building this persona and
| you were on to them it's much more likely they would just go
| dark, wait and plan how to pick up with a new persona.
| InDubioProRubio wrote:
| There are robots for everything social now- including
| manufacturing personas.
| datadrivenangel wrote:
| It's not about the volume of manufactured personas, it's
| about the tool-marks that can be analyzed.
| Oarch wrote:
| You'll never catch me!
| gregw2 wrote:
| Any insight based on histogram of the timing of this person's
| posts, particularly ones responding to a just slightly earlier
| post? (ie was clearly awake and not an artificially-delayed
| response).
|
| Krebs knows about this timezone analysis technique, wonder if he
| didn't check this or it was inconclusive?
| t-3 wrote:
| Is that effective for people who aren't literally being paid a
| salary to do this stuff 9-5? A lot of people who spend too much
| time on computers have totally out of whack sleep schedules that
| would look like they're operating from very different
| timezones.
| alwayslikethis wrote:
| You can also schedule your posts, commits, etc to go out at
| some fixed hours each day.
| sundarurfriend wrote:
| You can, but a lot of these pattern analyses work out
| because people get sloppy and overconfident over time, and
| don't use these measures even if their lives are on the
| line.
| aaron695 wrote:
| Police raids in long sieges happen ~ 3:30-4:30am
|
| People have wacky schedules but it's about when you never
| work
|
| You could do an analysis on HN comments.
|
| It's very hard to fake, you'd have to schedule on all
| channels. For instance don't look at all of a user's HN
| comments, just ones posted less than an hour after it was on
| the front page.
|
| I always set the time zone on my PC to a fake one. It causes
| havoc sometimes and it's not even close to enough. It's hard
| once someone is after you.
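The hour-of-day analysis gregw2 and aaron695 describe, together with the fixed-alarm versus random-time question brookst raised further up the thread, worked through as an added example (not code from the article or from anyone in the thread). It assumes the analyst has only post timestamps, keeps only replies made within an hour of their parent so that scheduled posts drop out, and assumes the longest nightly gap is sleep starting around 23:00 local; every timestamp below is constructed, and the UTC+9 and UTC-5 personas are made up for the demonstration.

```python
"""Activity-hour analysis: find a poster's quiet window and the UTC offset it
implies.  Example code; all posts below are constructed, not real accounts."""
from datetime import datetime, timedelta, timezone


def responsive_posts(reply_pairs, max_delay_s=3600):
    """Keep replies posted within max_delay_s of their parent: the author was
    demonstrably awake, so a scheduler cannot have produced them."""
    return [ts for ts, parent in reply_pairs
            if 0 <= (ts - parent).total_seconds() <= max_delay_s]


def hour_histogram(timestamps):
    """Posts per UTC hour of day, index 0..23."""
    counts = [0] * 24
    for ts in timestamps:
        counts[ts.astimezone(timezone.utc).hour] += 1
    return counts


def longest_quiet_window(counts, threshold=0):
    """(start_hour_utc, length) of the longest circular run of hours with at
    most `threshold` posts.  Length 0 means no hour is ever quiet."""
    best = (0, 0)
    for start in range(24):
        if counts[start] > threshold:
            continue
        length = 0
        while length < 24 and counts[(start + length) % 24] <= threshold:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def infer_offset(timestamps, sleep_start_local=23, min_quiet=6, max_quiet=16):
    """UTC offset in hours (-12..+12) implied by the quiet window, assuming the
    poster goes quiet at sleep_start_local.  None when the histogram does not
    look like a lived daily schedule."""
    start, length = longest_quiet_window(hour_histogram(timestamps))
    if length < min_quiet:
        return None      # no nightly gap: erratic sleeper, or deliberately spread posting
    if length > max_quiet:
        return None      # active only a few hours a day: a scheduler/alarm, not a time zone
    offset = (sleep_start_local - start) % 24
    return offset - 24 if offset > 12 else offset


# --- constructed scenarios -------------------------------------------------
KST = timezone(timedelta(hours=9))
EST = timezone(timedelta(hours=-5))
# Awake 08:00-22:00 local for two weeks, one post per hour.
KOREA_POSTS = [datetime(2024, 11, d, h, 30, tzinfo=KST) for d in range(1, 15) for h in range(8, 23)]
US_POSTS = [datetime(2024, 11, d, h, 30, tzinfo=EST) for d in range(1, 15) for h in range(8, 23)]
# A 03:00 UTC alarm every day, meant to suggest a distant time zone.
ALARM_POSTS = [datetime(2024, 11, d, 3, 5, tzinfo=timezone.utc) for d in range(1, 31)]
# Posting times spread over the whole clock (a 7-hour stride stands in for an RNG).
SPREAD_POSTS = [datetime(2024, 11, 1, tzinfo=timezone.utc) + timedelta(hours=7 * i) for i in range(100)]
# (reply time, parent time): only the first and third prove the author was awake.
_t0 = datetime(2024, 11, 1, 10, 0, tzinfo=timezone.utc)
REPLY_PAIRS = [(_t0 + timedelta(minutes=12), _t0),
               (_t0 + timedelta(hours=9), _t0 + timedelta(hours=1)),
               (_t0 + timedelta(hours=5, minutes=40), _t0 + timedelta(hours=5))]


if __name__ == "__main__":
    for name, posts in [("UTC+9 persona", KOREA_POSTS), ("UTC-5 persona", US_POSTS),
                        ("3am alarm", ALARM_POSTS), ("spread", SPREAD_POSTS)]:
        print(name, longest_quiet_window(hour_histogram(posts)), infer_offset(posts))
    print("responsive replies:", len(responsive_posts(REPLY_PAIRS)))
```

The UTC+9 persona leaves a nine-hour hole at 14-22 UTC, which under the 23:00 assumption resolves to an offset of +9; the UTC-5 one resolves to -5. The 03:00 alarm poster has a single active hour and 23 quiet ones, which does not read as a time zone at all but as a scheduler, which is brookst's point that the choice of a fixed fake time is itself information. The spread poster has no quiet hour, the "no information" outcome. t-3's objection survives intact: someone with a genuinely erratic sleep pattern smears the histogram and the heuristic returns None, so the technique is only as good as the assumption that the target keeps any schedule.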
| duxup wrote:
| >'BUTTHOLIO'
|
| These guys always seem to have the most stereotypical or corny
| hacker handles. Is that expected / desirable in that community?
| taspeotis wrote:
| I believe the hacker known as 4chan once explained they choose
| their handles "for the lulz"
| Apocryphon wrote:
| Legion of Doom / Masters of Deception would like a word.
| tedunangst wrote:
| Phiber Optik just doesn't have the same haha you said
| peepee vibe.
| Apocryphon wrote:
| I do think it's funny how that might be a character revealing
| moment, suggesting the hacker is Gen X or at least elder
| millennial age.
| A4ET8a8uTh0 wrote:
| I did toy with the idea of trying to do analysis of HN aliases
| and keywords. It never went anywhere, because I forgot about
| it, but a longer weekend is coming:D But yeah, language
| betrays, who we are in references alone.
| gopher_space wrote:
| There's no way you could determine how old a person is or
| what technologies they enjoyed way back in college solely
| from a username.
| willvarfar wrote:
| Are you just trying to goad them into showing they can?
| :D
| kasey_junk wrote:
| -gopher- space made the comment you are replying to.
| oefrha wrote:
| Have fun analyzing the alias I pulled from /dev/urandom!
| imp0cat wrote:
| Knows of the existence of /dev/urandom, must be old! ;)
| aaronbrethorst wrote:
| _corny_
|
| I see what you did there.
| heromal wrote:
| Yes
| juunpp wrote:
| The real question is: who calls their company "Snowflake"? It's
| just crying to get stomped on.
| Der_Einzige wrote:
| Snowflake did the biggest epic fail of the ZIRP era. They
| bought streamlit (a python GUI front end for ML demos) for
| 800 MILLION dollars.
|
| https://techcrunch.com/2022/03/02/snowflake-acquires-
| streaml...
|
| Huggingface bought its biggest competitor, Gradio (still used
| more than Streamlit) for an "undisclosed" amount of money a
| year or so before hand. I'd wager HF paid on the orders of
| 1-5 million.
| bagels wrote:
| That is amazing! What a coup. I thought streamlit was
| pretty cool, but surely it wasn't $800m cool.
| rawgabbit wrote:
| Salesforce purchased Mulesoft for $6.5 billion. Mulesoft
| was so successful they decided to buy a different ETL tool
| Informatica. But the deal fell through. Mulesoft has about
| 1500 clients vs 9500 clients for Informatica.
| rajamaka wrote:
| Comparing a disclosed sale price to an unknown theoretical
| sale price is a bit unfair though. Maybe it was 801
| million.
| Der_Einzige wrote:
| No way, HF didn't have anywhere near that kind of money
| when they acquired Gradio. I think they did it back in
| 2020 or 2019. I know for a fact it was a tiny sum.
| wodenokoto wrote:
| I doubt Gradio is used more than streamlit. And so does
| Google [1]
|
| I know that's not exact, but if more people used Gradio,
| you'd expect at least a somewhat similar number of people
| searching for it online. Gradio is not even in the same
| ballpark as Streamlit here.
|
| [1] https://trends.google.com/trends/explore?date=now%201-d
| &q=%2...
| Der_Einzige wrote:
| I don't know what to say except that the overwhelming
| majority of HF spaces are made as Gradio demos and that
| gradio's whole design makes it far easier to do async
| things unrelated to reloading the webpage - which is a
| huge thing for ML/AI demos.
|
| I don't claim you're wrong, but I claim that gradio is
| far more effectively profitable to know than streamlit is
| - i.e. Gradio demos are used far more for a top AI paper
| demo (i.e. NeurIPS system demos) than Streamlit is.
| mulmen wrote:
| Snowflake is a type of multidimensional schema. It's a
| normalized star schema. Both named for the appearance of
| their entity relationship diagrams.
| chatmasta wrote:
| Snowflake schema is _obviously_ the etymology, but the
| official story is that the founders "really like skiing."
| It's always aggravated me. I just assume the CEO told them
| to go with that instead.
| internet101010 wrote:
| Give them a break. They need tp.
| ethbr1 wrote:
| Why would they need tp?
| mikeyouse wrote:
| The bungholio name is a reference to the Beavis and Butt-head
| name where they'd say, "I am cornholio, I need TP for my
| bunghole". You _really_ had to be there.
|
| https://m.youtube.com/watch?v=LHv2dIM3t9I
| ethbr1 wrote:
| Oh, I was there. heeheeBUNGholeheehee
| BeFlatXIII wrote:
| The unregistered HyperCam 2 banner ties the whole
| compilation together.
| red-iron-pine wrote:
| tth_tth
|
| edit: okay fine I'll bite -- because of chicken piccata
| ChumpGPT wrote:
| Seems like the guy has been fucking around for a while. No wonder
| none of our allies want to share intelligence or plans with us.
| The US Military is a liability when it comes to keeping shit
| secret, they leak like a sieve. They need to get a handle on this
| shit, who knows what this guy has given to the Russians or
| Chinese.
| 6510 wrote:
| "pay-to-play"
| excalibur wrote:
| > Immediately after Kiberphant0m logged on to the Dstat channel,
| another user wrote "hi buttholio," to which Kiberphant0m replied
| with an affirmative greeting "wsg," or "what's good."
|
| It's kind of unfortunate for him that he didn't do a better job
| of referencing Beavis and Butthead. If his username was
| "Cornholio" or even "Bungholio", it could read as someone
| directly referencing the show and potentially unrelated to the
| other account, making his deniability a bit more plausible.
| boomskats wrote:
| A true opsec troll is saving those references for the final
| standoff, for when they start really threatening him.
| red-iron-pine wrote:
| yeah that's 3 or 4 layers in. until then convince them you're
| Iranian and Chinese first
| fnord77 wrote:
| Being a high-stakes criminal is too difficult. One slip-up and
| you're compromised. There's a million opportunities for slip ups
| and there's a million opportunities for investigators to get
| lucky.
| alwayslikethis wrote:
| True, but you only hear about the ones who slipped up. I wonder
| what is the actual proportion of criminals being caught due to
| poor opsec.
| brookst wrote:
| To turn it around: what percentage of people are capable of
| perfect opsec forever?
| flextheruler wrote:
| For internet crimes? Almost none in perpetuity. I'd think
| you'd need to go off the grid totally for a few years and
| come back without any reference to a prior life. For
| physical crime, my gut says quite a few people have avoided
| identification for decades until they were essentially
| caught by turning themselves in. Ted Kaczynski comes to
| mind, but there must be a few others.
|
| Perfect OPSEC to me, means near total isolation from
| socialization. Not something most people are capable of.
|
| If you're a professional criminal of any kind you weigh the
| risks knowing that perfection is impossible. The government
| is a business with a monopoly on violence. The goal is to
| keep their ROI for catching you as low as possible. Every
| single man hour spent finding you is costing money and
| there's a man upstairs who wants to see some results that
| reflect the money spent.
|
| Once you understand that premise, it's easy to understand
| the why and how criminals are caught. The ones who are
| caught are always the ones who don't know when to fold.
| Always the ones not to cash in and retire.
|
| The ones who get away with it, they fold they retire and
| society forgets about them and the ROI drops precipitously
| on catching them. Research statistics on cold cases.
| ethbr1 wrote:
| There's a line at the beginning of Ocean's 11 to the effect
| of "the house always wins in the long run... unless you bet
| it all on a great hand, win, and then walk away."
| mxuribe wrote:
| > ...and then walk away.
|
| I think that's the key right there! ;-)
| juunpp wrote:
| I guess we'll soon find out how well the NSA normalizes its
| databases. Bring on that schema, folks.
| teractiveodular wrote:
| > _"Type 'kiberphant0m' on google with the quotes," Buttholio
| told another user. "I'll wait. Go ahead. Over 50 articles. 15+
| telecoms breached. I got the IMSI number to every single person
| that's ever registered in Verizon, Tmobile, ATNT and Verifone."_
|
| SBF levels of self-pwning right there. When, not if, they catch
| him, the Feds are going to hang this clown out to dry.
| tgsovlerkhgsel wrote:
| I'd rather see them hang out to dry the 15+ telecoms who gave
| away "the IMSI number to every single person that's ever
| registered in..." because doing so was cheaper than investing
| in security.
| atoav wrote:
| The only data you can't leak is the data you don't have.
|
| Therefore some data should either not be stored at all or
| deleted after it served its purpose.
| dfedbeef wrote:
| Probably hard for a telecom company to not keep IMSI ->
| account association somewhere
| mschuster91 wrote:
| Yeah, _in separate databases on separate systems_. The
| network plane of a phone provider should only be able to
| access a database mapping IMSI - > account ID, and the
| billing/customer service department should only be able
| to access a database mapping account ID -> actual account
| data.
|
| Unfortunately, anything involving phones is based on
| literally _decades_ of stuff that was made in a time
| where every participant in the network was trusted by
| default, and bringing up the legacy compatibility stuff
| to modern standards is all but impossible.
| kube-system wrote:
| > decades
|
| ss7 was developed almost a half-century ago, wasn't it?
| red-iron-pine wrote:
| randomized IDs and linked lists, which correspond to
| entries in DBs elsewhere.
|
| IMEI 123456789 has ID sjkadnasf8uywjerhsdu, and then in
| the hyper locked down Mongo instance used by billing
| knows that sjkadnasf8uywjerhsdu relates to John Smith,
| credit card number xxxx xxxx xxxx xxxx
|
| make it so you have to crack all of em, instead of just
| nailing one and walking out w/ all the crown jewels
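The split that mschuster91 and red-iron-pine sketch, worked through as an added example (this is not code from the article, from any telecom, or from anyone in the thread). Two in-memory dicts stand in for two separately administered databases: the network plane holds only IMSI to opaque token, billing holds only token to customer record, and the token is random rather than derived from the IMSI. Every subscriber is constructed, using the 001/01 test-network MCC/MNC range, and the `keyed_pseudonym` helper is an assumption about how one would do it if a re-computable identifier were required.

```python
"""Partition IMSI -> person across two stores joined only by a random token,
so that a dump of either store alone is not 'the IMSI of everyone who ever
registered'.  Example code; stores are dicts, subscribers are constructed."""
import hashlib
import hmac
import secrets


class NetworkPlane:
    """What the core network needs: is this IMSI provisioned, and under which
    opaque token.  No names, addresses or payment data live here."""

    def __init__(self):
        self._token_by_imsi = {}

    def provision(self, imsi, token):
        self._token_by_imsi[imsi] = token

    def token_for(self, imsi):
        return self._token_by_imsi.get(imsi)

    def dump(self):
        """Everything an attacker gets from a full breach of this store."""
        return dict(self._token_by_imsi)


class BillingStore:
    """Customer records keyed by token only.  It refuses to store an IMSI, so
    a breach here cannot be joined to the network side on its own."""

    def __init__(self):
        self._record_by_token = {}

    def create(self, token, record):
        if "imsi" in record:
            raise ValueError("IMSI must not be stored next to customer data")
        self._record_by_token[token] = dict(record)

    def get(self, token):
        return self._record_by_token.get(token)

    def dump(self):
        return dict(self._record_by_token)


def new_token():
    """128 random bits from the OS CSPRNG.  Deliberately not hash(imsi): an
    IMSI is 15 digits with a known MCC/MNC prefix, so an unkeyed hash could be
    reversed by enumerating the subscriber-number range."""
    return secrets.token_urlsafe(16)


def keyed_pseudonym(imsi, key):
    """Assumed alternative when a re-computable identifier is required: an
    HMAC whose key lives in a third place (HSM/KMS), so neither store's dump
    lets an attacker brute-force IMSIs through the pseudonym."""
    return hmac.new(key, imsi.encode(), hashlib.sha256).hexdigest()


def enroll(network, billing, imsi, record):
    """Create the subscriber in both stores; the token is the only shared value."""
    token = new_token()
    network.provision(imsi, token)
    billing.create(token, record)
    return token


def deanonymised(network_dump, billing_dump):
    """What an attacker holding these dumps can reconstruct, IMSI -> record.
    Empty unless they breached both stores."""
    return {imsi: billing_dump[tok]
            for imsi, tok in network_dump.items() if tok in billing_dump}


if __name__ == "__main__":
    net, bill = NetworkPlane(), BillingStore()
    enroll(net, bill, "001010000000001", {"name": "Test Subscriber", "card_last4": "4242"})
    print("network dump alone:", deanonymised(net.dump(), {}))
    print("billing dump alone:", deanonymised({}, bill.dump()))
    print("both dumps:", deanonymised(net.dump(), bill.dump()))
```

The check that matters in review is the last one: `deanonymised` is non-empty only with both dumps, which is what "make it so you have to crack all of them" means in practice. It does not help if the same service account can read both stores, or if a join is exposed through an internal API; the partition is only as strong as the access control between the two sides.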
| nkrisc wrote:
| Why not both?
| benreesman wrote:
| Anthropic levels of getting seed funding from SBF and ending up
| a power unto themselves.
| markus_zhang wrote:
| My two cents:
|
| - The "hacker" (I'm reluctant to use this term) seems to be too
| high profile for some reasons;
|
| - We should discard Telegram
| shdh wrote:
| What does "discarding" Telegram mean?
| markus_zhang wrote:
| We should not use Telegram -- sort of. I wonder whether
| Signal is better.
| xvector wrote:
| Signal is absolutely better. Telegram is e2ee in name only
| autoexec wrote:
| Not recommending Telegram, but personally, I suspect that
| signal is compromised. They've been permanently storing
| sensitive user data in the cloud for a long time
| (https://community.signalusers.org/t/proper-secure-value-
| secu...) but the very first sentence of their Terms and
| Privacy page still claims "Signal is designed to never
| collect or store any sensitive information." and they've
| been asked multiple times but refuse to update their
| privacy policy. I suspect that lie is being kept there as
| a giant dead canary.
|
| Making the change to start keeping exactly the data that
| the government has been asking them to turn over isn't a
| very good look. "Securing" users' data with something as
| weak as a PIN isn't great either.
| https://www.vice.com/en/article/pkyzek/signal-new-pin-
| featur... Note that the "solution" of disabling pins
| mentioned at the end of the article was later shown to
| not prevent the collection and storage of sensitive user
| data. It was just giving users a false sense of security.
| To this day there is no way to opt out of the data
| collection.
| xvector wrote:
| Oh wow. Yeah. This changes my opinion on Signal.
|
| Why the fuck did they make such terrible insecure
| defaults for backups? IMO they should not even be doing
| backups at all by default, what the fuck.
| wffurr wrote:
| Not sure Signal would have made a difference for this
| criminal. All the data on them I saw in the article was
| likely captured by someone in the channel / group message.
|
| It's just plain poor opsec, but I kind of expect that from
| someone with poor enough judgement to be a criminal.
| 71bw wrote:
| >We should not use Telegram
|
| But why? There is no better platform for private and small
| chats.
| JTyQZSnP3cQGa8B wrote:
| Telegram is not E2E encrypted by default, and even if it
| changed, I wouldn't trust them. It's not private.
| assanineass wrote:
| They already arrested them right?
| sans_souse wrote:
| No they arrested two others.
| IAmGraydon wrote:
| This seems like it would be rather easy for the government to
| narrow down. Check the logs of who applied for an NSA job on or
| around the date the screenshot was posted and cross reference any
| that are/were located in South Korea. I would think that would
| produce a rather short list that a bit more investigation would
| crack.
|
| The guy seems arrogant, and arrogant = sloppy. He'll get caught.
| readyplayernull wrote:
| He knows he's about to get caught, which is why he hurried to
| knock on the NSA's door. They might let him in after all.
| lukan wrote:
| But probably after they arrested him, to help with
| negotiations.
|
| And to pop that bubble of false confidence.
|
| The way he acted would be a big red flag for me if I were
| to hire him. Maybe skillful, but careless. And that is not
| acceptable in that line of work. (Neither is it in the
| military)
| ilaksh wrote:
| You might be able to get a rough shoe size and height/weight
| range from that photo.
| lph wrote:
| I wonder how unique those floor tile patterns are? If that's
| taken on a military base in Korea, it might be possible to find
| the exact location of the photo.
| hn_user82179 wrote:
| what a great article, I loved seeing the links that Krebs
| (?)/Unit 221B (?) dug up and all the info they managed to
| connect. It felt like I was reading a detective story. It sounds
| like this guy is doomed, the NSA application date alone basically
| identifies him
| Tepix wrote:
| If you have enough data, I wonder how much of this digging can
| be automated these days with good LLM prompts. Doing it
| manually is very time-consuming.
| jamestimmins wrote:
| I think this whenever I read a modern detective novel
| (Bosch). So much of their work seems to be looking up data
| from different databases and trying to make connections or
| recognize patterns.
|
| I assume the FBI or whomever has automated this to some
| degree already, and I really hope someone does a great
| writeup of how LLMs/agents can do even more.
| CharlieDigital wrote:
| The real work doesn't happen in the LLM.
|
| Having worked with LLMs over the past year+ trying to get
| them to do useful things in various contexts, the real work
| is typically pretty boring data acquisition (e.g. scraping) +
| ETL and then making that data available to the LLM.
| polyvisual wrote:
| 221B is 221B Baker Street, where Sherlock Holmes lived.
| benreesman wrote:
| Jesus. Let's tick another box on our late capitalism bingo card:
| our soldiers are so desperate for cash and so cynical around
| institutions that they've started doing mercenary crime.
|
| I can't be the only person who has read of such situations
| throughout history.
| kortilla wrote:
| What does this have to do with late capitalism? This has
| happened all throughout history and you just said you read
| about it yourself
| benreesman wrote:
| The root of all failure at the level of the society is the
| fungibility of inherited wealth into political power, which
| rapidly gets deployed to impoverish everyone else including
| soldiers, and on its way it tramples institutions once
| revered.
| laborcontract wrote:
| they could have just had an alcoholic parent.
| benreesman wrote:
| I'm a pretty easy going guy in general but others might
| take offense.
| causal wrote:
| > The root of all failure at the level of the society is
| ...
|
| Or maybe the real root is our tendency to fixate on
| simplistic reductions.
| Simon_ORourke wrote:
| Doesn't that just mean they won't ever be subject to prosecution
| by the International Criminal Court?
| paganel wrote:
| This Krebs guy is a doxxer through and through, I wouldn't take
| anything that he writes down as being serious. If he thinks he
| knows something and he has palpable proof for it then he should
| contact the relevant authorities.
| richbell wrote:
| > This Krebs guy is a doxxer through and through, I wouldn't
| take anything that he writes down as being serious.
|
| Can you explain your definition of "doxxing" and why you
| believe that means nothing he writes is serious?
| paganel wrote:
| > Can you explain your definition of "doxxing"
|
| Revealing people's names and addresses and implying that they
| have done something illegal, while the person doing that
| (this Krebs guy) does not represent the Law/the relevant
| authorities. See the Boston bombings debacle on this very
| website.
|
| > why you believe that means nothing he writes is serious?
|
| See the Boston bombings debacle on this very website.
| richbell wrote:
| > See the Boston bombings debacle on this very website.
|
| I'm familiar. I don't see the relevance considering that
| the linked article does not reveal anyone's names or
| addresses.
| paganel wrote:
| He did that in the past.
| richbell wrote:
| Falsely?
| mtlynch wrote:
| I'm overall a fan of Krebs' work, but he has done some
| questionable things to reveal people's identities that feel
| more like immature spite, sometimes outside the context of
| any crime he's accusing the person of committing:
|
| https://itwire.com/business-it-
| news/security/86867-infosec-r...
| richbell wrote:
| Thanks for sharing context. That definitely reflects poorly
| on him and hurts his credibility.
|
| When I read "an investigative journalist is publishing
| information alleging criminal activity" my reaction was "so
| what?" What you linked is not that.
| Bengalilol wrote:
| I don't get how such people could be as verbose as shown in this
| quite precise article. And I'm not even getting into the idea
| that he could be a US soldier ...
| red-iron-pine wrote:
| he's not. it's gear you can order online or get at any local
| surplus store. I'm not even in the US and a quick look shows
| it's trivial to get.
|
| it's another layer of obfuscation. strippers telling you their
| name is April (but then whispering to you that their real name
| is Stefani)... but their real name is actually Angela, and it's
| just another deflection to keep off the stalkers.
|
| same idea with IT OPSEC
| cedws wrote:
| It's a good thing that independent cybercriminals like this are
| so arrogant that they make the most basic opsec mistakes and
| expose themselves.
| victorbjorklund wrote:
| It is always really bad opsec that gets them. Always.
| 0xDEAFBEAD wrote:
| I noticed he seems to have posted a photo of his camouflage
| uniform? Pretty sure those are unique to every soldier...
| bityard wrote:
| No, they are a very standard pattern.
| andrewflnr wrote:
| Maybe GP was thinking about lining up specific pattern
| features with e.g. pockets and seams to identify a particular
| uniform.
| 0xDEAFBEAD wrote:
| Can you show me an image where 2 soldiers, both wearing
| fatigues, have an identical camouflage pattern? Every image I
| find on Google Images has a distinct pattern per soldier.
| therealfiona wrote:
| It isn't a per-soldier thing. It's just pieces of fabric
| that are all cut differently. They aren't out there making
| sure one person has a specific pattern that matches every
| single one of their uniforms, and doesn't match someone
| else's.
|
| I get the line of thinking, and I tend to agree that if
| they really wanted to, they could figure out a way to match
| the pattern of a uniform to the person if the person had
| published a picture of themselves wearing the article on
| something like Facebook.
|
| But that's a big if. When I was in the military, I think I
| posted like one picture of me in camo and the resolution
| was so low that you probably didn't have enough detail to
| come to any conclusions.
| 0xDEAFBEAD wrote:
| The US has about 24K soldiers in Korea. That's not _that_
| many. Presumably they stand at attention every so often
| anyways. So photograph them all standing at attention and
| match the camo.
| gosub100 wrote:
| The floor tiles (particularly the edges) might be able to
| locate which building he was in which could further narrow it
| down
| mft_ wrote:
| They'd better hope Rainbolt doesn't take on the challenge...
| nonameiguess wrote:
| They aren't issued to you. You just buy them at the post
| exchange. You can buy one pair or 30. You can buy new ones
| every three years or every three weeks. The Army has no
| database mapping every specific pants pattern ever sold to a
| particular buyer, let alone a particular wearer, as junior
| enlisted who aren't married live in shared barracks and are
| perfectly able to share clothing if they wear the same size.
| bityard wrote:
| Some serious testicular fortitude in that guy.
|
| If a civilian gets caught doing something illegal, they are
| entitled to a fair trial with a jury of their peers. If a
| military member gets caught doing the same thing, the court
| martial is a mere formality, they just more or less go straight
| to jail for a very long time.
| brcmthrowaway wrote:
| Wait, you give up civil rights to be in the military? Is this
| outlined to people when they sign up?
| LeftHandPath wrote:
| Yes. See the Uniform Code of Military Justice (UCMJ):
| https://en.wikipedia.org/wiki/Uniform_Code_of_Military_Justi...
| throwup238 wrote:
| Yes it's made very clear in the enlistment contract (the
| military equivalent of an employment agreement) that they're
| waiving certain rights and submitting themselves to military
| jurisdiction for offenses covered under the UCMJ.
|
| This topic has been litigated a lot in front of SCOTUS like
| with Standard Form 86 (where one waives the right to free
| speech for security clearance) so there's certain language
| they have to contain to be valid.
| gzer0 wrote:
| Wow, TIL that if you're _drafted_ (and forced to serve
| against your will), the government can subject you to
| military law (UCMJ), which limits many of your rights, like
| the right to a civilian trial by jury.
|
| Courts have upheld this because Congress has the power to
| regulate the military, but it still feels like a huge shift
| in rights for someone forced to serve.
|
| It feels... intuitively unjust that the government could
| compel service and then subject individuals to a system that
| limits their constitutional rights.
| pas wrote:
| seems very logical considering the last centuries. nation
| state needs military, military needs people to STFU and do
| what needs to be done.
|
| and unfair, considering that rich people always found ways
| to dodge the draft or serve in armchair positions, but
| taking this into account it's just even more obvious that
| special interests did what they usually do.
___________________________________________________________________
(page generated 2024-11-27 23:01 UTC)