Brian Krebs Investigates Internet's Most Vicious Hackers–From a Secret Location(wsj.com)
wsj.com
Brian Krebs Investigates Internet's Most Vicious Hackers–From a Secret Location
https://www.wsj.com/tech/cybersecurity/hacking-brian-krebs-snowflake-waifu-49b87fce
49 comments
gift link: https://www.wsj.com/tech/cybersecurity/hacking-brian-krebs-s...
Thank you! That was a good, smooth thread. Well worth five minutes.
Archive / paywall: <https://archive.is/CpeKQ>
I archived the archive.is link on megalodon.jp so people don't need to go through cloudflare and don't need javascript
https://megalodon.jp/ref/2024-1208-1618-52/https://archive.i...
(You might have to zoom using ctrl and + and arrow keys to get the view size right. You might also need to remove some overlaping html elements but hey no javascript ;)))
https://megalodon.jp/ref/2024-1208-1618-52/https://archive.i...
(You might have to zoom using ctrl and + and arrow keys to get the view size right. You might also need to remove some overlaping html elements but hey no javascript ;)))
This link seems to redirect until failure for me.
Thanks. HN stance of paywalled article is really annoying, since it means opening unreadable articles quite often.
Brian Krebs is great. Back in 2018, I discovered a flaw in a website enabling anyone to track any US cellphone’s location without consent, and I contacted US-CERT and Krebs to break the news (https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...). After checking the locations of several numbers he provided, I remember discussing his need for location privacy - and his shock when he found it was so easy to break. His opsec might be very strict, but when every cellular carrier is eager to sell off your location data, that level of security is absolutely justified.
> but when every cellular carrier is eager to sell off your location data, that level of security is absolutely justified.
Before everyone gets scared: this is mostly a US thing.
Before everyone gets scared: this is mostly a US thing.
> [...] any US cellphone’s location [...] I contacted US-CERT and Krebs [an American] to break the news
I know we all like to score free points by dunking on the US, but I'm pretty sure everyone understood that "this is mostly a US thing" already.
I know we all like to score free points by dunking on the US, but I'm pretty sure everyone understood that "this is mostly a US thing" already.
I'll be honest, I just assumed it was everywhere. Is this also true of Canada?
No, he’s not. He’s threatened to dox people who leave bad reviews on his books; he should not be promoted or praised. It’s purely an ego thing.
It saddens me to see his links posted to aggregators. Most people only know his carefully cultivated image.
It saddens me to see his links posted to aggregators. Most people only know his carefully cultivated image.
According to the WSJ article, he makes his living from advertising on his website. That's perfectly legitimate, but whether he did it or not, he has every incentive to embellish things.
Got any sources to back that up? First I've ever heard about this.
I did a quick internet search and found
https://itwire.com/business-it-news/security/krebs-accused-o...
And while not doxxing, I think it's relevant: https://en.wikipedia.org/wiki/Brian_Krebs#Allegations_of_def...
And while not doxxing, I think it's relevant: https://en.wikipedia.org/wiki/Brian_Krebs#Allegations_of_def...
[deleted]
I worked with a guy a few years ago, a React dev, who would do this in serious meetings. A bunch of us would find it pretty amusing. It was like that scene from Supertroopers. His Slack avatar was also Nyan Cat.
>One hint some of the accounts belonged to Waifu: He liked to use animated cats as avatars. Other aliases included Meowist, Catist and Scarlet the Meow Cat, according to court filings. “He would say meow all the time. I don’t really know what that’s about,” Krebs said.
I don't think it was Waifu. This was in Austalia after all.
>One hint some of the accounts belonged to Waifu: He liked to use animated cats as avatars. Other aliases included Meowist, Catist and Scarlet the Meow Cat, according to court filings. “He would say meow all the time. I don’t really know what that’s about,” Krebs said.
I don't think it was Waifu. This was in Austalia after all.
These hackers and scammers take so much risk for little $. The crypto doubling scam on youtube and twitter earns far more and no arrests. One stream made 1 million of BTC in a week with it...deepfake elon video or something like that. AFIK these crypto scams never lead to arrest or investigation. The mistake these hackers make is breaking into corporations. That always leads to an investigation. Crypto streamers target users, not the actual corporation.
The wheels of justice turn slowly. And scamming so publicly is just begging to be caught eventually.
It's not about the money?
It’s immoral to let a sucker keep his money.
Can't put a price on the lulz
One thing that really surprises me is the average age of these criminals. Where from and how do they get the knowledge to break in these places being so young?
> Where from and how do they get the knowledge to break in these places being so young?
There's a reason they're doing that and someone like Theo de Raadt is bringing us OpenSSH (and OpenBSD).
In computer security defending is much harder than attacking. It's not even comparable seen how gigantic the gap is.
(dark side) Hacking is easy (and, yes, I did it when I was late teenager/early twenty-ager). Protecting stuff is the hard part.
There's a reason they're doing that and someone like Theo de Raadt is bringing us OpenSSH (and OpenBSD).
In computer security defending is much harder than attacking. It's not even comparable seen how gigantic the gap is.
(dark side) Hacking is easy (and, yes, I did it when I was late teenager/early twenty-ager). Protecting stuff is the hard part.
People actually good at offensive security (not just script kiddies) are paid much higher salaries than people on the defensive side.
Defense isn't actually that difficult. 99% is keeping your software updated and configured correctly with industry standards.
Most employees at larger companies are lazy and don't want to take the extra time to make something secure.
Defense isn't actually that difficult. 99% is keeping your software updated and configured correctly with industry standards.
Most employees at larger companies are lazy and don't want to take the extra time to make something secure.
For every script kiddie there is a box-ticker of a security professional.
The actually talented are few and far between.
The actually talented are few and far between.
Yes, the attacker only has to find one weak point, but the defender must find and fix all weak points.
Discord groups and telegram groups are the main places these days? No different than previous generations hanging out on IRC or before that BBSes. It is how I got my start in coding at a young age.
You underestimate what kids are capable of.
Computers are particularly easy for that age group to learn about, all you really need is internet access to read articles or possibly (pirated) ebooks, and your own computer to experiment on. A lot of kids have both.
Other industries aren't like that, some require expensive and uncommon equipment (biology, chemistry, now AI), some are a lot more dangerous (electronics, DIY), some require interactions with other people to practice (law, medicine, foreign languages), and nobody treats kids seriously enough to interact with them in that way, some have legal restrictions (medicine, driving cars) etc.
It also helps that, to a clueless parent, a kid learning to code is indistinguishable from a kid using their computer to play games, and plenty of kids do that.
Society doesn't let kids get a real programming job, even if they're perfectly capable of doing so, so hacking is often the next best thing. The fact that it's "cool" and that you can do it to impress your peers doesn't help either.
Incidentally, this is also why kids are such good drug dealers.
Computers are particularly easy for that age group to learn about, all you really need is internet access to read articles or possibly (pirated) ebooks, and your own computer to experiment on. A lot of kids have both.
Other industries aren't like that, some require expensive and uncommon equipment (biology, chemistry, now AI), some are a lot more dangerous (electronics, DIY), some require interactions with other people to practice (law, medicine, foreign languages), and nobody treats kids seriously enough to interact with them in that way, some have legal restrictions (medicine, driving cars) etc.
It also helps that, to a clueless parent, a kid learning to code is indistinguishable from a kid using their computer to play games, and plenty of kids do that.
Society doesn't let kids get a real programming job, even if they're perfectly capable of doing so, so hacking is often the next best thing. The fact that it's "cool" and that you can do it to impress your peers doesn't help either.
Incidentally, this is also why kids are such good drug dealers.
It's not just a matter of skill. Kids also have a lot less impulse control, and less to lose (from their perspective anyway). So it's more likely that they'll endeavor to do crazy, dangerous, and illegal things than a far more capable adult in that area would.
Adults launder their crime through kids — the same as any gang.
Or to be topical, Lulzsec and Sabu.
Or to be topical, Lulzsec and Sabu.
This is a good podcast on the topic
https://risky.biz/BTN103/
Kids start hacking into gaming accounts...and then one person figures out how to do SIM swapping..and it escalates from there
https://risky.biz/BTN103/
Kids start hacking into gaming accounts...and then one person figures out how to do SIM swapping..and it escalates from there
What's the average age? The perpetrator described in the article is in his mid-20s.
Potentially unpopular opinion here, but one explanation for how youngsters are able to this stuff is that it’s not actually that hard to do these sorts of attacks.
It’s hard to do these attacks and get away with it, but actually many of these kids do not get away with it, at least if they are based in Western nations that actually try to stop it. But investigations move slowly and so there is a time gap where it looks like they did.
In other words I think the explanation is as much “young men overestimate their abilities” as it is talent for doing this type of work. Specifically their ability to get away with it.
It’s hard to do these attacks and get away with it, but actually many of these kids do not get away with it, at least if they are based in Western nations that actually try to stop it. But investigations move slowly and so there is a time gap where it looks like they did.
In other words I think the explanation is as much “young men overestimate their abilities” as it is talent for doing this type of work. Specifically their ability to get away with it.
I was thinking not only about what you said but maybe it's just kids that have access to exploits/tools/techniques but not a very deep knowledge to put all these things just by themselves... Sort of script kiddies on batteries, but is just a guess/opinion of my own and could be wrong.
With the level of opsec described, I'd honestly be surprised if his legal name was Brian Krebs
I think the opsec measures started after his identity was already known.
He certainly could change it, or has.
Random aside: after reading this article I for one am grateful to know that the site is called Krebs On Security; my mushed up brain has thought since forever that it was in fact Krebson Security.
That’s funny. I suppose the logo probably added to the confusion.
I wonder if the elections and Russia encouraged those people to commit crime.
I really hate cyber security, you would need to pay me a lot of money to work in this field.
I really hate cyber security, you would need to pay me a lot of money to work in this field.
>I really hate cyber security, you would need to pay me a lot of money to work in this field.
that phrasing is odd. "cyber security" is a good thing, no?
that phrasing is odd. "cyber security" is a good thing, no?
Well, it's a very well paying field so...
These criminals aren't very bright. It doesn't take much effort to be a ghost online.
They may also have numerous executive function impairments. Such things tend to be orthogonal to IQ.
We probably never read about the competent criminals. Or we do because they framed a "state actor".
They may also have numerous executive function impairments. Such things tend to be orthogonal to IQ.
We probably never read about the competent criminals. Or we do because they framed a "state actor".
Probably easier than you think to slip up, but arrogance and loose lips definitely don’t help.
I reckon some investigators use stylometry to deanon people.
I reckon some investigators use stylometry to deanon people.
[deleted]
But did they play chess?
No.
> That September morning, Krebs didn’t take up Waifu’s chess challenge. “What am I going to do, play him at chess?” he said. “He would have just screenshot what I said and send it to his friends.”
> That September morning, Krebs didn’t take up Waifu’s chess challenge. “What am I going to do, play him at chess?” he said. “He would have just screenshot what I said and send it to his friends.”