Remember when I covered the not-amazing Twitter hack last month and I suggested that maybe whoever did it just really sucked at crime? Because who would blow up that absolute gold mine of access and information so fast and in the light of day. Yep, that.
So the OPSEC Dumbass Of The Year award goes to... Florida Man. I mean, Florida Boy. Hop on the boat: we're touring Dipshit Island.
When Twitter's "hack" happened, Thought Leader Infosec Twitter went nuclear with rumors of nation-state attacks. Brian Krebs got so hard he doxed the wrong guy. (Again.) But one shared truth across the board was that those Bitcoin transactions were going to be traced. I mean, only Senators and extremely dull / probably drunk children still believe that Bitcoin is anonymous. Also? Everyone knows Coinbase is a snitch. [...]
Anyway, let's step back for perspective. In a cascading series of unfuckingbelievable lifelong OPSEC fails, busted Twitter "hacker" Graham Ivan Clark started out as a petty Minecraft scammer whose debut in the major crimes department -- an amateur SIM-swap for Bitcoin theft -- got him busted right out of the gate last year.
Upon getting caught and having the Secret Service seize 100 of his Bitcoins, Clark interpreted it as a sign he should immediately:
- Deck out his Tampa apartment with overpriced gaming gear, drive a white BMW 3 Series around Florida, and flaunt crap like designer sneakers and a gem-encrusted Rolex on Instagram; plus
- Two weeks later, start criming on Twitter employees.
Truly Clark is a prize pony when it comes to being the ringleader of any "sophisticated" hack attack. It speaks volumes about his accomplices' risk-assessment skillset. But it also meant that every goddamn time the New York Times called Clark a "mastermind" (along with other outlets that pay reporters upward of NYT's six-figure salaries) I was caught in an endless loop of spit takes that soaked my laptop in coffee and my entire apartment in vodka sodas.
Anyway, I'm sure by the end of the year Graham Ivan Clark will be making seven figures advising Zoom on security.
I know there are no Moriartys, but come on, isn't there some mid-level mobster out there who understands how leverage works?
PS: Where's the pee tape.
Weird as the media coverage of the perps is, surely Twitter's OPSEC deserves to be ridiculed first and most.
It's just impossible to believe that they aren't fully compromised by every state actor from China and Russia all the way down through Liechtenstein.
I'm waiting for the Principality of Sealand to make their move.
Yeah, what absolutely kills me is that the coverage seems to be mostly about how this kid is some kind of supervillain hacking terrorist and "no ordinary 17-year-old boy", when really, if your National Security Critical Infrastructure is run by a company whose security process is so bad it eventually falls over when enough random dipshits blow at it hard enough, maybe you have some major issues you need to address.
Security is apparently expensive. At first I didn't really understand what that means; after all, a Yubico Security Key is a similar price to a fancy coffee in San Francisco. But then I realised this is like when safety is expensive. Any price is too high, any steps needed will be recast as insurmountable obstacles. Twitter doesn't want to do security, and it has learned it's important to have an excuse for that rather than just saying, "Fuck you, we don't care".
One thing we can do about "security is expensive" is make it free at point of use, which is what was done about certificates in the Web PKI. Some people who actually were somehow blocked by how "expensive" it is will enthusiastically embrace the opportunity to do it now, and at least those who were just looking for an excuse will need a new excuse. So I'm somewhat hopeful that a bunch of systems that currently rely on hoping underpaid staff are magically immune to phishing will get WebAuthn because it has a cool Apple demo in iOS 14 and "require staff to own a current iPhone"† magically isn't expensive whereas "Buy staff a $10 Security Key" is just too much to ask.
† Or a Pixel, or dozens of cheaper devices, but obviously the Apple demo doesn't show anybody using non-Apple products and I won't be surprised if company policies likewise ignore this fact.
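To show why the WebAuthn and "$10 Security Key" the commenter above is talking about actually resist phishing, here is an added example written for this page; it is not the commenter's code and not taken from any WebAuthn library. It models the three parties of a WebAuthn login ceremony in the standard library: a security key holding one credential scoped to a relying-party ID, the browser that assembles clientDataJSON (origin, challenge, type) and refuses an rpId that does not match the page origin, and the server that checks origin, challenge, rpIdHash, signature counter and signature in the order the spec lists them. The host names twitter.example and twitter-login.example, the fixed challenge in main (a real server issues a fresh random one per login), and the simplified "rpId must equal the origin host" rule (the spec allows any registrable suffix) are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Assumed names for the demo; neither host is a real deployment.
const rpID, rpOrigin = "twitter.example", "https://twitter.example"

// clientData is assembled by the browser, not by page script, so a phishing
// page cannot claim an origin it does not control.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authData = rpIdHash(32) || flags(1) || signCount(4); sig = ECDSA P-256 over
// SHA-256(authData || SHA-256(clientDataJSON)), the WebAuthn signing input.
type assertion struct{ authData, clientDataJSON, sig []byte }
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// authenticator models a security key holding one credential scoped to an rpId;
// relyingParty keeps the public key registered at enrolment and the last counter.
type authenticator struct{ credRPID string; key *ecdsa.PrivateKey; signCount uint32 }
type relyingParty struct{ pub *ecdsa.PublicKey; lastCount uint32 }

// enrol models registration: a fresh key pair scoped to credRPID, public half kept by the RP.
func enrol(credRPID string) (*authenticator, *relyingParty) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{credRPID: credRPID, key: key}, &relyingParty{pub: &key.PublicKey}
}

// getAssertion models browser plus key: the browser only honours an rpId matching the
// page origin (assumed simplification), and the key only signs for its credential's rpId.
func (a *authenticator) getAssertion(origin, requestedRPID, challenge string) (*assertion, error) {
	if origin != "https://"+requestedRPID {
		return nil, fmt.Errorf("browser: rpId %q not valid for origin %s", requestedRPID, origin)
	}
	if requestedRPID != a.credRPID {
		return nil, fmt.Errorf("authenticator: no credential for rpId %q", requestedRPID)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	a.signCount++
	rpIDHash := sha256.Sum256([]byte(requestedRPID))
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = 0x01 // flags: user present (touch)
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(authData, cd))
	return &assertion{authData, cd, sig}, err
}

// verify condenses the server-side assertion checks from the WebAuthn spec.
func (rp *relyingParty) verify(as *assertion, issued string) error {
	var cd clientData
	if err := json.Unmarshal(as.clientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != issued:
		return fmt.Errorf("challenge mismatch (replay?)")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	case len(as.authData) < 37 || string(as.authData[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash is not SHA-256(%q)", rpID)
	case binary.BigEndian.Uint32(as.authData[33:]) <= rp.lastCount:
		return fmt.Errorf("signature counter did not increase (cloned key?)")
	case !ecdsa.VerifyASN1(rp.pub, signedDigest(as.authData, as.clientDataJSON), as.sig):
		return fmt.Errorf("bad signature")
	}
	rp.lastCount = binary.BigEndian.Uint32(as.authData[33:])
	return nil
}
func main() {
	auth, rp := enrol(rpID)
	for _, o := range []string{rpOrigin, "https://twitter-login.example"} { // second is a phishing page
		as, err := auth.getAssertion(o, rpID, "c0ffee") // a real RP issues a fresh random challenge
		if err == nil {
			err = rp.verify(as, "c0ffee")
		}
		fmt.Println(o, "->", err)
	}
}
```

The point the demo makes is that a relayed challenge never turns into a usable login: the phishing page either asks for the real rpId and the browser refuses (origin mismatch), or asks for its own rpId and the key has no credential for it. Even if an attacker could obtain a signed assertion for their own origin, the server rejects it on the origin field before looking at the signature, and a captured assertion cannot be replayed because the challenge is single-use and the signature counter must increase. A password or SMS code has none of those properties, which is the whole difference between "staff who are magically immune to phishing" and staff with a $10 key.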