Additional comments here,
https://news.ycombinator.com/item?id=42251799 ("Hacker in Snowflake extortions may be a U.S. soldier (krebsonsecurity.com)"; 34 days ago, 195 comments)
Funny looking back on all the comments about how it was potentially a false flag.
Which comments are you looking at? By a brief scan, the vast majority of comments, including practically all the top-voted ones, are calling out his "opsec troll" as a deflection strategy, which appears to have been confirmed now. Even if there are some that bought his story, your comment does not seem like an adequate reflection of the general tone of that thread.
>your comment does not seem like an adequate reflection of the general tone of that thread.
I don't think they were trying to capture the "general tone" but a pervasive idea that kept coming up in the comments. When I saw the headline, the first thing I thought about was this thread and "all the comments" talking about 3D chess false flag moves. Not the majority, not the overall sentiment, but just a significant number of eye rolling comments.
Yeah, like this comment confidently stating that he's not a US soldier and the fatigues aren't military-issue...
It's not like military-issue fatigues would even be hard to come by. People's conspiracy theory gotchas always seem awkward / unlikely at best.
> It's not like military-issue fatigues would even be hard to come by.
That is exactly the point the linked comment makes. It is in agreement with you on that. Fatigues like the one on the image he shared are easy to come by. This is what the comment says and this is what you say.
> People's conspiracy theory gotchas
There is no conspiracy theory in the linked comment. It just says that they believe the perpatrator is not really in the military just pretending to be. That is hardly a conspiracy theory.
False flag theories always seem so much more complicated than necessary / actually would seem to introduce MORE risk of being uncovered because of the complexity.
“Law Enforcement wants to put you in jail for a very long time”
The CFAA[1][2] is an arcane and ancient piece of legislation that could use an overhaul, especially with some of the vague language it contains. A person would definitely want to make sure they are authorized prior to touching a computer or even data that may not have authorization for.
Unauthorized use of a computer is the easiest felony to commit accidentally it would seem. Although in this case I don’t think that’s a legitimate argument to be made. This person or persons knew they were committing crimes.
I’m not defending the hacker either, the quote at the end of the article rings true.
[1] https://www.justice.gov/jm/jm-9-48000-computer-fraud
[2] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
> The CFAA[1][2] is an arcane and ancient piece of legislation that could use an overhaul, especially with some of the vague language it contains.
I imagine that this is the reason why the charge is "unlawful transfer of confidential phone records", which is something much more specific.
From PACER, it's also stated that he filled out the CJA23 financial affidavit to demonstrate his inability to afford a lawyer (it's quite something to get caught like this and not even manage to earn enough to pay for a lawyer).
Additionally, "the defendant waives the rights provided by Rule 5 and/or Rule 32.1 of the Federal Rules of Criminal Procedure" means that he is choosing to streamline the initial procedures and is waiving supervised release or probation, suggesting that the prosecution's case is strong and that he is opting for an expedited process.
One fun thing is personal recording isn't a protected right in the military and has to be stated if you're recording in an office for personal reasons. (official recording is usually stated as a usage agreement), or literally put on the device as a sticker.
He's also a low level enlisted so its not surprising he was unable to afford a lawyer.
In Illinois it is specifically a criminal act to violate the terms of service of a web site under the Computer Tampering law:
(720 ILCS 5/17-51) (was 720 ILCS 5/16D-3) Sec. 17-51. Computer tampering.
https://www.ilga.gov/legislation/ilcs/ilcs4.asp?DocName=0720...
(it starts as a misdemeanor, but rises to a felony if you do it multiple times)
Archaic? Yes, but its typically pretty easy to prove if its not required within their job to use. Unauthorized use is basically the "did anyone say you could or couldn't do this" in written/signed form. Basically accidental breaking of it has to fail the intent and purpose reason most of the time.
Telegram users spinning up their own honeypots and blindly trusting a client/server message encryption system is never not a great idea for new grass root criminal enterprises.
I find that some folks who know just a little about security are some of the worst at it. Their ability to confidently make terrible choices and inexplicably expose themselves to more risk than some rando citizen is amazing. It's like their strong enthusiasm / personal beliefs drive them head long into inexplicable choices and now their eggs are all in one insecure basket and they put a lot of foolish things there.
In contrast a more nervous / unknowing person might think "oh man I better not talk about this anywhere, I don't know who could be listening".
It's like that classic bell curve troll meme - "oh man I better not talk about this anywhere, I don't know who could be listening" is a correct instinct, especially in a western country. Doing anything on the web, whether it be crimes and ecommerce, is absolutely not anonymous. They re-use handles or emails that have personally identifying information, they don't use clean workstations, they brag (dumbest opsec thing ever, giving away information for absolutely no reason than your big ego), they taunt law enforcement. Osama bin Laden basically vanished off the face of the planet when much of the world's most powerful intelligence and militaries were hunting him, and he wasn't hiding in a cave, but he was not connected to the internet in any way whatsoever and communicated via courier, which still got got. The only reason you are anonymous or think you are anonymous is because no one powerful or determined enough has gone looking yet. This is a fact I am convinced of, and I am much more fearful of successful obfuscation tactics and red herrings left on purpose rather than a 20 year old kid engaging in a fantasy that he's so l33t he'll never get caught.
The other thing I'd say to any aspiring criminals out there is it's usually much less stressful and still profitable to get gainful employment if you are actually a talented hacker. Most of these guys seem like script kiddies, that do not understand the ramifications of what they are doing. Some of these breaches will be felt and cleaned up for decades, all so they could get a laugh and a few shekels and their e-peens stroked by other criminals.
>especially in a western country
I'm not really convinced this is a distinction that matters.
To me it does, in terms of data privacy and isolation if your goal is to remain undetected by anyone you wish not to be - it's the wild west, even if you believe the GDPR has been effective. Even if you do believe it's just as bad in the rest of the world, we're heading into some sort of crisis when sufficiently powerful computing becomes commercially available (if it isn't already somewhere in a lab) and all the data these countries have been hoovering up and storing for who knows how long becomes decrypted, I would much rather be living in other parts of the world in terms of my privacy if/when that day comes.
Are you under the impression things are somehow better in e.g. Saudi Arabia or Russia or China? Maybe if the qualification was "developed countries", because developing ones might not have the budget, but "the west" is just wrong.
I'm not sure I understand.
I guess I was saying that I don't see "especially" the west as far as privacy goes.
By grass root you mean not state sponsored? Agreed it’s not a good idea using Telegram as a server, people forget bots have chat history you can replay too
So what was his opsec mistake so that we can learn something from this case?
He committed the oldest opsec mistake of all - bragging about what he did.
"He who would keep a secret must keep secret that he has a secret to keep" - Sir Humphrey Appleby but I think he was paraphrasing Goethe
That said, opsec is (to all practical intents and purposes) impossible in the long run in the face of a very determined adversary. If they want to find you, you will have done something to give someone a lead and there will be enough pieces to put the picture together.
"He that would keep a secret must keep it secret,
that he hath the secret to keep."
Who said that?
It was Sir Humphrey.
- Who said it originally?
- Francis Bacon, wasn't it?
Best show ever
Still perfectly relevant today as well.
The only way you can tell it wasn't made today is that nobody has a laptop or phone.
Human nature never changes
I read an OpSec manual around the time of GamerGate. One truly basic thing: never do anything to link two accounts together. Never mention it, never promote it. I doubt many people know who I am on reddit but I 100% know that anyone sufficiently inclined could identify me.
Next: obviously avoid biographical details. People can compile a lot of information about you online.
Quite a while ago somebody shared some post analysis tool that would try to pair up the accounts of multi-account users. Used some cosine distance magic IIRC. Anyway, can’t remember the link, but it seemed to impress folks (I have only one account so wasn’t able to test it myself).
I wouldn’t be surprised if anybody you wanted to do opsec against had a much better version of that tool…
I do sort of wonder where that sort of stuff will go. In one hand, we’re all mostly just shitposting anyway so we don’t really need privacy. On the other, I dunno, we all enjoy being able to explore ideas pseudonymously, right? I wonder if we’ll all end up having to pass our arguments into LLMs to get any sort of pseudonymity in the future.
https://news.ycombinator.com/item?id=33755016 (offline now, though).
if your profiles are not filled with random made up data that is never the same across accounts, you're doing it wrong :)
As a former president of the United States, I’m inclined to agree but the random made up data needs to be subtle enough not to warrant suspicion.
I totally concur, Mr President. Now I must steal back my spaceship from the Russian embassy before moon fall tomorrow night or I won't get my deposit back!
I wonder if that really works / throws anything off?
Every time we see someone caught it is one very solid and clear link that triggers the rest of pieces to fall into place. It almost never seems like it's a bunch of minor bits making up the whole.
Profiles with random data stand out and get extra attention. What’s the same between your accounts? Random data.
A person in Alaska is fishing. A person in China is sleeping.
Those two people are the same person.
How does that work?
It doesn't
The main takeaway for me is the following. Everything you post online will end up in a public archive. That includes everything you post to supposedly private or semi-private venues, like Telegram channels. Everything you posted when you were a dumb kid will be there too, however long ago that was. So, if you’re gonna be a cybercrminal, make absolutely sure that you start with a clean slate. No one can know the connections to your past, because even if you’re careful, other idiots can let slip (like using your old moniker to address you) at any time. And don’t post fucking photos, ever.
Hilarious case in point
https://www.cbsnews.com/news/carl-stewart-drug-dealer-identi...
Remember when the NYT published a high-res, straight-on photo of the TSA luggage master key? Good times.
It's not like you can't find them on Amazon for cheap. There's also more than one master key it's a whole set. That said, when the lock picking lawyer bought a bunch of TSA locks, they all used master key #7 I think.
Eh. Wasn’t a big deal honestly.
It takes little effort to reproduce the key by disassembling the lock to get access to the plug.
I assume the original was a lot higher resolution, else that stinks of parallel reconstruction.
The article also mentioned the whole platform he was using was cracked by police. They might have been able to get the metadata but not want to explain that to others still using that platform.
The BBC made a good podcast about the busting of Enchrochat.
https://www.bbc.co.uk/programmes/m001v9ds
Possibly/probably only available to UK IP addresses.
Here's a direct podcast URL you can add via your favorite podcast app:
I think most audio-only BBC programmes are available globally, even if they sometimes have ads inserted into them which aren't present if you're in the UK.
Plays fine in France.
The ads under that article are about as funny as the article itself. Lots of hilariously bad AI generated images and stuff
You don't run an adblocker?
Clearly they don’t.
Maybe his comment is an opsec deflection strategy.
I don't buy that they got his fingerprints and palm prints from that photo.
Why not? Seems like a pretty clear shot of three of his fingers and a good partial print of his thumb. I assume the original was higher resolution than the version in the article.
The CCC made a point a couple years ago by publishing finger prints of high ranking German government officials extracted from photos
I think they went even further and 3d printed their thumbprint and unlocked their phone with it, if I remember correctly.
Just change your thumbprint after a leak, no problem.
A dedicated criminal wouldn’t have fingerprints.
Fingerprint tech is ridiculously advanced. I saw a documentary where they lifted a print off a pillow case decades later.
I did fingerprints from a digital photo in 2012 maybe earlier. Old mate was holding up drugs to be photographed. Bit of contrast, blew it up, sent it to fingerprint bureau and what would you know, we had those prints on file. Not the crime of the century and not absolute proof, but a damn good start for a case from a simple post on socials. More useful than most intel/hearsay that ends up in crimestoppers or similar channels.
No longer a friend?
"Old mate" is an Australian/NZ colloquial term for someone who you either don't know or don't want to name.
This reminds me of things that I've read about intelligence agencies increasingly finding it impossible to give agents fake identities for cover; everyone now has just left too much of a trail of data behind them. And if you find or create someone with no such trail, that stands out as being suspicious.
As an aside, this is a paradox that has fascinated me for a while. Potentially any step that we take to be more private or anonymous makes us stand out more, thus easier to track and re-identify, because we end up in a smaller crowd (i.e. anonymity set).
I would imagine they just buy old accounts on black hat sites and reuse them? Or use leaked login credentials for abandoned accounts.
And don't brag about your crimes after the fact online, or anywhere else either.
Boasting is required in his line of work, that's how they build street rep, sell their products/services, and recruit people. (Contrast this to spycraft where the acceptable amount of boasting is zero.)
What did him in was boasting from a non-clean slate identity among other things. He needed strict separation between big time jobs which require an absolute clean slate because all the attention will be there, small time jobs that are likely numerous and sloppier but no one will bother to investigate, and pleasure. He didn't have that.
Remember kids, only break one law at a time. And once you're done, shut the hell up!!
I'm worried this new "level up" of communication and record keeping technology at a time when fundamental ideological differences between groups in the western world are causing problems is going to result in a repeat of 1500s europe.
That's not enough. Even the best people and teams, can make mistakes and they do so all the time.
That is exactly how the Silk Road guy was finally identified and caught.
I once read a detailed account of how he was caught. It seemed like the kind of clues that you could only connect post-hoc.
It seemed like parallel construction [1] to me. Considering that the NSA is known to give the DEA "tips" [2], and has a division specifically to start parallel construction investigations [3], and this was a high profile drug case, it would be odd that they didn't use parallel construction techniques.
[1] https://en.wikipedia.org/wiki/Parallel_construction
[2] https://arstechnica.com/tech-policy/2013/08/us-drug-agency-g...
[3] https://www.reuters.com/article/world/exclusive-u-s-directs-...
I read the book about it, and it was actually an IRS agent who found a super old forum post where the guy announced he had created the Silk Road using a username that was easily linked to his real name.
The IRS guy figured it out and nobody would act on it because they all figured the FBI would know better and they should wait for the FBI to do it right. ... but actually he nailed it.
But how are they to be tied together? If you don't use the same name, or talk about very specific or correlateable things, then it's hard for me to imagine how you're tying my old IRC chats to my facebooks groups to my Telegram conspiracies. As far as I'm aware the really useful metadata is rarely available since only the site operator had that and most likely deleted it or threw it in a drawer.
You might want to give the prior Krebs post on this guy a read - https://krebsonsecurity.com/2024/11/hacker-in-snowflake-exto...
It shows how small bits of information from several sources are used to tie this guy's aliases together.
Thanks, that's exactly what I was looking for.
The previous Krebs article [1] on this walks through the opsec mistake(s) but it always comes down to email address re-use and nickname/ handle re-usage. As more data breaches happen the likelihood of an opsec mistake increases. Once a handle is burned it’s best to never re-use it again… ever. Even if it’s been a decade.
Also, the reuse of email or any form of contact information on a service/ web hosting or DNS registration is another common opsec oopsie
[1] https://krebsonsecurity.com/2024/11/hacker-in-snowflake-exto...
He expressed negative sentiments about South Korea and showed he accessed a particular website at a given time.
Don’t post anything on the internet if you wish to remain anonymous. Don’t express opinions about anything.
We’ve had a few different posts on HN demonstrating that it is trivial to link aliases based on writing style. To avoid this you’d have to pipe everything you write through an LLM. And then you have another potential data point.
I will consciously alter the way in which I write wordz on le intranetz to make it more difficult to single me out as a Vietnamese female. I’m guessing not everyone puts this much thought into making words for posterity :-)
I already have this filter applied to HN.
See e.g. https://idiomreplacex.de/ (German language)
It used to be a fun lab prank to set text filters on browsers of unattended laptops, like swapping all gendered words. A colleague spent a week in an alternate universe before he realized something was amiss when he read a movie review for "The Lady of the Rings".
I will say that, because this is so trivial, I wish there was at least a way to delete ones profile here.
It wouldn't imply deleting the content too, the username could just be `[deleted]` or `ghost` or something.
> I wish there was at least a way to delete ones profile here.
Not that will help much, because all 1013 of your comments[1] are likely archived in at multiple indexes: search engines, hn.algolia.com, the internet archive and half a dozen AI project by HNers
1. https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
From the FAQ link at the bottom of the page: https://news.ycombinator.com/newsfaq.html#:~:text=Can%20I%20...
Yeah, deleting comments doesn't work because of the threaded nature of conversations here. Deleting the user, though... you might suggest this to dang (hn@ycombinator.com).
If you click through the FAQ link, there's a link to a comment from dang that says they'll reassign comments to throwaway accounts on request, or even change your distance to something random, which will in effect delete your account, but keep all your comments attributable to a single "anonymous" entity.
I think allowing for account deletion line reddit does (with all comments attributed to "[deleted]") is bad for following a conversation after the fact. I'm fine with HN's policy here and think they've struck a decent balance. I think this should be a case of "if you're not ok with this, don't post on HN".
Reddit has threads and allows deleting comments. It's quite annoying when reading historical [deleted]
Yeah spammers and non serious trolls use that method a lot, it's a bummer.
[dead]
> We’ve had a few different posts on HN demonstrating that it is trivial to link aliases based on writing style.
Do you have a link? I wasn't able to find it...
Someone created a tool two years ago that does this, https://stylometry.net but it appears to be offline. The creator at the time said:
This site lets you put in a username and get the users with the most similar writing style to that user. It confirmed several users who I suspected were alts and after informally asking around has identified abandoned accounts of people I know from many years ago. I made this site mostly to show how easy this is and how it can erode online privacy. If some guy with a little bit of Python, and $8 to rent a decent dedicated server for a day can make this, imagine what a company with millions of dollars and a couple dozen PhD linguists could do.
https://news.ycombinator.com/item?id=33755016
It's also possible to eyeball similar writing styles, although not at scale. That's how "Fake Steve Jobs" was uncovered in 2007:
Last year, his agent showed the manuscript to several book publishers and told them the anonymous author was a published novelist and writer for a major business magazine. The New York Times found Mr. Lyons by looking for writers who fit those two criteria, and then by comparing the writing of “Fake Steve” to a blog Mr. Lyons writes in his own name, called Floating Point
https://www.nytimes.com/2007/08/06/technology/06steve.html#:....
In spite of every programmer at work following the same styling guidelines and programming patterns, I can quite easily identify the author of a pull request by reading their code alone. The commenter's claim seems plausible to me.
I might actually have an easier time identifying authors by commit messages/patterns rather than their content since the styling guidelines are mostly handled by linters.
This sounds like an advice for living in a crazy authoritarian country, not in the West.
It's astonishing how people are supposed to have freedom of speech and freedom from being spied on, since they live in the West and not in a Stasi controlled state, but they are given an advice not to talk too much, or the Big Brother is going to get them.
You can say whatever you want as a citizen, the advice is for criminals to avoid identification.
That freedom may disappear in the future. And you won’t be able to delete your trails then.
Well Big Brother is going to get you if you're a criminal. This advice was for cybercriminals who don't want to get caught, not some random person disagreeing with the government on the internet.
I do think there is some danger in writing anything publicly. Our next government could decide to jail you based on something you said. Society could decide that some widely held opinion you once had is now forbidden. Anything you write could be used by nuts to dox you and expose you to harm.
You might as well say there is some danger to going outside because any random person could just stab you in the street. There is some danger to eating because anything you eat may have been poisoned. Yes, theoretically, everything but the laws of physics are arbitrary, anything is possible, and everything is dangerous. But this isn't an insightful or interesting observation to make.
In a vacuum you might be right, but come next month the serial stabbers and food-poisoners will be in charge of the executive branch of the US government. So it’s correct to be concerned about it, if you live there.
That was advice for a criminal who wants to avoid getting caught, not what you are talking about.
Just follow the advice of The Wire and don't take notes on your criminal conspiracy, much less post them to the internet.
I have watched a Defcon tall about a drug dealer and his opsec was already pretty good (fake name and address, yagi for wifi, etc.) but he still got caught because of one of the guys he used to launder Bitcoin was caught.
So I think the point is not to get into the bullseye of the state.
it we're thinking of the same one it's this:
https://www.youtube.com/watch?v=01oeaBb85Xc
DEF CON 30 - Sam Bent - Tor - Darknet Opsec By a Veteran Darknet Vendor
Yep that's him!
I can't help but recall a NYC robbery around 20-30 years ago where the perps took photos of each other with a Polaroid camera they found at the scene and left the Polaroids behind.
> So what was his opsec mistake so that we can learn something from this case?
From the article:
"Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals"
> On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea
Read the article, There is a link in that sentence.
Loose lips, sink ships. Based on the articles he brags too much.
So this person, “kiberphant0m”, was just a middleman to sell the data? At best, he is a skid and low level foot soldier.
Government using this to send a loud message to future skiddies - “don’t fuck with us”
“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”
I think law enforcement types are just built differently. Fearless even when threats are being made against them.
"Allison Nixon has three passions, tracking down bad guys, growing tomatoes, and making puns." - https://www.unit221b.com/leadership
i think i could have guessed 2 and 3 at a glace. if Allison speaks like this all the time she needs her own tv show
Curious: What happens to a military service member who does this? Punished within the military and then booted out (and with what kind of discharge?) Or booted out first (with what kind of discharge?) and then punished in the regular civilian system? Or possibly even retained in the military?
They are generally under the jurisdiction of the Uniform Code of Military Justice. So usually punished and sentenced within the military and eventually separated with a bad conduct or other-than-honorable discharge. Dishonorable discharge is exceedingly rare.
If he was on base, probably UCMJ.
If the crimes were committed entirely off base against non military victims, then probably civilian court, followed by additional UCMJ punishments and discharge.
I had a roommate who got drunk and assaulted a cop (it went very badly for him). He remained in the military for his surgery and court time while confined to quarters, reduction to e-1, and forfeiture of pay. He had a civilian trial and was convicted and served 90 days. Then came back to be discharged. Oddly, I don't even know what discharge he received -- he was my roommate when he went out that night, and wasn't after that.
This is a serious NatSec/intelligence issue though… not punching a cop?
My mention was that civilian prosecution is absolutely possible. Legal from both sides will work together on this. Given a guilty plea, both jurisdictions may agree for that to occur in one location or another. You'll see this a lot with DUI cases where it will be handled under UCMJ because it can be wrapped up in a week (with a plea).
> leaking sensitive customer call records stolen earlier this year from AT&T and Verizon
It says he was arrested for "two criminal counts of unlawful transfer of confidential phone records". This would seem to refer to "selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon". No mention of arrest for the NSA hacking claims.
Not much info in the article about lots of things which could impact this.
First, it's in South Korea -- on base or off?
Personal computer or government furnished equipment?
What are the treaties in place for South Korea with regard to this?
What is the location of the victims' data for this?
Big things which could make this a UCMJ case would be (in my completely non-professional guess): He did it from somewhere on base. The victims were other military personnel. He used government equipment to do this. The US wants to assert jurisdiction according to a treaty.
All of this said, with the NSA issue hanging over it, there may be efforts to use the more easily proved crime to negotiate everything they can learn about the NSA claims.
tl;dnr - they can choose the jurisdiction. One side may assert priority and win (probably the feds).
The only thing I'm certain of is that every enlisted member will be brought in for a safety brief.
> are generally under the jurisdiction of the Uniform Code of Military Justice
Which, notably, are Article II powers. Your usual Constitutional rights are abridged or suspended.
The UCMJ is enacted under Congressional powers, therefore not an Executive power. Meaning it’s power flows from Article I. Further, it does not somehow supersede the Supremacy Clause of Article VI, meaning it must still operate within the framework of the Constitution.
The USMJ limits some rights but also expands others. For example, a “jury of your peers” can more accurately reflect the accused, you receive Miranda rights earlier, you can request summary judgment for criminal matters, etc. On the flip side, free speech is more constrained due to the societal need for an impartial military, and this has been upheld by the Supreme Court on multiple occasions.
Probably sent here: https://en.m.wikipedia.org/wiki/United_States_Disciplinary_B... (Leavenworth)
Depends on length, if he's convicted for greater than I think 90 days, he'll be there, less it'll be base confinement usually to his dorms/barracks. They will likely just do a quick boot and access removal since it sounds like he was just a middleman. and a BCD discharge at worst, or other-than-honorable discharge.
It’s called a court martial.
Courts martial, its weirdly plural since its a title/noun of something specific.
It's a court martial, since the use was singular.
If this dink were Chinese, he'd be called a "state-sponsored hacking group"
Am I the only one who feels that Brian's tendency to include lots of personal details (of suspects and people he doesn't like) in his articles is weird and creepy?
His reporting looks more and more like the Daily Mail of cybersecurity.
Occasionally very good investigative journalism, yet always aggressively devoid of class.
Yes, not sure what it adds to the articles either. The only thing that it ends up doing is making any miss from his end a much more serious thing, because he basically can't get stuff wrong without more or less defaming someone (which has happened in the past)
Could you be more specific about the personal details he's including that you find creepy? Are they things a major newspaper would include? That's Krebs' background.
Pretty much everything. From his name, to his mother name and birthplace, photos of him as a teen, etc.
Especially for young people the decent thing to do is to not name them in this kind of reporting.
Now not only he, but also is his mother, have to live with this article being the first result when you google either of their names. What did his mother do to deserve this? Should something he (possibly) did as a teen haunt him for the rest of his life, even assuming he is found guilty and served his sentence? It's absolutely disgusting and despicable.
> Are they things a major newspaper would include?
Yes. If they're the Daily Mail, which is the bottom of the barrel. There's a special place in hell for some of those journalists.
The position you're taking here is that "young" suspects in crime reporting should be unnamed? If so, what's an example of a newspaper that respects that norm?
Nearly every news organization in Germany (even for adult suspects and convicts)[1] will rarely publish names, and also many of the more reputable ones in Britain will weigh public interest against privacy as a matter of policy. At least in Scotland it is even illegal to name suspects under 18.
You'll find mention of the issue in many journalistic ethics codes, and many newspaper's policies. For a US example from the SPJ's Code of Ethics[2]:
> Balance the public’s need for information against potential harm or discomfort. Pursuit of the news is not a license for arrogance or undue intrusiveness.
> Show compassion for those who may be affected by news coverage. Use heightened sensitivity when dealing with juveniles, [..]
> Realize that private people have a greater right to control information about themselves than public figures and others who seek power, influence or attention. Weigh the consequences of publishing or broadcasting personal information.
> Avoid pandering to lurid curiosity, even if others do.
> Consider the long-term implications of the extended reach and permanence of publication.
In the UK, for radio and TV, the Ofcom Broadcasting Code contains similar guidelines in less straightforward language.
I think I'm on safe ground saying printing the names of criminal suspects is a longstanding norm in American print journalism.
It’s actually an open discussion in journalism ethics.
Many news organizations won’t name juveniles even in jurisdictions where it is allowed.
Other guides will be based on the nature of the crime.
Most wire services for instance now don’t name suspects for “minor crimes”. Here is the ap announcement on the topic: https://www.ap.org/the-definitive-source/behind-the-news/why...
Note that their argument tends to be around the biasing impact on the persons life. As they are unlikely to follow up on the criminal outcome there won’t be a chance to clear the persons name.
In this case I think Krebs is on solid ground as it’s a) not a minor crime b) he can later follow up.
But it’s certainly not an area that is black & white.
Right, sorry, I was (correctly, right?) assuming this wasn't a minor.
Just to be clear, the minor crimes announcement I linked to wasn’t about crimes by minors, it was about the seriousness of the crime.
I confusingly talked about both. My broader point was that the norm is changing in the us towards not naming suspects. And there are ethics conversations around this in the industry.
But I think krebs is on solid footing for this particular case. He’s well within the norm.
Yes, correctly.
The article reports that the fellow is 20, and that the reporter talked to the fellow's mother. It seems very unlikely that Krebs fucked up and the fellow is actually 17. (He couldn't be any younger than that because he wouldn't have been able to enlist.)
It is. Comparatively it is even very common in most of the Anglosphere, however not for lack of trying by more ethical journalists. If you search for "the juvenile suspect" on google news, you'll get plenty of hits for US newspapers (and occasionally police) applying some consideration.
In the west, English speaking countries are the odd ones out: For example in Germany, Poland, Sweden, the Netherlands, Finland, Switzerland, Austria, and France, identifying suspects (not just juvenile ones) is either uncommon or even forbidden by law.
You’re right. They do generally add a “suspected of committing” or “who appeared to attempt” or some other qualifier.
He’s 20, right?
Likely 18 and 19 when most of this happened, but him barely not being legally considered a minor doesn't make the ethics of this much better.
I guess you're just unaccustomed to America's loooooooooooooooooooongstanding free speech regs.
Many people in more restrictive countries (like Germany and the UK) are pretty shocked by what USians are permitted to say. Similarly, many USians are shocked by what folks in more restrictive countries are NOT permitted to say.
Krebs is an American journalist, living in America, writing for an American publication. The standard to use here is an American one, not any others.
> I guess you're just unaccustomed to America's loooooooooooooooooooongstanding free speech regs.
I'm reasonably certain that I know the extents of what you can and can't legally say in the US better than most people who live there. National differences in these things happens to be one of my areas of interest, but that is besides the point.
I'm viewing this through an ethical lens. Legality doesn't enter into it beyond recognizing that laws that deal with crime are often informed by morality.
chmod775 point is about ethics, not legality. (Though perhaps by "publication standard", you're saying that what's considered ethical is also judged by American standards?)
By "publication standard" I mean "standard" (with a side of "my brain is swiss cheese and repeats or erases words frighteningly frequently").
I'll update the post.
And yeah, when it comes to talking about things being discussed in the Public Square in America, the ethical standard should also be American.
> And yeah, when it comes to talking about things being discussed in the Public Square in America, the ethical standard should also be American.
I strongly take issue with this. The morality of something does not change based on where it occurs. If something is wrong, it is wrong.
We're likely both going to agree that executing gay people is not okay even if it happens in Saudi Arabia.
If you want to defend the practice, you'll have to make a proper argument. It being a local "standard" is not one.
> The morality of something does not change based on where it occurs.
Morals and ethics aren't the same thing. What is considered to be moral varies from person to person and from culture to culture.
Ethics is the study of morality. And while you're correct that people have subjective ideas of morality, it absolutely does not matter for the sake of this conversation. You are detracting.
Just because in some place a practice is considered to be okay (morally, whatever), does not mean it is okay, has to be tolerated without comment, and is beyond criticism by those with differing views.
Just based on the value of fairness and that punishment should be decided in an actual court, not the court of public opinion or handed out by some guy named Brian, it is wrong regardless of where it occurs and I've made my reasoning for that pretty clear in this thread. I stand by that and you are still free to make some actual argument to the contrary. If the argument is just "in this country a lot of people feel it is fine", that's okay, just not very convincing to anyone I would imagine.
> Just because in some place a practice is considered to be okay (morally, whatever), does not mean ... [that it] has to be tolerated without comment...
Sure, I agree. If you were USian, I would defend to the death your right to speak openly and publicly about your concerns. [0]
And just because you feel strongly about your incorrect opinion about a widely-held-to-be-acceptable practice in USian journalism doesn't mean that I have to let that incorrect opinion pass by without comment.
It's a big world, and there are differing opinions on many, many things... morals (and the formation of explanatory systems overtop of the same) included.
[0] Whereas if you're in a more draconian jurisdiction that would prohibit such comments, I'll be publicly miffed about it and express my deep displeasure.
The article claims that this is true, yeah:
> Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m...
The article also claims to have spoken on the record with the accused's mother, so I have no reason to doubt the article's claim about the fellow's age.
Sorry, but what about the shitebag he's reporting about? You think this guy actually deserves a break? If so please explain why?
If it would harm a case against him then that's different. I would hate to harm a case against this turd.
> Am I the only one
Nope, I've heard others mention it before as well. I subscribed to the newsletter at one point and I don't think I've gotten a single useful technical article (which is fair, that's not necessarily his niche), but I have gotten a bunch of emails that just doxx random people.
Perhaps he believes that humiliating criminals and exposing their related actions is a good way to dissuade others from committing such crimes. (We'll never know what he prevented, so it can never be proved.)
> humiliating criminals
More widely, the US "justice" system is wild and much more concerned with vengeance than actual justice. What criminals? We have someone who was indicted. The guy might be completely innocent, but his name will forever be plastered around the internet as a "criminal" to be humiliated.
In other developed countries, there is a presumption of innocence which also applies publicly. You're kept (pseudo) anonymous until sentencing, to make sure no innocent people get labeled as criminals.
> vengeance than actual justice
Retribution (not vengeance) is a legitimate component of justice. Not the only one.
But if there is a singular summary of the last decade’s failed attempts at criminal-justice reform, it’s in ignoring the very human need for retribution in resolving injustice.
> there is a presumption of innocence which also applies publicly
This is never universally applied. Particularly when it comes to crimes of corruption, which this case approaches.
> Retribution (not vengeance) is a legitimate component of justice. ...
> if there is a singular summary of the last decade’s failed attempts at criminal-justice reform, it’s in ignoring the very human need for retribution in resolving injustice
Many people would agree with you, imho, but it's not a truth universally acknowledged. I don't see what good it does: is it more than some good feeling for the injured party? That seems not worth the costs and risks, including promotion of violence (in some form) as a solution to problems, rationalization of personal retribution and vengence (probably few distinguish between those terms), and possible harm to an innocent person (if the wrong person is convicted).
If retribution only benefits the injured party and not the state, and if I'm the injured one and don't want it, can I opt out of it?
I do value deterrence and being made whole, and sometimes those overlap with retribution. And I'll say this about retribution: it could make it possible for the criminal and victim to move forward, including if they know each other. The criminal has paid their debt to the victim and guilt is absolved. Insufficient payment might undermine that.
> it's not a truth universally acknowledged. I don't see what good it does
It keeps people from taking the law into their own hands. We can debate the merits of retribution, but not that it’s a seemingly-innate part of human nature. (It’s an open question if we can condition it out of ourselves. But that’s pretty serious social engineering that, to my knowledge, no society has achieved. We aren’t bonobos.)
> If retribution only benefits the injured party and not the state, and if I'm the injured one and don't want it, can I opt out of it?
Our sense of retribution is more than transactional. There is a perception of collective harm that’s explicit in our system of public prosection—it’s the people versus a criminal, not the victim.
> It keeps people from taking the law into their own hands.
Definitely an upside, though the punishment of trial (and the victim being heard), conviction, repayment, etc. may be sufficient for that.
> We can debate the merits of retribution, but not that it’s a seemingly-innate part of human nature. (It’s an open question if we can condition it out of ourselves. But that’s pretty serious social engineering that, to my knowledge, no society has achieved.
Here I think you overstate it. I believe a large number of people, maybe the majority, do not choose retribution.
'Innate' has become a loaded word, and one used (not necessarily in this case) politically to make the speaker's argument into something inevitable. Stepping back from that:
Lots of things are 'innate'; people focus on the more harsh ones, but so are goodness, a desire for justice, fairness, love, hunger, laziness, sleepiness, etc. And innate drives are not all-powerful or determinative; some are barely noticeable and some powerful, often the same one varying greatly (consider sex drive, for example). And of course our actions depend, very much, on our will and reason and choice.
> This is never universally applied
It is in other countries, is my point. In the US, anyone arrested has their mugshot and name plastered for everyone to see, regardless of merit
> It is in other countries, is my point
Give me one example. Where e.g. a public figure or terrorist suspect is kept under wraps until they’re found guilty.
The Christchurch terrorist in New Zealand. Unlike in the US, his name and mugshot were never plastered around media, and his name is still popularly unknown.
Multiple footballers in the UK who were accused of sexual harassment. People tried guessing who they are, but all police released was "a footballer in his 20s from Manchester is under investigation for sexual harassment/assault/etc".
> Christchurch terrorist in New Zealand. Unlike in the US, his name and mugshot were never plastered around media, and his name is still popularly unknown
Not one example of it being done properly. One country. (I’ll grant New Zealand as a likely candidate.)
How many days have passed since he last doxxed the wrong person by accident?
> tendency to include lots of personal details (of suspects and people he doesn't like) in his articles is weird and creepy?
I think it's weird and creepy when LEO eagerly distribute suspects' personal details (via PR, website, etc). Which they seem to do at every possibility - even if doing so doesn't advance community safety in a demonstrable way.
Journalists, however, have a duty to honor their extra 1A protections by holding the powerful to account. I believe a default position of including identities in a story helps insure that the powerful are known when they behave badly.
It's an imperfect default but I think it's better than every alternative.
I don't see how you're going to catch people like this without doxxing them. They rely on opsec and misdirection to avoid getting caught. Do you have examples where the information was gratuitous?
I'm specifically speaking of what he chooses to include in his articles.
The following isn't really directed at you, but are more general questions for the folks who are throwing around doxxing claims:
When the has-never-been-sealed Federal Grand Jury indictment that the article links to has the fellow's full name and alleged area of operation during the alleged crime, is publishing their full name in your article doxing them?
If it isn't, is providing screenshots of their publicly-available Facebook profile photos doxxing?
Is providing the presumably-willingly-given-for-publication name of the person's mother who you performed an on-the-record interview for the topic of the article doxxing?
Is it doxxing to provide details from previous investigative articles that you've done into folks who use their handles to credibly publicly declare that they've committed noteworthy computer crimes?
Yep. Fuck them.
Agreed:
> The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier
Translation: "People pay attention to me!"
I don't get that at all. I understand this to point to an attempt at scrubbing information that could lead back to him personally -- but done poorly as Krebs pointed out that other personal photos continued to exist on the Facebook account afterwards.
[dead]
[flagged]
[flagged]
Thank god EU is going to take this in consideration next time ChatControl is being proposed.
/s
Thanks flying Spaghetti monster EU is more free than US.
For some reason I find this kind of sad. This kid seems like a Dunning Kruger effect poster boy.
I mean, when I was younger I would have been gleeful about some bragging idiot getting busted but now, *shrug*, everyone just has some "condition".
That bold font needs to die in a fire.
Here's the tragedy: the free world actually needs people with his skills working on their side.
According to the article he attempted to sell data that a different person obtained. He didn't retrieve the data himself, so I'm not so sure that he has any skills we need. He isn't even a good salesman, apparently.
>Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.
No we don’t lol..
That’s like saying we need plumbers and electricians who come into your house and steal everything.
Make no mistake, he will be forced into hacking for the NSA for the rest of his life under threat of child porn offenses.
Sure I’ll make no mistake on this if you can share some evidence
That's not how it works, they don't want people who have broke laws anymore especially due to the prior hacker leaks (Snowden).
what an odd comment
I first heard about this dude many months ago. Why did it take so long to bring him in? He was pretty open about who he is and what he is doing.
The article establishing his identity was only published a month ago[1] and the security expert seems to be impressed with how fast it took to bring him in.
”Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.
[1] https://krebsonsecurity.com/2024/11/hacker-in-snowflake-exto...
By the time kerb published his story this has being going on for a long long while. He was openly bragging about being in army and stationed in SK.
I mean, didn't army or some agency start investigating this before Kerb?
> I mean, didn't army or some agency start investigating this before Kerb?
How do we know that they didn't?
So does anyone know whether he did the full Cornholio impression when they arrested him?
So an army soldier who was clearly part of military intelligence services goes rogue and does some hacking on his own. I've always wondered what it would look like if an NSA-type went rogue. Now we know.
It sounds like he was more of a comm/IT guy, not MI
i don’t think that’s correct, it seems from the article he was mostly involved in reselling the data.
i don’t think we generally deploy our actual good hackers abroad (i’m also not sure how many of them are directly employed by the govt vs contractors)
From the dawn of cyber operations elements within the US military, and continuing today, I think there has been a culture of trying to push them out to the "tactical edge." Basically, senior leaders have always been wary of them becoming totally disjoint from the rest of the force. So I wouldn't assume that they don't deploy abroad.
However, I would be skeptical that the people in uniform are the "actual good hackers." Unfortunately, uniformed career paths (set by law, in many cases, and certainly long tradition) are not conducive to anyone developing any deep, technical expertise. I think we have cyber operators in uniform largely to do the things that legally can't be done by someone who's not in uniform. I think they are backed by a lot of civil servants and contractors (including academics on loan or moonlighting) with the deeper expertise. I think this is true for a lot of the more technical military systems, by the way, not just a cyber thing, e.g. aviation, air defense, nuclear stuff.
Did you forget about Edward Snowden?
The hero who revealed to the American public that their own government was secretly treating them like hostile foreigners and lying about it to our faces? And that everyone who collaborated to build the collection infrastructure violated the oath they swore to uphold the constitution, given that the mere collection itself was ruled unconstitutional by a federal judge?
That's not going rogue, that was the most heroic and patriotic thing anyone in his shoes could possibly do.
I could have told you everything Snowden told you back in 2001. It was no secret that every phone call and every txt along with all your mail was being scanned and archived.
Everything he revealed was already revealed years earlier, it's just no one really cared or was paying attention in 2000-2001.
Snowdon is a traitor and a coward. Where is he living these days?
I don't think he's a traitor, especially if you consider the intent of his disclosures and the care he took to make sure that only the info that needed to be disclosed was. I suppose we can agree to disagree on that topic.
But "cowardice" - that claim is just mind-boggling. What he did, even if you disagree with his motivations, required self sacrifice and bravery. Fleeing (what he believes to be) unjust laws that would punish him for his work is not at all cowardly.
I agree. Snowden's most traitorous act IMHO seems to have been mistakenly assuming that Beijing and the government of Hong Kong could afford to antagonize the national-security establishment in Washington to the extent of letting him reside in Hong Kong.
Where can he live anyways? Every other country will extradite his ass back to US, be real.
In the country he was transiting through en-route to his final destination in South America, before POTUS deliberately and specifically revoked his passport after ensuring Snowden had landed at his layover airport, in order to construct and disseminate the false narrative you're currently regurgitating.
In hindsight, given what happened to Julian Assange, it turns out to have been a very lucky thing for Snowden that the US State Department revoked his passport before he was able to actually arrive in Ecuador.
While the State Department stranding him in Russia means that chronically uniformed folks will forever call the guy names like "Russian plant", at least he's very unlikely to ever be extradited.
Fair point. The US Federal Government certainly hasn't had any moral qualms with shadowy assassination plots, to say nothing of blatantly covering up illegal, geneva-convention-violating murders conducted by US Federal Government employees in Vietnam, Iraq, Afghanistan, Syria, etc.
He did break the law and all, means to an end isn't a good path unfortnately when you have no power. There were options to take to whistle blow the surveillance of citizens and it's illegal under NSA's own policy that they ignored illegally, and there's a technically independent section/organization for leaking these issues to OCA. Though I'm not sure if it was around in Snowden's time, it could literally have been made due to his concerns ironically.
> There were options to take to whistle blow the surveillance of citizens...
You should read Snowden's statements on the official channels he attempted to use, and those he disregarded. You should also go read up on what Daniel Ellsberg thought of Snowden's chances for getting a fair trial after publicly blowing the whistle on the long-running violation of federal domestic spying law. [0]
[0] In the mid-1970's, FedGov treated whistleblowers who released classified information very, very poorly. These days (and back in the mid 2000's), FedGov fucking crucifies such people behind closed doors.
He never attempted to use official channels.
> “As a legal matter, during his time with NSA, Edward Snowden did not use whistleblower procedures under either law or regulation to raise his objections to U.S. intelligence activities, and thus, is not considered a whistleblower under current law.” (p. 18)
https://intelligence.house.gov/news/documentsingle.aspx?Docu...
You should give these docs a skim, I'd be curious what your thoughts are. I used to sympathize with Snowden (and Assange) until I read into what actually went down.
> He never attempted to use official channels.
From [0], which links to a now-paywalled Vanity Fair article:
> The N.S.A. at this point not only knows I raised complaints, but that there is evidence that I made my concerns known to the N.S.A.’s lawyers, because I did some of it through e-mail. I directly challenge the N.S.A. to deny that I contacted N.S.A. oversight and compliance bodies directly via e-mail and that I specifically expressed concerns about their suspect interpretation of the law, and I welcome members of Congress to request a written answer to this question [from the N.S.A.].
IIRC, Federal government contractors received approximately zero real protections under whistleblower law back in 2014.
When Daniel Ellsberg is publicly saying that Snowden did things the right way, and that had Ellsberg leaked the Pentagon Papers in 2014, he would have done it in much the same way Snowden did, you should strongly consider the possibility that the official channels that went disused were ignored for very good reasons.
> I used to sympathize with ...Assange...
If you're talking about Wikileaks, then the objective of Wikileaks was to spread secrets that were verified to be reasonably genuine (and generally harmless to human life if revealed) as far and wide as possible. Wikileaks' mission meant that it just wouldn't be using Federal whistleblower channels for its reporting.
[0] <https://www.techdirt.com/2014/04/08/snowden-says-nsa-is-lyin...>
Why do you take Snowden at his word yet ignore a bipartisan intel committee investigation? Have you even skimmed the docs? I'm disappointed in myself for engaging in these fruitless discussions time and again.
You're expecting Americans to trust members of congress, and not only members of congress, but specifically the ones who specialize in keeping secrets, many of which were secrets that are now known to have violated the constitution, federal law, and international law? For real?
What's the steel-man version of your position here, "members of Congress are generally competent, trustworthy, honest people who rarely lie"?
Are we talking about two different Snowdens and two different governments or something?
Are you a federal government employee or contractor who's economic livelihood depends on towing the party line and white knighting for the NSA, an agency that flagrantly violated federal law to illegally surveil domestic communications between American citizens, an act that was specifically and explicitly forbidden of them from their very inception, and remains that way (legally) today?
Are you trying to sway public opinion such that the perpetrators of this treason will continue to not face criminal prosecution for their crimes against the citizens of this country within their lifetimes?
> Have you even skimmed the docs?
Yup.
Any committee that will leave entirely unpunished being lied to, directly, in person, by the fellow in charge of the biggest agency the committee is supposed to be overseeing isn't worth a damn.
Any committee that won't raise a big public stink about that agency's lawyers lying to the US Supreme Court? Same thing.
It's entirely possible to be both bipartisan and a Congressional committee but still be largely worthless to the public.
> Why do you take Snowden at his word yet ignore a bipartisan intel committee...
Snowden risked his ass (and is currently living in exile) to alert the public about long-running, major violations of Federal law. The most we get out of the absolute best member of that committee is "Man. The American public would be fucking incensed if they heard some of the things that we've been told in our chambers. Someone should really do something about this.".
And yeah, I'm aware that that report was written by a scratch committee assembled in the House and is organizationally unrelated to the permanent Senate intelligence oversight committee on which Wyden and company sit. In a crisis situation, these folks absolutely carry the same water, regardless of where they are on the org chart. One only need look at the retroactive immunity granted to the telcos for their long-standing, obvious violation of Federal law caused by their participation in NSA's then-very-illegal wiretap program to understand that.
Now that I have some coffee in me, I'm reminded that you should go read what was publicly said about Daniel Ellsberg both through official government channels, and just more generally in plausibly-deniable public statements. (Hell, go look at what they did (and threatened to do) to MLK.) [0]
Character assassination is a tool that FedGov does not hesitate to use against people who cause it big trouble. And yes, putting "spin" on facts absolutely is character assassination. Snowden was a poor student. MLK cheated on his wife. So what? These facts have nothing to do with the ills and rot that these folks were exposing and leading us away from.
[0] You should also read up on how the Ellsberg case made it impossible for anyone facing an Espionage Act charge for leaking classified information to argue that their disclosure was justified. This is one big reason why Snowden's departure from the country was a very, very smart move.
I respect Ellsberg because he didn't flee the country.
And Ellsberg very, very loudly and publicly proclaims that Snowden did exactly the right thing by leaving the country... that (unlike Ellsberg) Snowden would have been muzzled, thrown into a deep hole until his trial date, and not have received a fair trial.
1) It's not the 1970s anymore. Things have changed.
2) Ellsberg walked out on bail and was able to speak publicly about why he did what he did. Snowden would be denied bail and visitors because of "national security" concerns.
2) In a novel application of law, Ellsberg was not permitted to raise a "my disclosure was justified because of very significant interest" defense. [0]
3) Ellsberg only walked free because Nixon's agents were caught breaking into Ellsberg's psychologist's office to search for more character-assassination material, and the judge found this conduct to be unconscionable. Had Nixon NOT done this, #2 above would have ensured Ellsberg had no choice but to go to jail.
4) Given the existence of the NSA wiretap program that Snowden revealed, FedGov would not have the opportunity to make the same blunder Nixon did... because they have an extensive secret database (that "happens" to contain information about US citizens) that they can make secret searches against to find all sorts of blackmail material.
[0] This right here is the REALLY BIG thing. It's my understanding that Ellsberg was expecting to be able to at least argue that his actions were justified by very significant public interest. While having that right stripped away is pretty normal in this day and age, it absolutely was not back then.
What did the report get wrong? If they're lying then prove it please.
I'll repeat a paragraph from I wrote four hours before you posted this question:
> Character assassination is a tool that FedGov does not hesitate to use against people who cause it big trouble. And yes, putting "spin" on facts absolutely is character assassination. Snowden was a poor student. MLK cheated on his wife. So what? These facts have nothing to do with the ills and rot that these folks were exposing and leading us away from.
Somewhere our beloved leaders can't arrest him and send him to a CIA black site for the rest of his life.
Well, on one hand I'm surprised to see this take on HN. OTOH it's nice that it's not strictly a hive-mind.
There's nothing inherently negative about going rogue and hacking - I think few would deny that that's what Snowden did.
Maybe I read this story wrong, but I wouldn't put Snowden in the same crowd as this person. Much more of a criminal in this case versus a whistleblower.
The recent arrest of a U.S. Army soldier accused of extorting AT&T and Verizon highlights a troubling misallocation of resources by law enforcement, especially when juxtaposed against critical nation-state cyber threats. While prosecuting such crimes is necessary, it diverts attention from larger systemic vulnerabilities, such as the recent breach of the U.S. Treasury Department and nine major American telecommunications companies by Chinese state actors. These breaches granted access to sensitive communications and revealed the glaring weaknesses in American cybersecurity infrastructure. Corporations like AT&T and Verizon, entrusted with protecting sensitive data, have often failed to implement robust defenses, leaving systems exposed to exploitation and forcing law enforcement into a reactive cleanup role.
This misdirected focus is particularly concerning given the escalating geopolitical tensions and the strategic importance of cybersecurity in national defense. Nation-state actors like China are leveraging advanced capabilities to outpace U.S. defenses, eroding trust in American institutions and diminishing global standing. With the potential for conflict over Taiwan and other critical flashpoints, resources spent on low-value cybercrime cases should instead fortify critical infrastructure and counter nation-state threats. A proactive approach is essential to prevent breaches, hold corporations accountable, and ensure the U.S. remains resilient in an increasingly volatile cyber landscape.