JanisErdmanis 2 days ago

This will be controversial, but wouldn’t one be able to say there is a benefit to the society of having kids hacking systems, doing pranks, even collecting ransomware, and not fearing ridiculing their subjects in contrast to having national state attackers that harvest and sell secrets? The first type of attacker would pressure security to be taken seriously, whereas the second type of attack would rarely be noticed and disclosed.

  • stepupmakeup 2 days ago

    A clear distinction should be made, this isn't kids hacking companies for 'fun' or some kind of Kevin Mitnick-esque story where the thrill was having something they shouldn't or bypassing systems. These people wanted money and notoriety and got it by any means necessary, yet it took THREE arrests to finally put an end to it. They weren't just targeting multibillion dollar corporations, either.

    Meanwhile in the very same country, the teenage criminal who helped ransom MGM casinos and London's transportation (twice arrested) is also free and likely actively deploying ransomware and sim swapping as we speak. I get that they're legally "children", but it's not like they're 9 year olds being tricked into doing other people's bidding, these are quite literally criminal masterminds working for themselves, and should be charged as one. "I promise I won't go online again" and supervision for a couple months obviously isn't working when you have companies getting hacked from a hotel room.

  • Denvercoder9 2 days ago

    That's a false dichotomy. Having a few smart kids hack around doesn't end nation state attacks.

    • JanisErdmanis 2 days ago

      They don't end nation-state attacks, but public exposure from teenagers hacking corporate computer systems can make them do their homework of fixing low-hanging vulnerabilities. As a result, the attacks from nation-state attackers could become more expensive.

      • tmpz22 2 days ago

        Kids won't hack corporate systems. They'll hack each other, they'll hack and share nudes, they'll embarrass one another, harass, troll, and bully.

        I was a member of many video game communities as a kid and DDOS attacks to disrupt game play, RATs and other tools to steal and sell virtual currencies, happened frequently and often.

        I think the volume of destructive activities outweighs the constructive ones, even if many such perpetrators went on to become Software Engineers and Pen Testers for Meta, Google, and other companies. Like others I don't think they should be arrested for the less harmful examples - but there are lines that cause significant societal harm that should end in proportional punishments.

        • autoexec 2 days ago

          > Kids won't hack corporate systems.

          The entire history of hacking shows that kids will, do, and always have hacked corporate systems. They'll absolutely hack each other while they're at it, but much of that time will also involve hacking corporate systems. Even kids who hack video games are very often hacking corporate systems because it's corporations who control the game servers.

          I would much rather have corporations and the countless third party companies/hardware/services they depend on all patching and hardening their stuff for fear of pesky children cheating in video games than let all those corporations become complacent. As it stands today corporations do only the bare minimum when it comes to security as repeatedly evidenced by the endless leaks and data breaches which rarely involve complex vulnerability chain attacks full of zero days and most often could have easily been avoided by protecting against threats that are very well known and for which solutions already exist.

          The harm caused by trolls and cyberbullies is dwarfed by the harms these corporations would cause society if they had any less pressure to take even the most basic steps to protect our accounts and our data.

          • collingreen a day ago

            Well do you see it helping out the way you're suggesting? I just see two problems in the world not "the lesser of two evils".

            • autoexec a day ago

              > I just see two problems in the world not "the lesser of two evils".

              You're right about that. It's far from an ideal solution. I'd much rather if that pressure came from regulation that would consistently deliver severe consequences for any company that decides to cut costs/increase profits by neglecting their responsibility to protect our data and the systems and services we pay for and depend on. That way, all systems would be reasonably protected. We wouldn't have to worry as much about pranking teenagers causing disruptions and posting penis pictures, and it would still make it harder for the adult hackers to gain access and do much worse.

        • tptacek 2 days ago

          Kids absolutely do hack corporate systems. They do now, they did 10 years ago, and when I was hip deep in that scene in the early 1990s that's what they were doing. They also go after each other, but that's a side quest.

          • Loughla 2 days ago

            My experience is that going after other groups and/or normal folk who you know is the main purpose. Everything else is just for funsies.

            Specifically, targeting people in the real world who make your actual life difficult.

            That's from the late 90's / early 00's.

        • JanisErdmanis 2 days ago

          The article mentions NVidia as an example of a ransomware attack. This seems to be a corporate threat.

          > I was a member of many video game communities as a kid and DDOS attacks

          I agree here that this is a destructive activity with no benefit. Securing games against DDOS attacks seems like a wasted effort.

        • Jerrrrrrry 2 days ago

          > Kids won't hack corporate systems. They'll hack each other, they'll hack and share nudes, they'll embarrass one another, harass, troll, and bully.

          > I was a member of many video game communities as a kid and DDOS attacks to disrupt game play, RATs and other tools to steal and sell virtual currencies, happened frequently and often.

          > I was a member of many video game communities as a kid

          Your youth maintained your innocence, consider yourself lucky.

          You may never have had a clue at the time, but those pre-release builds, firmware dumps, decryption keys, _______ source code, PII dumps, debugging symbols, and other general degeneracy facets were not reverse engineered in a white-room environment by 17 year olds, but rather compiled and scavenger hunted from the depths of Google, re-used passwords, internal email dumps, physical intrusion (yes), blind XSS that phoned home an admin panel months later... I could go on, but that was nostalgic enough.

          > I think the volume of destructive activities outweighs the constructive ones,

          You are essentially promoting "head in sand", if not directly.

          > if many such perpetrators went on to become Software Engineers and Pen Testers for Meta, Google, and other companies.

          50%/50% drugs to success - The bell curves both ways. But remember the context, 10 years ago, emailing a bug report could get your door kicked in.

          > Like others I don't think they should be arrested for the less harmful examples - but there are lines that cause significant societal harm that should end in proportional punishments.

          This gets grey real fast.

          After checking out your cart on a hypothetical web-store, you are redirected to the receipt page. Sharing the link with a cohort via email, you leave off a single digit in the r? parameter in the URL, causing a receipt from someone else to display.

          It was a brisk fall dew-filled dawn the next morning when the State-Cyber-Police made their swift, immemorial performance. Donned with insignia "pastor sapientiae," they had long ago forgotten their purpose, aside from the prevention of the proliferation of the unwise and their defiance of authority.

      • Denvercoder9 2 days ago

        That only holds if you believe that will (intrinsic or resulting from a cost/benefit analysis) is what's holding back organizations from improving their cybersecurity.

        • JanisErdmanis 2 days ago

          > That only holds if you believe that will (intrinsic or resulting from a cost/benefit analysis) is what's holding back organizations from improving their cybersecurity.

          Improvements are expenses. The only unknown here seems to be whether nation-state attackers would recruit these gifted and experienced kids at a rate larger than corporations would be able to improve their security.

  • ackbar03 2 days ago

    What you're basically describing is HackerOne but for kids. And I actually don't think it's a bad idea, they could consider doing a teenager version or do some program aimed at high schoolers. I'm sure it would be very well received, I would have thought it was the coolest thing ever.

  • giantg2 2 days ago

    I do believe in leniency towards juveniles so as not to discourage curiosity and learning. However, many attacks can be severely damaging. It seems this individual had many second chances but hasn't changed. Some intervention is necessary.

  • otterley 2 days ago

    What would be the benefit, exactly?

  • hackable_sand 2 days ago

    It is controversial because you are utilizing childhood rebellion

    Which ignores the point

    • godelski 2 days ago

      I think you could generalize the OP's point to extend past children and still consider their question. I think you're focusing on the children part and ignoring the point.

      Plus you're not "utilizing children" in the way you would with child labor. This is more "children are doing things, could we utilize this natural behavior to improve our society?" That's not exploitive of children unless you pressure them into hacking. It's also reasonable that we consider children are less likely to be severely punished because kids are, in fact, pretty dumb (which does not mean they also aren't pretty smart. Context matters ;)

      Anyways, that's all beside the point of OP's question:

        Can we see hackers as a valuable tool for society? Since they put pressure on corporations to improve their security. Whereas when nation state hackers do similar things it is all kept quiet and so the knowledge of what needs to be fixed is less widespread.
      
      I think yes. As an analogy I think hackers in this way can be seen like a virus and the human immune system. Low exposures and in healthy systems allows the body to develop antibodies and fight off bigger attacks and/or when the body is weaker. But too much and the host is permanently damaged. But no viruses and the immune system becomes weak and fragile too.

      Personally, I think if we want to get the former immunity boosting we should be promoting ways for people to hack on systems in non-malicious ways. Bug bounty programs. Clear paths to responsible disclosure. All that jazz. Accidents will happen and some will go too far, but intent does matter. But we also hear on HN about how people have found vulns, reported it, and the response is to sue the person disclosing for hacking. Even if this is exclusively untrue (lol), if it is widely believed then what incentive does someone have to report a vuln if they find it? Because they sure have incentives to do malicious things with that information.

      I'm big on morals and sticking to them. But at the same time I don't think we can have a functional society where people's only incentive to do the right thing is that warm and fuzzy feeling inside, especially when there are incentives to do the wrong thing. Maybe we should reward good behavior instead of bad behavior...

mmsc 2 days ago

> He said the average age of anyone arrested for a crime in the U.S. is 37, while the average age of someone arrested for cybercrime is 19.

Indeed. So why is it that these billion-valued-companies can so easily be hacked by teenagers? Who would win: a trillion dollar industry of cyber security, or a bunch of bored outcast teenagers?

  • andsens 2 days ago

    The reason the average age is so young is because they are the ones getting caught.

    • whimsicalism 2 days ago

      No - I think it has much more to do with the fact that anyone smart enough to be doing this is going to be gainfully employed by the time they're an adult - but as an adolescent, you are bored, talented, and unrecognized - not a good combination.

      This is exactly my story and I doubt it is very unique.

      • namaria a day ago

        What do you mean, no? That's exactly what GP said.

    • duped 2 days ago

      I think it's more that older people are getting paid to do this work legally.

    • throw2024 a day ago

      Loosely agree with this, although greed can blur some people’s judgment

    • fortran77 2 days ago

      It's like the airplane with the dots!

  • trox 2 days ago

    Because properly securing your systems is hard, especially if the attack surface is large. The attacker only needs to find a single weakness. Furthermore, you don't hear from all the teenagers trying to find vulnerabilities across the web, just when there's headlines.

    • protastus 2 days ago

      Yes it's hard and also not done well. Most companies don't fund security as much as they should. At best they'll hire an occasional consultant for the purposes of compliance with a supplier agreement or industry regulation they have to meet.

  • throw2024 a day ago

    As a former bored teen, who went after similar sized companies (and was eventually caught), I’d say you’ve already got your answer - boredom, being a tad neurotypical helps too.

    Most of the things I pulled could have been prevented if everything was checked against the OWASP top 10.

    Then the other multiplier is how old the company is, at a certain stage there’s a digital footprint that isn’t properly documented internally.

    • Ylpertnodi 10 hours ago

      > and was eventually caught

      Would love to hear more.

smcin 2 days ago

"GTA 6 Hacker Arion Kurtaj Became a Legend Attacking Companies. Then His Rivals Attacked Him." - WSJ

(Newer headline, and useful for indexing the names)

RobRivera 2 days ago

Do people feel autism is an explanation for shitty behavior like posting sexually explicit images on internal company slack channels?

  • autoexec 2 days ago

    It sounds to me like that's more of a teenager trait than an autistic one. Not to say that every teenager would find humor in putting dicks in unexpected places, or even that only a teenager would, but it's pretty on brand for boys in that general age bracket.

    Teenagers are also biologically predisposed to occasionally making bad decisions. The kid in this article had a brain whose prefrontal cortex wouldn't finish developing for nearly another decade. I suspect that had a lot more to do with posting links to a penis in Uber's internal chats than autism did.

    • sulandor 2 days ago

      > Teenagers are also biologically predisposed to occasionally making bad decisions.

      humans are

      • autoexec a day ago

        True, but it's a lot worse for folks who haven't fully developed the part of their brain that is responsible for things like complex planning, impulse control, emotional regulation, logical thinking, the evaluation of risk and the awareness and careful consideration of long-term consequences.

        Not that I'm saying that teenagers can never do those things or that adults always will, but because their brains are still developing teenagers are, on average, going to make mistakes and take risks much more often than adults past their mid 20s, and that's without even taking into account the flood of hormones and the additional stress of adolescence. Making mistakes and taking risks is just a normal part of growing up, and some people feel that it's even advantageous for young adults to be prone to recklessness.

        • ABraidotti a day ago

          Agreed. Also, look who they're learning from. Growing up in the 90s, I had my everyday IRL friends but also some BBS friends. In that latter peer group--pseudo anonymous and extremely online--edgelord morality prevailed.

      • Ylpertnodi 10 hours ago

        Depends on the human...either the one making the 'biologically predisposed' bad decision, or the one judging it.

      • bitcharmer a day ago

        I think you completely missed GP's point. Teenagers ARE much more likely to make a bad decision than other groups.

  • aithrowawaycomm a day ago

    No, autism is an explanation for not saying "wow this guy is a real stain on society" and being reluctant to put him behind bars.

    That being said I don't like infantilizing people who have autism without more profound disabilities in cognition (I am speaking as someone who has "mild" schizophrenia). Kurtaj seems to have normal intelligence and is not so disconnected from society as to be unaware what he allegedly did was wrong. In particular his alleged motivations and mental state during all this are not that different from an angry teenager with few friends and terrible judgment.

    There are other factors that are important for sentencing. Unlike the angry teen, it sounds like Kurtaj might have trouble holding down a job even if he gave his best effort at emotional and occupational therapy. But when people with autism seem perfectly capable of making moral choices, their diagnosis should inform your empathy. Turning that into an exoneration not only excuses certain bad people, but also denies that certain good people actually understand they're doing the right thing. It's totally dehumanizing.

  • labster 2 days ago

    An explanation, sure. A justification, no.

    Just a reminder: the autism spectrum is wide, and two autistic people are likely to be more different from each other than a neurotypical person.

  • dokyun 2 days ago

    No, the explanation is that it's hilarious.

arealaccount 2 days ago

I admittedly only grazed the article, but fighting back almost is what you desire as a teenage offensive hacker.

Jyaif 2 days ago

From what I gather from the article he's doing social engineering, not technical hacking.

In other words: lying to, manipulating, and exploiting trusting folks, rather than finding technical flaws. Much less noble in my opinion.

  • dmix 2 days ago

    What you do after social engineering, and knowing what to ask for and pivot, is very technical

  • CatWChainsaw a day ago

    In other words, all the things that politicians, CEOs, and Silicon Valley visionaries do?

A_D_E_P_T 2 days ago

Article opens with:

> The judge ultimately handed Kurtaj a sentence that his lawyers have called out of proportion with the crimes he stood accused of. The family declined to be interviewed.

Doesn't actually mention what the sentence was until the end of the article:

> The judge gave Kurtaj an indefinite hospital order—a sentence confining him to a secure mental-health ward until doctors and U.K. officials decide he is no longer a danger to the public. He was 18 years old. [. . .] People in Kurtaj’s situation can apply for a review of their detention once a year. Otherwise, their detention is subject to government review once every three years, according to the Ministry of Justice.

> Kurtaj’s lawyers and some experts on autism have said a potential lifetime of incarceration isn’t appropriate for a teenager like Kurtaj.

Thing is, there's basically a zero percent likelihood that it's actually a lifetime of incarceration. I haven't seen the statistics on this, but I'd bet that the average person incarcerated under such an order is out in a couple of years, and the vast majority are out within ten.

What's more, it's not a prison.

> It’s up to his doctors whether Kurtaj can access the internet. He was sent to a medium-security hospital ward, where in the common areas shared with other patients, he was surrounded by tablets, phones and computers.

Come on, now. That sentence is neither as harsh (in terms of conditions) nor as draconian (in terms of duration) as the article wants us to feel. In the US, he'd be tried as an adult and he'd have it much worse...

The punishment rarely fits the crime, but I think that the system did okay with this one.

  • Firerouge 2 days ago

    While there aren't many statistics on this sort of sentencing, I did find some here: https://forum.mentalhealthlaw.co.uk/t/section-37-41-data-spe...

    And based on the following:

    > The number of admissions has fluctuated between 1,500 and 1,700 since 2008.

    And

    > The number of discharges and disposals has fluctuated between 1,350 and 1,550 since 2011

    One can extrapolate that up to a couple hundred new admissions each year are staying in essentially indefinitely, as the discharge rate is generally always lower than the admissions rate.

  • giantg2 2 days ago

    If I (autistic) had something I was good at and made me not feel like human garbage I wouldn't stop doing it. It wouldn't surprise me if a company hires him. This is something he's good at, but just seems to need some direction and oversight.

  • whimsicalism 2 days ago

    Seems ridiculously disproportionate to be sentenced with no end date? Even if 'in practice' it usually ends after some amount of non-determinate time.

fefe23 2 days ago

I'm sick and tired of the "the evil attacker attacked this harmless company" rhetoric.

Take some responsibility for your actions!

I loathe that you can apparently get away by telling reporters that it must have been a nation state actor. Oh it was just one kid in a hotel room? Well then he must have autism! Hey have you seen Rain Man? Yeah, must have been that kind of super power autism!

It's revolting. Get your act together and stop blaming kids. If a kid can unlock your door by entering the Konami code on your door bell, that's on you.

  • codezero 2 days ago

    Locks are a social contract. We all know they can be bypassed, but doing so is illegal. Kids and adults should be held accountable for repeatedly breaking the law.

    • beeflet 2 days ago

      computer security isn't comparable to physical security and should be held to a higher standard because it can be.

      When you expose a computer to a global computer network, you are exposing it to others with no shared social contract.

      • lmz a day ago

        Well they should've picked a more "global" target then, not people who can get them caught.

ChumpGPT 2 days ago

He was such a legend that they were able to catch him, monitor his online activity and his rivals were able to Doxx him.

Did it not occur to this legend that concealing one's identity when breaking the law is an important step?