Teenage hacker became a legend attacking companies, then his rivals attacked him

50 points by fortran77 4 hours ago | 27 comments

neonate 4 hours ago |
https://archive.ph/nupuG
smcin 2 hours ago |
"GTA 6 Hacker Arion Kurtaj Became a Legend Attacking Companies. Then His Rivals Attacked Him." - WSJ
(Newer headline, and useful for indexing the names)
A_D_E_P_T 2 hours ago |
Article opens with:
> The judge ultimately handed Kurtaj a sentence that his lawyers have called out of proportion with the crimes he stood accused of. The family declined to be interviewed.
Doesn't actually mention what the sentence was until the end of the article:
> The judge gave Kurtaj an indefinite hospital order—a sentence confining him to a secure mental-health ward until doctors and U.K. officials decide he is no longer a danger to the public. He was 18 years old. [. . .] People in Kurtaj’s situation can apply for a review of their detention once a year. Otherwise, their detention is subject to government review once every three years, according to the Ministry of Justice.
> Kurtaj’s lawyers and some experts on autism have said a potential lifetime of incarceration isn’t appropriate for a teenager like Kurtaj.
Thing is, there's basically a zero percent likelihood that it's actually a lifetime of incarceration. I haven't seen the statistics on this, but I'd bet that the average person incarcerated under such an order is out in a couple of years, and the vast majority are out within ten.
What's more, it's not a prison.
> It’s up to his doctors whether Kurtaj can access the internet. He was sent to a medium-security hospital ward, where in the common areas shared with other patients, he was surrounded by tablets, phones and computers.
Come on, now. That sentence is neither as harsh (in terms of conditions) nor as draconian (in terms of duration) as the article wants us to feel. In the US, he be tried as an adult and he'd have it much worse...
The punishment rarely fits the crime, but I think that the system did okay with this one.
giantg2 an hour ago |
If I (autistic) had something I was good at and made me not feel like human garbage I wouldn't stop doing it. It wouldn't surprise me if a company hires him. This is something he's good at, but just seems to need some direction and oversight.
Firerouge an hour ago |
While there aren't many statistics on this sort of sentencing, I did find some here: https://forum.mentalhealthlaw.co.uk/t/section-37-41-data-spe...
And based on the following:
> The number of admissions has fluctuated between 1,500 and 1,700 since 2008.
And
> The number of discharges and disposals has fluctuated between 1,350 and 1,550 since 2011
One can extrapolate that up to a couple hundred new admissions each year are staying in essentially indefinitely, as the discharge rate is generally always lower than the admissions rate.
JanisErdmanis 2 hours ago |
This will be controversial, but wouldn’t one be able to say there is a benefit to the society of having kids hacking systems, doing pranks, even collecting ransomware, and not fearing ridiculing their subjects in contrast to having national state attackers that harvest and sell secrets? The first type of attacker would pressure security to be taken seriously, whereas the second type of attack would rarely be noticed and disclosed.
Denvercoder9 an hour ago |
That's a false dichotomy. Having a few smart kids hack around doesn't end nation state attacks.
JanisErdmanis an hour ago |
They don't end nation-state attacks, but public exposure from teenagers hacking corporate computer systems can make them do their homework of fixing low-hanging vulnerabilities. As a result, the attacks from nation-state attackers could become more expensive.
tmpz22 an hour ago |
Kids won't hack corporate systems. They'll hack each other, they'll hack and share nudes, they'll embarrass one another, harass, troll, and bully.
I was a member of many video game communities as a kid and DDOS attacks to disrupt game play, RATs and other tools to steal and sell virtual currencies, happened frequent and often.
I think the volume of destructive activities outweighs the constructive ones, even if many such perpetrators went on to become Software Engineers and Pen Testers for Meta, Google, and other companies. Like others I don't think they should be arrested for the less harmful examples - but there are lines that cause significant societal harm that should end in proportional punishments.
JanisErdmanis an hour ago |
The article mentions NVidia as an example of a ransomware attack. This seems to be a corporate threat.
> I was a member of many video game communities as a kid and DDOS attacks
I agree here that this is a destructive activity with no benefit. Securing games against DDOS attacks seems like a wasted effort.
autoexec 39 minutes ago |
> Kids won't hack corporate systems.
The entire history of hacking shows that kids will, do, and always have hacked corporate systems. They'll absolutely hack each other while they're at it, but much of that time will also involve hacking corporate systems. Even kids who hack video games are very often hacking corporate systems because it's corporations who control the game servers.
I would much rather have corporations and the countless third party companies/hardware/services they depend on all patching and hardening their stuff for fear of pesky children cheating in video games than let all those corporations become complacent. As it stands today corporations do only the bare minimum when it comes to security as repeatedly evidenced by the endless leaks and data breaches which rarely involve complex vulnerability chain attacks full of zero days and most often could have easily been avoided by protecting against threats that are very well known and for which solutions already exist.
The harm caused by trolls and cyberbullies is dwarfed by the harms these corporations would cause society if they had any less pressure to take even the most basic steps to protect our accounts and our data.
tptacek 38 minutes ago |
Kids absolutely do hack corporate systems. They do now, they did 10 years ago, and when I was hip deep in that scene in the early 1990s that's what they were doing. They also go after each other, but that's a side quest.
Denvercoder9 an hour ago |
That only holds if you believe that will (intrinsic or resulting from a cost/benefit analysis) is what's holding back organizations from improving their cybersecurity.
JanisErdmanis an hour ago |
> That only holds if you believe that will (intrinsic or resulting from a cost/benefit analysis) is what's holding back organizations from improving their cybersecurity.
Improvements are expenses. The only unknown here seems to be whether nation-state attackers would recruit these gifted and experienced kids at a rate larger than corporations would be able to improve their security.
giantg2 an hour ago |
I do believe in leniency towards juveniles so as not to discourage curiosity and learning. However, many attacks can be severely damaging. It seems this individual had many second chances but hasn't changed. Some intervention is necessary.
hackable_sand 31 minutes ago |
It is controversial because you are utilizing childhood rebellion
Which ignores the point
ChumpGPT 2 hours ago |
He was such a legend that they were able to catch him, monitor his online activity and his rivals were able to Doxx him.
Did it not occur to this legend that concealing ones identity when breaking the law is an important step?
arealaccount an hour ago |
I admittedly only grazed the article, but fighting back almost is what you desire as a teenage offensive hacker.
mmsc an hour ago |
>He said the average age of anyone arrested for a crime in the U.S. is 37, while the average age of someone arrested for cybercrime is 19.
Indeed. So why is it that these billion-valued-companies can so easily be hacked by teenagers? Who would win: a trillion dollar industry of cyber security, or a bunch of bored outcast teenagers?
andsens an hour ago |
The reason the average age is so young is because they are the ones getting caught.
trox an hour ago |
Because properly securing your systems is hard, especially if the attack surface is large. The attacker only needs to find a single weakness. Furthermore, you don't hear from all the teenagers trying to find vulnerabilities across the web, just when there's headlines.
protastus an hour ago |
Yes it's hard and also not done well. Most companies don't fund security as much as they should. At best they'll hire an occasional consultant for the purposes of compliance with a supplier agreement or industry regulation they have to meet.
jabuticaba an hour ago |
Finally news about a hacker on hacker news
RobRivera 39 minutes ago |
Do people feel autism is an explanation for shitty behavior like posting sexually explicit images on internal company slack channels?
labster 33 minutes ago |
An explanation, sure. A justification, no.
Just a reminder: the autism spectrum is wide, and two autistic people are likely to be more different from each other than a neurotypical person.
autoexec 18 minutes ago |
It sounds to me like that's more of a teenager trait than an autistic one. Not to say that every teenager would find humor in putting dicks in unexpected places, or even that only a teenager would, but it's pretty on brand for boys in that general age bracket.
Teenagers are also biologically predisposed to occasionally making bad decisions. The kid in this article had a brain whose prefrontal cortex wouldn't finish developing for nearly another decade. I suspect that had a lot more to do with posting links to a penis in Uber's internal chats than autism did.
fefe23 13 minutes ago |
I'm sick and tired of the "the evil attacker attacked this harmless company" rhetoric.
Take some responsibility for your actions!
I loathe that you can apparently get away by telling reporters that it must have been a nation state actor. Oh it was just one kid in a hotel room? Well then he must have autism! Hey have you seen Rain Man? Yeah, must have been that kind of super power autism!
It's revolting. Get your act together and stop blaming kids. If a kid can unlock your door by entering the Konami code on your door bell, that's on you.