Charges for LastPass, MailChimp, Okta, and Twilio hacks
November 26, 2024 10:30 AM Subscribe
Brian Krebs: Federal prosecutors in Los Angeles this week unsealed criminal charges against five men aged 20 to 25, alleged to be members of "Scattered Spider," a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.
Yesterday was incident-response day in my human-factors-infosec class. One thing I tell them about incident PR is never, ever to use the phrase "sophisticated attacker(s)," because you never know when it's a script kiddie... or what Scattered Spider and their ilk are currently being called in the infosec community, "Advanced Persistent Teenagers."
(For folks not steeped in infosec, that's a play on "Advanced Persistent Threat," a rather silly phrase with an elastic definition that usually boils down to "a skilled, well-resourced, and relentless attacker.")
posted by humbug at 10:56 AM on November 26 [8 favorites]
(For folks not steeped in infosec, that's a play on "Advanced Persistent Threat," a rather silly phrase with an elastic definition that usually boils down to "a skilled, well-resourced, and relentless attacker.")
posted by humbug at 10:56 AM on November 26 [8 favorites]
Yesterday was incident-response day in my human-factors-infosec class. One thing I tell them about incident PR is never, ever to use the phrase "sophisticated attacker(s)," because you never know when it's a script kiddie... or what Scattered Spider and their ilk are currently being called in the infosec community, "Advanced Persistent Teenagers."
And this is the sort of attitude that is why white collar crime isn't taken seriously. Never mind that they did real damage to actual victims (and even in one case had actual violence visited on them), we'll use language that dismisses their actual threat.
posted by NoxAeternum at 11:59 AM on November 26 [2 favorites]
And this is the sort of attitude that is why white collar crime isn't taken seriously. Never mind that they did real damage to actual victims (and even in one case had actual violence visited on them), we'll use language that dismisses their actual threat.
posted by NoxAeternum at 11:59 AM on November 26 [2 favorites]
My sense is that within infosec it's rueful rather than dismissive -- "security sucks so bad that yeah, we can get pwned by J Random Teen" -- but I can definitely see how it reads differently splashed across a headline.
But what to do about hackers is a longstanding question. Plenty of them eventually go straight and turn into infosec stalwarts. The younger they are, the more likely this outcome seems to be. And once they've gone straight -- well, see the Marcus "Stopped WannaCry Singlehanded, Promptly Got Arrested" Hutchins story for how being punitive with infosec pros over a less-than-licit past can get really senseless really fast.
There's also The Mirai Confessions from Wired, previously featured on the blue.
I don't have any orthodoxy here. There are serious questions about restorative justice; even hackers who go straight don't typically make their earlier victims whole.
posted by humbug at 1:19 PM on November 26 [6 favorites]
But what to do about hackers is a longstanding question. Plenty of them eventually go straight and turn into infosec stalwarts. The younger they are, the more likely this outcome seems to be. And once they've gone straight -- well, see the Marcus "Stopped WannaCry Singlehanded, Promptly Got Arrested" Hutchins story for how being punitive with infosec pros over a less-than-licit past can get really senseless really fast.
There's also The Mirai Confessions from Wired, previously featured on the blue.
I don't have any orthodoxy here. There are serious questions about restorative justice; even hackers who go straight don't typically make their earlier victims whole.
posted by humbug at 1:19 PM on November 26 [6 favorites]
And this is the sort of attitude that is why white collar crime isn't taken seriously.
White collar crime isn’t taken seriously because of the wealth and status of the people doing it, or of the institutions that are supposed to protect people from it (but do not). Computer security has plenty of cultural problems, and people having an ego about their skills is one of them, but I don’t think the kind of people who banter about stuff like this are usually the weak links when it comes to taking security seriously enough.
posted by atoxyl at 2:01 PM on November 26 [3 favorites]
White collar crime isn’t taken seriously because of the wealth and status of the people doing it, or of the institutions that are supposed to protect people from it (but do not). Computer security has plenty of cultural problems, and people having an ego about their skills is one of them, but I don’t think the kind of people who banter about stuff like this are usually the weak links when it comes to taking security seriously enough.
posted by atoxyl at 2:01 PM on November 26 [3 favorites]
« Older Bad Influence | A pop song in classical dress Newer »
The grift that keeps on grifting
posted by chavenet at 10:55 AM on November 26 [3 favorites]