
Marcus Hutchins spared US jail sentence over malware charges - timthorn
https://www.bbc.co.uk/news/technology-49127569
======
atsushin
Hutchins's contributions to information security have definitely benefited
many. While it was "good" that he faced responsibility for his actions (well,
not really -- a forced extended stay in the U.S. away from his family and
dealing with X months of court bullshit is horrendous and should _not_
happen), I'm glad he was spared from a decade in the U.S. prison system.

~~~
loteck
_extended stay in the U.S. away from his family and dealing with X months of
court bullshit is horrendous and should not happen_

Curious, how do you think we should deal with crimes of this type, if not (at
minimum) restraining suspects from leaving the country and having a judge
preside over the legal proceedings?

~~~
viraptor
Have a framework of handing over cases like that and the person back to their
country of residence. Unless the case can be handled in less than a week.

Otherwise it's basically: Have you got access to lots of money, or are you
going to spend years in prison? He was really lucky that he knew people who
could offer him a place to stay, contact lawyers, help with bail. The majority
of people would be completely screwed in that situation.

~~~
bin0
I doubt handing over would always work. England has a decent court system, but
what about, say, a Chinese spy? Maybe you could then elect to hand over an
Englishman but detain a chinaman? It works in some cases, but not necessarily
as a general framework.

~~~
wiremaus
'Chinaman' is generally considered quite offensive and dated. I'd switch up
the noun there.

~~~
bin0
How? I used Englishman too. I've never heard it used that way.

~~~
grzm
- [https://en.wikipedia.org/wiki/Chinaman_(term)](https://en.wikipedia.org/wiki/Chinaman_\(term\))

- [https://www.merriam-webster.com/dictionary/chinaman](https://www.merriam-webster.com/dictionary/chinaman)

- [https://www.ahdictionary.com/word/search.html?q=chinaman](https://www.ahdictionary.com/word/search.html?q=chinaman)

------
andremat
In spite of the district court's merciful sentence, he has committed an
aggravated felony in the eyes of immigration law and so is barred from ever
entering the US again. For life.

~~~
mieseratte
> he has committed an aggravated felony in the eyes of immigration law and so
> is barred from ever entering the US again. For life.

IANAL but it sounds like he may be able to appeal based on a recent SCOTUS
ruling[0].

> The result is that people convicted of certain crimes -- such as the
> California crime of burglary -- that are not by definition necessarily
> violent, may not be deportable.

[0] - [https://www.shouselaw.com/immigration/aggravated-felonies](https://www.shouselaw.com/immigration/aggravated-felonies)

~~~
skissane
> IANAL but it sounds like he may be able to appeal based on a recent SCOTUS
> ruling[0].

For entry into the US on visa-waiver (ESTA) or visas (without a green card),
you generally can't appeal to the courts, and court rulings about deportation
aren't really relevant.

It is up to the discretion of CBP (and also the State Department for visa
issuance). They can decide to disregard a criminal conviction - they are more
likely to do that if it is relatively minor, if there are some unusual/special
circumstances, if it is from many years ago, if a person shows evidence of
being of good character since then. But it is totally up to their discretion.

If they rule against you, there is no formal right of appeal. You can talk to
your own country's government, ask them to make diplomatic representations. If
your own government decides to do so (they are under no obligation to do so),
there is some chance they might change the US government's mind, but no
guarantee.

~~~
filoleg
I have no idea how exactly those kinds of decisions are made, but I feel like
the "evidence of good character since then" clause has a decent chance to work
here. The whole domain redirection thing he did definitely saved quite a lot
of pain for people and businesses worldwide.

~~~
sq_
He said on Twitter earlier that a big part of the judge's decision to sentence
him to time served was the character letters that a ton of people from the
infosec industry that know him sent.

That kind of thing could definitely be relevant for showing good character
since his bygone days as a malware creator rather than researcher.

~~~
OBLIQUE_PILLAR
Good character letters sometimes backfire. The judge in the Ross Ulbricht case
said that she sentenced him so harshly partly because she got many letters
attesting to his good character, so she decided she needed to set a very
public example.

~~~
BigJono
I think the difference is probably that in the eyes of the American
government, everything Ulbricht did was bad. Whereas Hutchins did some good at
some point that could be weighed against the crimes he committed. Character
letters don't mean anything if the acts that gave that person their standing
in the community are seen as wrong by the court.

------
komali2
I'm having a hard time finding out why they actually arrested him - for a long
time it seemed that they were kangaroo-accusing him of somehow being
responsible for wannacry because he registered the domain it pointed to. This
article is saying it's because of malware he created in 2014?

~~~
Derek_MK
It was definitely for the banking trojan he created and sold, that would later
become Kronos. That said, he also became sort of a public figure in the field
due to stopping the initial strain of Wannacry, so news articles were popping
up talking about how he was at least tangentially related to Wannacry, and was
recently arrested for malware charges. People saw that and started drawing the
false conclusion that he created Wannacry.

------
ratsmack
It seems that sensible judgements in cases like this are few and far between.
Hopefully we will see a trend in this direction instead of the hysteria
usually surrounding hacking where the perpetrator is viewed in the same
category as a mass murderer.

~~~
stebann
He helped with the building of a banking trojan, that's not mass murder, but
it is a big crime...

------
ggg3
To sum it up, the US jails teenagers who deface websites (and foreign
journalists because why not). But if you created hacking tools specifically to
steal money and provided support for those tools, you are in the clear?

------
Derek_MK
TLDR/Background:

* Hutchins (MalwareTech on social media) used to be a black hat, and developed/sold a banking trojan that would become Kronos.

* Since then, he's given up black hat activity and begun reverse-engineering malware and providing educational material along the same lines.

* He came into the spotlight when he realized that the Wannacry ransomware was attempting to contact a particular web domain that was unregistered. He registered it to see what they were trying to send and why, and found out that it was a global killswitch, fully shutting down the initial strain of the malware.

* After Def Con 2017, he was arrested at the airport when attempting to leave the US. He was being charged with developing Kronos, and prosecutors were effectively adding new charges in retaliation every time he refused to plead guilty.

* He eventually caved and pleaded guilty, and today was sentenced to a year of supervised release, with no jail time (though he likely won't be able to enter the US again). The judge strongly indicated that the lenient sentence was due to the fact that he stopped breaking the law of his own volition, and started using his skills to better the world.

* This article doesn't mention it, but the judge also suggested that he and his legal counsel seek a pardon, which could potentially allow him to enter the US again. They are planning to go forward with that path.

~~~
lawnchair_larry
That wasn’t _quite_ how it went.

He initially told everyone that he was peripherally involved in writing some
code as a teenager that, unbeknownst to him, ended up in some malware.

The feds unraveled his lies and showed beyond a doubt that not only did he
work on that into his 20s, but he and his partner were actively involved in
the business of selling a purpose-built banking trojan. They had logs of a
“business dispute” between him and his partner from only 2 years prior to his
arrest.

He had bad opsec, and many folks online exposed a lot of this. The feds had
chat logs showing he was directly involved. It’s all in the court documents.
He had no choice but to plead guilty.

[https://www.courtlistener.com/recap/gov.uscourts.wied.77855/...](https://www.courtlistener.com/recap/gov.uscourts.wied.77855/gov.uscourts.wied.77855.124.0.pdf)

~~~
sq_
In my mind, it does count for something that he seems to have turned
everything around from being a black hat towards doing proper security
research and generally trying to work towards the common good.

~~~
lawnchair_larry
Maybe. I don’t know if I think he should be punished further or not and don’t
have strong feelings on this outcome one way or another. I generally think
hacking crimes are treated disproportionately harshly.

All that aside, I do not appreciate that he rallied support from the security
community and raised legal defense money by convincing sympathetic folks that
it was all untrue and he was being set up, when he was actually guilty the
whole time.

Manipulate the legal system all you want for all I care, but manipulating
good-natured people in the community who put their own reputation and money on the
line is not exactly a class act. I didn’t give him money, but I did fall for
his original story.

------
failrate
Finally!

------
lone_haxx0r
What's the thought process for writing/selling malware to be illegal? What if
the buyers wanted to test their own systems? What if they simply bought it to
study it? Hutchins didn't necessarily know that it was going to be used
illegally. Should nmap, aircrack-ng et al be illegal too?

~~~
rayiner
It is, in general, not illegal to write/sell something that can be used to
commit a crime. What’s illegal is creating or selling tools to
knowingly facilitate crimes. (Selling guns isn’t illegal, and indeed is
constitutionally protected. Selling a gun to known mobsters under
circumstances where one can reasonably conclude you knew they were going to
use it to commit crimes, that’s illegal.)

In this case, Hutchins created malware capable of stealing banking information
and worked with a friend to market it to people who would use it to steal
banking information: [https://arstechnica.com/tech-policy/2019/07/wannacry-slayer-...](https://arstechnica.com/tech-policy/2019/07/wannacry-slayer-malware-author-marcus-hutchins-sentenced-to-time-served).

~~~
pvg
Maybe the cases of the secret car compartment makers are a good example as
well - the 'tool' there is thoroughly harmless in itself.

