
Arrest of WannaCry researcher sends chill through security community - rbanffy
http://thehill.com/policy/cybersecurity/345337-wannacry-hero-chills-security-community
======
watty
I've read a few articles but I feel like I'm missing something. What's with
the sensational quotes like "I had folks afraid that their own involvement in
investigating WannaCry would get them arrested."?

Everything I've read points to him having created the banking malware "Kronos", which was
sold on various "underground forums" (whatever that means). What's with the
WannaCry conspiracies? He wasn't arrested for being a security researcher, he
was arrested for being a malware creator selling malware. Why is this "sending
a chill through the security community"?

~~~
NateyJay
The concern is that a lot of behaviour that a security researcher would do in
the course of their research, such as taking over C&C server addresses as with
WannaCry, soliciting samples of malware as Hutchins did with the
Kronos trojan, and having contacts with black-hat hackers, might look to the
DOJ as if he is the culprit who created the malware.

People think that an innocent white hat hacker could get swept up in this kind
of arrest, and there has been so little evidence released, nobody knows what
actually happened.

~~~
tptacek
Hutchins is accused of _creating_ the Kronos trojan, and of working closely
with someone who _sold_ the trojan. The lines the DOJ is saying were crossed
are pretty bright.

~~~
natch
It bears mentioning that accused does not mean convicted. The DOJ record as
far as accusations turning out to be grounded in reality is not unblemished.

>Hutchins is accused of creating the Kronos trojan, and of working closely
with someone who sold the trojan. The lines the DOJ is saying were crossed are
pretty bright.

You say that as though you are contradicting NateyJay.

But the fear NateyJay is highlighting is exactly that a white hat is being
accused. And that (whether ultimately borne out in this case, or not) this
kind of thing could happen to people who are conducting innocent security
research.

~~~
notatoad
A white hat is being accused of black hat behaviour. There is no indication
that the government is seeking to charge him with any activities related to
behaviour that could be interpreted as "white hat" in any way. He's accused of
creating and distributing malware. He may be found innocent of that, but the
crimes he is accused of are very definitely crimes, and he shouldn't get a
pass just because he's been publicly acting as a white hat.

If the government has evidence, he should be charged and tried. And that
appears to be what's happening here.

~~~
AnthonyMouse
> There is no indication that the government is seeking to charge him with any
> activities related to behaviour that could be interpreted as "white hat" in
> any way.

There is only the thinnest of lines between the two.

White hats have to traffic in malware and exploits because it's necessary to
understand a threat in order to defend against it, and in order to test that
your defenses are effective. It may even be necessary to infiltrate black hat
collectives.

The clearest way to tell the difference is that a real black hat will be
breaking _some other law_. Committing credit card fraud or misappropriation of
trade secrets or something like that.

But that doesn't appear to be the case here. And the fear is that because the
law around this is so uncertain, if the government is going to use it in cases
like this without any independent bad acts then nobody knows where the line is
supposed to be.

~~~
tptacek
"White hats" do not in fact routinely sell software intended almost solely to
harvest financial information from botnets.

People on this thread have a lot of strange ideas about what infosec people do
in their jobs.

~~~
AnthonyMouse
> "White hats" do not in fact routinely sell software intended almost solely
> to harvest financial information from botnets.

The indictment doesn't allege that the defendant sold it, only that he wrote
it and someone else sold it.

And as you know, white hats create proof of concept code all the time. And
give it to various people (including, in the end, anyone) for various
meritorious reasons.

~~~
tptacek
For the Nth time in this thread: watch the video of the software we're talking
about. "White hats" do not build things like that all the time.

~~~
natch
So, to make an analogy representing your position:

Watch the video of this horrendous deadly baseball bat attack. Baseball
players do not bludgeon people to death with bats all the time. Therefore,
baseball players should never worry that they might be falsely accused of an
attack. Oh, and the crime was horrible, so that means the evidence must be
pretty good. Q.E.D.

~~~
ganoushoreilly
That's not analogous, as the bat was not developed for bludgeoning. This was
software designed to steal money / cause issues regardless of who sold it. I
don't know anyone in infosec that regularly creates fully functional and
marketable platforms. It's also different than exploit proof of concepts, as
again, this is designed to steal.

~~~
natch
We don't know that he created the malware. He is accused of creating it. How
hard is it to understand the difference between being accused and being
guilty? It's been explained to death here that they are not the same thing.

------
Jtsummers
I feel like no one here remembers when Dmitry Sklyarov was arrested under
similar circumstances. The US government has no obligation to seek out every
potential arrestee no matter where they are in the world for every single
crime that the US has laws for. But if the target of an investigation (whether
they know it or not) sets foot in the US, then we shouldn't be surprised when
they are arrested. And this is just another case with Def Con (so no, it's
probably not moving out of the US, it didn't 15 years ago), I'm quite certain
that these sorts of things happen frequently for other crimes of (relatively)
low priority that are just outside our primary focus on this forum
(technology).

And is the US any worse for this than other nations? Probably not. They just
get more publicity when it happens. But every nation that has a legal system
will do the same thing. If the Russians or the Brits or the Germans or the
Swiss decide that Jtsummers is a suspect in a crime, and I visit and they
realize it, I shouldn't be surprised to find myself arrested and barred from
leaving the country.

[0] [https://www.cnet.com/g00/news/russian-crypto-expert-arrested-at-def-con/](https://www.cnet.com/g00/news/russian-crypto-expert-arrested-at-def-con/) \- may not be the best article, it's the first one that came up on
Google for me.

~~~
kbody
Iceland would be a great place if you want freedom, but I doubt the willingness
from the current majority of attendees.

------
chasil
Realistically, DEF CON should move to the Caribbean.

Marcus Hutchins is a British citizen. Extradition before the event was
feasible and would have been a far more honorable path than the snatch and
grab that transpired.

British security experts might insist on Grand Cayman for any further
conferences in the Americas.

~~~
tptacek
You think the FBI is going to interdict a computer criminal _before_ they
spend a week in Las Vegas associating with computer security professionals,
any of whom could be criminal co-conspirators?†

That would be exceptionally nice of them, but also extremely poor
investigative practice.

I will say, though, as one of the many people in my field that is bone-tired
of schlepping out to the worst place in the United States every damn year for
these events, _any other location in the world would be fine for me_ , and I
endorse the actual suggestion you're making.

† _(Yes, obviously, I know virtually nobody who attends Defcon is a
criminal)._

~~~
numbsafari
You forgot to mention having the opportunities to electronically surveil his
activities while he's physically located in the United States, to attempt to
possibly catch him soliciting a plant, bragging to a stripper while drunk, or
attempt to catch him in some other questionable activities that they could use
as the basis of an arrest or further warrants without having to play their
hand as to what they think he's actually guilty of (and therefore being able
to possibly turn him as an informant).

There's a brazillion reasons not to arrest someone the minute you think you've
got them.

~~~
tptacek
"Basis of an arrest"? They had an arrest warrant. The complaint I'm addressing
is "why did they not arrest him sooner???".

~~~
numbsafari
I'm agreeing with you (go figure?).

The point I was making RE: "basis of an arrest" is that if you wait for him to
do something stupid, like get arrested by local LEO for drunk and disorderly,
that gives you cover to approach him in an interrogation and threaten him with
prosecution over the malware... unless he agrees to be a witness/informant.
Because he's in with local LEO for something innocuous, there's cover.

In the end, they indict him for the malware, which pretty much ruins him from
that perspective. Or, perhaps, they already figured he wasn't worth using and
it's not above a US Attorney to go after someone well known in order to
further their own career...

------
devhead
If your code is used in an exploit and that is now a punishable crime, maybe
next the NSA will be in the hot seat, since the code that was used in WannaCry
was their own. Or perhaps Israel for their effort in Stuxnet. I hope he takes
it to trial and we find out what is really happening here. Pretty suspicious
that this happens years after the fact and only weeks after he helped prevent
the further spread of WannaCry, WannaCry being created on top of the leaked
NSA exploits they held on to instead of responsibly disclosing to Microsoft.

~~~
pyroinferno
Yes, take this for an example, if someone were to deliberately sell firearms
to someone that they knew would attempt to murder someone with their firearm,
do you think they should be partially liable for the murder?

~~~
comicjk
Yes, the seller would legally be an accessory to the murder, having had
knowledge that the crime would be committed and having helped the murderer
commit it.

[https://en.wikipedia.org/wiki/Accessory_(legal_term)](https://en.wikipedia.org/wiki/Accessory_\(legal_term\))

~~~
meowface
Then shouldn't Hutchins legally be an accessory to uses of the malware to
steal money, surveil unsuspecting victims, etc. if it is true that he
knowingly sold it to people who do such things?

~~~
comicjk
He might be able to get out of it by arguing that he didn't know about any
particular crime they would commit, or that he thought they had good faith
reasons to buy the software despite being criminals in general. I think this
hinges on exactly what he knew.

~~~
meowface
Yes, absolutely. The burden is on the government to prove he knew who he was
selling it to and that he knew what they were very likely going to use it for.

------
mnarayan01
As someone who's not sure where I stand on this, I feel like Hutchins
supporters are doing themselves a disservice by overly-conflating this with
WannaCry. I think there's potentially a good argument to be made along the
lines of "Hutchins' good work w.r.t. WannaCry is the _only_ reason that anyone
(including law enforcement) is aware of semi-historical Kronos, so going after
him for Kronos is equivalent to going after him for WannaCry." Additionally,
there may well be other arguments in his favor that I'm not even thinking of.

But those arguments need to be _made_ (and the one I outlined would need
decent factual details). That said...maybe glossing over (or even totally
ignoring) Kronos is the best way for Hutchins supporters to go...but if it is,
that seems an unfortunate reflection on society.

~~~
jxcole
I don't think that's what these researchers are saying. I think they are
saying more along the lines of: "Hutchins has shown that he is a security
researcher through his work on WannaCry. As a security researcher, he probably
has researched other problems as well, possibly including Kronos. The fact
that he was arrested with little to no evidence could be showing that the DOJ
is willing to arrest people who have copies of virus source code on their
computers, even if they only accessed it for research purposes. In fact he may
have updated Kronos code or written some part of Kronos as part of research to
validate a hypothesis or test a theory. Such actions are ordinary actions for
researchers, so this puts at risk most computer security research across the
world."

~~~
Ajedi32
> The fact that he was arrested with little to no evidence

How do you know what evidence does or doesn't exist? The case hasn't even been
brought to trial yet.

------
icpmacdo
Another piece of information that seems very shady from the US is that they tried
to say he was breaking felony gun laws by going to the shooting ranges on the
strip, and used that as a reason to stop his bail.

[https://twitter.com/ChristyNews3LV/status/893603855266492416](https://twitter.com/ChristyNews3LV/status/893603855266492416)

------
ajarmst
Why? The arrest of a mall cop who was also doing burglaries wouldn't send a
chill through the security guard community, except perhaps for those who were
moonlighting as burglars.

~~~
wwweston
If he was arrested for burglarizing a mall he worked in, though, and you
didn't have any evidence other than the claim of the arresting authorities
that he wasn't merely _present_ in the mall (as security guards are wont to
be) where a burglary had taken place, you might be somewhat concerned.

~~~
ajarmst
Fair enough, but I don't think that the FBI conspires to frame people for
crimes all that often, nor that many security researchers believe that they
do. Also, the fact that a grand jury handed down an indictment indicates that
there _is_ evidence that will be shared at trial. Unless the grand jury is
also part of the conspiracy, of course.

------
calafrax
> The indictment does not say Hutchins designed Kronos or sold Kronos. Rather,
> it says that he provided computer code to a second party to update Kronos.

> Overt Acts in Furtherance of the Conspiracy

> a. Defendant MARCUS HUTCHINS created the Kronos malware.

[https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html](https://www.documentcloud.org/documents/3912524-Kronos-Indictment-R.html)

------
loteck
Lots of comments about moving DEFCON out of US jurisdiction. DEFCON
officially flaunts the fact that both criminals and law enforcement attend the
event.[0] If that is the approach of the con, this interaction is built-in.

This isn't about DEFCON.

[0] [https://defcon.org/html/links/dc-faq/dc-faq.html](https://defcon.org/html/links/dc-faq/dc-faq.html)

------
wepple
> It is unclear from the indictment if Hutchins would have been aware his work
> was being used maliciously

The indictment specifically states he sold the malware. Unless he was
completely convinced the buyers of Kronos were using it for research into
browser malware, it's pretty damned obvious.

I'd be interested to talk to malware researchers that are genuinely scared
about this.

~~~
syshum
We don't know what was actually sold, or what was paid for, or who paid for it.

Of course the government in a government indictment will state "he sold
malware", but the government is known to lie, exaggerate, and use terms
incorrectly or out of context when talking about technology.

Taking the indictment at face value is IMO extremely naive.

~~~
wepple
Don't get me wrong, I'm not taking the US government's word here. I just
disagree with a journalist stating that the indictment is unclear. It's very
clear what the FBI are trying to argue.

------
noshbrinken
Individual known for benevolent acts arrested on charges of other, malevolent
acts chills community of benevolent actors?

------
DomreiRoam
Why didn't the FBI ask for an extradition to the UK? If the case was solid
they should use the proper channel to deal with foreign (supposed) criminals.

When you use this strategy, you deprive the arrested of the rights he would
have in his country and you add the crazy cost of defending yourself in a US
court. So it's possible that the case is not that solid or needs some parallel
construction. It's pure speculation, but it seems fishy to me.

I can understand the use of shenanigans to arrest previous dictators or very
powerful crime lords as a last resort for Justice but here it seems very
unfair.

I think we may see a drop in attendees at US conferences and/or a drop in
tourism.

------
thomble
There's so much strange hand-wringing in a loud subset of the security
community. The DoJ has a 93% conviction rate because they pursue strong cases
that usually end in a plea-bargain. The FBI aren't spooks. The evidence will
become public. If this guy profited off of banking trojans then I, for one,
hope he ends up in the clink.

~~~
reactor4
The DoJ has a 93% conviction rate because they pressure any target into a plea
bargain so they don't have to pursue strong cases.

------
qaq
I think one factor not being accounted for is cybersecurity is a fairly big
priority for law enforcement yet in a very large number of cases they are
never able to find or prosecute people responsible. So they need to "make the
numbers" to show that they are being effective and the easiest strategy is to
go for easy targets.

------
duxup
I guess I get the concern, but it seems clear the accusations are unrelated to
WannaCry and concern his involvement in another event.

We've seen bumbling investigations and misguided legal threats before... that
didn't stop people and this one doesn't seem to yet be either of those.

------
betaby
No need to do any malice in order to be arrested at Def Con.

[https://www.cnet.com/news/russian-crypto-expert-arrested-at-def-con/](https://www.cnet.com/news/russian-crypto-expert-arrested-at-def-con/)

------
flipp3r
Sad to see it confirmed that it's not worth the risk going to America to visit
DEFCON. I hope they'll host it in Europe someday. To see no statement by
DEFCON on this whole thing is almost equally sad.

~~~
watty
Can you elaborate? Have you been creating malware (banking trojans) and
selling it online?

~~~
flipp3r
No I haven't created or sold malware.

But I have this: a Middle Eastern last name, I use Tor, I use Linux, and I use
Telegram, I am active in the field of IT and especially enjoy IT security.

I know that I can be held indefinitely if I visit the USA. In the USA you're
guilty until proven innocent, unlike the rest of the western world. Simply
going to the USA is more risk than it is for practically every other country.
Well, for me, and a lot of people like me.

That's what my comment was about.

EDIT: How is it relevant to the article? Well, he is an IT security specialist
who wanted to visit DEFCON. Yes, I understand what he did was wrong, it was
his own risk.

~~~
eridius
You're commenting on an article about how the FBI arrested someone for
creating malware. If you haven't been creating malware, then I don't see how
this article has anything to do with the issues you face as someone with a
Middle Eastern last name who uses privacy tools like Tor. Hutchins wasn't targeted
because of CBP's stance on things it associates with terrorism. He was
targeted because the FBI believes he authored malware.

~~~
mintplant
Believe it or not, it's possible to be suspected or even accused of something
you didn't actually do, whether through a misunderstanding or otherwise. And
factors such as ethnicity and personal associations can influence the chance
of this occurring.

~~~
eridius
Hutchins is a British man, not someone of an ethnicity that makes people wary.
The arrest of Hutchins shouldn't have any relevance whatsoever to worries
about being flagged for ethnicity.

------
throw2016
The line between security researcher and malware creator is becoming
increasingly murky.

When is it research, pretending to be a bad egg to get more info or actually
being one?

As long as it was fun and games no one really minded, but now malware is used
to hold schools and hospitals to ransom. Even criminals don't go after schools
and hospitals. Extreme greed and criminality can't be minimized away as
'hacking'.

The infosec community likes to be edgy, but they need to clean up their act and
not give airtime and cover to criminals, and it's difficult to believe they
don't know who these are.

------
tryingagainbro
Is it me, or did the DOJ see the flight manifest and then go to a grand jury to
indict? He did what he did in 2014-2015 and the charges were filed in July
2017, a couple of weeks before Defcon...

~~~
thehardsphere
If that is the case, it would not be remarkable. Prosecutors have a
responsibility to only pursue cases that are likely to result in conviction.
If extradition was considered impossible, then there would not be much point
in pursuing an indictment.

~~~
saalweachter
I honestly assume that there's a "list of foreigners we'd like to prosecute"
that the US gov't checks visa applications against.

~~~
tryingagainbro
I totally agree, and I think it's in different categories, depending on the
crime. This guy might have escaped unless he came to the USA, for example, as
extradition might mean a lot of work; for another they will leave no stone
unturned.

The USA probably gets all the flight reservation data and takes it from there. If
you're a Russian criminal mastermind dying to spend some of that cash in the Greek
islands, they'll find out. (Better stay in Russia and pay Igor @ Russian Gov
his share :) )

------
throwme_1980
Please read his indictment application; there is clearly a reason why he was
arrested. If 'researchers' are allegedly selling malware then yes, they should
worry. Simple.

------
csomar
The article is light on details and leaves an important question's answer very
vague: Did Hutchins sell his product in an underground market to an unknown
identity? How much was the compensation?

These questions answered would make the case "clear-cut".

And there is a big difference between selling your code in an underground
market for $250k* with bitcoin, and open sourcing it for free.

*I come up with this number as an example.

------
mirimir
Leaving aside the particulars of this case, I must say that anyone who does
anything that might plausibly be prosecuted ought to remain anonymous, and
practice good OPSEC. In researching an article about such issues, just about
every bust was the result of carelessness.

------
shoefly
I hope they go easy on him. He's done some bad, but recently some good.

------
purpleidea
Time to move the conference out of the United States to somewhere more
neutral. Canada would be a good suggestion. Montreal is excellent.

------
cagey_vet
What bothers me actually is how these correlations were made, and by what
process of deduction, if it's not a snitch-related frame.

------
sqldba
It's a bit odd you can make a knife or gun and sell it but if you sell malware
that's illegal.

~~~
darksim905
What? This makes no sense: you can write software legally & sell it too. But
conspiracy is a completely different matter. If you made a gun with a feature
to make it a full auto weapon & just assumed people knew what it was, then
sold it THAT is more akin to selling malware that was intended to do harm. The
bits aren't the issue here, the conspiracy to cause damage with the bits is.

------
known
Isn't he arrested for selling illegal key logger software?

------
thrillgore
I would not be shocked if Defcon moved out of the US.

~~~
differentView
To where?

~~~
6footgeek
Germany!

------
bdcravens
Shouldn't it be "Arrest of malware creator sends chill through security
community"?

------
olegkikin
I hope it goes to trial, and he is not found guilty. Should be a relatively
easy case to win.

~~~
emodendroket
Based on the information to be found in this article it's not at all clear
whether it will be an easy case to win.

------
DINKDINK
I wonder if the location of the arrest influenced the prosecutors' decision:
"We 'caught' him at a _hacker_ convention where they broke a voting machine!"

------
vkou
He's not indicted for doing security research, he's indicted for stealing
people's bank accounts.

The indictment may end up being bullshit, but it has not been for any of his
white-hat, or grey-hat activities.

~~~
eugeneionesco
I don't defend him in any way, but he is not indicted for stealing people's
bank accounts, just for writing software that does that. Please don't spread
disinformation about this.

~~~
andylei
And also selling that software.

