
Indictment of Marcus Hutchins aka "Malwaretech" - ryanlol
https://www.documentcloud.org/documents/3912520-Marcus-Hutchinson-Indictment.html
======
syshum
Outside of the clear concerns about if this person is falsely accused of
creating malware for the purposes of victimizing people, one concern I still
have not seen addressed widely is the issue of US enforcing laws on an
international level.

Even if all of the charges are true, these "crimes" would have taken place in
the UK or wherever this person is living outside the US, so how then can the
US justify charging them with violation of US law.

I know this is not the first time this has happened, nor will it be the last
time this happens, but it is increasingly concerning that crimes completely
committed online are open to US Jurisdiction and sets a TERRIBLE precedent.

As a US Citizen I do not want to be held to another nation's laws, laws I may
not be familiar with, because of my online activities.

It is only a matter of time before an EU nation attempts to extradite or arrest
a US Citizen traveling abroad for a hate speech law violation or some other
violation that occurred online from the US which is not a violation of US law
but is a violation of EU Law.

~~~
ubernostrum
_I still have not seen addressed widely is the issue of US enforcing laws on
an international level_

It's simple: if you do something which causes something illegal-in-the-US to
happen on computers-located-in-the-US, you can be prosecuted by the US for it.
There is nothing new, radical, revolutionary, terrifying, unprecedented, etc.
about this idea. There wasn't anything new about it recently when some bitcoin
people were busted because they laundered their proceeds through US
institutions. There isn't anything new about it when someone in another
country hacks a US company's systems.

"The internet" is not a magical extra-territorial location which wipes away
all concept of countries having jurisdiction. As long as a computer in one
country can cause things to happen to/on a computer in another country,
there's an opportunity for either country, or both, or others in between them
on the network, to have jurisdiction over things that go wrong.

And your "only a matter of time" slippery slope has already happened: several
EU nations have taken legal action against US-based online retail/auction
sites to require compliance with laws against selling Nazi symbols or
memorabilia. And I hope you'd understand that no matter how much you might
argue "but I wasn't even _in_ Germany", Germany will come after you if you
offer to sell and ship items to Germany which are illegal to sell/ship there.

~~~
chx
The problem here, as I wrote above, is arresting a UK citizen in the USA. If
they would've issued a warrant and the UK police decides to arrest him and
then extradite him, that's fine.

But this sort of thing... this could potentially halt international travel. I
am not kidding: how do you dare to travel anywhere if you can be arrested for
something you did years ago which very well might have been legal in the
country you resided in but not in the country you travel to?

~~~
mysterydip
If I went on travel to a foreign country and committed a crime, I would expect
to be arrested there. Where the damage was done is the key, not where I was at
the time. If I create some malware that takes out UK servers, I would expect
to be arrested for that if I ever set foot on UK soil.

~~~
chx
If you ever posted a sickle-and-hammer to the web, visible to the Hungarian
public -- distributing it -- then you possibly could be fined for it. If you
visit Hungary and you got fined, would you consider it just? Here's the
Hungarian Criminal Code article in question:

Article 335(1). Any person who a) distributes; b) uses in public; c) exhibits
in public; a swastika, the SS sign, an arrow-cross, a hammer and sickle, a
five-pointed red star or a symbol depicting the above, – unless a graver crime
is realised – commits a misdemeanour, and shall be liable to punishment with a
fine. (2) The person who uses a symbol of despotism for the purposes of the
dissemination of knowledge, education, science, or art, or with the purpose of
information about the events of history or the present time shall not be
punishable. (3) The provisions of subsections (1) and (2) do not extend to the
official symbols of states in force.

~~~
ubernostrum
As I've already noted, Germany and other countries have enforced their no-
Nazi-stuff laws against US-based entities.

If you do a thing that's illegal in Hungary, and then put yourself on
Hungarian soil, I'm not going to be surprised when you get arrested. In other
words, this is not the knock-down "that'll really show _him_!" counterexample
you're looking for.

~~~
vageli
This seems untenable. Now, to travel to another country for holiday, I need to
look back on everything I've ever done, (even something so minute as
distribute an image of a hammer and sickle) _and_ pore over the laws of that
country and determine I have not ever been in violation of _any_ of them?

~~~
talmand
I don't think most people would say that's how it should be, it's just the way
it currently is. Law enforcement typically does not care about your
convenience.

------
danso
The Guardian has some more context (for those of us not keeping track of
previous events, such as AlphaBay's takedown a few weeks ago):
[https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us](https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us)

~~~
ballenf
I'm amazed and slightly confused at the idea that the act of writing a piece
of software can in and of itself be illegal.

Do the laws require distribution or showing of intent to harm or simply
writing malware?

Is there any precedent to democracies jailing a person over reducing to
writing an idea or algorithm?

~~~
cm2187
Well, that's the "it's not guns that kill, it's the people who use them"
argument. Which I have some sympathy for. But many disagree.

~~~
wvh
Except that a handgun's primary purpose is just that; it's a pretty blunt
tool. But software can have many purposes, even if it is security related:
research, practice, proof-of-concept, curiosity, ...

We better hope they have some real evidence beyond just some random code; if
mere possession is enough, they can throw all of us security people in jail,
together with anybody who has any DRM circumvention or file-sharing software
and whatnot. Seems any computer could contain something to detain just about
anybody if twisted around enough.

I guess only the future will bring clarity if this is gross overreach or if
they really have substantial evidence that he is both the source and had the
intent.

~~~
talmand
A gun's primary purpose is not to kill a human being by default.

A gun is designed to fire bullets, the bullet is designed to inflict intended
levels of damage upon the target of choice. A single gun can have ammunition
that ranges from no damage whatsoever to any target up to beyond lethal to a
living target.

In other words, your gun's primary purpose is what you decide it is.

------
imroot
Even for an indictment, this is...surprisingly bare.

(For example, this is an Alphabay seller who was selling and distributing
fentanyl in Cincinnati two months ago).

[https://www.dropbox.com/s/sbsiebzsd6r0f28/bozworth-grace-arrest.pdf?dl=0](https://www.dropbox.com/s/sbsiebzsd6r0f28/bozworth-grace-arrest.pdf?dl=0)

It looks like they put together the minimum needed to indict, put together a
grand jury, indicted and arrested. This was the prosecutor's "ham sandwich" of
the week.

~~~
stevecalifornia
FYI, that file has the name, social security number, and address of the person
being indicted. It says it's supposed to be redacted-- but there it is.

~~~
imroot
Good catch.

I didn't see that when I downloaded the file from PACER. I've since uploaded a
redacted version to dropbox.

~~~
occams_chainsaw
so i can get the non-redacted version from pacer? thanks

------
ajarmst
Given that the Alphabay takedown (and law enforcement's control of the servers
for at least six weeks) was more than a month ago, Hutchins' blithely
travelling to the States for Blackhat seems a level of confidence completely
at odds with known facts and the apparent allegations of the indictment.

~~~
Buge
I don't see why Alphabay getting taken down would really put him at risk. He
wouldn't have put his bank account or credit card on the site. This isn't even
like drugs where physical mailing addresses are involved. The worst would be
the money in his account getting seized.

~~~
ajarmst
No, it could be much worse than that. Law enforcement didn't immediately shut
Alphabay down---they let it run compromised for several weeks, gathering
evidence. If Hutchins made transactions during that period, he was at
significant risk, especially if he was under surveillance at the time---simple
traffic analysis would be enough to connect him to activity on the site. It's
very hard to hide the content of a conversation from one of its participants.

~~~
Buge
I would think that when operating any type of illegal online enterprise, you
should always operate under the assumption that everyone you're talking to is
a government agent. So you should never reveal anything about yourself. The
government is obviously making many undercover purchases.

Traffic analysis is a risk, but questionable. If it was used in this case, I
want to follow this case closely to see more details. Because I haven't heard
of a case of the government using traffic analysis to identify users except
extremely basic stuff such as "we saw him walk into his house, then saw some
Tor traffic, then saw a post appear on the forums".

~~~
wepple
Unfortunately there will likely be a nice parallel construction to ensure we
never find out exactly how they snared him.

------
r721
"This raises an interesting legal question: Is it a crime to create and sell
malware?

The indictment asserts that Hutchins created the malware and an unnamed co-
conspirator took the lead in selling it. The indictment charges a slew of
different crimes for that: (1) conspiracy to violate the Computer Fraud and
Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits
selling and advertising wiretapping devices; (3) a count of wiretapping; and
(4) a count of violating the Computer Fraud and Abuse Act through accomplice
liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is
that the government’s theory of the case is fairly aggressive. It will lead to
some significant legal challenges. It’s hard to say, at this point, how those
challenges will play out. The indictment is pretty bare bones, and we don’t
have all the facts or even what the government thinks are the facts. So while
we can’t say that this indictment is clearly an overreach, we can say that the
government is pushing the envelope in some ways and may or may not have the
facts it needs to make its case. As always, we’ll have to stay tuned.

Here’s an overview of the six counts in the indictment, together with my
tentative thoughts on them."

[https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/08/03/the-kronos-indictment-it-a-crime-to-create-and-sell-malware/](https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/08/03/the-kronos-indictment-it-a-crime-to-create-and-sell-malware/)

------
outworlder
We can't know anything at this stage, but from the looks of it, it doesn't
seem like the guy wasn't anything but a white hat.

There's also this:

> Hutchins’ employer, cybersecurity firm Kryptos Logic, had been working
> closely with the US authorities to help them investigate the WannaCry
> malware. Hutchins handed over information on the kill switch to the FBI the
> day after he discovered it, and the chief executive of the firm, Salim
> Neino, testified in front of the US House of Representatives Committee on
> Science, Space & Technology the following month.

If true, then the guy would have to be incredibly stupid and naive to live
such a double life. Not to mention traveling to the US.

Anything is possible, of course. The problem is that the guy has become well-
known, and retracting such a mistake would be politically costly. This guy
will probably have the book thrown at him.

It's also a very bad thing for cyber security if researchers cannot do their
jobs out of fear.

~~~
hota_mazi
> We can't know anything at this stage, but from the looks of it, it doesn't
> seem like the guy wasn't anything but a white hat.

Yes, we can know. Did you even bother reading the indictment?

He broke six US cyber laws in 2014, and that's why he was arrested.

> If true, then the guy would have to be incredibly stupid and naive to live
> such a double life. Not to mention traveling to the US.

Yes, I think you nailed that one. He's certainly not as smart as he thought
for flying to the US after breaking US cyber laws just three years ago and
thinking the US law enforcement would not notice.

> It's also a very bad thing for cyber security if researchers cannot do their
> jobs out of fear.

What are you talking about? He broke US law.

Felonies don't go away just because you do one good deed.

~~~
whipoodle
He is alleged to have broken the law, we don't know if he did things he is
indicted for.

------
benevol
It makes one wonder why anyone who has cyber dirt on their hands would step
foot on US ground, after the Snowden/NSA revelations which made it clear to
everybody on this planet that the NSA is literally everywhere.

~~~
tptacek
Because, really, who among us hasn't built and sold software used to harvest
Amazon logins, bank account logins, and credit card numbers from botnets?

~~~
jacquesm
Or crawled a webpage outside of the TOS, shared files through torrents,
alerted some website that they had a security hole, ran a business legal
abroad but illegal in the United States that had US customers, ran afoul of
any one of the US laws without knowing about it and in places not normally
under US jurisdiction and so on.

~~~
tptacek
That is a non-sequitur response, as this person has not been arrested for
violating terms of service, sharing files through torrents, alerting people to
security flaws, selling Canadian pharmaceuticals, or trafficking in undersized
lobsters.

They were arrested for building and selling software used to harvest Amazon
logins, bank account logins, and credit card numbers from botnets.

Your logic could just as easily be used to dismiss an indictment of _any_
crime, from undersized lobsters to murdering someone with an undersized
lobster.

~~~
nowo
While it's a different situation, it's still not a good one. The lack of
rights for foreigners, the NSA's reach, the willingness to prosecute citizens
of other countries, long detentions and harsh penalties for computer crimes
etc. puts people in a situation where the US government can make things very
uncomfortable for them. I do think some risks with e.g. mass surveillance have
been exaggerated, like being pursued on a basis of keywords. But if the US
government actually has evidence against you of things they consider illegal,
your legal protection against abuse will have weakened. So while it's unlikely
that the FBI has a list of dissidents that they've correlated with collected
evidence and are just waiting for people to cross the border, it's still not a
situation people should have to, or have to, accept.

~~~
empath75
Foreigners who are legally in the US are afforded the exact same due process
rights as Americans.

~~~
DaiPlusPlus
This is not true at all. There is no Due Process when you're under the purview
of USCIS/INS, CBP and ICE. This is why visa holders in good standing can get
turned-away at the border or destination airport and sent back immediately,
even if they have done nothing wrong or violated the terms of their visa -
just on the suspicion or hunch of the immigration officer - and they can
extend their reach even after you pass through immigration. There's a reason
they're called "constitution-free zones":
[https://www.aclu.org/know-your-rights-governments-100-mile-border-zone-map](https://www.aclu.org/know-your-rights-governments-100-mile-border-zone-map)

~~~
hueving
If you haven't made it through CBP, you aren't legally in the US yet.

~~~
irishasaurus
70% of Americans are under the purview of the CBP and their 100-mile sphere of
influence.

[https://www.aclu.org/other/constitution-100-mile-border-zone](https://www.aclu.org/other/constitution-100-mile-border-zone)

~~~
tptacek
This is false, and the ACLU should take this page down. In fact, in the 1970s,
the Border Patrol tried to rely on this notional "sphere of influence", and
was smacked down by the Supreme Court. Searches concomitant with the Border
Search Exemption must have some nexus to an actual, recent border crossing.

------
Powerofmene
When a website is seized off the dark web by the government, you can bet that
it is a treasure trove of information for new and existing investigations.
This is probably just the first of many indictments that we will see connected
to AlphaBay.

------
ngold
This does not make a lot of sense since he has been in the public eye for
awhile now. But who knows. I wonder if he had a presentation to give at
Defcon. So far his actions have been very whitehat.

~~~
ryanlol
Of course it does. He traveled to defcon repeatedly, last time they didn't
have the indictment ready so they waited for the next.

The US most certainly doesn't want to have _another_ ongoing extradition
battle for a British hacker in the UK.

~~~
sugersvoltet
Weren't you detained in a similar way when you traveled to the US to attend
Defcon (without the arrest part)? Are you able to discuss how that all went
down?

~~~
ryanlol
Hotel rooms searched before con by the FBI, seized some tech and left me
alone. Pretended to arrest a "friend" who was with me.

On my way back, switching planes at JFK there were a bunch of FBI agents
waiting in the tube who served me a subpoena and suggested that I'd be
arrested if I tried to continue my trip.

Ended up being dropped off at the Courtyard Marriott in Newark by the FBI
(after very little arguing they paid for it, rather strange). Stayed there
overnight, got interviewed in the morning about things I knew little about.

After the interview I got driven to JFK (maybe EWR, not sure) in an FBI car,
with the agent at the wheel demonstrating some impressive skills in the heavy
traffic, mostly going around it by driving on the shoulder.

Never going to the US again I guess, not voluntarily nor involuntarily.

~~~
DaiPlusPlus
Forgive my ignorance, but who are you and why was the FBI interested in you?

~~~
sugersvoltet
Google "Julius Kivimaki" / zeekill.
[http://www.bbc.com/news/technology-33442419](http://www.bbc.com/news/technology-33442419)

Member/associate of HTP and Lizard Squad, hacked Linode (at least once),
Lenovo, the Python wiki, some game companies; called in a bomb threat on a
plane a Sony executive was flying (might've just been a friend of his who did
that, can't remember), DDoSed video game services and 8chan for ages, possibly
involved with the creation of the GayFgt and Mirai botnets, and much more. Got
off scot free because he did it all before he turned 18.

I believe his use of ryan / ryanlol is a mocking reference to Ryan Cleary,
whom he hated and considered incompetent. (Could be wrong.) It may have an
(unintentional?) double meaning, since that's also the name of the
aforementioned "friend" who secretly snitched on him and led to his
detainment.

Nothing against the guy. He's intelligent and a good HN commenter. By sheer
coincidence I sat in many disparate IRC channels under different aliases over
the years that he would always seem to find his way into (probably not a
coincidence in retrospect; he just loves IRC). He was very open about most
things and generally appeared to be driven by e-cred, revenge/competition, and
comedy over financial gain. But some people say he was involved with carding,
too. No idea if that's true.

edit: Looks like he recently admitted to (light) carding as well:
[https://news.ycombinator.com/item?id=14884487](https://news.ycombinator.com/item?id=14884487)

~~~
j_s
tfw HN stops allowing/supporting delete.

See also: Coinbase on this month's "Who's Hiring" (flagged)

------
dang
Previous related discussion:
[https://news.ycombinator.com/item?id=14921018](https://news.ycombinator.com/item?id=14921018).

------
makomk
It's an oddly uninformative document. It says that they believe he created the
Kronos malware but gives absolutely no clue why they think that. All the other
overt acts listed appear to have been carried out by his unnamed alleged co-
conspirator alone. What makes this particularly bizarre is that he was begging
on Twitter for a sample of the malware in question at around the same time:
[https://twitter.com/MalwareTechBlog/status/48837379416825446...](https://twitter.com/MalwareTechBlog/status/488373794168254464)

~~~
dragonwriter
> It's an oddly uninformative document.

Indictments are lists of charges; expecting them to be informative for
questions other than “what is the defendant being charged with” is irrational.
(And “what is the evidence supporting the charges” is a separate question.)

> All the other overt acts listed appear to have been carried out by his
> unnamed alleged co-conspirator alone.

A conspiracy charge only requires _any_ of the conspirators to have taken an
overt act in furtherance of the conspiracy.

~~~
king_phil
Not sure how this works in the US, but "fair trial" means (at least in German
law) that the defendant has full access to all evidence brought against him
before it is brought to court, right?

~~~
ptyyy
Yes and that will be made available to his defense team through the discovery
process.

------
PhasmaFelis
> _The operation included the arrest on 5 July of suspected AlphaBay
> founder Alexandre Cazes, a Canadian citizen detained on behalf of the US in
> Thailand. Cazes, 25, died a week later while in Thai custody._

What's this about? The US told Thailand to arrest a Canadian tourist, who they
subsequently murdered? People don't die by accident in police custody.

~~~
twodave
According to this article, it was an apparent suicide:
[https://www.washingtonpost.com/news/morning-mix/wp/2017/07/18/suspected-alphabay-founder-dies-in-bangkok-jail-while-online-black-market-remains-closed/?utm_term=.b3106ad38170](https://www.washingtonpost.com/news/morning-mix/wp/2017/07/18/suspected-alphabay-founder-dies-in-bangkok-jail-while-online-black-market-remains-closed/?utm_term=.b3106ad38170)

~~~
ineedasername
I imagine that, when you have been the mediator of a bunch of drug trade
transactions, "getting caught" can be something of an indirect act of suicide.

------
toyg
Why is DEFCON still held in the US? At this point it's basically the biggest
IRL honeypot on the planet. It should probably be moved somewhere a bit safer,
like Toronto, shouldn't it?

~~~
zimpenfish
Even Toronto wouldn't necessarily be safe since a fair few people are going to
have to transit the US to get there - a quick search on Hipmunk suggests at
least 50-60% of the London to Toronto flights involve a US layover.

~~~
toyg
I expect most DEFCON people would gladly accept the inconvenience of a smaller
choice of flights, if it removed the possibility of being detained while
ensuring the conference is still well-attended. You can't realistically move
DEFCON too far, and the other options (Mexico, Caribbeans...) are not exactly
a step forward in terms of liberal rule of law.

I think the main problem will always be people who can't (or won't) cross the
US border at all, no matter how easy it is. I expect this number is
significant among the DEFCON crowd. Still, at some point, the organisers will
have to consider whether keeping those types around is worth putting all their
non-US guests at risk of draconian imprisonment.

------
betagiraffe
Ironic that some sources suspect he authored Kronos too, haha.

That's the best joke I've heard all day. Keep in mind MT is the guy who made a
blog article about HVNC and was like "yeah, sorry, can't release my own
implementation because.. reasons.. (hehe winkface; tips black fedora)" and
then links his GitHub, where a terrible example of CreateDesktop's usage can
be found. This guy's profession is to open up IDA Pro and use the pseudo-C
output plugin and then vaguely stay on top of "threat intelligence". Here's my
threat intelligence for these people: don't run with scissors.

MT is a dreadful programmer. There's logs of MT in his IRC telling people "you
can't use the -> operator on references in C++!". He also said he's been
writing formgrabbers since before other members of the IRC were born
(seriously, nonchalantly). He's barely a programmer at all; never mind a
programmer capable of completing malware projects.

MT's past is pretty shady. He's been mixed around with other skids for years
with actual ill-intent and that's why this incident has happened.

The fact people take MT, and people in his league like MalwareUnicorn,
seriously is completely beyond me. They're all literal skids. It seems anyone
with a twitter handle and the ability to retweet real researchers' work is an
"infosec researcher". The 'profession' has devolved into something worthy of a
meme. And before you try to defend these people, just remember that the
"whitepapers" people so often love to reference when defending such Twitter
skids are literally just 5 page pamphlets where they advertise their employer
and talk about things that were discovered in 2004.

Next thing you know, LinkCabin will be giving his rundown of the events. Every
moron likes to get involved when they know nothing of MT nor

Also, as far as the "TouchMyMalware" alias is concerned: that alias was taken
by someone else (who has no vested interests in malware) long after MT
abandoned it. So, any recent activity you see relevant to that alias isn't MT.
If you want MT's old aliases, you're gonna have to beat the real ones out of
him.

The state of information security is in total disarray. In 2017, security
research is just unskilled skids on Twitter engaging in a giant circle-jerk.
Shame, where did it all go wrong?

------
calafrax
Interesting that the WannaCry bitcoin account was emptied at about the same
time.

[https://qz.com/1045270/wannacry-update-the-hackers-behind-ransomware-attack-finally-cashed-out-about-140000-in-bitcoin/](https://qz.com/1045270/wannacry-update-the-hackers-behind-ransomware-attack-finally-cashed-out-about-140000-in-bitcoin/)

Makes me wonder about this guy's real connection to that.

~~~
kakarot
I don't think he would have pulled the plug so early if he was making money
from it. Probably just a coincidence or someone got spooked by everything
going on.

~~~
phyller
The big stories at the time were that hospitals in the UK were getting shut
down by it. If whoever did it lived in the UK they may have had a change of
heart.

~~~
calafrax
yeah, the thing about shutting down hospitals is that instead of looking at
fraud and computer crimes that probably won't even be investigated you are
potentially looking at manslaughter.

------
banku_brougham
The confusing part for me is I thought malware was an established (albeit evil)
business in which the US govt and many others did a brisk business. For example
Gamma Group [1].

So is this just someone without the right connections?

[1]:
[https://en.m.wikipedia.org/wiki/Gamma_Group](https://en.m.wikipedia.org/wiki/Gamma_Group)

~~~
grugq
If you sold 2000 glocks to the police you'd be fine.

If you sold 2 glocks to MS-13, you'd have problems.

It is someone without the right customers.

------
UK-AL
Most likely the US confusing investigation with being involved with the
criminal activity.

They probably didn't even know about his job or previous good deeds when they
arrested him. It's probably a blanket arrest based on communication metadata
and relationships between involved parties. They're probably trying to save face
right now.

------
ryanlol
DoJ press release:
[https://www.justice.gov/opa/pr/man-charged-his-role-creating-kronos-banking-trojan](https://www.justice.gov/opa/pr/man-charged-his-role-creating-kronos-banking-trojan)

------
always_good
This account kinda reeks of ryanlol.

I'm supposed to believe that someone registered an account just to brag about
ryanlol, their biggest fan?

~~~
dang
Please don't accuse other users of astroturfing or shilling unless you have
evidence. It degrades discussion, badly. In this case it even crosses into
personal attack, which we ban people for, so please don't.

We detached this subthread from
[https://news.ycombinator.com/item?id=14925431](https://news.ycombinator.com/item?id=14925431)
and marked it off-topic.

~~~
always_good
Yeah, I was out of line.

------
jgalt212
Count 5 sounds a lot like Kite's Atom plug-in.

> knowingly and intentionally endeavored to intercept and procure certain
> electronic communications, namely computer keystrokes of others without the
> knowledge or consent of said others.

~~~
PrimHelios
You could argue that by installing an open source plugin, you consent to
whatever it does.

EDIT: Not that I like Kite, just bringing up plausible deniability

~~~
ineedasername
I think that would be a tough sell, and open too many undesirable side effects
to pass legal muster. It would provide any bad actor legal cover via open
sourcing.

With the validity of click-wrap license agreements, the water is muddied
further: If users are responsible for complying with their terms, a case could
be made that users are, for legal purposes, NOT responsible for being
compliant or cognizant of anything not in those terms or other explicitly
stated capabilities. For an open source package, that may only be a package
digest or readme.md file. (and of course the distribution license e.g. GPL
etc.)

