
Malware and Hacking Forum Darkode Is Shut Down; Dozens Arrested - ourmandave
http://www.npr.org/sections/thetwo-way/2015/07/15/423196810/malware-and-hacking-forum-darkode-is-shut-down-dozens-arrested
======
thrill
As someone who has crushed a hornet's nest in his hand (when he was about 10),
and well remembers the 36 stings afterwards (something of a record in these
parts) while running away bravely, I'm not sure that's the analogy they should
have chosen.

~~~
smaili
That's an amazing story. I thought hornets were poisonous?

~~~
hellbanner
They are, that's why their stings "sting"

------
junto
The really interesting part is the last paragraph:

> In a related case, Aleksandr Andreevich Panin, aka Gribodemon, 26, of Tver,
> Russia; and Hamza Bendelladj, aka Bx1, 27, of Tizi Ouzou, Algeria, pleaded
> guilty on Jan. 28, 2014, and June 26, 2015, respectively, in the Northern
> District of Georgia in connection with developing, distributing and
> controlling SpyEye, a malicious banking trojan designed to steal unsuspecting
> victims' financial and personally identifiable information. Bendelladj and
> Panin advertised SpyEye to other members on Darkode.

Note that they were arrested in Georgia. Do they mean the country of Georgia,
enemy of the Russians and friend of the US? Or do they mean the state of
Georgia in the US?

Either way, the US has them in custody, which suggests an arrest on US soil
(come visit the US trap style) or a foreign arrest and extradition.

I'm guessing by the tone of that last paragraph that this is how the FBI got
in. They flipped them and offered them a plea bargain. We'll find out at
sentencing.

~~~
crazypyro
I'd assume they mean the state Georgia, based on the fact that they
specifically refer to the "Northern District of Georgia" and the press release
came from the DoJ.

[http://www.gand.uscourts.gov/](http://www.gand.uscourts.gov/)

------
liviu-
One of the arrested ones is 20, and he allegedly created Dendroid — a malware
that can take remote control of an Android device. He designed, developed and
deployed this software (bypassing Google Play's malware detection system)
which seems to be quite complex and capable [0]. This proves that he possesses a
certain set of marketable skills that are quite sought after in the industry.

So I'm wondering - is this really bad news for them, or will it just bring
them enough spotlight to be contacted for some security roles that pay better
than what they were earning prior to the arrest?

[0]
[https://blog.lookout.com/blog/2014/03/06/dendroid/](https://blog.lookout.com/blog/2014/03/06/dendroid/)

~~~
dsacco
Many former criminals do lead successful careers, so it's quite possible.
However it should be noted that circumventing the Google Play store malware
detections is not particularly hard - it's definitely a start, and maybe even
a conference talk, but for real notoriety in the security industry you'd want
to be consistently discovering novel vulnerabilities in Android, not just
figuring out how to sneak malware onto the operating system.

Now, all that said, if you are a competent reverse engineer and can reliably
circumvent DRM/license protection, develop binary exploits for high-severity
vulnerabilities or perform advanced malware analysis, you can easily earn
north of half a million dollars a year in this industry. It is an extremely
lucrative time to be working in security.

You don't need to start out as a criminal though. If you want to do things
like this then work through CTFs like Microcorruption and OverTheWire and
learn how to develop privilege escalation and sandbox escape exploits on very
widely used software and operating systems.

~~~
liviu-
>It is an extremely lucrative time to be working in security.

Is it though? The average salary of a security engineer seems to be lower than
that of a software engineer, and there seem to be considerably fewer positions
available. Those very high paid positions seem few and far between.

~~~
sliverstorm
I wonder if the high power security positions just aren't publicly listed.
That seems like the sort of job you fill exclusively by recommendation or
pursuit of candidates, rather than a job listing on LinkedIn.

~~~
dsacco
Bingo. I'm not talking about "cybersecurity" positions. I'm talking about
people doing advanced work in exploitation, reverse engineering and
cryptography on a consulting basis or those who work in boutique shops.

I pass the $300k mark annually through AppSec consulting, and this is not at
maximum utilization, nor is it a particularly "hard" discipline in security.

------
randomfool
Not clear that the value of closing this outweighs the value of being able to
track exploits.

I assume that the Android rootkit mentioned uses known exploits- the companies
not pushing out fixes bear some responsibility as well.

~~~
joe_the_user
Nothing guarantees that they weren't monitoring this from the start. Nothing
guarantees they haven't set-up the successor to this board already themselves.

We know the FBI actually engages in systematic lying about how they gain
information about criminals - see "parallel construction".

We know that in efforts to end drug cartels, the DEA will enter into long term
alliances with one cartel to eliminate others.[1] We know the US tolerates the
rule of the drug-track caste in Afghanistan for the pursuit of "higher
ideals".

Just in general, the paradox of mafias, cartels and so forth is that it is easier
to use state power to take over such operations than to root them out.
Moreover, taking them over has many appealing aspects. The problem is that the
more the state moves into simply managing rackets, the greater the temptation
to corruption gets, for both the high policy makers and for the low level
operatives (you remember the FBI agent engaging in his own embezzlement etc.
during the Silk Road investigation). But this problem has been around for a
long time; the state by now is probably at a "steady state" in its corruption.

So it seems very possible that the FBI already knows what comes next but can
only tip its hand when the next raid comes in another two years.

[1] [http://www.businessinsider.com/the-us-government-and-the-sin...](http://www.businessinsider.com/the-us-government-and-the-sinaloa-cartel-2014-1)

~~~
Lawtonfogle
>The problem is that the more the state moves into simply managing rackets,
the greater the temptation to corruption gets, for both the high policy makers
and for the low level operatives

Well, that is if you ignore the far larger elephant in the room of the
government running an illegal operation. It reminds me of the times I hear of
the FBI taking over some TOR server hosting abusive images and continuing to
host it as a honeypot. By their own admission, looking at, hosting, sharing,
etc. those images constitutes concrete abuse of a child, yet they directly
engage in such. It would be like if the FBI busted up a brothel with children
and kept running it to catch more criminals. The ends in no way justify the
means.

~~~
joe_the_user
The ends don't justify the means, yet it is also useful to explain, to the
people who think they do, that _nefarious means generally only lead to
nefarious ends_.

------
fixxer
They should have just sold that stuff to the Feds and helped keep America safe
/s

~~~
mixologic
Why would the Feds pay for something they can just take?

------
TTPrograms
Is the current state of the law such that possession of these tools themselves
is illegal? I would have thought that possession of most "hacking" tools would
be legal i.e. for penetration testing and defense - usage against a
non-consenting entity would then be the illegal act. I guess I could see some of
the cell phone hacking stuff being illegal via FCC regulations...

~~~
tptacek
I don't think so, no. I think they also need overt acts in furtherance of a
conspiracy to use the tools. It's probably not as cut and dry as "you have to
actually use the tools to break into someone". It's a bit of a tightrope,
though, because if you're a predecessor on the graph of people involved in an
actual crime, sharing tools can drag you into a prosecution.

So far as I know (this is sort of my profession), there's no _federal_
"burglars tools" law regarding malware.

~~~
jjarmoc
> So far as I know (this is sort of my profession), there's no federal
> "burglars tools" law regarding malware.

To be fair, many "burglars tools" laws require possession of the tools _WITH
INTENT to perform a criminal action_. The intent piece is key. Merely
possessing lock picks is usually fine. But skulking around masked in bushes
outside an office building with a pickset, rope, and an empty duffel bag might
get you in trouble.

A good list of lockpick laws, collected and indexed state-by-state, is at
[http://toool.us/laws.html](http://toool.us/laws.html). You see that in most
jurisdictions intent is required.

While malware laws are still much less mature, I would hope that similarly
there'd be an intent requirement. Possessing malware for purposes of reverse
engineering to develop protections is obviously important, and clearly an
activity we would want to remain lawful (and hopefully unlicensed/regulated).

Conspiracy is probably the easier route to a conviction.

------
serve_yay
I always wonder about these sort of sites, exploit marketplaces, etc. Of
course since I'm nowhere near being in the loop on such matters (I don't even
know where the loop is or what it looks like), I probably would never even see
one before it's shut down and moved elsewhere.

------
gcmartinelli
Ah... these hackers just don't understand that hacking, invading people's
privacy and stealing their money is a government monopoly.

~~~
joeyspn
This could be an _arrest-hire_... who knows

~~~
mindcrime
"Work for us, or spend the rest of your life in the salt-mines".

Yeah, I can see how that would be a compelling argument. I wouldn't put it
past various government agencies to think of exactly something like that.

~~~
emodendroket
I'd say it would be pretty stupid to entrust people working under duress with
sensitive information but what do I know?

~~~
sliverstorm
Maybe, maybe not? I'd bet it depends on the people, depends on the job. Are
you an anarchist assigned government drudgework? Bad news. Are you a chaotic
neutral "forced" into fascinating meaningful government work? Might be great
for everyone even if you wouldn't have taken the job normally.

------
BrandonMarc
Because of the embarrassing hack of the Office of Management and Budget, the
feds needed a high-profile "win" to give the voting public the appearance of
competence.

That's the story.

------
amouat
"...used his botnet to steal data from the users of those computers on
approximately 200,000,000 occasions"

Must have some fast fingers to use nearly anything 200 million times...

------
frozenport
Why not keep this website in China or Russia, beyond the reach of the law?

~~~
liviu-
The website was important only for facilitating the illegal activities.
Keeping the website alive while being under surveillance by FBI wouldn't be of
much benefit to the members of the community.

------
nblavoie
What strikes me is the fact that they are tracking visitors with the following
Google Analytics code: UA-51054600-7.

------
stephengillie
> Investigators say that while the forum's existence was widely known, they
> hadn't been able to penetrate it until recently. Darkode operated under
> password protections and required referrals to join. On Wednesday, the site
> consisted of an image saying that it had been seized by authorities.

> The arrests come after a two-year FBI undercover operation that infiltrated
> the forum, said FBI Special Agent in Charge Scott S. Smith. Wednesday's
> announcement reflects work in countries that range from Brazil and Costa
> Rica to Latvia and Macedonia, the Justice Department says.

For various meanings of the term "Recently". So they've been trying to get in
for 2 years and only just now got in, by pretending to be from Latvia?

~~~
wernercd
Where did you read they pretended to be from Latvia? They worked in multiple
countries, including Latvia.

~~~
stephengillie
In lieu of details, I assumed this from the article details.

Are you saying that they also pretended to be Macedonians?

~~~
nyolfen
they probably had a partner agency bust someone in one or more of those
countries and flipped them

~~~
stephengillie
So you're saying that they couldn't even get in on their own? They had to find
someone with what I'll call a "legitimate reason" for connecting to the
darkforum, and had to sneak in that way?

~~~
celticninja
Yes, it would seem that way. Check out the top comment; it has a quote where it
looks like they turned someone in January and someone else in June. So the
first was the person who got them onto the board, probably just a user/low
level carder; the second was likely an admin with more privileges, perhaps
even access to PMs. Once they had the admin they were able to close it all
down.

~~~
stephengillie
Where are you seeing that? The top comment is the dumb one about hornets.

~~~
celticninja
Ctrl+f junto

> The really interesting part is the last paragraph:
>
> In a related case, Aleksandr Andreevich Panin, aka Gribodemon, 26, of Tver,
> Russia; and Hamza Bendelladj, aka Bx1, 27, of Tizi Ouzou, Algeria, pleaded
> guilty on Jan. 28, 2014, and June 26, 2015, respectively, in the Northern
> District of Georgia in connection with developing, distributing and
> controlling SpyEye, a malicious banking trojan designed to steal unsuspecting
> victims' financial and personally identifiable information. Bendelladj and
> Panin advertised SpyEye to other members on Darkode.
>
> Note that they were arrested in Georgia. Do they mean the country of Georgia,
> enemy of the Russians and friend of the US? Or do they mean the state of
> Georgia in the US?
>
> Either way, the US has them in custody, which suggests an arrest on US soil
> (come visit the US trap style) or a foreign arrest and extradition.
>
> I'm guessing by the tone of that last paragraph that this is how the FBI got
> in. They flipped them and offered them a plea bargain. We'll find out at
> sentencing.

