Everything I've read points that he created banking Malware "Kronos" which was sold on various "underground forums" (whatever that means). What's with the WannaCry conspiracies? He wasn't arrested for being a security researcher, he was arrested for being a malware creator selling malware. Why is this "sending a chill through the security community"?
People think that an innocent white hat hacker could get swept up in this kind of arrest, and there has been so little evidence released, nobody knows what actually happened.
>Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.
You say that as though you are contradicting NateJay.
But the fear NateJay is highlighting is exactly that a white hat is being accused. And that (whether ultimately borne out in this case, or not) this kind of thing could happen to people who are conducting innocent security research.
If the government has evidence, he should be charged and tried. And that appears to be what's happening here.
Then why isn't there a chill sent every time anyone is arrested on accusations of black hat crimes? If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.
How do you know that it doesn't? White hats are counterintel agents effectively. If a counterintel agent is arrested for doing something that could be deemed as part of his job, why wouldn't it 'send a chill' through the community?
There is only the thinnest of lines between the two.
White hats have to traffic in malware and exploits because it's necessary to understand a threat in order to defend against it, and in order to test that your defenses are effective. It may even be necessary to infiltrate black hat collectives.
The clearest way to tell the difference is that a real black hat will be breaking some other law. Committing credit card fraud or misappropriation of trade secrets or something like that.
But that doesn't appear to be the case here. And the fear is that because the law around this is so uncertain, if the government is going to use it in cases like this without any independent bad acts then nobody knows where the line is supposed to be.
People on this thread have a lot of strange ideas about what infosec people do in their jobs.
The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.
And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.
Watch the video of this horrendous deadly baseball bat attack. Baseball players do not bludgeon people to death with bats all the time. Therefore, baseball players should never worry that they might be falsely accused of an attack. Oh, and the crime was horrible, so that means the evidence must be pretty good. Q.E.D.
And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?
The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.
There is a MASSIVE difference between researching security holes... and then selling the exploits for those security holes or tools that use said security holes.
Again... if the chatter here is accurate, he's not being "arrested" for research... he's being arrested for tools created and sold with the knowledge gained by said research.
There's a difference between discovering a hole in a bank's security... and robbing a bank using that hole.
Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scot-free because someone else handled the actual marketing, sales, etc but if he didn't gain anything from those sales, or fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.
To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?
I feel like you're changing the terminology here in order to confuse the pretty clear lines.
Obtaining and analysing != creating and selling.
Maybe there is a case that buying malware is a reasonable thing to do in some circumstances.
Selling your own malware is a different thing. That seems a pretty clear boundary.
A person he knew, or he was in touch with sold the said trojan. The indictment also doesn't say if he did gain financially from the sale or not.
So, he developed a trojan possibly for research, someone he knew sold it and he got arrested.
This thread gives the impression that people not in the field see some sort of mystique to malware research and development. Malware isn't vulnerability research or exploit development. Most of the malware deployed in the real world is code that virtually anyone on HN could develop, from first principles without any additional research.
That's not true of exploit development, which can be extraordinarily difficult and almost always depends on specialized insider knowledge. There's lots of research reasons to work on exploit code. But that's just not true for the kind of malware we're talking about in this case.
This is important to understand, because the premise of the story is that prosecution over banking trojan malware is having a chilling effect in the industry. It is not. Very few people in the industry build stupid-looking PHP interfaces to HTML injection on botnet victims, not because it's illegal but because it's pointless and dumb and you wouldn't learn anything from doing it.
How does a person accused of development and direct distribution of malware qualify as a white hat? Because he pulled the plug on some ransomware and put his name in global households?
There are a lot of logic jumps here that you have simply glossed over.
"Accused" just means someone said it, it doesn't make it true.
If not, you're all being targeted so you should grab a new career before you get feds at the door.
You can put up $30,000 cash or some other asset as BAIL, and that is returned to you in full after the trial.
Or you can pay a bail bondsman 10% of that as a fee; they will put up a 30K BOND to the court and assure the court they will make you appear or pay the court the 30K if you skip.
You as the individual however lose that $3k.
(Not because the evidence for Hutchins' involvement is thin, but because the law here is hazy.)
Orin Kerr's analysis is excellent and made me consider the accused party's intent and the difference between selling code versus using code.
If someone manufactures guns, doesn't register them, and knowingly sells them to street gangs, it kind of seems like they're aiding and abetting illegal activities for profit.
Of course there are instances of selling malware you created to parties who generally won't use it illegally, but that's not what's alleged here.
Whether Hutchins truly violated the law, I don't know, but if the allegations are true then he did something very unethical and something I feel should be illegal.
For an analogy, suppose you wanted to rehabilitate some drug addicts in a bad part of town, and as a result, frequented that part of town, and bought books on drug dosages. If that could get you arrested because the cops couldn't tell the difference between you wanting to help drug addicts and being a drug dealer, and arrested you based on frequently being in the wrong part of town and showing an interest in drug literature, then it would send a clear message to go nowhere near these people in need. And that would be a shame.
Is there any indication that's the case here? The FBI isn't a bunch of complete incompetents. He could be found innocent, but what makes this case different than the presumption of innocence that every person charged with a crime is supposed to be given?
The FBI is human and therefore makes mistakes, and they are a large organization and therefore have a structural inertia that occasionally directs a lot of power and effort at the wrong target.
Also, the price of democracy is eternal vigilance. Citizens have a duty to check the government's use of power. We should be worrying every time the government acts against a citizen until we also see proper due process including any necessary evidence.
> He could be found innocent
He is innocent until proven otherwise.
> what makes this case different
The government hasn't yet shown that they can handle this kind of case properly. That is partly due to the novel nature of situations involving new technology, but it is also from the government's own history of bad behavior. Their reputation means they do not get the benefit of the doubt, and until we see actual evidence that this case (regardless of the outcome) is being handled properly, it's prudent to worry that this might be an overreaching prosecutor (or worse).
It isn't a bunch of completely competent people either; the forensic hair analysis kerfuffle shows that much.
The attempt to divide the whole world into "people irrationally attacking 'hackers' and 'the good kind of hackers'" isn't doing anyone any favors.
If Hutchins has nothing to do with a criminal conspiracy to profit from a truly awful banking trojan, then his arrest and indictment is a travesty. But if he does have something to do with it, then his status as any kind of "hacker" should have nothing to do with anybody's take on the situation. I'm not sure how much lower you can go than deliberately making money by stealing bank logins from ordinary people, which is what he's accused of doing.
People love to talk about how the FBI has a history of framing people --- and in other fields they might. But there is no track record I'm aware of for the FBI to make up a story like this out of whole cloth. In every case like it, from NanoCore to Albert Gonzalez and Stephen Watt, there's been a basis for the charges.
No? It is fairly common in terrorism cases. I fail to see why they could not do it for cyber crime as well.
Well, yes, since none of those are actually examples of the FBI framing anyone. Stings are not the same thing as framing, no matter how much sarcasm techdirt uses to describe them.
A sting is law enforcement creating a situation where someone can demonstrate clear evidence of their intent to break the law. Framing is law enforcement MANUFACTURING evidence that someone broke or intended to break the law.
In the terrorism cases, a sting would be the FBI giving someone a fake bomb and that person trying to blow people up. Framing would be the FBI arresting someone and falsely claiming they found a bomb and plans for the local stadium in the person's house. It's an important distinction. In the former case, the person clearly tried to kill people while in the latter case they did not.
No, that should be entrapment.
A sting is where they get a tip that criminal action might be happening and they are there to catch the criminals in the act.
Not where the FBI creates the plan, induces people into the plan, provides support for the plan, provides materials for the plan, then arrests everyone.
That is or should be considered entrapment, which I also consider framing someone.
If the FBI put cocaine in my car and then pulled me over, that’s framing.
I’m not entirely sure what either of these things have to do with getting arrested for creating and selling exploits.
The definition of "wouldn't normally" looks like some hairy case law, but it isn't as simple as you are saying. If they are offered a bomb for sale after a lengthy conversation about how great terrorism is and how important it would be for them to take the bomb, you could possibly have an entrapment case for example.
But as you say maybe that's another field. But still skepticism is not without basis imho.
I.e. not relevant.
> is there any indication that's the case here? the FBI isn't a bunch of complete incompetents.
If they arrested someone selling the malware (which they did), and to get free that person says they can deliver the author (which they did), but instead points to any random security researcher they found working on that malware (we don't know). Now, add this to the person's whitehat research, and the circle is closed; it would take one lifetime and immense legal fees to prove otherwise.
That's bound to set off some alarm bells, somewhere some day, at some agency or bureau.
Now, Krebs keeps a relatively high profile pertaining to his work, so it's not improbable that they think twice when they read who he is, and see he's one of the "good guys" obviously.
But there's a lot of white hat researchers who aren't Internet-famous (in the tech world, not just security). Quite a few by choice, too.
So now they're worried if there's anything they might have done in the past that could get them into this kind of trouble. That is, being charged with something over having done (perhaps legally grey) security research. And yes they'll be given a fair trial, except that it seems that in the US proving one's innocence also depends on whether you have sufficient funds (I feel like I'm stereotyping here, but I see so many people casually mention these scenarios as if it's a given).
And then, being one of the "good guys"--by, say, single-handedly stopping the first wave of a global ransomware epidemic--doesn't seem to warrant a bit more considerate and less aggressive approach any more, either.
So now they're worried!
It seems to me that, if proven, the DOJ has a case here. The key point will be exactly what they can or cannot prove in court.
It's best not to get too riled up over preliminary things like this. We haven't heard most of what there is to hear until the closing arguments are given and I'd rather not make up my mind too far one way or another before I've heard everything there is to know. And I would be embarrassed to stake an opinion later proven ridiculous because I rushed to judgement.
Of course it does. But the subject here is whether the indictment should cause a "chill" in the security community. Nothing he did in his legitimate research is related to the indictment.
This is like saying Hans Reiser's arrest would have had filesystem authors afraid of the government.
In this case he was selling malware so I think this about a time when head gear was of a darker color...
That means it should be even less likely to "send a chill through the security community".
They don't give you back your lawyer money if you're found innocent. They don't give you back any job that you may have lost, and they certainly don't give you back the money you would have earned during that time.
Only in the most exceptional cases is someone held without bail.
> They don't give you back your lawyer money if you're found innocent.
Federal courts can award legal costs "where the court finds that the position of the United States was 'vexatious, frivolous, or in bad faith.'" https://en.wikipedia.org/wiki/Hyde_Amendment_(1997)
But yes, your broader point is correct that it's certain to be a very bad experience.
There's a big disconnect because people seem to be associating this guy's arrest with his serendipitous Wannacry incident. But there's no correlation at all. He is alleged to have had a shady past (corroborated by many reputable HN commenters) and later turned white hat.
What I don't understand is why the FBI didn't just hand the evidence to the NCA in the UK and have them arrest him.
The FBI is known for arresting and indicting people with crimes that carry LARGE sentences, to use that as leverage to turn those people into informants.
Extortion is a powerful tool used by the US Government.
There are good reasons to be cautious, but this particular case is far from decided either way.
"He admitted he was the author of the code of Kronos malware and indicated he sold it," said Mr Cowhig.
The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money.
A general question not directly related to the case: Where exactly is the line between criminal conspiracy and writing software tools?
Certainly TOR is used by people to do bad things (and also good things), but almost everyone agrees that no criminal act has been committed by the creation of TOR. Plenty of legitimate businesses sell Remote Access Trojans (RATs) and go unarrested. On the other hand some developers that sell RATs have been arrested.
If someone pays you 2,000 grand to find an exploit have you committed a crime? What if then they use that exploit you sold them to commit a crime? What if you knew beyond all doubt that was their purpose but then the exploit isn't used? Does it matter if they bought an exploit from you or if you are a salaried employee of their company? What if instead of selling them an exploit you configured an email server for them?
On the other hand, if you think that the DOJ, while subject to making mistakes, does not often knowingly and deliberately falsely accuse people, then you look at the alleged behavior, and realize that it is well outside the bounds of whitehat behavior.
I can't speak to any other aspect of federal prosecution. My thoughts about computer crime prosecution definitely can't be extrapolated to my thoughts about criminal justice in general.
WannaCry was a massive black eye for the US Government; I think everyone believing there is zero connection between his involvement in that and this indictment is also naive.
I also fail to understand why you believe "computer crimes" are handled differently than any other type of crime, why you believe the DOJ would frame people for "other types of crimes" but never computer crimes, like there is some prohibition on entrapment when it comes to computers...
They come down hard and they come down heavy on the wrong people, ruining lives. They also pile ridiculous charges even on those who are guilty of minor crimes, threatening to bury them in an avalanche of charges unless they settle. They also seem to be really ignorant of technology, and show a deep suspicion of anything that they don't understand.
Whether this bullying is because they are out of their depth, have a culture of recklessness, or some other reason doesn't matter to those who end up in their crosshairs. If you are a bank fixing Libor, or money laundering (UBS), or are involved in any number of frauds in the financial crisis, you are treated with kid gloves. But if software or encryption is involved, then the sirens wail, SWAT teams gather, and the fear campaign begins.
I think the "selling" part is the problem, not the writing. Don't sell trojans and you won't go to jail. Seems pretty clear.
A lot of AC software runs in ring0 and behaves a lot like a Trojan. I remember nProtect specifically injecting DLLs into explorer.exe among other nasty "black hat" techniques.
I thought it was pretty clear.
From the context, it looks like that particular snippet was posted as a counter to the notion that researchers should be concerned about false accusations happening due to the possibility of their work being misconstrued as the activities of a black hat hacker.
To post that as if to dismiss those concerns, is definitely tending toward the tone that piiie is talking about. While you are right to point out the word "accusation" is used, not guilt, the tone still comes through when you consider the context.
In this scenario I both wrote and explicitly sold the software with no idea of what the later applied tech would do. The computer laws referenced in the article seem to require direct knowledge of malicious intent of the software in the sale.
If you haven't already, listen to this podcast about Doug Williams and polygraphs: https://www.thisamericanlife.org/radio-archives/episode/618/...
There's a lot of parallels and how issues of intent can get very grey.
It seems like the arrest is a bit aggressive, but so is the response – clearly out of fear and uncertainty of the govt and general time we live in. Hopefully more transparency will bring light to the allegations and reassure the innocent of their safety
If they decide you are a problem for any reason or decide to put you in their sights, perhaps for their own political agenda, you will face an overwhelming range of charges and immediate legal expenses.
The goal isn't truth; the goal is to break you and so further their agenda.
I'm not saying there isn't legitimate law enforcement occurring within the mix.
But, in terms of the overall picture as opposed to court etiquette itself, "benefit of the doubt" seems to have long since gone out the window.
Now imagine being a foreigner, away from family and local support networks, and not knowing whether you've landed on some very political person's list (and prosecutors in the U.S. are very political creatures).
Imagine you work in an area engendering much controversy, such as computer systems security.
And finally, take it a step further, even sitting home or traveling in e.g. Europe: Just how far and pervasive are the FBI et al. willing to reach with politically aided extradition requests?
Political forces in the U.S. want to "stop" "cybercrime" by physically insisting that people they don't like "stop" doing those things. Not a technical solution. Not improving systems and systems management. Nope, get out the rubber hose.
And wield it based upon political calculation, more so than actual, (legally) substantiated fact.
They just caught another criminal hacker who was stupid and earned a lot of money from his Kronos hacks. The one chill is how stupid was he? Lamborghini? The second chill is how naive have I been when reading about the lone hacker fixing WannaCry and saving the world from his mom's house bedroom?
And renting a fancy car for a few days might not be that much money. I recently used Turo to rent a gold Cadillac for a trip up to Marin County. Pretty nice, huh? It cost less than renting a Nissan Altima from Budget. (I checked.)
A number of people have pointed out that would be taking the extremely ridiculously long game for an alibi - why would the author ask for a copy of his own code?
There's also little/no published information to back up the statement that he ever sold Kronos.
If I was greedy and in the security field, with identities (or middlemen) on both sides of the game, I would be terribly tempted to play those identities to support each other. For example when blackhat-me would be selling an exploit, whitehat-me could create buzz by talking about it. Later, when the exploit's market value drops towards zero (ip enforcement is weak on the darknet), whitehat-me could reap the glory of discovering all the details about the exploit, maybe even using some "mistakes" blackhat-me left in the code to facilitate plausible parallel construction.
What are all those ifs having to do with the WannaCry situation? Probably nothing, hopefully nothing. Or maybe hopefully a lot, because it would mean that the FBI did not lock up the wrong guy?
(That co-conspirator is unnamed to us, but most probably is someone clearly known to the DOJ).
The indictment itself is pretty bare. But an indictment isn't a trial; the DOJ will need to prove its charges to a jury with a considerable amount of evidence, and, as Orin Kerr pointed out last night, they have an uphill climb ahead of themselves, because the letter of the law is favorable to people who create and sell banking trojans.
Not probably. The first line of the indictment is "Defendant [redacted] used the online aliases [redacted]."
Of course I could be wrong, so time will tell. A good future indicator of this will be if the case is dropped as quietly as possible.
So to me, tweeting "I want a sample of Kronos" is indicative of nothing.
When he found his hooking code in a malware sample (presumably Kronos), he expressed his disappointment / frustration with this (ab)use of his work on twitter. Whether or not this is truthful or just public posturing remains to be seen.
None of this is recent news - it played out in early 2016, so his arrest now is a little odd, unless the DOJ has uncovered new details that have not been publicly disclosed.
If it turns out he is arrested for some of his public code in a piece of malware, it should worry both security researchers and open source developers a lot.
There's no reason he can't be both. We can both like him for stopping WannaCry, and dislike him for (if true) marketing/distributing malware based on Kronos.
Although I agree with your general sentiment, I'm confused as to why the security community is chilled by this. The court case should be public, so we'll be able to judge the evidence ourselves.
Well this is still the United States, so by law it will be. People are blowing this way out of proportion as if he were disappeared by the secret police or something.
Though I am not sure, even if on bail, if he has access to his computers?
However, I do not doubt that a mix of fear & incompetence could have resulted in his arrest as much as any concrete evidence of his involvement in Kronos. I think there's (perhaps rightfully) a culture of distrust and paranoia around law enforcement's interaction with ethical hacking. It's difficult to detach from that when legitimate prosecution happens.
I really disagree with you on this. The problem is not the person who researches different exploits (ie who may /write/ the malware) but with the people who /use/ the malware to do bad things.
When we keep preventing white hat researchers from doing their job, there's no defense against black hats.
If he actually sold Kronos for the sole purpose of stealing, I agree that he should be prosecuted. If he only used it for research purposes, this is a complete witch hunt.
If I write a program that can steal banking info, what law have I broken? Isn't it only the actual theft that's a crime?
The FBI claim he created the software in July 2014, the exact month that he asked on twitter for a copy of the software. Now I am not saying he is innocent but I am also not assuming his guilt because the FBI said he was guilty.
What proof do you have that he is a malware creator selling malware?
I've read the indictment but we'll have to wait and see how the government argues its case when this comes to trial.
Because a lot of legitimate security research, when viewed through the myopic and cynical lens of a Federal Agent, can be seen as illegal, this is an ongoing and ever present fear for people in the field.
The FBI claims he is a malware creator and arrested him for it, you seem to believe fully this narrative of the FBI with no room for the FBI to view completely innocent actions as something else. No room for the FBI to be in error, no room for the FBI to be wrong.
The government has routinely, time and time again, overextended and prosecuted several people wrongly under CFAA, which is a terrible and broad law that can be applied at will to many innocent everyday computer actions.
The FBI could be wrong and that'd suck. I'm just assuming that the FBI and their resources have enough evidence to reasonably believe he's the creator.
And again, your last comment doesn't fit this article. They aren't overextending and arresting a security researcher (although he is one), they're arresting someone whom they believe is a malware creator and distributor.
So you generally believe people are guilty until proven innocent, and I always believe people are innocent until they are proven guilty. I never take the government's word for anything, and generally assume the government is lying at all times. History supports my position.
I find it extremely alarming how quickly people just believe the FBI's assertions as fact with almost no actual evidence being presented
“Innocent until proven guilty” is a legal standard applied where “guilty” means having one’s liberty taken away. And in that context it’s a perfectly appropriate standard. But as mere spectators, where the harm caused by mistakenly believing he’s guilty is minimal, I think we should feel free to simply believe in the most likely possibility (aka preponderance of the evidence). You may disagree on that point, and that’s your right. However, if we agree to apply that standard, I don’t think it’s reasonable to believe that the FBI’s allegations being false is actually more likely than the alternative.
> I never take the government's word for anything, and generally assume the government is lying at all times. History supports my position.
You have a peculiar interpretation of justice, one that makes you pretty much like those that liked to burn people on fire pyres on the basis of allegations made by socially relevant people.
Why is it the appropriate standard? Because as a society, we believe that taking away an innocent person's liberty is far worse than letting a guilty person go free. For the expected value (in the statistical sense) of the legal system's benefit to society to be positive, the prevalence of the former should be a tiny fraction of the prevalence of the latter. (How tiny that fraction actually is, in the US or anywhere else, is debatable - you could look at the number of convicts who were proved innocent upon the advent of DNA testing - but that's not the point.) Thus we should only convict if the apparent probability of guilt is extremely high.
But if I as a bystander believe an innocent person is guilty, it's not as big a deal. True, if a lot of people believe that, it causes some reputational damage, which can be bad. If someone with a connection to the person makes decisions disfavorable to them based on that belief, that's quite bad. But this risk is mitigated by the fact that soon enough the police will be required to present their evidence in court, which should help drive our assessments with more certainty to one possibility or the other. And in any case, these harms are far lesser than the harm of subjecting the person to prison, or worse punishments.
Perhaps I misstated the ideal standard for bystanders. Perhaps it should not be literally whichever possibility is more likely; perhaps we should give people some "benefit of the doubt", due to the above harms. But there's no need for the extreme standard demanded by the actual justice system. A reasonably high probability of guilt is enough, at least to treat guilt as a working hypothesis.
In a legal system such as the United States', "if the police took him" (specifically, indicted him), I'd say there's a high probability - at least 75% or so, probably higher - that there's a "good reason for that to happen". (At least in the sense of "he did what they say he did"; whether that thing ought to be illegal or not is typically more subjective.) It's not certain; there could be some sort of corruption or unethical behavior by the police, or they could simply be mistaken. But it's enough to form a working hypothesis, to use until we gain more information.
Innocent people have their lives for ever ruined with nothing more than false accusations, and not being found not guilty at trial does not change that.
Further I would like to see where you get your belief that police are correct 75% or more of the time.
It seems to me you have a very favorable opinion of the American legal System, this tells me you have very very limited first hand experience with it and like view of from rose colored world view never having known anyone personally that has been ground down to nothing by this system that is IMO largely unethical
It was the FBI that pointed the media to him as a suspect.
Do you habitually eat food that has been left out for longer than government guidelines allow because you generally assume the government is lying at all times?
Do you increase your speed when you see a sign that says REDUCE SPEED, SHARP TURNS AHEAD because you generally assume the government is lying at all times?
Those are completely voluntary and used for stock control, not food safety.
As to speed limits and sharp turns, I drive for the road conditions for the most part, so no, I do not always slow down around sharp turns unless there is a posted speed limit for the turn for which I would be subject to arrest or fine for violating.
Is indicting people for crimes they are alleged to have committed consistent with your position? Because that's all that's happened so far.
The FBI asserts that he created malware. He denies it. An indictment and a trial will figure out which of them is lying.
Another is that he might plead guilty and we'll never know whether he was guilty or innocent (but threatened with consequences he didn't feel he could risk).
Yes, that might happen. Taking that position to its logical conclusion, nobody should be indicted for anything.
There are serious problems with the US justice system. As far as I can tell, there is nothing at face value that's unreasonable about this indictment.
1. True malware creator and seller is sent to prison.
2. True malware creator and seller is not sent to prison.
Whether he pleads guilty or not has nothing to do with him being a security researcher. I'd much rather have more false positives than false negatives. You, and the rest of Europe, would too.
"it is better 100 guilty Persons should escape than that one innocent Person should suffer"
Also, you've got this wonderful dichotomy laid out, but there are other options too: for instance, that this guy is sent to prison but was not the creator of the malware, thus ending any chance of the true creator ever being caught.
Unless of course you're so mediocre that you'll never ever risk doing anything even remotely significant; in which case, whatever.
At least you admit that believing the FBI is crazy, maybe there is hope for you.
Randal Schwartz https://en.wikipedia.org/wiki/Randal_L._Schwartz
Rather ill-advisedly, the Perl-programming guru (who's written several books on the subject) tried to prove his worth by running a password cracking package after he'd left in order to produce evidence that security practices had deteriorated since his departure. Instead of re-hiring Schwartz, as he hoped, Intel called in the police and he was charged with hacking offences.
It's not the crime of the century, but it's not a case of someone doing benevolent security research getting caught. Nobody practicing today would backdoor a client computer, use the backdoor after their engagement had ended, and expect anyone to find that action defensible.
Seems to be a clear example to me.
- Weev’s harvesting and publication of iPad owners’ email addresses was far from benevolent, but it also wasn’t exactly hardcore hacking; IIRC he just changed a URL parameter. As you know, it’s not that far from what white hats sometimes do, in terms of probing public websites - with the obvious exception that they’d usually responsibly disclose the vulnerability to the site owner, rather than publishing people’s data!
- Barrett Brown was charged with (among other things) republishing a link to data someone else had leaked. That falls more into the category of journalism than research, and ultimately the charge was dropped, but it still fits a theme of overzealous use of <s>the CFAA</s>.
edit: that wasn’t the CFAA, but same idea.
Whatever you think of the actual prosecutions here, neither of those are cases of security research being mistaken for something else. The most you can say, for instance, about Brown is that he is not as closely connected to an extraordinarily serious crime as the DOJ believed he was.
1. Someone physically breaks into factory, steals a list of customers for the purpose of (selling to competitors/personal interest)
2. Someone drives around the country and records locations of $company infrastructure, in an industry where optimal placement provides a major competitive advantage, for the purpose of (selling to competitors/personal interest)
In both cases, the person now has information that the target would rather keep private, and in both I would assume that their plans for the data would be irrelevant to the legality of gathering that data. (I'd assume case 1 would be illegal either way, and 2 legal either way) So if Weev's actions are akin to breaking into/hacking a system, then case 1 would apply - but if it was closer to looking at publicly exposed information, then the situation would be like case 2. But either way, I don't think his reasons for taking the actions (or after the fact plans on what to do with the data) would affect the legality of what he did.
Of course, IANAL and US computer law seems to be completely screwed up so maybe it would matter. I just don't see how.
Your first case has both prohibited conduct and intent (actually, with or without the intent to sell the data, I think deliberately breaking into a factory is itself criminal).
Your second case does not.
Murder is also rather easy, and we execute people for it.
It's certainly part of what he said:
>but it also wasn’t exactly hardcore hacking; IIRC he just changed a URL parameter.
The difficulty of carrying out an action is completely irrelevant to its legality.
This pressure I believe will lead them to overreach on the CFAA like they have in the past in other "hacking" cases.
So while I cannot point to an example right now, that is simply because there is a general lack of case law in the field to begin with; nor does that support a position that the FBI is correct in this case, or would never go after an innocent security researcher. Their history defies that completely.
While I tend to agree that this is possible, the parent's point was how unrelated this was to WC and to any research occurring in the field. It's strictly a case of "this guy wrote malware and sold it".
> you seem to believe fully this narrative of the FBI with no room for the FBI to view completely innocent actions as something else. No room for the FBI to be in error, no room for the FBI to be wrong.
I'm confused. The parent simply stated he was arrested for that. How does that translate into "Parent believes 100% what the FBI states with no room for the FBI to be wrong"?
And is the US any worse for this than other nations? Probably not. They just get more publicity when it happens. But every nation that has a legal system will do the same thing. If the Russians or the Brits or the Germans or the Swiss decide that Jtsummers is a suspect in a crime, and I visit and they realize it, I shouldn't be surprised to find myself arrested and barred from leaving the country.
 https://www.cnet.com/g00/news/russian-crypto-expert-arrested... - may not be the best article, it's the first one that came up on Google for me.
Marcus Hutchins is a British citizen. Extradition before the event was feasible and would have been a far more honorable path than the snatch and grab that transpired.
British security experts might insist on Grand Cayman for any further conferences in the Americas.
That would be exceptionally nice of them, but also extremely poor investigative practice.
I will say, though, as one of the many people in my field that is bone-tired of schlepping out to the worst place in the United States every damn year for these events, any other location in the world would be fine for me, and I endorse the actual suggestion you're making.
† (Yes, obviously, I know virtually nobody who attends Defcon is a criminal).
There's a brazillion reasons not to arrest someone the minute you think you've got them.
The point I was making RE: "basis of an arrest" is that if you wait for him to do something stupid, like get arrested by local LEO for drunk and disorderly, that gives you cover to approach him in an interrogation and threaten him with prosecution over the malware... unless he agrees to be a witness/informant. Because he's in with local LEO for something innocuous, there's cover.
In the end, they indict him for the malware, which pretty much ruins him from that perspective. Or, perhaps, they already figured he wasn't worth using and it's not above a US Attorney to go after someone well known in order to further their own career...
It's a minor networking hit for me, but a total win otherwise (and I can make up by networking elsewhere - I cannot get time spent in Vegas back).
Plus the fact that it works on a plurality of tourists coming through makes it sad.
I leave Vegas with less faith in humanity than I had when I came. It's been a few years though.
Hunter S. Thompson had it right: try to cram as many drugs into your body as possible, seek out the ghosts of America's dead dreams and you may come out with some semblance of spirit intact.
Plus it's in the middle of a desert, so options are pretty limited.
"good restaurants": (1) lots of top-tier cooks go there because money and it's cheap because Vegas, or (2) lots of off-strip places with good chefs trying to make it big.
"crappy, overpriced food": (1) Wolfgang Puck etc, or (2) Even off-strip food is bad and expensive because they can't afford water.
So in reality which is it?
However, there are also some of the best buffets in the world there (if you're into that). There are also some awesome high-end restaurants: https://www.tripsavvy.com/michelin-guide-rated-restaurants-l...
Because Vegas is a massive tourist destination where you are guaranteed to have a deep market of people eating out every day of the week, it attracts tons of restaurants so you do need to do a little research. Picking a random one will likely get you overpriced 'meh'.
We've gone off the strip for sushi, Korean bbq, Thai, and Ethiopian and had good luck; I don't know enough about greater Las Vegas to judge it. But the strip is bad.
Very particular definition of the word criminal, I guess. Kevin Mitnick, James Clapper, weev, plenty of criminals attend/panel at Defcon.
It doesn't make sense to move it to the Caribbean. That would cause attendance to drop by a lot, and some other organization would just start another conference in the US, and most people would go to that one.
The Bahamas might also be a reasonable choice, as they only declared independence from Britain in 1973.
But running a snatch and grab at a security research conference looks really bad, and is bound to have a much wider chilling effect on people's willingness to attend US conferences.
Is this just for alleged computer crimes, or would you apply that to all alleged crimes?
For example, suppose I run a fraudulent mail order business targeting people in, say, France, and this is a crime in France. Would you argue that if I visit France, and the French authorities want to arrest me and bring me to trial, they should let me go home and use extradition to try to force me back, rather than arrest me while I am in France?
But the alleged crime here is years old, and I don't remember anything (or find anything in a Google News search-by-date) to suggest there were charges or an arrest warrant before July 2017. That makes it seem like they didn't think the evidence was strong enough to get British cooperation, and waited to even mention it until they'd have a chance to act alone.
Either that, or they really had nothing linking Hutchins to Kronos until very recently. If it turns out this really was based on new information, and the timing really was coincidental, I'll be a lot more comfortable with how it was handled. But that's sure not what it looks like right now...
The pall which is descending over foreign attendees is a harbinger of either relocation or vastly reduced attendance.
I think we can all rest assured, unfortunately, that Black Hat isn't going anywhere.
Sure, so he was a suspect in a criminal investigation before attending DEF CON. The US doesn't try to extradite literally everyone suspected of a crime from every other country we have an extradition treaty with. Extradition is a pain in the ass so the DOJ decided that it probably wasn't worth their time. Then he comes to the US, he's flagged at immigration, and the DOJ is like "OK, now it's worth our time".
Seems completely acceptable to me.
If we want justice to be seen to be done, we shouldn't encourage "forum-shopping" by law enforcement, letting them bring prosecutions in a country where the defendant will be artificially disadvantaged.
> Seleznev, the identity thief who is the son of the Duma deputy, chose to vacation at a five-star resort in the Indian Ocean archipelago nation of the Maldives in 2014 precisely because it has no extradition treaty with the United States. U.S. officials got word and persuaded Maldives authorities to intercept Seleznev at the airport, where in a fast-paced operation he was bundled on a private plane to Guam
Personally - I think in this Hutchins case they just wanted a new hire.
A case of smart people doing stupid things.
>Extradition before the event was feasible
It wasn't feasible for political reasons. By attempting to extradite yet another sympathetic character from the UK the US would have risked undermining the extradition treaty for no gain.
Anyway, I don't understand how extraditing him from the UK would've been any more honorable.
The law usually agrees with me, if that helps.
See, I cannot support the concept of 3rd party liability. I should only ever be responsible for my actions, not the actions of others, and I have no responsibility or obligation to stop any crime.
You don't have to ask someone if he wants to commit a crime, so that is not the problem. It is when someone explicitly asks for your help in committing a crime and you think to yourself "yes, I want to be complicit in this" that lands you in legal trouble.
If someone asks you for a handgun to kill someone you don't have to stop him, you just aren't allowed to aid him.
I really don't understand how you people seem to be under the impression that not going out of your way to help criminals takes more effort than not. I am more under the impression that you would pull the trigger on your own grandmother if it made you money, since it is not you but the blood loss that finally does her in - degrees of separation and all that.
Instead most often these types of laws are used to prosecute people under a "should have known" scenario.
Examples of real situations of 3rd party liability that have been used to send people to prison
1. Jim takes a friend to a bank, the friend goes in and robs the bank. Jim thought the friend was just withdrawing some money from his account, but Jim is arrested and convicted of aiding his friend in the robbery.
2. Jane does not have a license, a police officer attempts to stop Jane, Jane panics and runs from the police. The police officer runs through a red light while in pursuit and kills a bystander. Jane is charged with murder.
If someone were to deliberately sell a pair of shoes to someone that they knew would attempt to jaywalk in those shoes, do you think they should be partially liable for the jaywalking?
But those arguments need to be made (and the one I outlined would need decent factual details). That said...maybe glossing over (or even totally ignoring) Kronos is the best way for Hutchins supporters to go...but if it is, that seems an unfortunate reflection on society.
How do you know what evidence does or doesn't exist? The case hasn't even been brought to trial yet.
Do you really think they are loosely tying Marcus to Kronos with little to no evidence? Why go through all the trouble? Just because they haven't shared evidence in a sealed case doesn't mean they have no evidence. It's safe to assume there is evidence and it'll be interesting to see what it is.
W.r.t. the latter, I'm not saying that the DOJ should have had him arrested if it lacks serious evidence of his guilt. I'm saying that his arrest has happened; it's too late to stop it. The question is whether it should have happened, and, since we're highly unlikely to be able to change anything within a few days, it seems like it makes sense to wait a few days before asserting that the DOJ lacked evidence to support the arrest, if only to avoid poisoning the well. If it turns out that they didn't have any evidence, then the arrest was a problem which needs to have consequences. But I think being over-eager at this point greatly lowers the probability of there being any such consequences.
> Overt Acts in Furtherance of the Conspiracy
> a. Defendant MARCUS HUTCHINS created the Kronos malware.
This isn't about DEFCON.
The indictment specifically states he sold the malware. Unless he was completely convinced the buyers of Kronos were using it for research into browser malware, it's pretty damned obvious.
I'd be interested to talk to malware researchers that are genuinely scared about this.
Of course the government in a government indictment will state "he sold malware", but the government is known to lie, exaggerate, and use terms incorrectly or out of context when talking about technology.
Taking the indictment at face value is IMO extremely naive
When you use this strategy, you deprive the arrested of the rights he would have in his country and you add the crazy cost of defending yourself in a US court. So it's possible that the case is not that solid or needs some parallel construction. It's pure speculation, but it seems fishy to me.
I can understand the use of shenanigans to arrest previous dictators or very powerful crime lords as a last resort for Justice but here it seems very unfair.
I think we may see a drop in attendees at US conferences and/or a drop in tourism.
We've seen bumbling investigations and misguided legal threats before... that didn't stop people and this one doesn't seem to yet be either of those.
When is it research, pretending to be a bad egg to get more info or actually being one?
As long as it was fun and games no one really minded, but now malware is used to hold schools and hospitals to ransom. Even criminals don't go after schools and hospitals. Extreme greed and criminality can't be minimized away as 'hacking'.
The infosec community likes to be edgy, but they need to clean up their act and not give airtime and cover to criminals, and it's difficult to believe they don't know who these are.
But I have this: a Middle Eastern last name, I use Tor, I use Linux, and I use Telegram, I am active in the field of IT and especially enjoy IT security.
I know that I can be held indefinitely if I visit the USA. In the USA you're guilty until proven innocent, unlike the rest of the western world. Simply going to the USA is more risk than it is for practically every other country. Well, for me, and a lot of people like me.
That's what my comment was about.
EDIT: How is it relevant to the article? Well, he is an IT security specialist who wanted to visit DEFCON. Yes, I understand what he did was wrong, it was his own risk.
He wasn't Middle Eastern, and he wasn't arrested for using Tor, Linux, or Telegram.
It claims that Hutchins was part of a conspiracy to sell Kronos, and that defendant [redacted] sold Kronos, but doesn't state that Hutchins advertised or sold Kronos.
The only solid claim against Hutchins is that he created Kronos, which doesn't stack up with his tweet asking for a sample of Kronos.
The following claim is that Hutchins and [redacted] updated Kronos.
It's not exactly a smoking gun.
The underlying message for the community is "if you stand out in the way and get noticed, your identity will be disclosed and then you got owned". Keeping your real identity safe and your activity low-key, on the other hand, will increase the probability of passing unnoticed and preserving your actual life and freedom.
Is the wrong message. Nobody will dare to try to be a hero the next time.
If that's the case, this is a pretty fast turnaround, actually.
And, given the tiny amounts of money I have seen being quoted (Kronos banking trojan sold for $3000? really?), they probably arrested him with the intention to get him to roll over on somebody much bigger.
The question is whether they've shot themselves in the foot. Did the FBI intend for this to be a quiet nab, but his celebrity from WannaCry hosed them up? Given how quickly they seem to be moving, it's certainly possible.
The USA probably gets all the flight reservation data and takes it from there. If you're a Russian criminal mastermind dying to spend some of that cash in the Greek islands, they'll find out. (Better stay in Russia and pay Igor @ Russian Gov his share :) )
These questions answered would make the case a "clear-cut".
And there is a big difference between selling your code in an underground market for $250k* with bitcoin, and open sourcing it for free.
*I come up with this number as an example.
We've given you countless warnings about incivility. It's time you fixed this or stopped commenting here.
We detached this subthread from https://news.ycombinator.com/item?id=14931485 and marked it off-topic.
Any country that you set foot in, that has reason to arrest you and acts on it, can trap you within their legal/justice system effectively indefinitely. This is not a matter of right or wrong, it's just a fact.
If Argentina has a reason to arrest me, and I go there, I shouldn't be surprised if they do. Germany would do it. Switzerland would do it. Literally every nation.
Now, my rights within those nations with respect to duration of arrest, access to legal guidance, etc. may vary, and some will be better than others. But that someone is arrested for violating US law by US authorities while they happen to be in the US should not be a big surprise to anyone.
His arrest proves my thoughts for a while; the US is not a safe place to travel to - the legal system will destroy you should you be accused of any crime, and as a foreign person you have even fewer rights than a US citizen.
Finally even if “perfect” digital information exists, all of that can be faked perfectly and it’s certainly something I would think about doing (having a patsy) if I were in the position of creating something like this.
I'm honestly surprised by this reaction to his arrest. He may turn out to be innocent, but it's not like US authorities are grabbing random foreigners off the streets and applying arbitrary charges here. They (per the reporting so far) have evidence connecting him to Kronos in a criminal way (not as a researcher). He's in the US. They have enough to believe they can charge him and prove their case. Why would they not arrest him? Your country would almost certainly do the same to any foreigner who they believed violated their laws and still entered your country.
The responses are ridiculous.
- Muslim last names ??
- US happily arrests foreigners
- Plea deal or never see the outside world again
- White rich people are favoured
- Rich black people have a tough time
The indictment may end up being bullshit, but it has not been for any of his white-hat, or grey-hat activities.