Hacker News new | past | comments | ask | show | jobs | submit login
Arrest of WannaCry researcher sends chill through security community (thehill.com)
664 points by rbanffy on Aug 4, 2017 | hide | past | web | favorite | 334 comments

I've read a few articles but I feel like I'm missing something. What's with the sensational quotes like "I had folks afraid that their own involvement in investigating WannaCry would get them arrested."?

Everything I've read points that he created banking Malware "Kronos" which was sold on various "underground forums" (whatever that means). What's with the WannaCry conspiracies? He wasn't arrested for being a security research, he was arrested for being a malware creator selling malware. Why is this "sending a chill through the security community"?

The concern is that a lot of behaviour that a security researcher would do in the course of their research, taking over C&C server addresses such as with Wannacry, soliciting for samples of malware, such as Hutchins did with the Kronos trojan, and having contacts with black-hat hackers, might look to the DOJ as if he is the culprit who created the malware.

People think that an innocent white hat hacker could get swept up in this kind of arrest, and there has been so little evidence released, nobody knows what actually happened.

Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.

It bears mentioning that accused does not mean convicted. The DOJ record as far as accusations turning out to be grounded in reality is not unblemished.

>Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.

You say that as though you are contradicting NateJay.

But the fear NateJay is highlighting is exactly that a white hat is being accused. And that (whether ultimately borne out in this case, or not) this kind of thing could happen to people who are conducting innocent security research.

A white hat is being accused of black hat behaviour. There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way. He's accused of creating and distributing malware. He may be found innocent of that, but the crimes he is accused of are very definitely crimes, and he shouldn't get a pass just because he's been publicly acting as a white hat.

If the government has evidence, he should be charged and tried. And that appears to be what's happening here.

Again, no contradiction here. There is a fear that a white hat is being accused of black hat behavior. Not a claim. A fear. And a reality that a person (maybe white hat, maybe black hat, we don't know) is being accused of black hat behavior. Nothing surprising here. He may, or may not, be a black hat. The fear of unjust accusation is still valid. We will have to see if the DOJ will share the evidence, and what that evidence says.

>The fear of unjust accusation is still valid.

Then why isn't there a chill sent every time anyone is arrested on accusations of black hat crimes? If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.

I think it was just a lazy way to write a headline about how everyone in the security community is talking about this case --- which they are. It's a lot more interesting for readers if something important is at stake --- which I think really nothing is.

> If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.

How do you know that it doesn't? White hats are counterintel agents effectively. If a counterintel agent is arrested for doing something that could be deemed as part of his job, why wouldn't it 'send a chill' through the community?

No they aren't.

You're not quite making the right analogous scenario. It's more like if a neighbor you know who has some strong vocal opinions agaist the current regime suddenly gets arrested on some charges like conspiracy to incite revolt. I would be rightful to be afraid of being charged similarly if I had similar beliefs and had knew I'd had similar conversations as my neighbor.

> There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way.

There is only the thinnest of lines between the two.

White hats have to traffic in malware and exploits because it's necessary to understand a threat in order to defend against it, and in order to test that your defenses are effective. In may even be necessary to infiltrate black hat collectives.

The clearest way to tell the difference is that a real black hat will be breaking some other law. Committing credit card fraud or misappropriation of trade secrets or something like that.

But that doesn't appear to be the case here. And the fear is that because the law around this is so uncertain, if the government is going to use it in cases like this without any independent bad acts then nobody knows where the line is supposed to be.

"White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

People on this thread have a lot of strange ideas about what infosec people do in their jobs.

> "White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.

And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.

For the Nth time in this thread: watch the video of the software we're talking about. "White hats" do not build things like that all the time.

So, to make an analogy representing your position:

Watch the video of this horrendous deadly baseball bat attack. Baseball players do not bludgeon people to death with bats all the time. Therefore, baseball players should never worry that they might be falsely accused of an attack. Oh, and the crime was horrible, so that means the evidence must be pretty good. Q.E.D.

That's not analogous as the Bat was not developed for Bludgeoning. This was software designed to steal money / cause issues regardless of whom sold it. I don't know anyone in infosec that regularly creates fully functional and marketable platforms. It's also different than exploit proof of concepts, as again, this is designed to steal.

We don't know that he created the malware. He is accused of creating it. How hard is it to understand the difference between being accused and being guilty? It's been explained to death here that they are not the same thing.

You are suggesting he spent time and energy to build a proof of concept whose explicit task was to demonstrate banking theft from browsers, and he chose to never release it but keep it secret, and a friend decided to sell it on the dark web?

And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?

None of that sounds particularly implausible, to be honest. People build proof-of-concepts for their own amusement. If there's no unique vulnerability to be patched, there's no value to releasing it. People share things with their friends, who are sometimes unscrupulous. And if I found out that software I wrote was being used maliciously, I'm not so sure that my first email would be to the FBI either - especially after this.

The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.

While the tools, methods and knowledge might be similar or the same... to say "the thinnest of lines between the two" exists is a bit disingenuous.

There is a MASSIVE difference between researching security holes... and then selling the exploits for those security holes or tools that use said security holes.

Again... if the chatter here is accurate, he's not being "arrested" for research... he's being arrested for tools created and sold with the knowledge gained by said research.

There's a difference between discovering a hole in a banks security... and robbing a bank using that hole.

Massive difference.

What if it turns out that his "co-conspirator" stole and sold his PoC malware? We're talking about thieves and fraudster after all so this doesn't seem like it is outside of the realm of possibility. The only proof to the contrary would be if Hutchins profited from the sale of the malware.

Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scott free because someone else handled the actual marketing, sales, etc but if he didn't gain anything from those sales, or fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.

To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?

Then he'll have an extremely strong defense at trial, and the DOJ will be wasting its time. Which is why it's a little bit unlikely that that's what happened.

There's evidence he knew of Kronos in the wild on his twitter feed. Why wouldn't he alert someone that his research proof of concept had been leaked? Provided the source code to LEA.

White hats have to traffic in

I feel like you're changing the terminology here in order to confuse the pretty clear lines.

Obtaining and analysing != creating and selling.

Creating and selling is also normal course of operation, penetration testing tools, offensive tools used by various gov. entities, rootkits used by some entertainment conglomerates to "protect their ip" they are routinely created and sold.

This is complete nonsense.

Maybe there is a case that buying malware is a reasonable thing to do in some circumstances.

Selling your own malware is a different thing. That seems a pretty clear boundary.

"The indictment does not say Hutchins designed Kronos to be sold, knew about the sale or was at all aware his work was being used maliciously. "

A person he knew, or he was in touch with sold the said trojan. The indictment also doesn't say if he did gain financially from the sale or not.

So, he developed a trojan possibly for research, someone he knew sold it and he got arrested.

This is not the kind of thing you develop for "research". It's extremely boring code that is essentially just a user interface for seeding HTML trojans across a botnet.

This thread gives the impression that people not in the field see some sort of mystique to malware research and development. Malware isn't vulnerability research or exploit development. Most of the malware deployed in the real world is code that virtually anyone on HN could develop, from first principles without any additional research.

That's not true of exploit development, which can be extraordinarily difficult and almost always depends on specialized insider knowledge. There's lots of research reasons to work on exploit code. But that's just not true for the kind of malware we're talking about in this case.

This is important to understand, because the premise of the story is that prosecution over banking trojan malware is having a chilling effect in the industry. It is not. Very few people in the industry build stupid-looking PHP interfaces to HTML injection on botnet victims, not because it's illegal but because it's pointless and dumb and you wouldn't learn anything from doing it.

Wait, what?

How does a person accused of development and direct distribution of malware qualify as a white hat? Because he pulled the plug on some ransomware and put his name in global households?

There are a lot of logic jumps here that you have simply glossed over.

The same way someone accused of murder qualifies as not-a-murderer.

"Accused" just means someone said it, it doesn't make it true.

That itself is a huge logic jump that is being made, both by the DoJ and the infosec community. His bail was set at 30k, the 10% rule makes his bail 3k, so he should be out by tomorrow if he really deved that malware.

If not, you're all being targeted so you should grab a new career before you get feds at the door.

No the "10%" rule makes his BOND $3,000 which he would pay to a Bail bondsman and and lose forever.

You can put up $30,000 Cash or some other asset as BAIL then that is returned to you in full after the trail

Or you can pay a Bails Bondsmen 10% of that, as a fee, they will put up the court a 30K BOND then assure the court they will make you appear or pay the court the 30K if skip

You as the individual however lose that $3k.

Well. They're probably crimes. The law behind building and selling banking trojans is pretty hazy.

You're kidding, right? Looks like slam dunk aiding and abetting wire fraud.

I am not kidding, but rather parroting Orin Kerr, an expert on this subject, who does not think this case is a slam dunk.

(Not because the evidence for Hutchins' involvement is thin, but because the law here is hazy.)

Link to the Orin Kerr article: https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...

Orin Kerr's analysis is excellent and made me consider the accused party's intent and the difference between selling code versus using code.

He makes great points, but I intuitively feel like certain acts of creating and selling malware should be illegal, even if only by the spirit and not the letter of the law.

If someone manufactures guns, doesn't register them, and knowingly sells them to street gangs, it kind of seems like they're aiding and abetting illegal activities for profit.

Of course there are instances of selling malware you created to parties who generally won't use it illegally, but that's not what's alleged here.

Whether Hutchins truly violated the law, I don't know, but if the allegations are true then he did something very unethical and something I feel should be illegal.

Some malware uses libcurl. Does that make its creator a criminal?

Obviously not.

You're comparing apples and orangutans.

Thanks for the cite. Interesting.

Do you think there should be a market for building/selling malware? I feel like it would aid in zero day disclosures. But it could also incentivize black hats.

Fuck no. Malware and exploits are not the same thing. Anyone can write malware; you just have to have the stones and a broken enough moral compass to make money by immiserating strangers. There is an infinite amount of malware; we don't benefit from its "disclosure".

There is a market already, the only diff. from this case is who is the end buyer. If you are building a rootkit for Sony Entertainment to use on it's customers none minds much.

The "chill" comes from legal activities potentially getting you detained and brought up on charges. That's a real cost, even assuming a perfect justice system that can tell they made a mistake.

For an analogy, suppose you wanted to rehabilitate some drug addicts in a bad part of town, and as a result, frequented that part of town, and bought books on drug dosages. If that could get you arrested because the cops couldn't tell the difference between you wanting to help drug addicts and being a drug dealer, and arrested you based on frequently being in the wrong part of town and showing an interest in drug literature, then it would send a clear message to go no where near these people in need. And that would be a shame.

>the cops couldn't tell the difference

is there any indication that's the case here? the FBI isn't a bunch of complete incompetents. He could be found innocent, but what makes this case different than the presumption of innocence that every person charged with a crime is supposed to be given?

> The FBI isn't a bunch of complete incompetents.

The FBI is human and therefor make mistakes, and they are a large organization and therefor have an structural inertia that occasionally directs a lot of power and effort at the wrong target.

Also, the price of democracy is eternal vigilance. Citizens have a duty to check the government's use of power. We should be worrying every time the government acts against a citizen until we also see proper due process including any necessary evidence.

> He could be found innocent

He is innocent until proven otherwise.

> what makes this case different

The government hasn't yet shown that they can handle this kind of case properly. That is partly due to the novel nature of situations involving new technology, but it is also from the government's own history of bad behavior. Their reputation means they do not get the benefit of the doubt, and until we see actual evidence that this case (regardless of the outcome) is being handled properly, it's prudent to worry that this might be an overreaching prosecutor (or worse).

> the FBI isn't a bunch of complete incompetents

It isn't a bunch of complete competents either, forensic hair analysis kerfuffle shows that much.

There is evidence that he was a white hat hacker now, and that is enough for current white hat hackers to be worried.

I don't know what these terms even mean. "White hat hacker"? Is that what we call "everyone who does anything in infosec but doesn't sell stolen financial information obtained from botnets"?

The attempt to divide the whole world into "people irrationally attacking 'hackers' and 'the good kind of hackers'" isn't doing anyone any favors.

If Hutchins has nothing to do with a criminal conspiracy to profit from a truly awful banking trojan, then his arrest and indictment is a travesty. But if he does have something to do with it, then his status as any kind of "hacker" should have nothing to do with anybody's take on the situation. I'm not sure how much lower you can go than deliberately making money by stealing bank logins from ordinary people, which is what he's accused of doing.

People love to talk about how the FBI has a history of framing people --- and in other fields they might. But there is no track record I'm aware of for the FBI to make up a story like this out of whole cloth. In every case like it, from NanoCore to Albert Gonzales and Stephen Watt, there's been a basis for the charges.

>People love to talk about how the FBI has a history of framing people --- and in other fields they might. But there is no track record I'm aware of for the FBI to make up a story like this out of whole cloth.

No? It is fairly common in Terrorism cases. I fail to see why they could not do it for Cyber Crime as well





Want more?

> Want more?

Well, yes, since none of those are actually examples of the FBI framing anyone. Stings are not the same thing as framing, no matter how much sarcasm techdirt uses to describe them.

A sting is law enforcement creating a situation where someone can demonstrate clear evidence of their intent to break the law. Framing is law enforcement MANUFACTURING evidence that someone broke or intended to break the law.

In the terrorism cases, a sting would be the FBI giving someone a fake bomb and that person trying to blow people up. Framing would be the FBI arresting someone and falsely claiming they found a bomb and plans for the local stadium in the persons's house. It's an important distinction. In the former case, the person clearly tried to kill people while in the latter case they did not.

>In the terrorism cases, a sting would be the FBI giving someone a fake bomb

No that should be entrapment

A Sting is where they get a tip that criminal action might be happening and they are there to catch the criminals in the act

Not where the FBI creates the plan, induces people into the plan, provides support for the plan, provide materials for the plan, then arrests everyone.

That is or should be considered entrapment, which I also consider framing someone

If I ask the FBI for a bomb and they give it to me and then arrest me that isn’t entrapment. That’s me being a jackass.

If the FBI put cocaine in my car and then pulled me over, that’s framing.

I’m not entirely sure what either of these things have to do with getting arrested for creating and selling exploits.

IANAL, but I entrapment can occur when law officers enticies the suspect to commit a crime the wouldn't normally https://en.m.wikipedia.org/wiki/Entrapment

The definition of "wouldn't normally" looks like some hairy case law, but it isn't as simple as you are saying. If they are offered a bomb for sale after a lengthy conversation about how great terrorism is and how important it would be for them to take the bomb, you could possibly have an entrapment case for example.

Wen-Ho Lee. Evidence showed that the leaked/stolen documents could only have come from a downstream contractor, not from Lee's lab. And yet the FBI latched on to him and wouldn't let go. Everything you think you know about the case is likely built on flawed reporting fueled by deliberate government leaks. Don't get me started... just know that what you think you know about that case is probably wrong. I was at most of his hearings and watched the judge apologize to him for the DOJ's behavior.

But as you say maybe that's another field. But still skepticism is not without basis imho.

That's a bit like saying there is evidence he is a white male, and that is enough for all white males to be worried.

I.e. not relevant.

> >the cops couldn't tell the difference

> is there any indication that's the case here? the FBI isn't a bunch of complete incompetents.

if they arrested someone selling the malware (which they did), and to get free that person say they can deliver the author (which they did), but instead point to any random security researcher he found working on that malware (we dont know). now, this plus the person whitehat research, the circle is closed and it would take one lifetime and imense legal fees to prove otherwise.

What about, say, Brian Krebs? According to his blog posts, he hangs out a lot on blackhat/cybercrime forums, particularly Eastern European and Russian (?) ones. He has contact with people there, posing as another blackhat, to lure information from them. It's possible, perhaps, that he also leaves out certain interactions that might cross further into a legal grey area (I'm not saying that he has), benign to his research.

That's bound to set off some alarm bells, somewhere some day, at some agency or bureau.

Now, Krebs keeps a relatively high profile pertaining to his work, so it's not improbable that they think twice when they read who he is, and see he's one of the "good guys" obviously.

But there's a lot of white hat researchers who aren't Internet-famous (in the tech world, not just security). Quite a few by choice, too.

So now they're worried if there's anything they might have done in the past that could get them into this kind of trouble. That is, being charged with something over having done (perhaps legally grey) security research. And yes they'll be given a fair trial, except that it seems that in the US proving one's innocence also depends on whether you have sufficient funds (I feel like I'm stereotyping here, but I see so many people casually mention these scenarios as if it's a given).

And then, being one of the "good guys"--by, say, single-handedly stopping the first wave of a global ransomware epidemic--doesn't seem to warrant a bit more considerate and less aggressive approach any more, either.

So now they're worried!

That's fair, it's always best to let the facts come out in court before any of us decide to judge him one way or another. By then we'll have a clearer picture of exactly what (if anything) his knowledge of and involvement with the principles of the crimes was.

It seems to me that, if proven, the DOJ has a case here. They key point will be exactly what they can or cannot prove in court.

It's best not to get too riled up over preliminary things like this. We haven't heard most of what there is to hear until the closing arguments are given and I'd rather not make up my mind too far one way or another before I've heard everything there is to know. And I would be embarrassed to stake an opinion later proven ridiculous because I rushed to judgement.

> It bears mentioning that accused does not mean convicted.

Of course it does. But the subject here is whether the indictment should cause a "chill" in the security community. Nothing he did in his legitimate research is related to the indictment.

This is like saying Hans Reiser's arrest would have had filesystem authors afraid of the government.

You know why it's called a hat? Cause you can take it off and put another one on. Or even be extra silly and wear two or more at the same time. It's tongue in cheek but there is some truth there.

In this case he was selling malware so I think this about a time when head gear was of a darker color...

It's a reference to Spy vs spy, a comic strip in mad magazine. The good guy had a white hat, the bad guy black.

Well, to be honest, both spies in Spy vs Spy were equally nefarious, taking turns in their ups and downs, but deploying identical methods. I always thought it referred more to movie Westerns, where blackhats were consistently the villains, and the whitehat was the studio star who saved the day.

> It bears mentioning that accused does not mean convicted.

That means it should be even less likely to be "send a chill through the security community"

Accused may not mean convicted, but it probably does mean a year in jail awaiting trial, and at trial, and paying for a lawyer that costs tens of thousands of dollars, maybe hundreds of thousands.

They don't give you back your lawyer money if you're found innocent. They don't give you back any job that you may have lost, and they certainly don't give you back the money you would have earned during that time.

He got $30k in bail, the equivalent of a $3k bond if he doesn't just pay it directly himself. The $30k is returned whether or not he's found guilty: it ensures only his appearance in court.

> a year in jail awaiting trial

Only in the most exceptional cases is someone held without bail.

> They don't give you back your lawyer money if you're found innocent.

Federal courts can award legal costs "where the court finds that the position of the United States was 'vexatious, frivolous, or in bad faith.'" https://en.wikipedia.org/wiki/Hyde_Amendment_(1997)


But yes, your broader point is correct that it's certain to be a very bad experience.

Then the fear should be over whether the FBI is competent at investigating, not whether researching Wannacry will get them arrested.

There's a big disconnect because people seem to be associating this guy's arrest with his serendipitous Wannacry incident. But there's no correlation at all. He is alleged to have had a shady past (corroborated by many reputable HN commenters) and later turned white hat.

There is a due process to catch an ally's civilian, that's called an extradition, that process is important.

The parties involved probably judged correctly that if they attempted to extradite him, he would be the subject of a prolonged media campaign against the government in the UK to keep him here.

What I don't understand is why the FBI didn't just hand the evidence to the NCA in the UK and have them arrest him.

Well the government shouldn't modulate how it executes the law based on the optics or media impact. And as you said, this move shows that they didn't think the UK would agree with their evidence, which is far more reason for this snatching to be worrying.

Which is why he was arrested. He is accused of a crime, and will stand trial.

You assume that is their goal, to actually convict him of a crime

FBI is known for arresting, and indicted people with crimes that carry LARGE sentences to use that a leverage to turn those people into informants.

Extortion is a power tool used by the US Government

Unless charges are dropped, of course.

That's absolutely true, but if the DoJ is acting in good faith (they believe they have sufficient evidence of guilt by this person) then is this really a problem?

There are good reasons to be cautious, but this particular case is far from decided either way.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

"He admitted he was the author of the code of Kronos malware and indicated he sold it," said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money.


We don't know the facts of the case yet and the government has released no evidence. This could all just be a massive FBI whoops as the FBI does from time to time. Or he could be completely innocent and the FBI is just using the threat of criminal prosecution to exert pressure to get him to inform on friends or contacts. We can't judge until more evidence is made available.

A general question not directly related to the case: Where exactly is the line between criminal conspiracy and writing software tools?

Certainly TOR is used by people to do bad things (and also good things), but almost everyone agrees that no criminal act has been committed by the creation of TOR. Plenty of legitimate businesses sell Remote Access Trojans (RATs) and go unarrested. On the other hand some developers that sell RATs have been arrested.

If someone pays you 2,000 grand to find an exploit have you committed a crime? What if then they use that exploit you sold them to commit a crime? What if you knew beyond all doubt that was their purpose but then the exploit isn't used? Does it matter if they bought an exploit from you or if you are a salaried employee of their company? What if instead of selling them an exploit you configured an email server for them?

It seems like he may not have created the trojan, but simply created a bootkit that it utilized. A fairly common thing for security researchers to do.

Yes, that's what they're saying. Consider the source.

I'm not convicting him, and if you put a gun to my head and forced me to render a verdict based on what's public now, I'd say "not guilty". What do you want from me? Cases like this unfold over time. We don't get to know everything we want to know the moment we want to know it.

The parent post thread is about why researchers were afraid as a result of the arrest. While it might unfold and get a not guilty, in the mean time he's in jail. If you were a malware researcher with good intentions, you might rightly think it's a mistake and one that could get you in the same kind of trouble.

My point isn't that I have a huge of trust and goodwill in the criminal justice system, but rather that almost nobody in the security community does the stuff that this person is accused of doing. Do you build banking trojans and then arrange for them to be sold to anonymous strangers on Darknet forums? If not: what does this case have to do with your security work?

It seems to me that this is kind of a litmus situation - this case reveals what you think of the DOJ. If you think that they somewhat routinely frame people that they are "after", then you look at the fact of the accusation and see this case as more proof that security researchers should be cautious (and maybe avoid entering the US).

On the other hand, if you think that the DOJ, while subject to making mistakes, does not often knowingly and deliberately falsely accuse people, then you look at the alleged behavior, and realize that it is well outside the bounds of whitehat behavior.

I think there's very little evidence that the DOJ routinely frames accused computer criminals --- or even that they routinely make mistakes with them. The reality is that so few computer crimes are prosecuted that the ones that are are usually smoking-gun cases.

I can't speak to any other aspect of federal prosecution. My thoughts about computer crime prosecution definitely can't be extrapolated to my thoughts about criminal justice in general.

The government has also been shown to be very vindictive and has a strong desire for revenge.

Wanncry was a massive black eye of the US Government, I think everyone believing there is zero connection between his involvement in that and this indictment is also naive.

I also fail to understand why you believe "computer crimes" are handled differently than any other type of crime, why you believe the DOJ would frame people for "other types of crimes" but never computer crimes, like there is some prohibition on entrapment when it comes to computers...

It doesn't matter too much if the DOJ doesn't knowingly frame people.

They come down hard and they come down heavy on the wrong people, ruining lives. They also pile ridiculous charges even on those who are guilty of minor crimes, threatening to bury them in an avalanche of charges unless they settle. They also seem to be really ignorant of technology, and show a deep suspicion of anything that they don't understand.

Whether this bullying is because they are out of their depth, have a culture of recklessness, or some other reason doesn't matter to those who end up in their crosshairs. If you are a bank fixing Libor, or money laundering (UBS), or are involved in any number of frauds in the financial crisis, you are treated with kid gloves. But if software or encryption is involved, then the sirens wail, SWAT teams gather, and the fear campaign begins.

I doubt the type of bug will matter unless people need license to sell trojans by law.

"Type of bug"? Sorry, I don't follow.

Banking trojans. They're saying that the DOJ might convict people for selling trojans in the course of their security work.

I think the "selling" part is the problem, not the writing. Don't sell trojans and you won't go to jail. Seems pretty clear.

I'd say making them is legal and using them on systems you own is completely legal... selling them or using them on machines you are not allowed to access are illegal. Giving them away to someone that sells them or uses them to commit a crime would be a grey area but likely illegal.

Is selling Trojans illegal? If so, why are companies like Punkbuster and nProtect allowed to develop anticheat software?

A lot of AC software runs in ring0 and behaves a lot like a Trojan. I remember nProtect specifically injecting DLLs into explorer.exe among other nasty "black hat" techniques.

It's a difference in kind, not degree. The trojan in this case was meant to harvest banking and Amazon logins.

Intent matters.

Accusations can be based on bad extrapolation of facts.

it's unclear what "creating" entails. If I write a crypto library that a piece of ransomware uses did I create the ransomware?

no you didn't

Why is there a tone that he's already found guilty without a trial?

> Hutchins is accused...

i thought it was pretty clear

Consider the context.

From the context, it looks like that particular snippet was posted as a counter to the notion that researchers should be concerned about false accusations happening due to the possibility of their work being misconstrued as the activities of a black hat hacker.

To post that as if to dismiss those concerns, is definitely tending toward the tone that piiie is talking about. While you are right to point out the word "accusation" is used, not guilt, the tone still comes through when you consider the context.

If I write open source code for research, share it with the community, and someone wants to license it for "further research" and pays me – am I responsible if their adapted software is then used / stolen / re-applied to kill people or hack a bank?

In this scenario I both wrote and explicitly sold the software with no idea of what the later applied tech would do. The computer laws referenced in the article seem to require direct knowledge of malicious intent of the software in the sale.

If you know the person licensing it from you is going to use it to steal financial information, and the clear purpose of the tool you've built is to steal financial information, then I would say you should definitely make sure you have a criminal defense lawyer you trust and can afford.

I don't think anyone would disagree with what you just said, but given the way prosecutors deal with "intent" sometimes, I think it would be easy for them to cross a line.

If you haven't already, listen to this podcast about Doug Williams and polygraphs: https://www.thisamericanlife.org/radio-archives/episode/618/...

There's a lot of parallels and how issues of intent can get very grey.

They're required to prove intent at trial.

As I understand it this is the crux of the case - that the creation of such software isn't illegal, but sale with the intent to be used in the commission of a crime is. I understand the indictment is pretty barebones, so I wonder what exactly they are basing their allegations of intent on.

honest question: if your code is open source, why would someone pay you for further research? why would you charge for that?

I was being a bit of a devil's advocate, altho didn't quite get the responses I hoped for. I suppose I didn't phrase it quite right since I don't have significant knowledge about this case other than the article.

It seems like the arrest is a bit aggressive, but so is the response – clearly out of fear and uncertainty of the govt and general time we live in. Hopefully more transparency will bring light to the allegations and reassure the innocent of their safety

From my limited perspective, the U.S. is continuing to transition more fully to "rubber hose" policing, for lack of a better term.

If they decide you are a problem for any reason or decide to put you in their sites, perhaps for their own political agenda, you will face an overwhelming range of charges and immediate legal expenses.

The goal isn't truth; the goal is to break you and so further their agenda.

I'm not saying there isn't legitimate law enforcement occurring within the mix.

But, in terms of the overall picture as opposed to court etiquette itself, "benefit of the doubt" seems to have long since gone out the window.

Now imagine being a foreigner, away from family and local support networks, and not knowing whether you've landed on some very political person's list (and prosecutors in the U.S. are very political creatures).

Imagine you work in an area engendering much controversy, such as computer systems security.

And finally, take it a step further, even sitting home or traveling in e.g. Europe: Just how far and pervasive are the FBI et al. willing to reach with politically aided extradition requests?

Political forces in the U.S. want to "stop" "cybercrime" by physically insisting that people they don't like "stop" doing those things. Not a technical solution. Not improving systems and systems management. Nope, get out the rubber hose.

And wield it based upon political calculation, more so than actual, (legally) substantiated fact.

Ok, so to this point (and I'm not a security researcher, so forgive my ignorance) couldn't a legit malware creator call their work "research"? I feel like a malware creator could throw this smoke screen whenever they wanted. It's not a free pass...

Given his life style at Vegas and that he didn't even attend the conference, just went there for partying and meetups, the "chills" are different to the "chills" one would assume from reading the headline. http://www.dailymail.co.uk/news/article-4762608/Marcus-Hutch...

They just caught another criminal hacker who was stupid and earned a lot of money from his Kronos hacks. The one chill is how stupid was he? Lamborghini? The second chill is how naive have I been when reading about the lone hacker fixing WannaCry and saving the world from his mom's house bedroom?

If you're not from the UK, just take everything the Daily Mail prints with a gain (well, a handful) of salt.

Yes, I know the reputation of the Daily Mail. But there are too many facts in there. The mansion, the admittance, the lamborghini.

You've got to make sure you have all the facts though. Renting a $1,900 per night mansion looks a lot less extravagant when that cost is being split by 7 people.

And renting a fancy car for a few days might not be that much money. I recently used Turo to rent a gold Cadillac for a trip up to Marin County. Pretty nice, huh? It cost less than renting a Nissan Altima from Budget. (I checked.)

This makes me hope hackers go back to selling vulns online.

There's a tweet dating back to 2014 [1] where he asks for a sample of Kronos.

A number of people have pointed out that would be taking the extremely ridiculously long game for an alibi - why would the author ask for a copy of his own code?

There's also little/no published information to back up the statement that he ever sold Kronos.

[1] https://twitter.com/MalwareTechBlog/status/48837379416825446...

> A number of people have pointed out that would be taking the extremely ridiculously long game for an alibi - why would the author ask for a copy of his own code?

If I was greedy and in the security field, with identities (or middlemen) on both sides of the game, I would be terribly tempted to play those identities to support each other. For example when blackhat-me would be selling an exploit, whitehat-me could create buzz by talking about it. Later, when the exploit's market value drops towards zero (ip enforcement is weak on the darknet), whitehat-me could reap the glory of discovering all the details about the exploit, maybe even using some "mistakes" blackhat-me left in the code to facilitate plausible parallel construction.

What are all those ifs having to do with the WannaCry situation? Probably nothing, hopefully nothing. Or maybe hopefully a lot, because it would mean that the FBI did not lock up the wrong guy?

I feel like you just described the business model of every anti-virus company ever.

Are they petty enough to sell exploits? Kaspersky, for example, is so deep in bed with FSB that it's hard to tell exactly where one ends and the other starts; I really doubt FSB would bother selling exploits to anyone.

He's not personally accused of selling Kronos in the indictment; his unnamed co-conspirator is.

(That co-conspirator is unnamed to us, but most probably is someone clearly known to the DOJ).

The indictment itself is pretty bare. But an indictment isn't a trial; the DOJ will need to prove its charges to a jury with a considerable amount of evidence, and, as Orin Kerr pointed out last night, they have an uphill climb ahead of themselves, because the letter of the law is favorable to people who create and sell banking trojans.

> most probably is someone clearly known to the DOJ

not probably. the first line of the indictment is "Defendant [redacted] used the online aliases [redacted].


I would imagine when he allegedly sold the malware it wasn't named "Kronos". He could have had no idea at the time that the specific campaign was his code, or perhaps had a suspicion and wanted to confirm it.

There's a video demonstration of the tool we're talking about. Nobody who has watched it is going to for a moment entertain the idea that the author of this tool didn't understand its intention. Its purpose is extracting financial information from botnets.

That doesn't seem to be a reply to GP's post.

If you wrote some malware and people were passing around copies of it, wouldn't you want to see the source of what they were passing around?

My personal opinion, until shown evidence otherwise, is this is the real author/seller being turned into an informant, and part of that process, the first step, is to protect the informant and smear another. MTB's high profile on the issue may mean he was a target of opportunity.

Of course I could be wrong, so time will tell. A good future indicator of this will be if the case is dropped as quietly as possible.

Anecdotal, but I did things that were a lot more paranoid than "tweeting myself" when I was doing questionably legal things on the internet as a 13 year old.

So to me, tweeting "I want a sample of Kronos" is indicative of nothing.

The quotes came from people who only knew him as a WannaCry researcher, due the fact that the DoJ took forever to say why they were arresting him. It's as if a prominent anti-spammer were to get arrested with no explanation. A naive guess would be that it was due to their anti-spam work. Even though this arrest wasn't related to his WannaCry, that was his most recent exposure to the public and I think assuming it was related to that can be forgiven

As far as I've been able to figure out, he wrote an open source API hooking engine that was used as a key component of the Kronos malware.

When he found his hooking code in a malware sample (presumably Kronos), he expressed his disappointment / frustration with this (ab)use of his work on twitter. Whether or not this is truthful or just public posturing remains to be seen.

None of this is recent news - it played out in early 2016, so his arrest now is a little odd, unless the DOJ has uncovered new details that have not been publicly disclosed.

If it turns out he is arrested for some of his public code in a piece of malware, it should worry both security researchers and open source developers a lot.

> He's not a "hacker" who is doing security research, he's a malware creator selling malware.

There's no reason he can't be both. We can both like him for stopping WannaCry, and dislike him for (if true) marketing/distributing malware based on Kronos.

Although I agree with your general sentiment, I'm confused as to why the security community is chilled by this. The court case should be public, so we'll be able to judge the evidence ourselves.

>The court case should be public, so we'll be able to judge the evidence ourselves.

Well this is still the United States, so by law it will be. People are blowing this way out of proportion as if he were disappeared by the secret police or something.

He is not a dangerous criminal, who is going to suddenly kill hundreds of people if he's released. He could have gone back to the UK and the US gov't could have requested his extradition. The fact that they didn't (and my natural tendency to consider governments evil) hint to me that they didn't have that strong a case.

I think the worry here is that he now has no way of returning to the U.K. where he earns his income. He is stuck in jail in the US without reasonable access to a good lawyer (an appointed lawyer won't understand this case). His outcome looks bleak, guilty or innocent.

Though as I understood it he was working remotely for a California based company. So not being in the UK is not the problem here.

Though I am not sure even if on bail if has access to his computers?

I think people who write malware to steal banking info should be prosecuted when possible. It will be interesting to see whether this goes to trial and if so how solid any evidence against him is.

However, I do not doubt that a mix of fear & incompetence could have resulted in his arrest as much as any concrete evidence of his involvement in Kronos. I think there's (perhaps rightfully) a culture of distrust and paranoia around law enforcement's interaction with ethical hacking. It's difficult to detach from that when legitimate prosecution happens.

> people who write malware to steal banking info should be prosecuted

I really disagree with you on this. The problem is not the person who researches different exploits (ie who may /write/ the malware) but with the people who /use/ the malware to do bad things.

When we keep preventing white hat researchers from doing their job, there's no defense against black hats.

If he actually sold Kronos for the sole purpose of stealing, I agree that he should be prosecuted. If he only used it for research purposes, this is a complete witch hunt.

There's a pretty significant difference between exploit research and banking trojan development.

You can’t just conflate exploit research and trojan creation with some hand waving. They are two very different things - not just different words.

> I think people who write malware to steal banking info should be prosecuted when possible.

If I write a program that can steal banking info, what law have I broken? Isn't it only the actual theft that's a crime?

You state he is a malware creator b cause the FBI and their indictment told you he is.

The FBI claim he created the software in July 2014, the exact month that he asked on twitter for a copy of the software. Now I am not saying he is innocent but I am also not assuming his guilt because the FBI said he was guilty.

What proof do you have that he is a malware creator selling malware?

People love a "lone hero" story and journalists/Twitter personalities are trying to squeeze as much milage as they can out of the genius who saved the entire world from malware.

Writing malware is not a crime. Using it is. What gets me about this case is that, if I understand it correctly, he is being punished for writing software.

I've read the indictment but we'll have to wait and see how the government argues its case when this comes to trial.

If you read the indictment then you’d know he was arrested for selling the trojan and conspiracy, not for writing it.

If you read the indictment then you'd know he's arrested for writing the software as a step to conspiring, not for selling it.

Why is there a law against selling malware? Couldn't a comparison be made with regards to firearms? He created the malware but didn't deploy it live

Not a good anology. What's a legitimate use for banking malware? A more apt analogy would be selling an IED.

Hmmm. What are the legitimate uses for firearms again?

Hunting, pest control, shooting sports, self-defense, various other rural stuff.

There are laws against selling weapons to criminals.

>>Why is this "sending a chill through the security community"?

because a lot of legitimate security research when viewed through the myopic and cynical lens of a Federal Agent can be seen as illegal, this is an ongoing and ever present fear for people in the field.

The FBI claims he is a malware creator and arrested him for it, you seem to believe fully this narrative of the FBI with no room for the FBI to view completely innocent actions as something else. No room for the FBI to be in error, no room for the FBI to be wrong.

The government has routinely, time and time again, over extended and prosecuted several people wrongly under CFAA, which is a terrible and broad law that can be applied at will to many innocent every day computer actions.

But he wasn't arrested for any normal thing a security researcher would do - he's arrested for creating and selling malware... big difference.

The FBI could be wrong and that'd suck. I'm just assuming that the FBI and their resources have enough evidence to reasonably believe he's the creator.

And again, your last comment doesn't fit this article. They aren't overextending and arresting a security researcher (although he is one), they're arresting someone whom they believe is a malware creator and distributor.

The implication is that the FBI may believe him to be the creator of Kronos based on something he did as part of security research, eg. gaining access to a control panel or taking over a CnC server.

Why is that supposed to be likely?

The FBI claims he created malware, an unnamed co-conspirator is charged with selling it

So you generally believe people are guilty until proven innocent, and I always believe people are innocent until they are proven guilty. I never take the government word for anything, and generally assume the government is lying at all times. History supports my position.

I find it extremely alarming how quickly people just believe the FBI's assertions as fact with almost no actual evidence being presented

> So you generally believe people are guilty until proven innocent, and I always believe people are innocent until they are proven guilty.

“Innocent until proven guilty” is a legal standard applied where “guilty” means having one’s liberty taken away. And in that context it’s a perfectly appropriate standard. But as mere spectators, where the harm caused by mistakenly believing he’s guilty is minimal, I think we should feel free to simply believe in the most likely possibility (aka preponderance of the evidence). You may disagree on that point, and that’s your right. However, if we agree to apply that standard, I don’t think it’s reasonable to believe that the FBI’s allegations being false is actually more likely than the alternative.

> I never take the government word for anything, and generally assume the government is lying at all times. History supports my position.

[citation needed]

So you're basically saying that if the police took him there must be a good reason for that to happen therefore guilty as charged.

You have a peculiar interpretation of justice, one that makes you pretty much like those that liked to burn people on fire pyres on the basis of allegations made by socially relevant people.

Being burned at stake would count as "having one's liberty taken away", and is therefore a case where, as I said, "innocent until proven guilty" is the appropriate standard.

Why is it the appropriate standard? Because as a society, we believe that taking away an innocent person's liberty is far worse than letting a guilty person go free. For the expected value (in the statistical sense) of the legal system's benefit to society to be positive, the prevalence of the former should be a tiny fraction of the prevalence of the latter. (How tiny that fraction actually is, in the US or anywhere else, is debatable - you could look at the number of convicts who were proved innocent upon the advent of DNA testing - but that's not the point.) Thus we should only convict if the apparent probability of guilt is extremely high.

But if I as a bystander believe an innocent person is guilty, it's not as big a deal. True, if a lot of people believe that, it causes some reputational damage, which can be bad. If someone with a connection to the person makes decisions disfavorable to them based on that belief, that's quite bad. But this risk is mitigated by the fact that soon enough the police will be required to present their evidence in court, which should help drive our assessments with more certainty to one possibility or the other. And in any case, these harms are far lesser than the harm of subjecting the person to prison, or worse punishments.

Perhaps I misstated the ideal standard for bystanders. Perhaps it should not be literally whichever possibility is more likely; perhaps we should give people some "benefit of the doubt", due to the above harms. But there's no need for the extreme standard demanded by the actual justice system. A reasonably high probability of guilt is enough, at least to treat guilt as a working hypothesis.

In a legal system such as the United States', "if the police took him" (specifically, indicted him), I'd say there's a high probability - at least 75% or so, probably higher - that there's a "good reason for that to happen". (At least in the sense of "he did what they say he did"; whether that thing ought to be illegal or not is typically more subjective.) It's not certain; there could be some sort of corruption or unethical behavior by the police, or they could simply be mistaken. But it's enough to form a working hypothesis, to use until we gain more information.

I am sure people like Richard Jewell would share belief that "as a bystander believe an innocent person is guilty, it's not as big a deal."

Innocent people have their lives for ever ruined with nothing more than false accusations, and not being found not guilty at trial does not change that.

Further I would like to see where you get your belief that police are correct 75% or more of the time.

It seems to me you have a very favorable opinion of the American legal System, this tells me you have very very limited first hand experience with it and like view of from rose colored world view never having known anyone personally that has been ground down to nothing by this system that is IMO largely unethical

Richard Jewell was not indicted for anything.

No he was tried by the public, something you seem to support based on your comments or atleast do not see as a "big deal" if people assume a person is guilty based on the FBI belief they may have done something wrong

it was the FBI that pointed the Media to him as a suspect.

> I never take the government word for anything, and generally assume the government is lying at all times. History supports my position.

Do you habitually eat food that has been left out for longer than government guidelines allow because you generally assume the government is lying at all times?

Do you increase your speed when you see a sign that says REDUCE SPEED, SHARP TURNS AHEAD because you generally assume the government is lying at all times?

there is no federal law or guidelines, or requirement for expiration dates on anything but infant formula, and I do not consume or buy infant formula

Those are completely Voluntary and used for Stock Control not food safety

As to speed limits and sharp turns I drive for the road conditions for the most part, so no I do not always slow down around sharp turns unless there is a posted speed limit for the turn for which I would be subject to arrest or fine for violating.

> So you generally believe people are guilty until proven innocent, and I always believe people are innocent until they are proven guilty.

Is indicting people for crimes they are alleged to have committed consistent with your position? Because that's all that's happened so far.

The FBI asserts that he created malware. He denies it. An indictment and a trial will figure out which of them is lying.

That's one thing that might happen.

Another is that he might plead guilty and we'll never know whether he was guilty or innocent (but threatened with consequences he didn't feel he could risk).

> Another is that he might plead guilty and we'll never know whether he was guilty or innocent

Yes, that might happen. Taking that position to its logical conclusion, nobody should be indicted for anything.

There are serious problems with the US justice system. As far as I can tell, there is nothing at face value that's unreasonable about this indictment.

I'm never entirely sure what people mean by "taking something to its logical conclusion", but if you mean something like "giving that consideration the greatest possible weight" I think where you end up is "end all reductions in sentence for pleading guilty", not "nobody should be indicted for anything".

Which of the two outcomes do you prefer to happen:

1. True malware creator and seller is sent to prison.

2. True malware creator and seller is not sent to prison.

Whether he pleads guilty or not has nothing to do with him being a security researcher. I'd much rather have more false positives than false negatives. You, and the rest of Europe, would too.

Um. I would much rather have false negatives than false positives in criminal cases, thanks.

"it is better 100 guilty Persons should escape than that one innocent Person should suffer"

Also, you've got this wonderful dichotomy laid out, but there are other options too: for instance, that this guy is sent to prison but was not the creator of the malware, thus ending any chance of the true creator ever being caught.

I really hope that last statement isn't true. Do you have any idea how horrible being in prison is when you are innocent? Your values are twisted if you think the innocent having their lives ruined is better than a criminal going free.

Until it's your sorry ass that gets booted to the slammer.

Unless of course you're so mediocre that you'll never ever risk doing anything even remotely significant; in which case, whatever.

Correct, I don't think the FBI is making up evidence about Marcus and they actually believe he's the creator of Kronos. Sounds crazy, I know.

>> Sounds crazy, I know.

At least you admit that believing the FBI is crazy, maybe there is hope for you.

What legitimate security research are we talking about? I work in vulnerability research and not malware research, but: can we name anyone who has been prosecuted for what turned out to clearly be benevolent research work?

"can we name anyone who has been prosecuted for what turned out to clearly be benevolent research work?"

Randal Schwartz https://en.wikipedia.org/wiki/Randal_L._Schwartz

That isn't a great example. He managed to get his conviction overturned because of the lack of criminal intent, but what he did was pretty stupid.

Rather ill-advisedly, the Perl-programming guru (who's written several books on the subject) tried to prove his worth by running a password cracking package after he'd left in order to produce evidence that security practices had deteriorated since his departure. Instead of re-hiring Schwartz, as he hoped, Intel called in the police and he was charged with hacking offences.


Yeah, I think you'll find when you dig into the details that that case is not a great example for you.

Instead of doubt, can you give us concrete reasons?

This is from memory, but it's been discussed on HN before, so you can also consult the search bar. Schwartz had a contract to do sysadmin work for Intel. In the course of doing that work, he backdoored some of the systems he worked on. After his employment with the firm that had staffed him at Intel concluded, he continued to use those backdoors to access Intel's systems. His claim is that it was necessary to do so, in order to complete work Intel had asked him to do. But from what I recall, he was caught using those backdoors after any relationship he'd had with Intel had been severed.

It's not the crime of the century, but it's not a case of someone doing benevolent security research getting caught. Nobody practicing today would backdoor a client computer, use the backdoor after their engagement had ended, and expect anyone to find that action defensible.

It depends how you define “research”.

- Weev’s harvesting and publication of iPad owners’ email addresses was far from benevolent, but it also wasn’t exactly hardcore hacking; IIRC he just changed a URL parameter. As you know, it’s not that far from what white hats sometimes do, in terms of probing public websites - with the obvious exception that they’d usually responsibly disclose the vulnerability to the site owner, rather than publishing people’s data!

- Barrett Brown was charged with (among other things) republishing a link to data someone else had leaked. That falls more into the category of journalism than research, and ultimately the charge was dropped, but it still fits a theme of overzealous use of <s>the CFAA</s>.

edit: that wasn’t the CFAA, but same idea.

I follow what you're saying, but look at these cases: Aurenheimer was confronted with IRC logs in which he discussed selling the information he got from the website, and Barrett Brown was accused of actively assisting the people who breached Stratfor.

What ever you think of the actual prosecutions here, neither of those are cases of security research being mistaken for something else. The most you can say, for instance, about Brown is that he is not as closely connected to an extraordinarily serious crime as the DOJ believed he was.

Regarding Weev, should planning on selling the data really affect the legality of his behavior? I mean, there are services that sell data they scrape from websites after all.

Yes? Of course it would?

I guess I'm looking at it like this:

1. Someone physically breaks into factory, steals a list of customers for the purpose of (selling to competitors/personal interest)

2. Someone drives around the country and records locations of $company infrastructure, in an industry where optimal placement provides a major competitive advantage, for the purpose of (selling to competitors/personal interest)

In both cases, the person now has information that the target would rather keep private, and in both I would assume that their plans for the data would be irrelevant to the legality of gathering that data. (I'd assume case 1 would be illegal either way, and 2 legal either way) So if Weev's actions are akin to breaking into/hacking a system, then case 1 would apply - but if it was closer to looking at publicly exposed information, then the situation would be like case 2. But either way, I don't think his reasons for taking the actions (or after the fact plans on what to do with the data) would affect the legality of what he did.

Of course, IANAL and US computer law seems to be completely screwed up so maybe it would matter. I just don't see how.

There are two elements to almost every crime in the US criminal justice: conduct and intent. Without provable intent, inappropriate conduct is often excused. Without inappropriate conduct, predatory intent is almost never prosecutable.

Your first case has both prohibited conduct and intent (actually, with or without the intent to sell the data, I think deliberately breaking into a factory is itself criminal).

Your second case does not.

Conspiracy to commit crime is a crime in the US.

As to your first example, there seems to be this pervasive idea in tech culture that something shouldn't be a serious crime or tort because it is so easy to do. I see the argument very often in cases of unauthorized access and copyright infringement.

Murder is also rather easy, and we execute people for it.

That's not what he's saying. He's saying that independent of how easy it is to do, it's also something that professional security people do routinely. And he's right. But that's not the basis of the charge against Aurenheimer.

>That's not what he's saying. He's saying that independent of how easy it is to do, it's also something that professional security people do routinely. And he's right. But that's not the basis of the charge against Aurenheimer.

It's certainly part of what he said:

>but it also wasn’t exactly hardcore hacking; IIRC he just changed a URL parameter.

The difficulty of carrying out an action is completely irrelevant to its legality.

Even if he did attempt to sell the data, is it illegal to sell data that is freely available on the internet (honest question, I couldnt find a solid answer via googling)? It might be against TOS.

I agree with you that the "hardcoreness" of what Aurenheimer did is a red herring.

Actual prosecutions of malware creators are exceedingly rare to almost none existent. As such I believe there are extreme pressure on law enforcement to "Make an example" of some malware creator, or anyone they can even remotely connect to the creation of malware.

This pressure I believe will lead them to over reach on CFAA like they have in the past in other "hacking" cases


So while I can not point to an example right now, that is simply because there is a general lack of case law in the field to begin with, nor does that support a position that the FBI is correct in this case, or would never go after a innocent security research, their history defies that completely.

> because a lot of legitimate security research when viewed through the myopic and cynical lens of a Federal Agent can be seen as illegal, this is an ongoing and ever present fear for people in the field.

While I tend to agree that this is possible, the parent's point was how unrelated this was to WC and to any research occurring in the field. It's strictly a case of "this guy wrote malware and sold it".

> you seem to believe fully this narrative of the FBI with no room for the FBI to view completely innocent actions as something else. No room for the FBI to be in error, no room for the FBI to be wrong.

I'm confused. The parent simply stated he was arrested for that. How does that translate into "Parent believes 100% what the FBI states with no room for the FBI to be wrong"?

I feel like no one here remembers when Dmitry Sklyarov was arrested under similar circumstances. The US government has no obligation to seek out every potential arrestee no matter where they are in the world for every single crime that the US has laws for. But if the target of an investigation (whether they know it or not) sets foot in the US, then we shouldn't be surprised when they are arrested. And this is just another case with Def Con (so no, it's probably not moving out of the US, it didn't 15 years ago), I'm quite certain that these sorts of things happen frequently for other crimes of (relatively) low priority that are just outside our primary focus on this forum (technology).

And is the US any worse for this than other nations? Probably not. They just get more publicity when it happens. But every nation that has a legal system will do the same thing. If the Russians or the Brits or the Germans or the Swiss decide that Jtsummers is a suspect in a crime, and I visit and they realize it, I shouldn't be surprised to find myself arrested and barred from leaving the country.

[0] https://www.cnet.com/g00/news/russian-crypto-expert-arrested... - may not be the best article, it's the first one that came up on Google for me.

Iceland would be great place if you want freedom, but I doubt the willingness from the current majority of attendees.

Realistically, DEF CON should move to the Caribbean.

Marcus Hutchins is a British citizen. Extradition before the event was feasible and would have been a far more honorable path than the snatch and grab that transpired.

British security experts might insist on Grand Cayman for any further conferences in the Americas.

You think the FBI is going to interdict a computer criminal before they spend a week in Las Vegas associating with computer security professionals, any of whom could be criminal co-conspirators?†

That would be exceptionally nice of them, but also extremely poor investigative practice.

I will say, though, as one of the many people in my field that is bone-tired of schlepping out to the worst place in the United States every damn year for these events, any other location in the world would be fine for me, and I endorse the actual suggestion you're making.

(Yes, obviously, I know virtually nobody who attends Defcon is a criminal).

You forgot to mention having the opportunities to electronically surveil his activities while he's physically located in the United States, to attempt to possibly catch him soliciting a plant, bragging to a stripper while drunk, or attempt to catch him in some other questionable activities that they could use as the basis of an arrest or further warrants without having to play their hand as to what they think he's actually guilty of (and therefore being able to possibly turn him as an informant).

There's a brazillion reasons not to arrest someone the minute you think you've got them.

"Basis of an arrest"? They had an arrest warrant. The complaint I'm addressing is "why did they not arrest him sooner???".

I'm agreeing with you (go figure?).

The point I was making RE: "basis of an arrest" is that if you wait for him to do something stupid, like get arrested by local LEO for drunk and disorderly, that gives you cover to approach him in an interrogation and threaten him with prosecution over the malware... unless he agrees to be a witness/informant. Because he's in with local LEO for something innocuous, there's cover.

In the end, they indict him for the malware, which pretty much ruins him from that perspective. Or, perhaps, they already figured he wasn't worth using and it's not above a US Attorney to go after someone well known in order to further their own career...

So I take it you're not a fan of Vegas?

I have friends who live there and don't want to talk shit about the real city of Las Vegas where people actually live, but the part of Las Vegas that Black Hat and Defcon drag us to every year is probably the worst place in the country.

Piggybacking on this to +1 the sentiment as another "security person": I literally do not go to Black Hat or Defcon because I don't like Vegas.

It's a minor networking hit for me, but a total win otherwise (and I can make up by networking elsewhere - I cannot get time spent in Vegas back).

Whats wrong with Vegas for large conferences? Airport is close by and has daily flights to it from most major cities, hotel rooms are cheap and decent quality. Can you name a better city to have a conference for 20,000 people? Only thing i wish it had was tougher smoking laws. You aren't forced to gamble or drink or partake in whatever debauchery that goes down in vegas.

Is it because of the gambling, drinking, or what? I don't gamble but I usually have a decent time visiting good restaurants and maybe seeing a show when I go to DEFCON.

The gambling doesn't do much for me, but I'm a drinker and a social smoker. It's hard to put my finger on what's so grating about the Vegas strip, but something about it puts my teeth on edge. It's a really fake and touristy place, and it's not fake and touristy in a pleasant way.

For me it's the incessant marketing of extremely generic entertainment experiences, amidst a backdrop of sexual exploitation. And half of the marketing reeks of bait and switch.

Plus the fact that it works on a plurality of tourists coming through makes it sad.

I leave Vegas with less faith in humanity than I had when I came. It's been a few years though.

Hunter S. Thompson had it right: try to cram as many drugs into your body as possible, seek out the ghosts of America's dead dreams and you may come out with some semblance of spirit intact.

I call it "the Times Square" effect. Every major city has one. Hollywood Boulevard in LA. Fisherman's Wharf in SF. The eponymous Times Square in NY. Etc. I don't know if the Vegas Strip deserves the title for "absolute worse", but it is certainly conceivable.

It may or may not be the absolute worst in absolute terms, but in relative terms ... take away the strip and Vegas as anyone knows it ceases to exist.

The drinking, the gambling, the strip clubs, the whole debauchery-to-the-max environment of Sin City.

Plus it's in the middle of a desert, so options are pretty limited.

Indoor smoking, 110F weather, and universally crappy, over-priced food.

Okay, so @arthulia and @hueving, is it "good restaurants" or "crappy, over-priced food"? Never been there, but could somewhat imagine either scenario. Actually I could imagine multiple possibilities for each:

"good restaurants": (1) lots of top-tier cooks go there because money and it's cheap because Vegas, or (2) lots of off-strip places with good chefs trying to make it big.

"crappy, overpriced food": (1) Wolfgang Puck etc, or (2) Even off-strip food is bad and expensive because they can't afford water.

So in reality which is it?

Both. There are a lot of chains and mid-grade restaurants where you will pay an arm and a leg for mediocre food.

However, there are also some of the best buffets in the world there (if you're into that). There are also some awesome high-end restaurants: https://www.tripsavvy.com/michelin-guide-rated-restaurants-l...

Because Vegas is a massive tourist destination where you are guaranteed to have a deep market of people eating out every day of the week, it attracts tons of restaurants so you do need to do a little research. Picking a random one will likely get you overpriced 'meh'.

There are lots of high-end restaurants, because every celebrity chef in America seems to open an outpost there. But if you're familiar with the originals, the Vegas versions tend to be overpriced tourist versions with limited menus. There are some great restaurants to be sure, but it's kind of a dice roll.

We've gone off the strip for sushi, Korean bbq, Thai, and Ethiopian and had good luck; I don't know enough about greater Las Vegas to judge it. But the strip is bad.

I think we should move it to Cuba.

>(Yes, obviously, I know virtually nobody who attends Defcon is a criminal).

Very particular definition of a word criminal I guess. Kevin Mitnick, James Clapper, veew, plenty of criminals attend/panel at defcon.

I was just at this past DEF CON. The good majority of attendees were from the United States.

It doesn't make sense to move it to the Caribbean. That would cause attendance to drop by a lot, and some other organization would just start another conference in the US, and most people would go to that one.

If our justice system behaves dishonorably, then the world's information security industry should certainly abandon the U.S. We can have our solo conferences, but we can't ask foreigners to risk incarceration for our convenience.

The Bahamas might also be a reasonable choice, as they only declared independence from Britain in 1973.

I might be misunderstanding your point but I don't understand what they did that was so dishonorable? I thought that this guy produced malware

We don't know whether he did or not. But if they have evidence to support arresting him, the US has an extradition treaty with Britain; they should have shared it and asked British authorities to make the arrest. And there very well may be evidence, especially if the timing is related to something new obtained from the Alpha Bay takedown and it happening when he happened to visit the US for DEFCON was a coincidence.

But running a snatch and grab at a security research conference looks really bad, and is bound to have a much wider chilling effect on people's willingness to attend US conferences.

> But if they have evidence to support arresting him, the US has an extradition treaty with Britain; they should have shared it and asked British authorities to make the arrest.

Is this just for alleged computer crimes, or would you apply that to all alleged crimes?

For example, suppose I run a fraudulent mail order business targeting people in, say, France, and this is a crime in France. Would you argue that if I visit France, and the French authorities want to arrest me and bring me to trial, they should let me go home and use extradition to try to force me back, rather than arrest me while I am in France?

Somewhat. The distinction I would make is not computer crimes vs other crimes, but rather the timeliness of the situation. For an emergency situation, or a case where a wanted individual enters the country anyway, I agree they'd be foolish to let them return home and only then try to have an arrest made. But there's also no reason prosecutors should lie in wait until you visit the US to even bring charges. They should decide you're being charged, issue a warrant, and try have the arrest made, including asking other countries for cooperation.

But the alleged crime here is years old, and I have don't remember anything (or find anything in a google news search-by-date) to suggest there were charges or an arrest warrant before July 2017. That makes it seem like they didn't think the evidence was strong enough to get British cooperation, and waited to even mention it until they'd have have a chance to act alone.

Either that, or they really had nothing linking Hutchins to Kronos until very recently. If it turns this really was based on new information, and the timing really was coincidental, I'll be a lot more comfortable with how it was handled. But that's sure not what it looks like right now...

I think that a Black Hat convention that attracts many federal employees who work in computer security should be especially sensitive to "snatch and grab" operations.

The pall which is descending over foreign attendees is a harbinger of either relocation or vastly reduced attendance.

What kind of an arrest isn't a "snatch and grab", in your mind?

I think we can all rest assured, unfortunately, that Black Hat isn't going anywhere.

Obviously, the polite thing to do would be to send a letter. "You have been charged with a crime. Please report to the local police station at your earliest convenience."

In what universe does a country not arrest a criminal suspect when they set foot on that country's soil?

Sure, so he was a suspect in a criminal investigation before attending DEF CON. The US doesn't try to extradite literally everyone suspected of a crime from every other country we have an extradition treaty with. Extradition is a pain in the ass so the DOJ decided that it probably wasn't worth their time. Then he comes to the US, he's flagged at immigration, and the DOJ is like "OK, now it's worth our time".

Seems completely acceptable to me.

There is already a similar huge convention held annually in Germany, the Chaos Communication Congress. It's quite well attended.

Except BlackHat happens annually on multiple continents. Sure, DEF CON doesn't, but there are comparable conferences elsewhere (CCC for example).

Extradition needn't have come into it. The US authorities could have sent their evidence to the UK police to deal with (assuming the UK police didn't have it to start with).

If we want justice to be seen to be done, we shouldn't encourage "forum-shopping" by law-enforcement, letting them bring prosecutions in a country where the defendent will be artificially disadvantaged.

This isn't "forum-shopping". Not every crime is going to get someone extradited, which is a huge hassle, but if the person accused is going to be entering the country of course you grab him.

Yeah everyone is just emotional and not using their brains. This is clearly the easiest route to take for the fbi. I appreciate our government being resourceful. However, if it turns out that the allegations are false and that this is harassment I will grab my pitchfork as well.

Agreed. I will be really upset if this is all just a colossal f-up on the part of the feds.

Having said that, if the unidentified co-conspirator is from the US and they're going to be tried together, it wouldn't be so unreasonable.

I am sure the "unidentified co-conspirator" is unidentified because they have a deal to talk and will likely not be charged or has a plea agreement so no trial

There is apparently going to be a DEF CON event in Beijing. But I'm not sure that will be any better in terms of not going to prison.

Got any details on that?

No, Dark Tangent just mentioned it at the closing at DEF CON 25, I can't find any more details than that.

[0] is an interesting article about this. It doesn't matter where it is, if they want you they will get you. They have done this private plane on the runway thing a few times now.

> Seleznev, the identity thief who is the son of the Duma deputy, chose to vacation at a five-star resort in the Indian Ocean archipelago nation of the Maldives in 2014 precisely because it has no extradition treaty with the United States. U.S. officials got word and persuaded Maldives authorities to intercept Seleznev at the airport, where in a fast-paced operation he was bundled on a private plane to Guam

Personally - I think in this Hutchins case they just wanted a new hire.


So many extradition experts visiting Hacker News these days.

I'm pretty sure every year someone arrested because they attended DEF CON. Considering the US are one of the main countries seeking out and arresting cyber criminals why on earth is the main security conference in the world in what could be considered a hostile country.

A case of smart people doing stupid things.

Because DEF CON is for whitehats / reformed blackhats so it shouldn't be an issue?

Maybe Sir Richard Branson could host it on Neckar and stream it live on Virgin.com -- I'm only slightly kidding.

Nowhere near enough space on Necker (my friend just went there) for a massive conference like this. Would be cool, though.

This seems, amusingly, like something I could imagine him actually getting involved with.

It's somewhat challenging to get to the Caribbean without risking IRROPS in USA.

>Extradition before the event was feasible

It wasn't feasible for political reasons. By attempting to extradite yet another sympathetic character from the UK the US would have risked undermining the extradition treaty for no gain.

Anyway, I don't understand how extraditing him from the UK would've been any more honorable.

If your code is used in an exploit and that is now a punishable crime, maybe next the NSA will be in the hot seat since the code that was used in wanacry was their own. Or perhaps Israel for their effort in Stuxnet. I hope he takes it to trial and we find out what is really happening here. Pretty suspicious that this happens years after the fact and only weeks after he helped prevent the further spread of wannaCry. WannaCry being created on top of the leaked NSA exploits they held on to instead of responsibly disclosing to Microsoft.

Yes, take this for an example, if someone were to deliberately sell firearms to someone that they knew would attempt to murder someone with their firearm, do you think they should be partially liable for the murder?

Yes, the seller would legally be an accessory to the murder, having had knowledge that the crime would be committed and having helped the murderer commit it.


Then shouldn't Hutchins legally be an accessory to uses of the malware to steal money, surveil unsuspecting victims, etc. if it is true that he knowingly sold it to people who do such things?

He might be able to get out of it by arguing that he didn't know about any particular crime they would commit, or that he thought they had good faith reasons to buy the software despite being criminals in general. I think this hinges on exactly what he knew.

Yes, absolutely. The burden is on the government to prove he knew who he was selling it to and that he knew what they were very likely going to use it for.

Firearms are legal. If you create an illegal firearm (banking trojan), and did the same, yes - you'd be partially liable.


I'm a pretty big fan of firearms. I disagree. If you had knowledge before hand, of the crime, and a reasonable expectation, you are culpable, to some percentage.

The law usually agrees with me, if that helps.

I does not, the vast majority of the law I disagree with

See I can not support the concept of 3rd party lability. I should only ever be responsible for my actions, not the actions of others, and I have no responsibility or obligation to stop any crime.

> and I have no responsibility or obligation to stop any crime.

You don't have to ask someone if he wants to commit a crime, so that is not the problem. It is when someone explicitly asks for your help in commiting a crime and you think to yourself "yes I want to be complicit in this" that lands you in legal trouble.

If someone asks you for a handgun to kill someone you don't have to stop him, you just aren't allowed to aid him.

I really don't understand how you people seem to be under the impression that not going out of your way to help criminals takes more effort than not. I am more under the impression that you would pull the trigger on your on grandmother if it made you money, since it is not you but the blodloss that finally does her in - degrees of seperation and all that.

Generally I oppose these types of laws because they are never used for the rare cases where Joe says John "hey John hand me your handgun so I can kill my wife"

Instead most often these types of laws are used to prosecute people under a "should have known" scenario.

Examples of real situations of 3rd party liability that have been used to send people to prison

1. Jim takes a friend to a bank, the friend goes in and robs the bank. Jim though the friend was just withdrawing some money from his account but Jim is arrested and convicted of aiding his friend in the robbery

2. Jane does not have a license, a police officer attempts to stop Jane, Jane panics and runs from the police. The Police officer runs through a red light while in pursuit and kills a bystander, Jane is charged with murder.

I wish there was a way to flag a user as "favorite"... so far I agree with all your comments on this page :)

lets take away the feelings by saying...

if someone were to deliberately sell a pair of shoes to someone that they new would attempt to j-walk with their shoes, do you think they should be partially liable for the j-walking?

> no.

sentencing is based around severity, change the severity of the situation and we are no longer talking about the same thing.

comment replied to raised the discussion to firearms and murder, which isn't the same as code that is designed to reveal flaws in software.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact