Hacker News | nested_callback's comments

Your ssh client supports binary re-packing to evade antiviruses, hidden monero mining, and webcam and microphone capture to hidden file with "methods to disable the camera LED"?


The comment was implying that any "bog standard RAT" doesn't have legitimate use cases. Not just this software.

Does ssh not qualify as one? If that's the answer you could have just said so.


Lol, yes, I could do any of those things if I chose to do so. Should ssh be illegal? Or shall we stick with the principle that "committing crimes" is illegal, not "producing tools that can be used to commit a crime"?

For what it's worth: "methods to disable the camera LED" was not a feature, that functionality was provided by an external plugin.


What if pretty much ALL your customers are criminals? That near enough the line for you yet? The moment you add that requested feature to disable the recording light on the camera of the targeted laptop. Is that over the line yet?

How about if your customers request a function that encrypts the root C:\ and puts up a message with a linked bitcoin address? We still on plausible deniability?


Please stop the "what if's". They are speculation and have no relevance to the available information about this case.

For me personally, the line of what constitutes ethical behaviour has been long passed by the authors of this tool. That is however completely irrelevant, the question is whether they acted illegally. I have a hard time seeing that based on the information available in the media.


There's no currently active principle that "committing crimes is illegal, not producing tools that can be used to commit a crime" so we can't stick to it - it's well established in many countries for many years now (the particular UK act is from 1990, so 29 years ago) that in certain conditions producing tools that can be used to commit a crime is a crime by itself.

Of course, that doesn't apply to all circumstances and all tools that might be possibly used to commit crime, and it's a valid discussion topic on where exactly the line should be drawn; but that line between crime and not-a-crime definitely has some "I'm just producing tools" people on the crime side of it, not only morally but also legally, and not in some indeterminate future, but for as long as some of these "tool producers" have been alive.


Interesting! Just for my further education, could you quote the name of the act in question? I assume there have been a few past that year.


For UK, it's the Computer Misuse Act of 1990 at http://www.legislation.gov.uk/ukpga/1990/18/section/3A with things like, among other things, "A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under [section 1, 3 or 3ZA]." and "(4)In this section “article” includes any program or data held in electronic form." so it is quite explicitly about tool making - with the quoted criteria about the belief/intent separating whether it's a crime or not.

Though it seems that I made a mistake about the age of that law - it seems that this particular section of the "1990" law was actually inserted in 2006 with the amendments introduced by the Police and Justice Act 2006 http://www.legislation.gov.uk/ukpga/2006/48/section/37 so it's old but not that old.


I would imagine it didn't help their case that the author of the tool happily endorsed this external plugin?


For the people that think this is legitimate software, this is not legitimate software. It is sold and encouraged as malware, used to blackmail girls (barely women) - that's what "cam capture" is for - keylogger, general malware, backconnect proxy, auto-start and persistence.

See https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-d... for more details and screenshots/quotes of posts by the creator of the tool.

This is _not_ for server administration.

This is _not_ like PuTTY or Remote Desktop. This is like Blackshades or Orcus. It is malicious, only sold for malicious usage.


I don't think anyone seriously doubts the intended, arguably unethical, use of IM-RAT. The question is whether authoring and/or selling these tools is or should be illegal. I'd argue that would set a dangerous precedent allowing governments to go after any security researchers whenever they feel it convenient to do so.


I mean, there's probably more than enough intent here for prosecution. There's a fairly significant difference in selling a RAT that does remote administration, and selling a RAT that includes bulletpoint features to evade antivirus detection, persist through removals, and other features explicitly against the wishes of the device owner while the author actively and exclusively only advertises on script-kiddie forums and provides advice and encouragement of malicious infections.

I don't think I've ever seen people gone after for the former, even when it's been abused by miscreants.

At least in the US, people already "go after" security researchers all the time (at least the companies not smart enough to realise just how much a well meaning email can save them).


Your comments in this thread are fine and welcome, but trollish usernames are not ok. They troll every thread the account posts to: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....

Do you mind picking a non-trollish username and letting us rename it for you?


Sure. My apologies, didn't mean to offend - came from reddit. I'll take 'nested_callback' if it's available.


Ok, you are no longer EAT_ASS. You are now https://news.ycombinator.com/user?id=nested_callback.


For what it's worth: I have tracked, managed, and recovered hundreds of devices using tools that were hardened against detection and removal at the express request of the device owners in enterprise, educational, and private settings. Mobile asset tracking is a thing. So yeah, there is a legitimate use for that too.


A key requirement under UK law is unauthorised access.

If someone explicitly asks you to hack their systems (and they have permission themselves), or if you want to do pentesting and hardening of your own systems, you should be fine.

The grey area here is how likely it is that someone would buy this tool for legitimate security analysis.

Most people wouldn't, which puts it on a slippery slope. A good defending lawyer should be able to make a good case for genuine legitimate use, but of course that's still going to leave some risk, not to mention a lot of stress and inconvenience before a case even gets to trial.


It is worth noting that there exist legitimate RATs that offer the bullet point features you've highlighted. The marketing issue is another problem entirely; these legitimate projects are usually open source on GitHub or posted on public blogs.


https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School...

> Robbins v. Lower Merion School District is a federal class action lawsuit,[2] brought in February 2010 on behalf of students of two high schools in Lower Merion Township, a suburb of Philadelphia.[3] In October 2010, the school district agreed to pay $610,000 to settle the Robbins and parallel Hasan lawsuits against it.[1]

> The suit alleged that, in what was dubbed the "WebcamGate" scandal, the schools secretly spied on the students while they were in the privacy of their homes.[4][5] School authorities surreptitiously and remotely activated webcams embedded in school-issued laptops the students were using at home.[6][7] After the suit was brought, the school district, of which the two high schools are part, revealed that it had secretly taken more than 66,000 images.[8][9] The suit charged that in doing so the district infringed on its students' privacy rights.[6][10][11] A federal judge issued a preliminary injunction, ordering the school district to stop its secret webcam monitoring, and ordered the district to pay the plaintiffs' attorney fees.[12][13][14]

> The lawsuit was filed after 15-year-old high school sophomore (second year student) Blake Robbins was disciplined at school for his behavior in his home.

Acknowledging that the school was found to have been in the wrong and that the courts came down on the side of privacy, is the company which sold the school district the software they used to violate privacy guilty of anything? Should it be?

The company involved:

https://en.wikipedia.org/wiki/HEAT_LANrev

... said its software was intended to be used for theft recovery. Easier to recover stolen goods if the laptop can surreptitiously take pictures of its surroundings and send them home, see? Is that software inherently bad, like the software you're talking about is? It could certainly be used for the same thing.


I remember that case, and I am surprised criminal charges were not considered against the school officials.

Back to the matter at hand, I think the installation process can serve as a litmus test. If the software requires effective ownership of the device for initial installation, it would be of limited use as malware. Typical DRM software has characteristics of malware.

