Slashdot Mirror
Spyware Maker Indicted on Hacking Charges
An anonymous reader writes "The San Diego Union-Tribune is reporting that Carlos Enrique Perez Melara, the author of an investigative tool called 'Lover Spy,' has been indicted on 35 counts of federal hacking violations. This begs the question: if you develop and sell a software product, are you responsible for what your users choose to do with it?" From the article: "Perez, a native of El Salvador, probably is in the Los Angeles area, said Stewart Roberts, the second highest-ranking agent at the San Diego FBI office. Crime Stoppers has offered a $1,000 reward. Perez is charged with 35 crimes, each of which carries a potential five-year prison sentence if he is convicted. "
...it "raises" the question. "Begging the question" is something else completely, and you're not doing it.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Umm... hm. This isn't "spyware" in the sense people normally mean. These are hacking tools. "Spyware" is a word which is used to refer to software which in addition to its known function covertly transmits information back to the software author. This is nothing of the sort; it's a surveillance tool. It may be immoral or unethical to use this surveillance tool, but that doesn't mean it's a good idea to use words like "spyware". Words have meanings. If you start ignoring the meanings and deciding that if it's bad it can be referred to by the same terminology as any other bad things, language ceases to be useful.
Anyway, I find it funny that people are being prosecuted for creating tools like this at the exact same time that the government's use of tools like this is on the rise.
If you create a nuclear weapon, you should not sell it to North Korea. If you create a tank, selling it to Iran surely would not increase your merits in the western societies. If you sell guns to teenagers, you are a criminal and - as far as I am concerned - partly responsible if those teenagers start shooting their classmates.
Why of all things should you not be responsible for creating a software intended for potentially criminal purpose (here: spying on users) and giving it to people who will use it? Following this logic of non-responsibility, worm writers should not be persecuted, because the damage their creations have done was not their immediate fault.
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
a $1000 reward for a guy wanted on 35 counts? Cheepskates! Add a couple zeros to the back and I'll drag the guy in myself.
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
If they are suing the people who use the spyware against others and the peson who wrote the spyware, why are they not suing the company who wrote the software that makes it so easy for spyware to exist?
Caesar si viveret, ad remum dareris.
So what you're saying is that we should treat computer programs-- which are nothing but a series of instructions, potentially human-readable instructions, that just happen to be written in a language that a machine can interpret--
In the same way we treat real-world devices designed for and capable of killing very large numbers of people?
Hmm.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
IANAL, but if a gun maker named their pistol "Felon's Favorite"(TM) or "Rob-Rite"(TM), then I'm sure they would be susceptible to either civil or criminal legal pleasantries.
Are there legitimate uses of this code? If so, then why didn't the author market it strictly for those uses and name it something a little less felonious than "Lover Spy?"
Two wrongs don't make a right, but three lefts do.
and we'll call it even
I mean, my friend says he'll bring the guy in and he and the feds can call it even...
R(k)
How does an e-card install malicious software??? I suspect that perhaps what is going on is that he set up the server that served the e-cards, in order to infect users who opened the cards. If that's the case, he didn't just write the software, he installed it on computers without owners' and users' permission.
TFA doesn't explain this very well. Couldn't find an antivirus page about it, but here's another page mentioning the tool.
If hacking is a violation, then Linux must be illegal.
:-/
Yes, I know they mean that differently, but once laws outlaw "hackers", I wouldn't want to be counted as one..
Truth is in the eyes of the power-holder..
|| Geshem ||
I actually live in san diego and read this article yesterday. If it is the same article, this guy marketed it as a program to spy on your significant other. I think that is where the law gets him. If you distribute some code thats a trojan and slap on, "Educational purposes only, do not use on anyone without their permission, I am not responsible for your actions", then it seems the law is much more lenient. But this guy was marketing it as a tool that u send (like a greeting card) to check on your gf/bf to see if they are cheating.
No this trial doesn't mean coders are responsible for their users' actions, just responsible for how they say their program should be used
On a side not, this company started in 2001 - took 4 years for the FBI to notice & catch him. Kind of funny.
Why of all things should you not be responsible for creating a software intended for potentially criminal purpose (here: spying on users) and giving it to people who will use it?
It's not that. Many people who (of course) haven't RTFA miss the point. This isn't software which someone buys and then installs on their target's computer themselves. What they do is sign up at the site and then have that site send out an email with "You have a greeting card..." message. The victim clicks on the link to the website and views the card while, at the same time, this spyware is installed on their system automatically. So the end-user isn't the one doing the hacking and installation -- the guy running the site is the one who, in effect, does it all.
The end users are scumbags for using the service, but it's the guy who wrote it and put it up on the website and caused victims' computers to be compromised who is the guilty party here. This has nothing to do with distributing software.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
This begs the question: if you develop and sell a software product, are you responsible for what your users choose to do with it?
The question boils down to the intent of the author. If the program, when considered as a whole, cannot be reasonably construed to have alternative non-damaging or benign uses then it serves to demonstrate the malicious intent of the author and therefore it becomes possible to assign some responsibility for the actions of users to the original author(s). Software engineers, like other engineers, must have some code of ethics that governs the standard and intent of the programs that we produce. If you write a virus, worm, spam ware, or other "evil" type of application then you are responsible for the damage you cause to other people. You cannot demonstrate vulnerabilities or exploit code to prove a point while damaging other people's property in the process. In this case it seems that the author in question, Carlos Enrique Perez Melara, is indeed responsible for malicious intent in the collateral damage that his software caused.
Priorities? Isn't it enough that CNN, Fox News, and MSNBC have been talking about Katrina all day long. Do we really need Slashdot regurgitating and spewing out the same stuff that every other major news outlet in the US has been blathering on about non-stop? This is News for Nerds, not news for people who like beating a dead horse.
If the Supreme Court decision, in its recent case regarding P2P software, is followed the makers of software may be responsbile for the illegal use of their products. All it takes is a reasonable (for some value of reasonable) chance that users will put your software to illegal uses and you get a ticket to jail or years of penury as you attempt to pay off the civil penalties that may be assessed against you. Now all it will take is for the FBI to discover that some "potential terrorist" used this software and Mr. Perez can kiss his rights to trial, an attorney, etc. goodbye thanks to THE PATRIOT Act.
Just my $.02,
Ron
Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
This mis-use of "begging the question" arose in the 1980s.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Then get in your car, drive down there, and find some of them-thar lost billions, ya' idjit.
Wouldn't this just be a trojan, like Backorifice?
"Begs the question" is a term of art in logic and debate. It's also pretty simple English, meaning "demands that we ask." To insist that *only* the term of art can be used, and the plain, simple English meaning is off-limits, is just annoying -- especially when the plain English meaning makes so much sense, and the term of art is a terrible way to describe what you mean. Besides getting to make fun of people who don't know the phrase, there's just no reason to name the logical fallacy that way.
All it takes is a reasonable (for some value of reasonable) chance that users will put your software to illegal uses and you get a ticket to jail or years of penury as you attempt to pay off the civil penalties that may be assessed against you.
This is a blatant and gross misrepresentation of the SCOTUS decision you mention. What it took in that case, was quite a load of evidence that the companies in question deliberately planned to profit, albeit indirectly from illegal uses.
"She sent me a greeting card on the Internet through my e-mail and that's how she got into my computer," she said. "She had access to everything."
How does reading plain text let someone into your computer?
Regarding a well publicized computer espionage case.
It seems, the authors of the spying tool used in this case, were arrested in the UK and are being turned over to Israel for justice.
This raises the same moral question, whether an author of the tool is responsible for the way it's being used.
Should Fire Arms companies be held responsible whenever someone uses their branded rifle to commit a crime?
Sigs are for the weak.
I'm not in favour for what he's done, but getting 175 years in prison for writing a program?
You can get less for killing a man. No wonder the prisons are already full.
Perhaps it's time to realize that it's not always the solution to lock people up for what they have done.
There are no atheists when recovering from tape backup.
I hate this constant bitching about the use of the word "hacker". Words are generally used to communicate. The word "cracker" is a word used by a small minority of geeks, and it's sole purpose is to allow the users of said word to bitch about the people who don't use it. It certainly doesn't serve the purpose of communication as most people don't even know the purported meaning the word in this context. Words whose sole purpose is to beat other people really aren't nice and the world is better off both without the word, and without those people who insist on using it.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
He sold this? I know it was a misspelling, but it was a little funny. Ok, a really little.
Among the most misused phrases EVER. Read this or do a search on your favorite search enging for "begs the question" and you'll see why some find this one of the most obnoxious phrases ever.
For more fun, see the reaction of people when they are making an argument that begs the question, and you tell them "you're really begging the question." Most of the time they'll respond with something similar to "what question?"
For those who don't wish to read the link - "begs the question" means to assume your conclusion as part of your argument, not forces one to ask a particular question.
" I hate this constant use of the word "hacker" when the correct usage of the word should be "cracker"."
Hacking has been used to mean breaking into a computer system for decades. People are trying to change this term to cracker, not the other way around, as you suggest with "It is the media that is poisoning the word"
Vote for Pedro
authors should not be responsible for how the users use their programs. Is Ford responsible for people using their cars to kill people? Smith and Wesson for people using their guns to shoot people? Absolutely not.
However if the creator of the program created the program to specifically hack people and cause damage than he is guilty for whatever the users do, as well as the ones who use the program.
How much do you want to bet that some high ranking official at the San Diego FBI office was caught cheating or at least had his email read by this program? :)
Rats would be more funny if they could fart.
...when the catch the &*$&# bastards that write shit like Aurora or CoolWebSearch. Now THAT would be time for some mob justice!
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
I've used hacking methods a number of times to help friends play practical jokes on other friends. But the only times I've ever been offered money was from requests to crack access to computers and emails of significant others.
I was amazed at how many people have no problem snooping on others, so I'm positive the guy providing this "Lover's Spy" service has made enough money to cover legal expensises, his eventual fine, and still have a nice sum left over.
Another part is simply if the product in question has a substantial legal use. If you make something that basically can only be used to break the law, it's probably illegal to sell. A back door program to a computer isn't illegal, there are plenty of them out there. What makes this one different is that it tries to sneak on to a computer without the owner's permission.
Now there's really not any substantial legal use for that. Sure you could come up with some extremely unlikely scenario but generally speaking, there's no legit reason for it.
Combined that with the fact that it's being advertised to be used to break the law and it's a lock.
>> if you develop and sell a software product, are you responsible for what your users choose to do with it?
That's a good question. Why don't you write Dr. Kevorkian a letter and ask him what he thinks?
First off the guy advertised the program solely as a product to spy on your lover or other people and did so by spamming. Secondly the software was not something the purchaser downloaded and installed on a machine on their own, it sent out an e-card, which directed the recepient/victim to visit a web site run by Perez. Said website then exploited a security hole in IE and installed the spyware in the background without any warning to the victim. Finally the software sent a copy of everything it recorded (and it even logged keystrokes) to Perez as well as the people who paid to spy on someone with it.
The FBI isn't going to need the PATRIOT Act to bust this guy and this guy's not the least bit innocent. He promptly dissapeared after they seized his computers, so it's pretty clear he knew what he was doing was illegal as well.
An interesting discussion of the phrase is given here. The reason for naming the fallacy is given as poor translation from latin, where "laying claim to the principle" would probably be more suitable. However, as the author suggests, it's probably better to use an alternative phrase (e.g. "raises the question") to avoid confusion.
In my view, while the most recent meaning does make more literal sense, redefining a phrase based on common usage is a slipper slope. On that basis, we should probably all be writing in "txt speak".
Cracker? I thought he was Hispanic.
We do not treat images that could be children, but are not, as child pornography. There was a Federal Law that tried to do so and that law was struck down. The grounds were free speech, but the minour grounds were that if no child was actually being harmed, then there was intent to harm, ergo the images of adults that looked like children were not child pornography and therefore could not be made illegal.
Catch that key word: "intent"? A programmer might not have the intent to harm by developing a program that others might use to spy illegally on users, but could equally well use to monitor their children or spouse. That intent is very important to determining the illegality of conduct. Let's pray the courts remember intent before setting precedent.
Yes, and for decades before that the term hacking was used to refer to people who spent their days 'hacking away' at the keyboard coding.
Nuff said: guns
I don't see gun manufacturers being arrested. This dudes biggest mistake was not selling the software to the government.
This is News for Nerds, not news for people who like beating a dead horse.
You really are new here, aren't you?
First off the guy advertised the program solely as a product to spy on your lover or other people
There is nothing wrong with this, most people do it, want to do it, or would do it if they weren't so lazy.
The pigs do it all the time.
People 'like you' are not only grossly out numbered...
But when 'it-all-comes-down', the pigs will hunt down, arrest and kill people like you first, for being so lame and yellow-bellied in your support for them.
I will gladly loose all of life's battles.. in order to win the war..
He sold this for the sole purpose of being installed into a system (in violation of the law) and sending the data out.
This is creating a selling a product that sole purpose is to commit a crime.
Fight Spammers!
The reason he's not responsible for the activites of his customers is called Ownership. The maker or inventor of a product is not responsible for the use his creation is put to after he sells it because he no longer OWNS it. He has no control over it, no knowledge of it's use or condition.
This is a direct result of the concept of private property. If what's mine is mine, in a free society nobody else has any claim to or control over what's mine. If I buy a thing it becomes mine, and all benefits and consequences from its use or abuse become mine also.
Take your issue of selling the tank to Iran. Let us, for the sake of argument, agree with your assertion that the tank maker is responsible for the use his machines are put to by the Iranian government.
Tanks are made of steel. If I make steel and sell it to the tank manufacturer, am I responsible for the tank he sells to Iran as well? How about the miners who dug up the iron ore? How about the caterers who fed the miners? How about the shipping company that delivered the ore?
Private property. Important concept. Personal responsibility, different concept, also important.
From the article, he collected all the information that was being sent to his clients. So he didn't just sell the software, he was collecting information that could have been used for identity theft, credit fraud, blackmail, etc.
This wasn't a simple case of selling software with the potential for abuse -- the retailer himself was one of the abusers.
I do not fail; I succeed at finding out what does not work.
This month, the Senate passed the bill protecting gunmakers from liability for the use of their products in crimes.
--
make install -not war
A simple google search for "Lover Spy" included Symantec's reference to it on the first page of results. See http://securityresponse.symantec.com/avcenter/venc /data/spyware.loverspy.html for details.
Note also that it's been detected since October 2003, so I really don't have that much sympathy with the victims. The guy who sold this software deserves far worse than arrest and incarceration, but the victims who claim they had current anti-virus software updates installed are full of it.
I do not fail; I succeed at finding out what does not work.
McAfee also has detected this issue since 2003, see http://vil.nai.com/vil/content/v_100716.htm
This one was tougher to find. I had to go to McAfee's site and use their virus information database search tool instead of google.
I do not fail; I succeed at finding out what does not work.
I hadn't caught the bit in the article about the "company" that sold the software being shutdown in October 2003 -- a couple of weeks before Symantec and McAfee released detection of the problem.
So my apologies to the people who had current AV software but got burned.
I do not fail; I succeed at finding out what does not work.
Gator, CyDoor, et al actually get to make money doing this, why haven't they been arrested.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
Ownership is not a defense if the product is sold with the understanding that it will be used for illegal purposes.
I can see it now Free Enrique Perez Melara!!!
What if you only sell all the tools needed to make a nuke to North Korea? Is that just as bad?
The way I read the article Perez only provided the tools to monitor others. I can't see it written that he used the tool to attack someone himself.
If providing tools which enable someone to break the law is an offence, wouldn't every company who developed a C or C++ compiler that someone used to write such programs also be liable?
Who is the judge that decides what "intended use" and "unintended abuse" is? If Perez was smart enough to put something about it being illegal to monitor someone w/o their consent in the EULA to his greeting card scam wouldn't that exempt him from liability on all counts exept for him monitoring the streams released by people buying his client (unless that also was noted in the EULA ofcourse)?
If he is found accountable for these offenses would makers of surveilance equipment like wireless microphones, small cameras or cell phones with an "automatic answer" feature also be liable if someone used it to illegaly monitor someone?
Heaven forbid people wish to keep something they associate themselves with from having a bad connotation. Especially when it did not always have such a bad one.
Now only if the pioneer to the art of 'mofo' were alive, he would probably need a copyright to 'mofo' and then he would become a 'quickie millionaire' . Goatse. email Jaxier_Viiv@intel.con
"What happend to just paying for a product without being constantly nibbled to death by Credit Card Ducks?"
Rare to find an instance wherein the US is more enlightened than Canada! Of course, different standards exist in different parts of the world. This particular accused is accused in the USA and not Canada - so the study in Canadian law is not particularly relevant. Nice facts to know though.
I also don't think the motive exception would apply in this case. There's ample evidence that he advertised the product for bugging someonelse's computer. The point of the comment was that the parent was making an absolute statement theat defies the current US jurisprudence.
And to differentiate between real "hackers", the term cracker came into being, it is a combination of the words CRiminal and hACKER. Brain dead Slashdotters strike again.
When I was growing up in the 80s, the term "cracker" referred to someone who soley cracked copy protection on software.
I think people are really confused about this. He isn't in trouble for the creation of the hacking tool, he's in trouble for providing services and profiting by helping gain access to others systems. The term "spyware" was used to mean a tool to spy on others here, it's not the normal semi-legal type spyware like gator. Just poor choice of words by a few different people. So all comparisons to companies like gator or operating systems being hacker's tools don't fit. He was never in trouble for creating the tool, our rights aren't threatened, nothing to see here.
Cracker? Was he staying at the Ritz?
Would he be served with soup?
If that doesn't make sense to you, then your a bigger idiot than I think you are.
So if *I* own a gun, and there is a probability that any of my fellow humans around me also own a gun, but may think they are faster or better using it, how does that make me feel more secure?
OK, so in countries with gun control, $badguy may have a weapon even if he is not allowed to. In nations without gun control (are there any beneath the US of A?), $badguy is allowed to own one. But your neighbor might also have a gun/rifle/whatever, and as soon as your dog is too loud at night, he might snap and start the fire on your house. Probably you are dead sooner than you are able to "defend yourself" with your own weapon. Great security, isn't it?
Somehow this "Get a weapon to protect yourself"-stuff does not appeal to me...
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
I think you meant confucius?
Thanks for the SCOTUS quote.
That sounds a lot more reasonable that how it's talked about on Slashdot. Somehow the "promoting", "clear expression" and "affirmative steps" always seem to be omitted by the sensationalists.
Begging a question is asking a question that implicitly assumes something is true that the author is trying to get you to believe. See also http://www.wsu.edu/~brians/errors/begs.html
That would make the sentence mean you are responsible for what your users choose to do with it, which is arguably false.
--dave
davecb@spamcop.net
Whoosh!
(Hint: The words/phrases "jenny say qua" and "split", among others, should have given it away.
Ever heard of Norm Crosby?
Sigh.
Kids today.)
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Please tell me you are just being a smartass. Cause seriously I am tired of people nearly twice my age thinking people my age don't know anything because we haven't heard of some two-bit comedian...Its not like the man was some legendary comedic figure which people from your own generation have necessarily heard of...
Man, the 1980's just loves to screw up words, don't they? After all, that decade is what happened to our beloved "hacker" as well.
I believe you mean 'h4x0r'. The 90's changed the spelling to avoid confusion after the horrendous mistakes of the 80's.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
That's because the seller is part of a criminal enterprise, which is different than simple commerce.
What you're proposing is changing English usage rather than correcting it. Deliberately changing the English language like this is very hard and I doubt you'll succeed. But it's not impossible, eg. the change of the meaning of the word 'gay' within my lifetime.
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Whoosh!
The software that this guy sold was packaged as an email greeting card that you email to the person you intend to spy upon. The trojan spying software secretly installs itself when the person reads the card. How could you possibly believe that there wasn't an implicit understanding on the part of the seller that it would be used for illegal purposes? Especially when it was explicitly marketed as being handy for illegal purposes?
Not sure if anyone else noticed this at the bottom of the article. The FBI began investigating after getting a tip from someone who got e-mail spam from the company. Perez was present when agents raided his apartment and took his computers Oct. 10, 2003, but has since disappeared, Roberts said. Oh, he was there Two Fucking Years ago, but now, he's not? The FBI's giving some nice running starts lately, eh? I wonder why it took so long to indict him. =/