Spyware Maker Indicted on Hacking Charges
An anonymous reader writes "The San Diego Union-Tribune is reporting that Carlos Enrique Perez Melara, the author of an investigative tool called 'Lover Spy,' has been indicted on 35 counts of federal hacking violations. This begs the question: if you develop and sell a software product, are you responsible for what your users choose to do with it?" From the article: "Perez, a native of El Salvador, probably is in the Los Angeles area, said Stewart Roberts, the second highest-ranking agent at the San Diego FBI office. Crime Stoppers has offered a $1,000 reward. Perez is charged with 35 crimes, each of which carries a potential five-year prison sentence if he is convicted."
...it "raises" the question. "Begging the question" is something else completely, and you're not doing it.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Umm... hm. This isn't "spyware" in the sense people normally mean. These are hacking tools. "Spyware" is a word which is used to refer to software which in addition to its known function covertly transmits information back to the software author. This is nothing of the sort; it's a surveillance tool. It may be immoral or unethical to use this surveillance tool, but that doesn't mean it's a good idea to use words like "spyware". Words have meanings. If you start ignoring the meanings and deciding that if it's bad it can be referred to by the same terminology as any other bad things, language ceases to be useful.
Anyway, I find it funny that people are being prosecuted for creating tools like this at the exact same time that the government's use of tools like this is on the rise.
If you create a nuclear weapon, you should not sell it to North Korea. If you create a tank, selling it to Iran surely would not increase your merits in the western societies. If you sell guns to teenagers, you are a criminal and - as far as I am concerned - partly responsible if those teenagers start shooting their classmates.
Why of all things should you not be responsible for creating a software intended for potentially criminal purpose (here: spying on users) and giving it to people who will use it? Following this logic of non-responsibility, worm writers should not be persecuted, because the damage their creations have done was not their immediate fault.
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
A $1000 reward for a guy wanted on 35 counts? Cheapskates! Add a couple zeros to the back and I'll drag the guy in myself.
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
So what you're saying is that we should treat computer programs-- which are nothing but a series of instructions, potentially human-readable instructions, that just happen to be written in a language that a machine can interpret--
In the same way we treat real-world devices designed for and capable of killing very large numbers of people?
Hmm.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
IANAL, but if a gun maker named their pistol "Felon's Favorite"(TM) or "Rob-Rite"(TM), then I'm sure they would be susceptible to either civil or criminal legal pleasantries.
Are there legitimate uses of this code? If so, then why didn't the author market it strictly for those uses and name it something a little less felonious than "Lover Spy?"
Two wrongs don't make a right, but three lefts do.
and we'll call it even
I mean, my friend says he'll bring the guy in and he and the feds can call it even...
R(k)
How does an e-card install malicious software??? I suspect that perhaps what is going on is that he set up the server that served the e-cards, in order to infect users who opened the cards. If that's the case, he didn't just write the software, he installed it on computers without owners' and users' permission.
TFA doesn't explain this very well. Couldn't find an antivirus page about it, but here's another page mentioning the tool.
If hacking is a violation, then Linux must be illegal.
:-/
Yes, I know they mean that differently, but once laws outlaw "hackers", I wouldn't want to be counted as one..
Truth is in the eyes of the power-holder..
|| Geshem ||
I actually live in San Diego and read this article yesterday. If it is the same article, this guy marketed it as a program to spy on your significant other. I think that is where the law gets him. If you distribute some code that's a trojan and slap on, "Educational purposes only, do not use on anyone without their permission, I am not responsible for your actions", then it seems the law is much more lenient. But this guy was marketing it as a tool that you send (like a greeting card) to check on your gf/bf to see if they are cheating.
No this trial doesn't mean coders are responsible for their users' actions, just responsible for how they say their program should be used
On a side note, this company started in 2001 - took 4 years for the FBI to notice & catch him. Kind of funny.
Why of all things should you not be responsible for creating a software intended for potentially criminal purpose (here: spying on users) and giving it to people who will use it?
It's not that. Many people who (of course) haven't RTFA miss the point. This isn't software which someone buys and then installs on their target's computer themselves. What they do is sign up at the site and then have that site send out an email with "You have a greeting card..." message. The victim clicks on the link to the website and views the card while, at the same time, this spyware is installed on their system automatically. So the end-user isn't the one doing the hacking and installation -- the guy running the site is the one who, in effect, does it all.
The end users are scumbags for using the service, but it's the guy who wrote it and put it up on the website and caused victims' computers to be compromised who is the guilty party here. This has nothing to do with distributing software.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
This begs the question: if you develop and sell a software product, are you responsible for what your users choose to do with it?
The question boils down to the intent of the author. If the program, when considered as a whole, cannot be reasonably construed to have alternative non-damaging or benign uses then it serves to demonstrate the malicious intent of the author and therefore it becomes possible to assign some responsibility for the actions of users to the original author(s). Software engineers, like other engineers, must have some code of ethics that governs the standard and intent of the programs that we produce. If you write a virus, worm, spam ware, or other "evil" type of application then you are responsible for the damage you cause to other people. You cannot demonstrate vulnerabilities or exploit code to prove a point while damaging other people's property in the process. In this case it seems that the author in question, Carlos Enrique Perez Melara, is indeed responsible for malicious intent in the collateral damage that his software caused.
If the Supreme Court decision, in its recent case regarding P2P software, is followed, the makers of software may be responsible for the illegal use of their products. All it takes is a reasonable (for some value of reasonable) chance that users will put your software to illegal uses and you get a ticket to jail or years of penury as you attempt to pay off the civil penalties that may be assessed against you. Now all it will take is for the FBI to discover that some "potential terrorist" used this software and Mr. Perez can kiss his rights to trial, an attorney, etc. goodbye thanks to THE PATRIOT Act.
Just my $.02,
Ron
Impeach Barack Obama for violating the Constitutional requirement to be a "natural born" citizen to hold the office of P
This mis-use of "begging the question" arose in the 1980s.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
"Begs the question" is a term of art in logic and debate. It's also pretty simple English, meaning "demands that we ask." To insist that *only* the term of art can be used, and the plain, simple English meaning is off-limits, is just annoying -- especially when the plain English meaning makes so much sense, and the term of art is a terrible way to describe what you mean. Besides getting to make fun of people who don't know the phrase, there's just no reason to name the logical fallacy that way.
All it takes is a reasonable (for some value of reasonable) chance that users will put your software to illegal uses and you get a ticket to jail or years of penury as you attempt to pay off the civil penalties that may be assessed against you.
This is a blatant and gross misrepresentation of the SCOTUS decision you mention. What it took in that case was quite a load of evidence that the companies in question deliberately planned to profit, albeit indirectly, from illegal uses.
"She sent me a greeting card on the Internet through my e-mail and that's how she got into my computer," she said. "She had access to everything."
How does reading plain text let someone into your computer?
Regarding a well publicized computer espionage case.
It seems the authors of the spying tool used in this case were arrested in the UK and are being turned over to Israel for justice.
This raises the same moral question, whether an author of the tool is responsible for the way it's being used.
Should Fire Arms companies be held responsible whenever someone uses their branded rifle to commit a crime?
Sigs are for the weak.
I'm not in favour of what he's done, but getting 175 years in prison for writing a program?
You can get less for killing a man. No wonder the prisons are already full.
Perhaps it's time to realize that it's not always the solution to lock people up for what they have done.
There are no atheists when recovering from tape backup.
I hate this constant bitching about the use of the word "hacker". Words are generally used to communicate. The word "cracker" is a word used by a small minority of geeks, and its sole purpose is to allow the users of said word to bitch about the people who don't use it. It certainly doesn't serve the purpose of communication as most people don't even know the purported meaning of the word in this context. Words whose sole purpose is to beat other people really aren't nice and the world is better off both without the word, and without those people who insist on using it.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
He sold this? I know it was a misspelling, but it was a little funny. Ok, a really little.
"I hate this constant use of the word "hacker" when the correct usage of the word should be "cracker"."
Hacking has been used to mean breaking into a computer system for decades. People are trying to change this term to cracker, not the other way around, as you suggest with "It is the media that is poisoning the word"
Vote for Pedro
How much do you want to bet that some high ranking official at the San Diego FBI office was caught cheating or at least had his email read by this program? :)
Rats would be more funny if they could fart.
...when they catch the &*$&# bastards that write shit like Aurora or CoolWebSearch. Now THAT would be time for some mob justice!
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
I've used hacking methods a number of times to help friends play practical jokes on other friends. But the only times I've ever been offered money was from requests to crack access to computers and emails of significant others.
I was amazed at how many people have no problem snooping on others, so I'm positive the guy providing this "Lover's Spy" service has made enough money to cover legal expenses, his eventual fine, and still have a nice sum left over.
Another part is simply if the product in question has a substantial legal use. If you make something that basically can only be used to break the law, it's probably illegal to sell. A back door program to a computer isn't illegal, there are plenty of them out there. What makes this one different is that it tries to sneak on to a computer without the owner's permission.
Now there's really not any substantial legal use for that. Sure you could come up with some extremely unlikely scenario but generally speaking, there's no legit reason for it.
Combine that with the fact that it's being advertised to be used to break the law and it's a lock.
First off the guy advertised the program solely as a product to spy on your lover or other people and did so by spamming. Secondly the software was not something the purchaser downloaded and installed on a machine on their own, it sent out an e-card, which directed the recipient/victim to visit a web site run by Perez. Said website then exploited a security hole in IE and installed the spyware in the background without any warning to the victim. Finally the software sent a copy of everything it recorded (and it even logged keystrokes) to Perez as well as the people who paid to spy on someone with it.
The FBI isn't going to need the PATRIOT Act to bust this guy and this guy's not the least bit innocent. He promptly disappeared after they seized his computers, so it's pretty clear he knew what he was doing was illegal as well.
>> if you develop and sell a software product, are you responsible for what your users choose to do with it?
That's a good question. Why don't you write Dr. Kevorkian a letter and ask him what he thinks?
That doesn't make a lick of sense. Dr. Kevorkian advertised and performed euthanasia. As good-intentioned as he may have been, what he did was illegal.
I want to preface this with the fact that I'm not defending spyware authors. I hate that crap with a passion, but I feel this issue should be addressed.
The real question should be: if someone takes a program - that was created with and advertised to have fully legal intentions - and uses it in an illegal way, should the author of the program be held responsible because the criminal breached their license?
I'm not talking about programs that obviously have a malicious intent (spyware, viruses), but legal things, such as keyloggers intended to be used for family computers. If someone uses that program in an act of federal espionage, should the author of the program be held responsible?
How about "ping.exe?" Should Microsoft be held responsible for the various DDoS attacks because the majority of the zombies simply use "ping" to flood their victims' machines?
What about Mozilla? Should they be held responsible because someone could send a virus via their program?
If a program's intent is legal, and someone uses it illegally, should the author be held responsible?
He sold this for the sole purpose of being installed into a system (in violation of the law) and sending the data out.
This is creating and selling a product whose sole purpose is to commit a crime.
Fight Spammers!
The reason he's not responsible for the activities of his customers is called Ownership. The maker or inventor of a product is not responsible for the use his creation is put to after he sells it because he no longer OWNS it. He has no control over it, no knowledge of its use or condition.
This is a direct result of the concept of private property. If what's mine is mine, in a free society nobody else has any claim to or control over what's mine. If I buy a thing it becomes mine, and all benefits and consequences from its use or abuse become mine also.
Take your issue of selling the tank to Iran. Let us, for the sake of argument, agree with your assertion that the tank maker is responsible for the use his machines are put to by the Iranian government.
Tanks are made of steel. If I make steel and sell it to the tank manufacturer, am I responsible for the tank he sells to Iran as well? How about the miners who dug up the iron ore? How about the caterers who fed the miners? How about the shipping company that delivered the ore?
Private property. Important concept. Personal responsibility, different concept, also important.
From the article, he collected all the information that was being sent to his clients. So he didn't just sell the software, he was collecting information that could have been used for identity theft, credit fraud, blackmail, etc.
This wasn't a simple case of selling software with the potential for abuse -- the retailer himself was one of the abusers.
I do not fail; I succeed at finding out what does not work.
This month, the Senate passed the bill protecting gunmakers from liability for the use of their products in crimes.
--
make install -not war
A simple google search for "Lover Spy" included Symantec's reference to it on the first page of results. See http://securityresponse.symantec.com/avcenter/venc/data/spyware.loverspy.html for details.
Note also that it's been detected since October 2003, so I really don't have that much sympathy with the victims. The guy who sold this software deserves far worse than arrest and incarceration, but the victims who claim they had current anti-virus software updates installed are full of it.
I do not fail; I succeed at finding out what does not work.
McAfee also has detected this issue since 2003, see http://vil.nai.com/vil/content/v_100716.htm
This one was tougher to find. I had to go to McAfee's site and use their virus information database search tool instead of google.
I do not fail; I succeed at finding out what does not work.
I hadn't caught the bit in the article about the "company" that sold the software being shut down in October 2003 -- a couple of weeks before Symantec and McAfee released detection of the problem.
So my apologies to the people who had current AV software but got burned.
I do not fail; I succeed at finding out what does not work.
Gator, CyDoor, et al actually get to make money doing this, why haven't they been arrested?
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
Ownership is not a defense if the product is sold with the understanding that it will be used for illegal purposes.
Heaven forbid people wish to keep something they associate themselves with from having a bad connotation. Especially when it did not always have such a bad one.
While this may be true in the U.S., it is not true everywhere. I remember a case in Ontario, Canada where an artist was convicted of producing child pornography because of drawings depicting children with their genitals in plain view (though, IIRC, there was no overt sexual activity going on). Part of the justification for the conviction was that such materials appealed to a prurient interest and had no redeeming artistic value. IOW, they were harmful not to the fictitious children represented therein, but to society in that they would induce others to molest children.
Indeed (and it's been a while so I might misremember this part), part of the controversy surrounding the case arose because of the artist's use of such drawings as a release mechanism for his own pederastic impulses even though he never molested any children.
Furthermore, depictions of child pornography or molestation are also illegal: it doesn't matter if the model is an adult, if s/he looks under age, the material is pornographic, and thus illegal. The complexities of "looks under age" make this a nightmare for producers of adult pornography who might wish to cater to a market that likes to see young women doing naughty things.
There are even worse implications. There used to be an award winning TV program, "Degrassi Jr. High" which dealt with issues faced by, well, Jr. highschool kids. One episode addressed the subject of child sexual abuse by a teacher, and the question arose whether a depiction of such abuse (toned down enough for network television via use of strong innuendo) violated the decency laws.
The standard in Canada is (or at least was -- I've not kept up with the law) that if something is found obscene by anyone, it *is* obscene. Thus, museums showing classical art have often covered famous nude paintings, lest they offend someone and the directors face criminal charges. This extends to kissing in public: at what point is such a display obscene and flies right in the face of discrimination laws: are a gay couple kissing in public protected by the anti-discrimination laws, whereas a straight couple isn't?
You could've hired me.
"What happened to just paying for a product without being constantly nibbled to death by Credit Card Ducks?"
Gee, my message got tagged as flame-bait. I wonder if you were the only person who actually understood my point, even if you disagreed with it.
My understanding of Kevorkian's case is that he never performed euthanasia, he merely facilitated other people's efforts to end their lives by building simple contraptions that they could easily use to do so. Maybe I read wrong.
But in this way, I still think I have a valid, if unsophisticated, point. Can anyone construct and distribute anything that they want without regard to how it can be used?
That's just a rhetorical question, since there are a large number of existing laws and court rulings that hold creators accountable for the things that they create. (This is very out of step with the local Slashdot pathos, I know.)
You have some good points and mostly I agree with you but we're not really interested in the simplistic example of ping.exe. It's in the gray areas where things get interesting.
I don't like it when some people blame others for their problems and sue, sue, sue. By the same token, I don't like software developers who automatically assert holy immunity.
I think people are really confused about this. He isn't in trouble for the creation of the hacking tool, he's in trouble for providing services and profiting by helping gain access to others' systems. The term "spyware" was used to mean a tool to spy on others here, it's not the normal semi-legal type spyware like gator. Just poor choice of words by a few different people. So all comparisons to companies like gator or operating systems being hacker's tools don't fit. He was never in trouble for creating the tool, our rights aren't threatened, nothing to see here.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
I think you meant Confucius?
Begging a question is asking a question that implicitly assumes something is true that the author is trying to get you to believe. See also http://www.wsu.edu/~brians/errors/begs.html
That would make the sentence mean you are responsible for what your users choose to do with it, which is arguably false.
--dave
davecb@spamcop.net
Whoosh!
(Hint: The words/phrases "jenny say qua" and "split", among others, should have given it away.
Ever heard of Norm Crosby?
Sigh.
Kids today.)
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Actually, no. If you lived in Canada for any length of time, you might find that "Canadian Enlightenment" has many negative undesirable effects. Universal health care, for example, has led to long waits for service and a shortage of qualified doctors.
I'm one of those apparently rare Canadians that sees the U.S. "way of doing things" as far better than what is done in Canada -- yes I've seen the pros and cons of "both ways" and overall find the U.S. far more enlightened (at least in principle, if not in practice) in realizing that "there is no such thing as a free lunch". Yes, this sometimes leads to bad things. But, the alternative is even worse. Others, on either side of the border, may see things differently.
You could've hired me.
Universal health care, for example, has led to long waits for service and a shortage of qualified doctors
This shortsighted, irrelevant, offtopic comparison shows your complete lack of understanding. Universal health care is not the cause of long wait lines or qualified doctors. If that were the case, European countries with similar health systems would have similar problems.
Canadians (as a rule) do not think of health care as a "free lunch" as you seem to imply. We know, and (for the most part) willingly pay higher taxes for our social safety net that results in Canada repeatedly placing above the US as one of the best countries to live.
No European country has universal health care of the kind Canada has: same level of care for everyone regardless of an ability to pay for more which is illegal for covered services in Canada. Despite a Supreme Court ruling that it is unconstitutional to prevent a patient from paying a doctor for preferential service, Quebec intends to invoke the notwithstanding clause of the Canadian constitution to overrule the court! (Only in Canada, sigh.)
Many European countries have two-tier health care systems, where a different level of service is available to those who can pay and this seems to be more effective.
We know, and (for the most part) willingly pay higher taxes for our social safety net that results in Canada repeatedly placing above the US as one of the best countries to live.
Best for who? Certainly not for me. That's why I left. Best perhaps for those who can not or will not support themselves with the fruits of their own labour.
The bottom line is that I find it far better to risk not having access to health care if I become destitute than to have to wait when I have the money to pay for care that a willing doctor can provide immediately. Willing to take that risk translates into more after-tax dollars that I can, guess what?, save for a day that I might become so destitute.
Others, on either side of the border, are free to disagree.
But, the reason many Canadians become angry with my personal choice is that their "system" depends on people like me to fund it, and we are leaving in droves, because, for us, it offers no value -- it is very poor insurance from a financial perspective. While some income redistribution to help the truly poor might be arguably justified, the inefficiencies and amount of such redistribution in Canada is truly horrific -- a properly run system would find the funds to help the poor by the savings inherent in large economies of scale. Clearly, this has not happened.
Canada relies on brainwashing its productive citizens to become willing tax-slaves. Not this one.
You could've hired me.
Man, the 1980's just loves to screw up words, don't they? After all, that decade is what happened to our beloved "hacker" as well.
I believe you mean 'h4x0r'. The 90's changed the spelling to avoid confusion after the horrendous mistakes of the 80's.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
That's because the seller is part of a criminal enterprise, which is different than simple commerce.
I know this is off topic, but, as a Canadian living in the US and with two uncles who died of cancer because they were not diagnosed until after their cancers had metastasized, I beg to differ. In both cases, my father (a MD) told them that they should have necessary tests done and therapy started, but the Canadian system didn't allow them to cut the queue. When, six months and eights later, the Canadian system finally got to them, they were past saving.
Because they trusted the Canadian system, neither of them took Dad up on his offer to pay for them to go to California for proton beam treatment when he initially suspected trouble. Both of them died early because of that trust. I love Canada, but the medical program, along with the NDP party are both farces.
What you're proposing is changing English usage rather than correcting it. Deliberately changing the English language like this is very hard and I doubt you'll succeed. But it's not impossible, eg. the change of the meaning of the word 'gay' within my lifetime.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
The software that this guy sold was packaged as an email greeting card that you email to the person you intend to spy upon. The trojan spying software secretly installs itself when the person reads the card. How could you possibly believe that there wasn't an implicit understanding on the part of the seller that it would be used for illegal purposes? Especially when it was explicitly marketed as being handy for illegal purposes?
Not sure if anyone else noticed this at the bottom of the article: "The FBI began investigating after getting a tip from someone who got e-mail spam from the company. Perez was present when agents raided his apartment and took his computers Oct. 10, 2003, but has since disappeared, Roberts said." Oh, he was there Two Fucking Years ago, but now, he's not? The FBI's giving some nice running starts lately, eh? I wonder why it took so long to indict him. =/