Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com)

Posted by EditorDavid on from the write-a-keylogger-go-to-jail dept.

An anonymous reader quotes Motherboard: A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.
The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.

13 of 181 comments (clear)

  1. Illegal product? by sinij · · Score: 4, Insightful

    Heavy-handed over-reaction. 10 years?! Unless this was self-spreading malware, the issue here is that kid a) talked to feds b) couldn't afford decent lawyer.

    1. Re:Illegal product? by Anonymous Coward · · Score: 2, Insightful

      That's nothing. I've heard people sell guns too.

    2. Re:Illegal product? by Anonymous Coward · · Score: 0, Insightful

      He won't get anything like 10 years, that's the maximum possible.

      And it's intended to force him to plea guilty, rather than attempt to defend himself. Who wants to risk 10 years in prison? The prosecutor gets another notch in his belt and this guy's life is ruined. Unconscionable.

    3. Re: Illegal product? by Dahamma · · Score: 2, Insightful

      If he had been consistent to market it as an auditing system, he might have been ok. But instead he marketed is on sites like "Hack Forums" specifically for the purpose of... hacking. And that was illegal. Intent matters (and in fact was probably what the case hinged on).
       

    4. Re:Illegal product? by Dahamma · · Score: 3, Insightful

      The problem is, it's not illegal to manufacture or sell guns that are used in a crime. It's illegal to sell malware that is used to commit a crime.

      Maybe we should go after Smith & Wesson. But not until it's made illegal. I think you are conflating legality with morality here.

    5. Re:Illegal product? by Motherfucking+Shit · · Score: 4, Insightful

      Perhaps he shouldn't have been engaged in criminal activity and his life would be just fine.

      Contrariwise, perhaps selling software shouldn't be criminal activity.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    6. Re: Illegal product? by AK+Marc · · Score: 4, Insightful

      A kid makes a clone of https://en.wikipedia.org/wiki/... and faces prison time for it? Since one is still available, and the other is criminal, yet they are quite similar, seems his crime was not being rich enough to buy his rights.

      Someone should try to bring justice back to the justice system.

      --
      Learn to love Alaska
    7. Re:Illegal product? by Aighearach · · Score: 4, Insightful

      Smith & Wesson does not advertise their product as a tool to use for robbery. If they started putting posters up in rough neighborhoods telling people where to buy it without a background check, and then one of those weapons purchased that way was used in a murder, then they would be responsible.

      That is the difference. Smith & Wesson makes a product and only advertises legal uses of their product, and there are many legal uses. So no problem!

      This guy made a tool and advertised it as being useful in committing crimes. That is part of that he was accused of in the first place. If he had advertised it as a debugging tool for programmers, and advertised it in normal places, then no problem! Keyloggers are legal. But malware intended to be installed without permission is not. And if only advertised it in normal places, he might not get any sales, because programmers wouldn't pay for that they would just download and compile one, or use the one that came with one of their pen testing tools.

      If you make security tools available to ignorant criminals who couldn't do it on their own, that will turn out to be provable and you will be punished.

      Just like, if you opened a martial arts dojo and advertised it as a way to be better at assaulting people, and one of your students then assaulted somebody, you'd have problems! Whereas if you keep your mouth shut and don't try to capitalize on the illegal uses of fighting arts, then no problem! Then if your student assaults somebody it is only bad PR.

      It isn't enough that there is some theoretical legal use for something. You have to also NOT be claiming that it is really for an illegal use. ;)

  2. Never write a keylogger. by HornWumpus · · Score: 5, Insightful

    Write an input debugger with logging instead.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  3. Illegal? by Dan+East · · Score: 5, Insightful

    I'm curious what aspect of this was illegal. The keylogging itself isn't illegal. If someone buys and installs keylogger software on devices they own, that's not illegal. If someone installs software of that kind on someone else's device, without the owner's permission, then the person who did the installation broke the law. Not the author of the software.

    Both articles are vague in that regard, but one states,

    intentionally cause damage without authorization

    ,
    Which may mean the software had the capability to erase files or do something harmful besides capturing data.

    Unless the software actively multiplied and installed itself without permission somehow, it would seem to me that the customers are (in some specific cases) the guilty parties.

    --
    Better known as 318230.
    1. Re:Illegal? by NoNonAlphaCharsHere · · Score: 3, Insightful

      I think what's really interesting here is that the keylogger is described as an "illegal product" in a United States Attorney's Office press release. Those guys are lawyers, and they know the product itself is NOT illegal.

  4. Re:And yet .... by JustAnotherOldGuy · · Score: 3, Insightful

    How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?

    Presumably because they can't monitor your mouse movements and key strokes when you're on another site that isn't theirs.

    Yahoo is welcome to monitor your mouse movements and key strokes when you're on Yahoo, but If Yahoo could monitor your mouse movements and key strokes when you were on CNN or Google, then there would be a problem, no?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  5. Damn... by EmeraldBot · · Score: 3, Insightful

    Surely a stern talk and a 100 hours of community service would be a saner approach? He didn't do anything other than sell a tool, and while it's dubious where and who he sold it, he hasn't actually committed a crime yet, and it's not like a keylogger doesn't have legitimate purposes, nor is it illegal to possess one. Fucking over some kid for the rest of his life, in an environment where he's almost certain to repeat an offence, and turning him into a perpetual lifelong drain on the public, is not the answer - for either us or him. Yet another demonstration of my country's collective idocacy...

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."