Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com)

← Back to Stories (view on slashdot.org)

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com)

Posted by EditorDavid on Saturday January 14, 2017 @06:49AM from the write-a-keylogger-go-to-jail dept.

An anonymous reader quotes Motherboard: A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.
The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.

21 of 181 comments (clear)

Min score:

Reason:

Sort:

Illegal product? by sinij · 2017-01-14 06:52 · Score: 4, Insightful

Heavy-handed over-reaction. 10 years?! Unless this was self-spreading malware, the issue here is that kid a) talked to feds b) couldn't afford decent lawyer.
1. Re:Illegal product? by Richard_at_work · 2017-01-14 07:02 · Score: 5, Interesting
  
  Congratulations, the marketing speak of the headline worked 100% on you, you must be proud of the fact that you fall into the headline writers perfect audience demographic of suggestibility.
  He won't get anything like 10 years, that's the maximum possible. The headline is designed to whip you into an outraged state, nothing more.
2. Re:Illegal product? by Anonymous Coward · 2017-01-14 07:08 · Score: 2, Insightful
  
  That's nothing. I've heard people sell guns too.
3. Re:Illegal product? by 0100010001010011 · 2017-01-14 07:23 · Score: 2
  
  > " 16000 people had their property invaded for nefarious purposes!
  Did he do it or did he make the tool?
  Or are we going to start going after Smith & Wesson now too?
4. Re: Illegal product? by Dahamma · 2017-01-14 07:38 · Score: 2, Insightful
  
  If he had been consistent to market it as an auditing system, he might have been ok. But instead he marketed is on sites like "Hack Forums" specifically for the purpose of... hacking. And that was illegal. Intent matters (and in fact was probably what the case hinged on).
5. Re:Illegal product? by Dahamma · 2017-01-14 07:43 · Score: 3, Insightful
  
  The problem is, it's not illegal to manufacture or sell guns that are used in a crime. It's illegal to sell malware that is used to commit a crime.
  Maybe we should go after Smith & Wesson. But not until it's made illegal. I think you are conflating legality with morality here.
6. Re:Illegal product? by Motherfucking+Shit · 2017-01-14 08:35 · Score: 4, Insightful
  
  Perhaps he shouldn't have been engaged in criminal activity and his life would be just fine.
  
  Contrariwise, perhaps selling software shouldn't be criminal activity.
  
  --
  "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
7. Re: Illegal product? by AK+Marc · 2017-01-14 08:55 · Score: 4, Insightful
  
  A kid makes a clone of https://en.wikipedia.org/wiki/... and faces prison time for it? Since one is still available, and the other is criminal, yet they are quite similar, seems his crime was not being rich enough to buy his rights.
  
  Someone should try to bring justice back to the justice system.
  
  --
  Learn to love Alaska
8. Re: Illegal product? by BlueStrat · 2017-01-14 09:07 · Score: 3, Funny
  
  Someone should try to bring justice back to the justice system.
  Sorry, I think that's been made illegal. How's a third-rate alcoholic prosecutor to make a name for himself that way?
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
9. Re:Illegal product? by admin7087 · 2017-01-14 12:08 · Score: 2
  
  The issue is that the kid sold the software to the wrong people. If he had sold it to the FBI instead, he'd be a 100,000$ richer now.
10. Re:Illegal product? by Aighearach · 2017-01-14 12:45 · Score: 4, Insightful
  
  Smith & Wesson does not advertise their product as a tool to use for robbery. If they started putting posters up in rough neighborhoods telling people where to buy it without a background check, and then one of those weapons purchased that way was used in a murder, then they would be responsible.
  That is the difference. Smith & Wesson makes a product and only advertises legal uses of their product, and there are many legal uses. So no problem!
  This guy made a tool and advertised it as being useful in committing crimes. That is part of that he was accused of in the first place. If he had advertised it as a debugging tool for programmers, and advertised it in normal places, then no problem! Keyloggers are legal. But malware intended to be installed without permission is not. And if only advertised it in normal places, he might not get any sales, because programmers wouldn't pay for that they would just download and compile one, or use the one that came with one of their pen testing tools.
  If you make security tools available to ignorant criminals who couldn't do it on their own, that will turn out to be provable and you will be punished.
  Just like, if you opened a martial arts dojo and advertised it as a way to be better at assaulting people, and one of your students then assaulted somebody, you'd have problems! Whereas if you keep your mouth shut and don't try to capitalize on the illegal uses of fighting arts, then no problem! Then if your student assaults somebody it is only bad PR.
  It isn't enough that there is some theoretical legal use for something. You have to also NOT be claiming that it is really for an illegal use. ;)
11. Re:Illegal product? by arth1 · 2017-01-15 04:32 · Score: 2
  
  The 2nd amendment is pretty simple, as long as you're a person, you're right to have a gun is not to be infringed.
  Your right to have a gun in order to form a well regulated militia shall not be infringed. Show me what well regulated militia you are joining, and I'll sell you the gun.
Never write a keylogger. by HornWumpus · 2017-01-14 06:52 · Score: 5, Insightful

Write an input debugger with logging instead.

--
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
1. Re:Never write a keylogger. by Anonymous Coward · 2017-01-14 08:28 · Score: 2, Funny
  
  Or just upgrade to Windows 10.
Illegal? by Dan+East · 2017-01-14 06:57 · Score: 5, Insightful

I'm curious what aspect of this was illegal. The keylogging itself isn't illegal. If someone buys and installs keylogger software on devices they own, that's not illegal. If someone installs software of that kind on someone else's device, without the owner's permission, then the person who did the installation broke the law. Not the author of the software.
Both articles are vague in that regard, but one states,

intentionally cause damage without authorization
,
Which may mean the software had the capability to erase files or do something harmful besides capturing data.
Unless the software actively multiplied and installed itself without permission somehow, it would seem to me that the customers are (in some specific cases) the guilty parties.

--
Better known as 318230.
1. Re:Illegal? by CaptainDork · 2017-01-14 07:04 · Score: 2
  
  And that's why you aren't a lawyer.
  
  --
  It little behooves the best of us to comment on the rest of us.
2. Re:Illegal? by NoNonAlphaCharsHere · 2017-01-14 07:38 · Score: 3, Insightful
  
  I think what's really interesting here is that the keylogger is described as an "illegal product" in a United States Attorney's Office press release. Those guys are lawyers, and they know the product itself is NOT illegal.
3. Re:Illegal? by sabt-pestnu · 2017-01-14 13:45 · Score: 2
  
  A liar for pleading guilty while innocent? You're really asking that.
  What would your choice be?
  - 2 years of probation, and a $6,000 lawyer bill that you can hope to pay off, or...
  - 2 years in jail after losing a one year court fight, with an attorney fee of ~$150,000 that you have no hope of paying off in under 30 years.
  Please, tell me whether you'd lie and plead guilty, or mortgage your future and go to jail anyway?
Re:And yet .... by JustAnotherOldGuy · 2017-01-14 07:56 · Score: 3, Insightful

How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?
Presumably because they can't monitor your mouse movements and key strokes when you're on another site that isn't theirs.
Yahoo is welcome to monitor your mouse movements and key strokes when you're on Yahoo, but If Yahoo could monitor your mouse movements and key strokes when you were on CNN or Google, then there would be a problem, no?

--
Just cruising through this digital world at 33 1/3 rpm...
Damn... by EmeraldBot · 2017-01-14 08:14 · Score: 3, Insightful

Surely a stern talk and a 100 hours of community service would be a saner approach? He didn't do anything other than sell a tool, and while it's dubious where and who he sold it, he hasn't actually committed a crime yet, and it's not like a keylogger doesn't have legitimate purposes, nor is it illegal to possess one. Fucking over some kid for the rest of his life, in an environment where he's almost certain to repeat an offence, and turning him into a perpetual lifelong drain on the public, is not the answer - for either us or him. Yet another demonstration of my country's collective idocacy...

--
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
Exact wording. by will_die · 2017-01-14 09:30 · Score: 4, Interesting

From on or about August 2013 through on or about March 17,2015, in the Eastern District of Virginia and elsewhere, the defendant, ZACHARY LEE SHAMES, knowingly and intentionally aided and abetted the commission of computer intrusions, in violation of 18U.S.C. ÂÂ 1030(a)(5)(A) and 2. In particular, attimes listed above, in the Eastern District of Virginia andelsewhere, SHAMES designed, marketed and sold certain malicious keylogger software, knowing that the software was going tobeused to knowingly cause the transmission ofa program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization to 10 or more protected computers during any one year period.
(All in violation of Title 18,United States Code, Section 1030(a)(5)(A) and 2)

https://regmedia.co.uk/2017/01...
So what he plead guilty to was developing the software and then knowingly selling it people who would be breaking the law. If he had marketed it toward the general public instead of marketing to crackers it would of not been a problem. For example I can sell and train people in lock picking all I want, however if someone comes up to me and says they want to break into a house with type X lock and want training and tools and I sell it to them then I am in trouble.