Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com)

Posted by EditorDavid on from the write-a-keylogger-go-to-jail dept.

An anonymous reader quotes Motherboard: A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.
The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.

8 of 181 comments (clear)

  1. Illegal product? by sinij · · Score: 4, Insightful

    Heavy-handed over-reaction. 10 years?! Unless this was self-spreading malware, the issue here is that kid a) talked to feds b) couldn't afford decent lawyer.

    1. Re:Illegal product? by Richard_at_work · · Score: 5, Interesting

      Congratulations, the marketing speak of the headline worked 100% on you, you must be proud of the fact that you fall into the headline writers perfect audience demographic of suggestibility.

      He won't get anything like 10 years, that's the maximum possible. The headline is designed to whip you into an outraged state, nothing more.

    2. Re:Illegal product? by Motherfucking+Shit · · Score: 4, Insightful

      Perhaps he shouldn't have been engaged in criminal activity and his life would be just fine.

      Contrariwise, perhaps selling software shouldn't be criminal activity.

      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    3. Re: Illegal product? by AK+Marc · · Score: 4, Insightful

      A kid makes a clone of https://en.wikipedia.org/wiki/... and faces prison time for it? Since one is still available, and the other is criminal, yet they are quite similar, seems his crime was not being rich enough to buy his rights.

      Someone should try to bring justice back to the justice system.

      --
      Learn to love Alaska
    4. Re:Illegal product? by Aighearach · · Score: 4, Insightful

      Smith & Wesson does not advertise their product as a tool to use for robbery. If they started putting posters up in rough neighborhoods telling people where to buy it without a background check, and then one of those weapons purchased that way was used in a murder, then they would be responsible.

      That is the difference. Smith & Wesson makes a product and only advertises legal uses of their product, and there are many legal uses. So no problem!

      This guy made a tool and advertised it as being useful in committing crimes. That is part of that he was accused of in the first place. If he had advertised it as a debugging tool for programmers, and advertised it in normal places, then no problem! Keyloggers are legal. But malware intended to be installed without permission is not. And if only advertised it in normal places, he might not get any sales, because programmers wouldn't pay for that they would just download and compile one, or use the one that came with one of their pen testing tools.

      If you make security tools available to ignorant criminals who couldn't do it on their own, that will turn out to be provable and you will be punished.

      Just like, if you opened a martial arts dojo and advertised it as a way to be better at assaulting people, and one of your students then assaulted somebody, you'd have problems! Whereas if you keep your mouth shut and don't try to capitalize on the illegal uses of fighting arts, then no problem! Then if your student assaults somebody it is only bad PR.

      It isn't enough that there is some theoretical legal use for something. You have to also NOT be claiming that it is really for an illegal use. ;)

  2. Never write a keylogger. by HornWumpus · · Score: 5, Insightful

    Write an input debugger with logging instead.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  3. Illegal? by Dan+East · · Score: 5, Insightful

    I'm curious what aspect of this was illegal. The keylogging itself isn't illegal. If someone buys and installs keylogger software on devices they own, that's not illegal. If someone installs software of that kind on someone else's device, without the owner's permission, then the person who did the installation broke the law. Not the author of the software.

    Both articles are vague in that regard, but one states,

    intentionally cause damage without authorization

    ,
    Which may mean the software had the capability to erase files or do something harmful besides capturing data.

    Unless the software actively multiplied and installed itself without permission somehow, it would seem to me that the customers are (in some specific cases) the guilty parties.

    --
    Better known as 318230.
  4. Exact wording. by will_die · · Score: 4, Interesting

    From on or about August 2013 through on or about March 17,2015, in the Eastern District of Virginia and elsewhere, the defendant, ZACHARY LEE SHAMES, knowingly and intentionally aided and abetted the commission of computer intrusions, in violation of 18U.S.C. ÂÂ 1030(a)(5)(A) and 2. In particular, attimes listed above, in the Eastern District of Virginia andelsewhere, SHAMES designed, marketed and sold certain malicious keylogger software, knowing that the software was going tobeused to knowingly cause the transmission ofa program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization to 10 or more protected computers during any one year period.
    (All in violation of Title 18,United States Code, Section 1030(a)(5)(A) and 2)

    https://regmedia.co.uk/2017/01...
    So what he plead guilty to was developing the software and then knowingly selling it people who would be breaking the law. If he had marketed it toward the general public instead of marketing to crackers it would of not been a problem. For example I can sell and train people in lock picking all I want, however if someone comes up to me and says they want to break into a house with type X lock and want training and tools and I sell it to them then I am in trouble.