Should The FBI Have Arrested 'The Hacker Who Hacked No One'? (thedailybeast.com)
Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."
The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."
Mark Rumold, senior staff attorney at the EFF, tells Krebs "I don't read the government's complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this." Also skeptical is Allison Nixon, director of security research for New York City-based security firm Flashpoint. "Huddleston can claim the DRM is to prevent cybercrime, but realistically speaking the DRM is part of the payment system -- to prevent people from pirating the software or initiating a Paypal chargeback." Krebs writes:
Nixon, a researcher who has spent countless hours profiling hackers and activities on Hackforums, said selling the NanoCore RAT on Hackforums and simultaneously scolding people for using it to illegally spy on people "could at best be seen as the actions of the most naive software developer on the Earth. In the greater context of his role as the money man for Limitless Keylogger, it does raise questions about how sincere his anti-cybercrime stance really is."
And of course, the FBI's complaint also notes that the software was promoted on HackForums.net. The Daily Beast says Huddleston eventually realized "it was a terrible place to launch a legitimate remote administration tool. There aren't a lot of corporate procurement officers on HackForums," adding that at first Huddleston handed off the business, "while continuing to develop the code as an 'advisor' in exchange for 60 percent of every sale."
Slashdot reader Highdude702 believes Huddleston's arrest "is an outrage, and is a push too far, also in the wrong direction," calling it "the story of a script kiddie gone big time...arrested for being an accomplice to a crime committed by people he had never met, let alone knew well enough to commit crimes with."
What do Slashdot's readers think?
"I didn't murder someone" is a very commonly used claim among those who don't murder people. Would that "raise skepticism" and make one a target for a murder investigation? I don't think so. This is a chilling-effect arrest. They know this guy didn't hack someone, they're just trying to make the tool-makers' lives harder because the tools can be used for no good.
Well.. as outrageous as the OP makes it sound, you actually don't need to "hack" someone to break the law.
There are lots of laws out there. For starters, trafficking in software or devices which circumvent security measures is often illegal. "Using" said device isn't necessary to run afoul of the law.
The DMCA has strong anti-circumvention language for example. Other countries have similar laws.
Time to arrest the manufacturers of trucks that are used to plow into civilians, hey?
Almost every "hacking tool" has a beneficial use.
RAT is just like TurboTax. Each has an intended purpose (Remote Administration / Tax Filing). Each can be used by criminals (unauthorized system administration for ransom / filing another person's taxes for refund). Poor business decisions about where to promote your product for maximum intended purpose sales is not a crime. Improper use of the product is a crime.
Yes, they should. They should arrest him and make an example out of him. And now you should apply that same logic to anyone that builds weapons of any type. The entire panel of those that worked so hard to get the atomic bomb working also need to be taken in for war crimes.
I would be happy if he went to jail ONLY IF executives of arms manufacturing also went to jail for killing people. Otherwise hacking tools do not hack, it is people that hack.
Except that windows already comes built in with a remote administration tool. So, I guess everyone making and selling windows should be charged with trafficking in circumvention measures?
...every time the media kneejerkingly supports the bad guys!
On or about November 21, 2013, HUDDLESTON caused an activation email to be sent to a customer who had purchased the Limitless key logger, knowing that individual intended to use the Limitless key logger for the purpose of committing unlawful and unauthorized computer intrusions. The email contained the license serial code and instructions for how to download and activate the keylogger.
Guy is toast and rightly so.
Yup, also arrest the auto manufacturers, bicycle makers, kitchen knife forgers, car slim jim makers, ski mask knitters, on and on to the makers of anything that has ever been used in the committing of a crime. Why not the shoe companies as well since a lot of criminals run away wearing shoes.
This is so fucking stupid.
Going to a black hat hacker forum and saying "do not use this program to do such and such illegal things, which this program is totally capable of" is like those penis pills coyly warning users to "seek medical attention if erection lasts 4 hours or more."
If even the EFF is skeptical of this guy, there is probably much more damning evidence we are not privy to.
Make it simple and just arrest everyone attending white and black conventions.
That doesn't make it immoral. This is a case of opportunists making use of bad laws they likely lobbied for.
If you develop a hacking tool what else would you develop that for but hacking? It's a hacking tool right? You supply bomb making instructions to terrorists don't you think the FBI would be arresting you for it. People seem rather clueless as if they don't pull the trigger so they have no responsibility. I don't buy his defense and many court systems probably wouldn't either.
There is this argument in court called intent. What was your intent, if proven you can be as guilty as anyone else involved because of that intent.
This seems like an open and shut free speech case to me. Unless he gets a crap jury. I'd like to see us do away with those. The occasional legit jury nullification isn't worth all the people wrongly convicted because they're not personable enough to stand in front of a jury.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Are gun manufacturers held responsible for deaths caused by their products ? I guess you know the answer now
My first instinct was to say 'no' before I had even read the summary based on the argument that if this guy should be arrested for making a legal admin tool that's been misused by hackers then the CEO of Beechcraft should be arrested because his planes are used to run drugs as well as passengers and legal cargo. However, it then occurred to me that even the evil trinity of Donald Trump, Steve Bannon and Mitch McConnell could not have turned the FBI into the holy inquisition this quickly. There must be more to the story so I read the summary. If it is really true that this guy launched the marketing campaign for his 'admin tool' on black-hat hacker forums, I'd say they should at the very least drag him into an FBI field office for some serious questioning. There is a difference between your aircraft that you market for civilian purposes being used by criminals and you actively catering to the needs of criminals, concentrating your marketing on them and advertising in places that criminals frequent.
When I asserted my First and Second Amendment rights in a Slashdot discussion, some asshat went on and on and on for six weeks about how I threatened to shoot him. Never mind that neither amendment gave me a right to shoot him and I was using a named account with a link to my website that even the dumbest FBI agent could figure out who I was. The asshat later claimed that I was bullying him by writing up a blog post and posting the link (see below) when he was just "joking" about the false accusation that I threatened to shoot him. I'm still waiting for the asshat to make a snarky comment on my blog so I can capture the IP address and report him to the FBI.
https://www.kickingthebitbucket.com/2017/03/21/have-i-threatened-to-shoot-you-today/
:-/
So if we prove gun makers' true intentions they get to go to prison for murder? Or will they just point to the bullet makers?
Or is it really truly the fault of the one pulling the trigger?
Authorities need to focus on the real culprits and not just take the lazy way out.
Since we're operating under U.S. Federal law, our innocent until proven guilty developer will be able to force the prosecutors to prove their case and have a jury decide his fate. The government's case is this: if you're a developer of a legitimate remote admin tool and DRM tools, why are you marketing and supporting the product in a known criminally linked forum? What was your relationship with the convicted felon who distributed the Limitless keylogger tool? From the Krebs piece it appears he assisted (a prosecutor might say "conspired with") the developer of key logger crimeware to receive payments. This is a case of what did he know and when did he know it? This is not an easy case to prove, but there is probable cause to suspect something criminal was going on based on the totality of circumstances. The government will have its work cut out for it, but I think the "chilling" effect defense is weak. You're free to develop, market, and sell any type of RAT or DRM software you want. You cannot knowingly assist criminals commit cybercrime. Pretty simple in my book. If you think otherwise, hire a lobbying firm and buy your own legal exceptions to established laws like the gun lobby did ;)
ssh/putty and RDP handle linux/unix/bsd and Windows remote administration perfectly well. The major difference is that you can't set up an sshd/putty/RDP server on your machine by clicking on an email attachment. Question... what legitimate use-cases are there which ssh/putty/RDP don't handle?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
> So if we prove gun makers' true intentions they get to go to prison for murder?
Probably as an 'accessory to a crime' or 'aiding and abetting.' The legal system has been able to deal with this problem for a long time. If the bullet manufacturers' intentions can be proven, they will likely go to jail, too.
Of course that's an unlikely scenario.
"First they came for the slanderers and I said nothing."
How long have we got before creating security software is deemed to be a crime? Think VPNs and PGP. Should Zimmermann be worried?
That game looks a bit like a retextured Ikaruga.
If that's true: May $deity have mercy on your files!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hey I know that guy. I see him on /. all the time.
xD
Stallman Saint Neckbeard is a crazy demented old man who sucks his own toes and this story he wrote is a fantasy and the story is set in 2047 and that is 30 years from now so it has no relevance today.
The reality here is: If they want you, they will get you. Saying anything else is both stupid and dangerous.
Sadly, as the song goes, "first they came for the murderers, but I didn't say anything because I wasn't a murderer...", they will get away with it because they are the unopposed enemy. Unopposed, because everyone thinks that keeps them safe. But like the song ends: "then they came for me, and there was no one left to say anything." We will all find out that we are the last person standing sooner or later. Isn't the apathy of others great? The guy is being attacked because he made a tool, and they treat him as if he "pulled the trigger" himself. Any person who values freedom and justice should be against this, but most people won't be. So the new law of the land is: "It is illegal to create without government permission." What a great country.....
> Sadly, as the song goes, "first they came for the murderers, but I didn't say anything because I wasn't a murderer...",
Um, no actually, I actively cheer them on for catching murderers because I strongly believe murderers shouldn't be allowed free in society. I don't know what weird ideology you have that believes otherwise.
"First they came for the slanderers and I said nothing."
If this person is guilty of developing a remote admin tool, then so are the developers of SSH, Citrix Desktop developers, Microsoft Remote Desktop developers, VMware developers, VNC developers, Oracle SGD developers, Apple remote control services, and any other remote admin tool or tool that could be used for remote admin. All of those tools are developed to avoid people seeing what you are doing, all are configurable ports to avoid detection, etc.. Ask any developer or security expert if those tools can be used for hacking, and the answer is "YES" across the board.
The EFF should have stopped when they said it would have a chilling effect. It does, because this would make "not hacking" but developing a certain type of tool a crime.
Now had the guy actually used the tools to commit a crime, he should be charged with a crime.
This is no different than charging a gun manufacturer with murder because a gang member killed someone with a gun made by the manufacturer. This is tyrannical authoritarianism, plain and simple.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Tor is being used by criminals including C&C of ransomwares these days, time to imprison those people who built Tor. Oh ok I get it, there are legit use of Tor for non-criminals too.
Protects creation of computer software. If you disagree you should jump off a tall building head first.
VLC, they're coming after you next!
> Um, no actually, I actively cheer them on for catching murderers because I strongly believe murderers shouldn't be allowed free in society. I don't know what weird ideology you have that believes otherwise.
Actually, Niemöller's poem never talked about murderers, but merely about Socialists, Trade Unionists and Jews. Well, some variants listed communists, incurable patients, Jehovah's Witnesses, civilians of occupied countries, but none listed murderers.
> What do Slashdot's readers think?
I think the FBI should fuck the hell off, along with the rest of the federal government. Their purpose isn't law enforcement, it's to violate our civil rights, instil fear, and keep the populace under the thumb of the elitists who run the government (for their own benefit).
Seriously, we need to disband the FBI, the DHS (as Ron Paul said, "we fought World War II without a DHS"), ATF, TSA (a bunch of dumb-fucks who couldn't hack it at McDonalds), DEA, NSA, and pretty much the rest of the federal agencies. We don't need some massive, sprawling, byzantine, corrupt bureaucracy... we just need self-government.
// TODO: Insert Cool Sig
That is one of the tests. Intent itself is not enough. Don't try to be a lawyer ever.
> There are lots of laws out there. For starters, trafficking in software or devices which circumvent security measures is often illegal.
Congress shall make no law ... abridging the freedom of speech
"Hey, this security scheme sucks. I am not going to circumvent it, because that would be illegal, but here is exactly how to demonstrate it -- specified in unambiguous machine language. That's right -- language -- a method of communication/speech. Share if you think bad security should be shamed!"
We're with The Government and you're under arrest. You and Robert Kahn are credited with "inventing" TCP/IP which is a key technology now used by internet villains. Unfortunately we can't arrest Chris Sholes, the developer of QWERTY, but we've already locked up Federico Faggin, Ted Hoff and the gang of Intel thugs who claim to have developed the first microprocessor. We're headed to Redmond after we're done with you.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Do you really not know the difference between clothing and a weapon?
A weapon may occasionally be used in a crime; shoes, well, considering the number of them in use, I challenge you to calculate the odds of a pair of shoes being used in a crime!
It's as simple as blame the perpetrator regardless of the tool or toolmaker's intent when he made the tool.
A gun is harmless until someone loads and fires it. Stop looking for someone else to blame. This age of political correctness and excuses for bad behavior needs to die.
Well I know a certain blinded cyclops who feels no one deserves whatever he gets.
I'd be willing to bet more shoes are used in crimes than weapons :)
Net Seal is just software. It's not even a little illegal. It's license management software, like uPlay, Steam & Origin. He sold software to somebody who then committed a crime. We're right back where we started. It's the same as trying to sue a gun manufacturer for selling handguns. Probably less so. With the gun manufacturer you could argue they weren't following all the laws/rules about selling guns (there are lots, and some folks toe the line pretty close on them). With software there's nothing to say I can't sell to whoever's buying. They'd have to prove not that I was selling to the keylogger guy but that I was trying to aid him in keylogging.
This all smacks of Law enforcement cracking down on a powerless guy because they can. It's infuriating because it gives good cops a bad name and puts the public at odds with law enforcement.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
... arresting Someone for sharing instructions on how to build bombs: in violation of the Free Speech clause.
Could it be that the tool is too secure? Is it better to attack on the face of the tool's negative attributes, rather than say they are trying to discourage the, possibly powerful, positive attribute(s)? Someone asked, "Why aren't the legal users of the tool using some other VPN tool?". I think the question was asked to support the idea that those users were only using the software with negative intentions. Just a silly way to look at the whole thing and I apologize for it. But I can't deny the simple logic, that individual security is a governing insecurity. When we speak of security, in a political way, it means that the government isn't prevented from governing. So eventually, providing a tool that prevents awareness of activity is very similar to hacking. You are hacking the government's security.
Can programs be considered contraband, and is selling or even spreading a program to other people who know and want said programs a crime? Would a script that utilized rm or dd or even crypto be a crime, or is it how and if it is used a certain way, but not really the tools used but the act and intent?
“It’s a dual-use technology case,” says Grimmelman. “And you typically don’t get criminal liability in dual-use technology cases unless there’s a pretty clear intent to promote the criminal use instead of the legitimate ones.”
The gummint is fully aware that it can't prove criminal intent, but it has the deep bench of lawyers while Huddleston has whatever late-night TV lawyer he can afford.
I would be most interested to know.
Intent is pretty much all that's needed (besides doing the otherwise innocent thing that resulted, or could have resulted in illegal act) to be charged with "conspiracy" or "providing accessory" to some crime.
Say, you purchase a lot of potassium nitrate (a common fertilizer) and leave it in your garage. There's absolutely nothing illegal about it.
But if you give it to someone who makes it into explosives, and build a bomb, you're in trouble. And your intent will be the deciding factor: did you buy it as a fertilizer for your garden, or did you intend to aid someone in building a bomb?
Welcome to the rest of the world's view of the justification for the existence of your internal arms industry.
Requiem for the American Dream
Holy shit, how did you learn to write compiled programs without using a compiler that turned your free speech into non-protected non-human speech?
The entire indictment centers around one of his users that licensed his software put it into a keylogger. Can Microsoft be charged if I use msvc with msvc runtime dll?
It is outright insane.
This situation reminds me very much of that man who published a book on how to cook methamphetamine at home. The book sold so well he became a multi millionaire though he made no meth. Of course using his book, hundreds of thousands died from addiction and explosions.
Was his an action of unmitigated evil for personal gain which ruined countless lives? YES
Was it technically illegal when he did it? NO
Is it reasonable to assume that anything not deemed actually specifically illegal should be accepted by society no matter how damaging it is? That appears to be the question. IMHO the answer is a resounding NO, but I am one man.
Make it more simple and arrest everyone.
He didn't do a crime he made a tool. Is a gun dealer guilty when someone shoots someone else up?
Shoes are thrown at Presidents and other politicians all the time. It's awesome.
Shouldn't the FBI be arresting the NSA and CIA, whose hack tools are now, as WikiLeaks notes, in the wild and are *actually* hack tools and considerably more interesting?
Isn't this pretty much the same garbage they tried to use in regards to piracy, and it was joked away for being stupid? Trying to blame ftp server/client software makers for people using ftp for pirating.
What's the difference? This tool is more powerful than just the transfer of data?
I will say that if he was marketing it as a malicious piece of software, though, slap his wrist.
Better to err on the safe side. Just as is the case with firearms, general purpose computers have no place in the hands of the average citizen. We need to put the programmers' category under strict surveillance and require them to be identified and to be issued a permit. With the IoT one step from being reality, we cannot be too cautious.
The reason is that Law can not be arbitrary. Baseball bat manufacturers _KNOW_ that what they produce is used for crime. Hammer manufacturers _KNOW_ that tools they produce are used for crime. Knife manufacturers _KNOW_ that the instruments they produced are used for crime.
Singling out one of those manufacturers because criminals think they are cooler than the other manufacturers is an arbitrary act and has no basis in law.
Try really really hard to use logic and reason instead of the run of the mill bullshit appeal to emotion.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
www.nirsoft.net have produced and given out a lot of useful software and many have found their way into hacking tools. I'd hate to see it stopped.
Couldn't the same argument be made against gun manufacturers? Why aren't they being arrested?
Oh wait, the NRA bought the government. Forgot about that.
You should cheer them on for catching murderers LEGALLY and following DUE PROCESS. Anything else is entirely unacceptable.
How come the two Steves (aka Jobs and Woz) were never arrested then? They sold devices with the express intention of breaking the law. Or does the fact they used the money to start Apple give them a free pass?
Even money (which you didn't design or print) is free speech these days.
I don't know, but lots of likely reasons:
The laws around phreaking tools may have been inadequate at the time.
They were not caught before the statute of limitations expired.
There may never have been evidence of a specific crime.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
I would assume gun uses are recorded. But I guess maybe not in the "wild west".
Note. In other countries where guns aren't pervasive the mere act of drawing your gun, signaling that you have one, or flashing it, is considered use of force and must be reported (like any other act of violence).
As an interesting statistic from Danish police 2015:
Use of gun: 148 instances (a police officer drawing or signaling that he has a gun)
Number of shots: 11 (of which 8 were warning shots)
That's from ~10k police officers protecting a population of 5m people.
Granted that's stats from police; but it's hard to argue that civilians are likely to need a gun more often than the police.
Note: Yes, US murder rate is 10x, police killing rate is 100x (at least), so US has more violence, but if guns aren't pervasive you rarely need them.