Should The FBI Have Arrested 'The Hacker Who Hacked No One'?

Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."

The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."

Click through for the rest of the story.
Mark Rumold, senior staff attorney at the EFF, tells Krebs "I don't read the government's complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this." Also skeptical is Allison Nixon, director of security research for New York City-based security firm Flashpoint. "Huddleston can claim the DRM is to prevent cybercrime, but realistically speaking the DRM is part of the payment system -- to prevent people from pirating the software or initiating a Paypal chargeback." Krebs writes:

Nixon, a researcher who has spent countless hours profiling hackers and activities on Hackforums, said selling the NanoCore RAT on Hackforums and simultaneously scolding people for using it to illegally spy on people "could at best be seen as the actions of the most naive software developer on the Earth. In the greater context of his role as the money man for Limitless Keylogger, it does raise questions about how sincere his anti-cybercrime stance really is."

And of course, the FBI's complaint also notes that the software was promoted on HackForums.net. The Daily Beast says Huddleston eventually realized "it was a terrible place to launch a legitimate remote administration tool. There aren't a lot of corporate procurement officers on HackForums," adding that at first Huddleston handed off the business, "while continuing to develop the code as an 'advisor' in exchange for 60 percent of every sale."

Slashdot reader Highdude702 believes Huddleston's arrest "is an outrage, and is a push too far, also in the wrong direction," calling it "the story of a script kiddie gone big time...arrested for being an accomplice to a crime committed by people he had never met, let alone knew well enough to commit crimes with."

What do Slashdot's readers think?

commonly used claim?

"I didn't murder someone" is a very commonly used claim among those who don't murder people. Would that "raise skepticism" and make one a target for a murder investigation? I don't think so. This is a chilling-effect arrest. They know this guy didn't hack someone, they're just trying to make the tool-makers lives harder because the tools can be used for no good.

Re: commonly used claim?

[Zak3056]

Handguns are mostly worthless as a means of hunting either for food or sport. The simple fact is that handguns are made to kill.

Some thoughts on the above:

1. Apparently "hunting" is not "killing" in your lexicon?

2. Some handguns (though none I can think of made by Glock) are indeed used for hunting. This is what cartridges like .500S&W and .454Casull are for. I have friends who take deer or boar with them.

3. There are other shooting sports beside hunting. Glocks appear quite frequently in some of them.

4. Some handguns are made specifically for the purpose of punching holes in paper or knocking over steel plates, rather than for killing things. While they're capable of the latter, it would be akin to using a screwdriver as a hammer.

Just saying.

Re: commonly used claim?

I'll bite your strawman argument...

Once more, yes, if Ford advertized their cars as primarily useful in running over humans
and were less useful as a form of transportation, they too would be in trouble.

Since your statement is so subjective, how about when Ford provides vehicles for movie studios
(for the free publicity), and in some cases those vehicles are user to "simulate" bad things. So, if fact,
they are advertising those things as something their vehicle is capable. Do that make your case tighter?

There has to be an mens rea "evil mind" at play. You can't just make you own rules up. How about
all of the people who work in the manufacturing of ordinance? There is only 1 purpose for the fruit
of their labour, amiright?

The absolute best the feds _Should_ be able to do is assert that he conspired to do evil, but there isn't
any credible evidence for even that. They have taken a huge leap and risk to make this guy a
multimillionaire through damages that will be award to him in any sane court of law.

CAP === 'miseries'

Bullshit logic.

Time to arrest the manufacturers of trucks that are used to plow into civilians, hey?

Almost every "hacking tool" has a beneficial use.

Re:Trafficking in circumvention measures is illega

[epyT-R]

That doesn't make it immoral. This is a case of opportunists making use of bad laws they likely lobbied for.

simple answer

[jmccue]

Are gun manufacturers held responsible for deaths caused by their products ? I guess you know the answer now

Re:simple answer

[Richard_at_work]

Do gun manufacturers hang out on "home invaders" forums touting their wares...?

Question of intent for the Jury

[techesq]

Since we're operating under U.S. Federal law, our innocent until proven guilty developer will be able to force the prosecutors to prove their case and have a jury decide his fate. The government's case is this: if you're a developer of a legitimate remote admin tool and DRM tools, why are you marketing and supporting the product in a known criminally linked forum? What was your relationship with the convicted felon who distributed the Limitless keylogger tool? From the Krebs piece it appears he assisted (a prosecutor might say "conspired with") the developer of key logger crimeware to receive payments. This is a case of what did he know and when did he know it? This is not an easy case to prove, but there is probable cause to suspect something criminal was going on based on the totality of circumstances. The government will have its work cut out for it, but I think the "chilling" effect defense is weak. You're free to develop, market, and sell any type of RAT or DRM software you want. You cannot knowingly assist criminals commit cybercrime. Pretty simple in my book. If you think otherwise, hire a lobbying firm and buy your own legal exceptions to established laws like the gun lobby did ;)

Re:It's an outrage...

[Orgasmatron]

Good post - insightful and informative.

Note that this is a different scenario than the hypothetical question asked in the article/summary. The key is "knowing that individual intended to use the Limitless key logger for the purpose of committing unlawful and unauthorized computer intrusions". This is the standard FBI quasi-entrapment operation.

In my opinion, no tool should be illegal to make or sell as long as some legal use is possible, however improbable. Selling it to someone after you know that they intend to use it illegally, however, I'm willing to let law enforcement do their thing. (But I'd like to see some more public scrutiny of their methods, which smell like bullshit a bit more often than I'd like.)

Re: Overreaction...

[Zero__Kelvin]

So in your mind there is such a thing as Black Hat only forums and white hats never go there to be able to keep up with them? You really believe that? How, EXACTLY, do they ever that? It's there a "Black Hat Certificate" of which I am unaware?

BS - This is thoughtcrime

[s.petry]

If this person is guilty of developing a remote admin tool, then so are the developers of SSH, Citrix Desktop developers, Microsoft Remote Desktop developers, VMware developers, VNC developers, Oracle SGD developers, Apple remote control services, and any other remote admin tool or tool that could be used for remote admin. All of those tools are developed to avoid people seeing what you are doing, all are configurable ports to avoid detection, etc.. Ask any developer or security expert if those tools can be used for hacking, and the answer is "YES" across the board.

The EFF should have stopped when they said it would have a chilling effect. It does, because this would make "not hacking" but developing a certain type of tool a crime.

Now had the guy actually used the tools to commit a crime, he should be charged with a crime.

This is no different than charging a gun manufacturer with murder because a gang member killed someone with a gun made by the manufacturer. This is tyrannical authoritarianism, plain and simple.

What do Slashdot's readers think?

[psykocrime]

> What do Slashdot's readers think?

I think the FBI should fuck the hell off, along with the rest of the federal government. Their purpose isn't law enforcement, it's to violate our civil rights, instil fear, and keep the populace under the thumb of the elitists who run the government (for their own benefit).

Seriously, we need to disband the FBI, the DHS (as Ron Paul said, "we fought World War II without a DHS"), ATF, TSA (a bunch of dumb-fucks who couldn't hack it at McDonalds), DEA, NSA, and pretty much the rest of the federal agencies. We don't need some massive, sprawling, byzantine, corrupt bureaucracy... we just need self-government.