Should The FBI Have Arrested 'The Hacker Who Hacked No One'? (thedailybeast.com)
Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."
The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."
Mark Rumold, senior staff attorney at the EFF, tells Krebs "I don't read the government's complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this." Also skeptical is Allison Nixon, director of security research for New York City-based security firm Flashpoint. "Huddleston can claim the DRM is to prevent cybercrime, but realistically speaking the DRM is part of the payment system -- to prevent people from pirating the software or initiating a Paypal chargeback." Krebs writes:
Nixon, a researcher who has spent countless hours profiling hackers and activities on Hackforums, said selling the NanoCore RAT on Hackforums and simultaneously scolding people for using it to illegally spy on people "could at best be seen as the actions of the most naive software developer on the Earth. In the greater context of his role as the money man for Limitless Keylogger, it does raise questions about how sincere his anti-cybercrime stance really is."
And of course, the FBI's complaint also notes that the software was promoted on HackForums.net. The Daily Beast says Huddleston eventually realized "it was a terrible place to launch a legitimate remote administration tool. There aren't a lot of corporate procurement officers on HackForums," adding that at first Huddleston handed off the business, "while continuing to develop the code as an 'advisor' in exchange for 60 percent of every sale."
Slashdot reader Highdude702 believes Huddleston's arrest "is an outrage, and is a push too far, also in the wrong direction," calling it "the story of a script kiddie gone big time...arrested for being an accomplice to a crime committed by people he had never met, let alone knew well enough to commit crimes with."
What do Slashdot's readers think?
"I didn't murder someone" is a very commonly used claim among those who don't murder people. Would that "raise skepticism" and make one a target for a murder investigation? I don't think so. This is a chilling-effect arrest. They know this guy didn't hack someone, they're just trying to make the tool-makers lives harder because the tools can be used for no good.
Well... as outrageous as the OP makes it sound, you actually don't need to "hack" someone to break the law.
There are lots of laws out there. For starters, trafficking in software or devices which circumvent security measures is often illegal. "Using" said device isn't necessary to run afoul of the law.
The DMCA has strong anti-circumvention language for example. Other countries have similar laws.
Time to arrest the manufacturers of trucks that are used to plow into civilians, hey?
Almost every "hacking tool" has a beneficial use.
RAT is just like TurboTax. Each has an intended purpose (Remote Administration / Tax Filing). Each can be used by criminals (unauthorized system administration for ransom / filing another person's taxes for refund). Poor business decisions about where to promote your product for maximum intended purpose sales is not a crime. Improper use of the product is a crime.
I would be happy if he went to jail ONLY IF executives of arms manufacturing also went to jail for killing people. Otherwise hacking tools do not hack, it is people that hack.
...every time the media kneejerkingly supports the bad guys!
On or about November 21, 2013, HUDDLESTON caused an activation email to be sent to a customer who had purchased the Limitless key logger, knowing that individual intended to use the Limitless key logger for the purpose of committing unlawful and unauthorized computer intrusions. The email contained the license serial code and instructions for how to download and activate the keylogger.
Guy is toast and rightly so.
That doesn't make it immoral. This is a case of opportunists making use of bad laws they likely lobbied for.
People like you are the reason big government inevitably becomes tyrannical.
This 'blame chain game' inevitably leads to unchecked witch hunting. Do we blame Toyota for bank robberies when one of their cars is used? No. Do we blame Intel when one of their CPUs is used in a 'hacking' crime? No. This is no different.
It's a sad day when this kind of thing has to be explained to someone who reads a site like slashdot.
Are gun manufacturers held responsible for deaths caused by their products? I guess you know the answer now.
My first instinct was to say 'no' before I had even read the summary based on the argument that if this guy should be arrested for making a legal admin tool that's been misused by hackers then the CEO of Beechcraft should be arrested because his planes are used to run drugs as well as passengers and legal cargo. However, it then occurred to me that even the evil trinity of Donald Trump, Steve Bannon and Mitch McConnell could not have turned the FBI into the holy inquisition this quickly. There must be more to the story so I read the summary. If it is really true that this guy launched the marketing campaign for his 'admin tool' on black-hat hacker forums, I'd say they should at the very least drag him into an FBI field office for some serious questioning. There is a difference between your aircraft that you market for civilian purposes being used by criminals and you actively catering to the needs of criminals, concentrating your marketing on them and advertising in places that criminals frequent.
Wrong, it's a tool to remotely administer your own computers.
And if your keylog session lasts for more than four hours seek immediate help from a legal professional?
I will put it upon you to read this before reacting so hastily.
“He’s not deformed, he’s just drunk!”
Stop embarrassing yourself and read the comment I replied to. RAT is not a bomb.
I'm not sure it matters. Such arguments are made quite a bit these days and deserve critical responses, if not for the benefit of the troll who likely knows better, then for those who read his comments.
Since we're operating under U.S. Federal law, our innocent until proven guilty developer will be able to force the prosecutors to prove their case and have a jury decide his fate. The government's case is this: if you're a developer of a legitimate remote admin tool and DRM tools, why are you marketing and supporting the product in a known criminally linked forum? What was your relationship with the convicted felon who distributed the Limitless keylogger tool? From the Krebs piece it appears he assisted (a prosecutor might say "conspired with") the developer of key logger crimeware to receive payments. This is a case of what did he know and when did he know it? This is not an easy case to prove, but there is probable cause to suspect something criminal was going on based on the totality of circumstances. The government will have its work cut out for it, but I think the "chilling" effect defense is weak. You're free to develop, market, and sell any type of RAT or DRM software you want. You cannot knowingly assist criminals commit cybercrime. Pretty simple in my book. If you think otherwise, hire a lobbying firm and buy your own legal exceptions to established laws like the gun lobby did ;)
I'm not sure it matters. Such arguments are made quite a bit these days and deserve critical responses, if not for the benefit of the troll who likely knows better, then for those who read his comments.
Be honest now - did you really think AC was trolling, rather than simply using sarcasm to make his point? Or did you just type so fast that your comment outpaced that whooshing sound?
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Around here? I give it 50/50.
ssh/putty and RDP handle linux/unix/bsd and Windows remote administration perfectly well. The major difference is that you can't set up an sshd/putty/RDP server on your machine by clicking on an email attachment. Question... what legitimate use-cases are there which ssh/putty/RDP don't handle?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
So if we prove gun makers' true intentions they get to go to prison for murder?
Probably as an 'accessory to a crime' or 'aiding and abetting.' The legal system has been able to deal with this problem for a long time. If the bullet manufacturers' intentions can be proven, they will likely go to jail, too.
Of course that's an unlikely scenario.
"First they came for the slanderers and i said nothing."
How long have we got before creating security software is deemed to be a crime? Think VPNs and PGP. Should Zimmermann be worried?
He apparently added DRM to the software, and if anyone bragged about using it for hacking, he disabled their license. So.......
"First they came for the slanderers and i said nothing."
So? Was he caught spearphishing with it? Someone still has to decide to and then use his tool unlawfully. Arrest those people. I'd rather these easy-to-use tools are made and distributed because they highlight the vulnerabilities (software and policy) required to get them installed. Software vendors and governments don't want them highlighted, the former because of image and the latter because they hoard them as munitions. Neither attitude is beneficial.
The last thing society should do is depend on law and law enforcement for system security. I bet they use RAT (or something like it) too. If it's ok for them, then it's ok for everyone else.
“During the course of the conspiracy, Huddleston received over 25,000 payments via PayPal from Net Seal customers. As part of the conspiracy, Huddleston provided Shames with access to his Net Seal licensing software in order to assist Shames in the distribution of his Limitless keylogger. In exchange, Shames made at least one thousand payments via PayPal to Huddleston.”
Conspiring to commit a crime is not free speech.
That game looks a bit like a retextured Ikaruga.
If that's true: May $deity have mercy on your files!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You evidently have never heard of the perfectly legal "Anarchist Cookbook".
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I agree with you; All Microsoft executives SHOULD be arrested post haste. Great point!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
He added DRM to allow the malware developers to disable their malware if the person using it wasn't a customer didn't have a license. He aided and abetted criminals to enforce the licenses on their malware. He even marketed his software to them directly, knowing for what purpose they intended to use it. That makes him a criminal.
He even marketed his software to them directly, knowing for what purpose they intended to use it.
That's the central question, right? If the government can prove he knew, then he'll go to jail. If they can't, he'll probably go free.
"First they came for the slanderers and i said nothing."
Sadly, as the song goes, "first they came for the murderers, but I didn't say anything because I wasn't a murderer..."
Um, no actually, I actively cheer them on for catching murderers because I strongly believe murderers shouldn't be allowed free in society. I don't know what weird ideology you have that believes otherwise.
"First they came for the slanderers and i said nothing."
If this person is guilty of developing a remote admin tool, then so are the developers of SSH, Citrix Desktop developers, Microsoft Remote Desktop developers, VMware developers, VNC developers, Oracle SGD developers, Apple remote control services, and any other remote admin tool or tool that could be used for remote admin. All of those tools are developed to avoid people seeing what you are doing, all are configurable ports to avoid detection, etc.. Ask any developer or security expert if those tools can be used for hacking, and the answer is "YES" across the board.
The EFF should have stopped when they said it would have a chilling effect. It does, because this would make "not hacking" but developing a certain type of tool a crime.
Now had the guy actually used the tools to commit a crime, he should be charged with a crime.
This is no different than charging a gun manufacturer with murder because a gang member killed someone with a gun made by the manufacturer. This is tyrannical authoritarianism, plain and simple.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Cool story, troll. Keep trolling, you're hilarious.
I'm not a troll. I'm just someone who loves to troll the trolls on Slashdot. Been doing that for years.
VLC, they're coming after you next!
I'm not a troll. I'm just someone who loves to troll
On your permanent record now, troll.
Not yet. I'm working on a Python script to scrape my ~8,000 comments from Slashdot. When I publicly release the script on GitHub, everyone can have access to my comments — or their own.
Flaming narcissist downloads his posting history onto a pen drive and masturbates with it. So appropriate.
Reference materials for my Silicon Valley memoir.
Cars kill people so imprison auto manufacturers, OSes are used to sometimes do nefarious things so imprison OS vendors and those who contribute to them, and the list goes on. This world has gone nuts and the governments of this world have gone crazy with their power and ability to spy on their citizens.
Um, no actually, I actively cheer them on for catching murderers because I strongly believe murderers shouldn't be allowed free in society. I don't know what weird ideology you have that believes otherwise.
Actually, Niemöller's poem never talked about murderers, but merely about Socialists, Trade Unionists and Jews. Well, some variants listed communists, incurable patients, Jehovah's Witnesses, civilians of occupied countries, but none listed murderers.
Everyone?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Published in three volumes!
#1 I am Not a Troll
#2 I am a Troll
#3 My Life as a Liar
Not quite. One essay will be about my software testing internship in 1997 at Fujitsu's WorldsAway virtual world. Several essays on being a video game tester and lead video game tester at Accolade/Infogrames/Atari (same, different owner, multiple personality disorders). A longer essay on testing the Sony Reader in 2005. Of course, an essay on the Great Recession when I was out of work for two years (2009-10), unemployed for six months (working 20 hours per month), and filing for Chapter Seven bankruptcy. And, for shakes and giggles, an essay on how I love to troll the trolls on Slashdot. ;)
> What do Slashdot's readers think?
I think the FBI should fuck the hell off, along with the rest of the federal government. Their purpose isn't law enforcement, it's to violate our civil rights, instil fear, and keep the populace under the thumb of the elitists who run the government (for their own benefit).
Seriously, we need to disband the FBI, the DHS (as Ron Paul said, "we fought World War II without a DHS"), ATF, TSA (a bunch of dumb-fucks who couldn't hack it at McDonalds), DEA, NSA, and pretty much the rest of the federal agencies. We don't need some massive, sprawling, byzantine, corrupt bureaucracy... we just need self-government.
// TODO: Insert Cool Sig
Everyone?
If you're making a reference to playing card games in the wee hours, I got off work at midnight from a restaurant job and it took several hours to unwind. My college roommates and I didn't have classes until noon. These days I can't stay up late because I get up at 4:30AM to start work at 7:00AM in government IT.
Nice reading the indictment document. I'm impressed.
"First they came for the slanderers and i said nothing."
You forgot to include the chapters on
350#, 1500 calories a day
Laid off two years
Gov't IT job
No plans to write about my weight in the near future. Being laid off for two years will be in the essay about the Great Recession. My current job is off limits until such time I'm no longer working there and a few years have passed.
They are all self published books by the way.
Self-published ebooks that make me money. Surprisingly, my original essays sell better than my previously published short stories in anthologies and magazines.
I'd be willing to bet more shoes are used in crimes than weapons :)
How do so many people not understand the concept of intent.
Net Seal is just software. It's not even a little illegal. It's license management software, like uPlay, Steam & Origin. He sold software to somebody who then committed a crime. We're right back where we started. It's the same as trying to sue a gun manufacturer for selling handguns. Probably less so. With the gun manufacturer you could argue they weren't following all the laws/rules about selling guns (there are lots, and some folks toe the line pretty close on them). With software there's nothing to say I can't sell to whoever's buying. They'd have to prove not that I was selling to the keylogger guy but that I was trying to aid him in keylogging.
This all smacks of Law enforcement cracking down on a powerless guy because they can. It's infuriating because it gives good cops a bad name and puts the public at odds with law enforcement.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Could it be that the tool is too secure? Is it better to attack on the face of the tool's negative attributes, rather than say they are trying to discourage the, possibly powerful, positive attribute(s)? Someone asked, "Why aren't the legal users of the tool using some other VPN tool?". I think the question was asked to support the idea that those users were only using the software with negative intentions. Just a silly way to look at the whole thing and I apologize for it. But I can't deny the simple logic, that individual security is a governing insecurity. When we speak of security, in a political way, it means that the government isn't prevented from governing. So eventually, providing a tool that prevents awareness of activity is very similar to hacking. You are hacking the government's security.
“It’s a dual-use technology case,” says Grimmelman. “And you typically don’t get criminal liability in dual-use technology cases unless there’s a pretty clear intent to promote the criminal use instead of the legitimate ones.”
The gummint is fully aware that it can't prove criminal intent, but it has the deep bench of lawyers while Huddleston has whatever late-night TV lawyer he can afford.
Welcome to the rest of the world's view of the justification for the existence of your internal arms industry.
Requiem for the American Dream
The entire indictment centers around one of his users that licensed his software put it into a keylogger. Can Microsoft be charged if I use msvc with msvc runtime dll?
It is outright insane.
this situation reminds me very much of that man who published a book on how to cook methamphetamine at home. the book sold so well he became a multi millionaire though he made no meth. Of course using his book, hundreds of thousands died from addiction and explosions.
was his an action of unmitigated evil for personal gain which ruined countless lives? YES
Was it technically illegal when he did it? NO
Is it reasonable to assume that anything not deemed actually specifically illegal should be accepted by society no matter how damaging it is? That appears to be the question. IMHO the answer is a resounding NO, but i am one man.
since when did free speech cover knowingly aiding and abetting a crime?
We already do that. IF a car model has a design feature that kills the passengers such as defective seatbelts or whatnot, that is what happens. Your implication is that the use of this system as a hacking tool was accidental, and also not a case of criminal negligence.
What is more important? Intent or effect? How much if any care was taken to prevent misuse of the application in the way it was misused?
In the 80's Reagan and Thatcher closed the national mental health hospitals nationwide in their countries in what was called in Britain "throw the nutter in the gutter" program. In the US of the 300,000 some patients over 150000 were dead within the year. Additionally there was a giant rash of "arsons" resulting from said patients attempting to move into unfinished building sites and starting fires to stay warm. The net economic cost was in the billions.
Was this murder? Was it criminal negligence? Was it merely "a timely cost savings" as the administration called it?
Intent and effect. Your argument is quite similar to the NRA slogan "guns don't kill people, people kill people". My favorite response to this comes from Australian comedian Jim Jefferies. Feel free to google "jim jefferies gun control" for the video. He's pretty funny.
The reason is that Law can not be arbitrary. Baseball bat manufacturers _KNOW_ that what they produce is used for crime. Hammer manufacturers _KNOW_ that tools they produce are used for crime. Knife manufacturers _KNOW_ that the instruments they produced are used for crime.
Singling out one of those manufacturers because criminals think they are cooler than the other manufacturers is an arbitrary act and has no basis in law.
Try really really hard to use logic and reason instead of the run of the mill bullshit appeal to emotion.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
www.nirsoft.net have produced and given out a lot of useful software and many have found their way into hacking tools. I'd hate to see it stopped.
How come the two Steves (aka Jobs and Woz) were never arrested then? They sold devices with the express intention of breaking the law. Or does the fact they used the money to start Apple give them a free pass?
I've been told that, during Prohibition, some folks sold sets of pipes and other apparatus. The sets came with warnings: Do not do these things (described in detail), for then you would have created an alcoholic beverage and broken the law.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I don't know, but lots of likely reasons:
The laws around phreaking tools may have been inadequate at the time.
They were not caught before the statute of limitations expired.
There may never have been evidence of a specific crime.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
I would assume gun uses are recorded. But I guess maybe not in the "wild west".
Note. In other countries where guns aren't pervasive the mere act of drawing your gun, signaling that you have one, or flashing it, is considered use of force and must be reported (like any other act of violence).
As an interesting statistic from Danish police 2015:
Use of gun: 148 instances (a police officer drawing or signaling that he has a gun)
Number of shots: 11 (of which 8 were warning shots)
That's from ~10k police officers protecting a population of 5m people.
Granted that's stats from police; but it's hard to argue that civilians are likely to need a gun more often than the police.
Note: Yes, US murder rate is 10x, police killing rate is 100x (at least), so US has more violence, but if guns aren't pervasive you rarely need them.