The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com)
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggests that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.
Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.
I'll say yes, just like it's a crime to set booby traps for people.
Even if you don't execute it? What line of code is against the law? What about distributing samples of malware?
If I was a creator of Adobe Flash, I'd be worried right now.
I don't know... some people seem to think that treasonously colluding with a hostile foreign adversary's attack on your country isn't a crime.
By that standard, selling malware isn't a crime either.
Interestingly, that's the same standard that protects gun sellers from being charged with a crime for selling guns to murderers. Gun sellers know for a fact that a certain percentage - say 5% of their guns will be used for murders and other crimes. It doesn't take much arithmetic to realize the exact number of deaths that their guns will cause.
100,000 guns x .05 = 5000 deaths.
100,000 guns x $500 = $50,000,000
$50,000,000 / 5,000 = $10,000
So, each gun death earns the gun manufacturer $10,000.
That seems like a pretty low value for human life, but remember - gun sellers have immunity from prosecution for the crimes their guns are used in. Deaths are an externalized cost.
If you compare it to the river of blood left by gun sellers, selling malware shouldn't trigger much more than a speeding ticket, however only gun sellers have immunity for death and destruction caused by their products.
Article 1: Google "charged for writing a virus" - it seems there's a bunch of established case law on charging people for writing and distributing malware.
Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".
I'd be interested in knowing whether he actually built the thing and whether there was motive and intent, but quibbling over whether the Trojan was a "device" or an "apparatus" seems a bit pointless here.
Microsoft seems to be getting away with it. =)
Betteridge's Law of Headlines indicates that any headline containing a question should be answered with 'no.' This headline contains a question, and thus Betteridge's Law of Headlines clearly states that the answer is no. Therefore, it is not a crime to create and sell malware. End of discussion.
The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.
Bruce Perens.
So now British nationals can be charged for violations of NN U.S.C. x.y.z (technical/procedural "crimes") that occurred OUTSIDE U.S. jurisdiction? So when can we expect US bankers to go to jail for violating other countries' banking laws?
Once again the US thinks their laws apply everywhere...
With this kind of theory, an American girl visiting Saudi Arabia can be detained because she was not wearing a head scarf while walking in the middle of LA....
He's screwed
I am Slashdot. Are you Slashdot as well?
Counts two, three and four all allege violations of 18 U.S.C. 2512.
Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.
Since when is it illegal in the UK to make wiretapping devices, and to sell them?
The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.
That depends on where you live/are, who they have extradition treaties with, and their willingness to enforce the existing laws/treaties against YOU.
If you're talking about a U.K. security researcher, arrested in Las Vegas, Nevada, then I would say yes. If you're talking about a software company based in Ukraine, then I would say no.
If the Feds win big here it may well set a very dangerous precedent.
A lot of people in the USA should start to get very, very worried right now.
I'm not a lawyer so I couldn't accurately say if it is, or isn't illegal.
However, I will say I don't think writing Malware per se is necessarily an arrest-able crime. Unless it impacts someone negatively.
If you write Malware for research purposes, and it stays locked in your network, no one can argue that that should be punishable.
If you write Malware and that Malware impacts another human being (intentionally or not) YES you shoulder some of the responsibility and should be held accountable.
It's not illegal to have a vicious dog, but if your vicious dog escapes and mauls a child; you're partially responsible.
"That's the way to do it" - Punch
If he wrote the virus and sold it with the knowledge that this was neither an academic exercise nor proof of vulnerability and he knew or should have known the tool that he wrote was going to be used to commit crimes... then yes - he should be charged with at least being an accessory to the crimes.
Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.
...unless you sell it to the Five Eyes because our governments' hypocrisy knows no bounds.
Anons need not reply. Questions end with a question mark.
Really - are we this stupid now Slashdot eds?
I can just imagine you asking the same questions of things like, oh I dunno... GUNS being sold to criminals with known intent to harm.
This is not a case where the software had productive use (say like software used to bypass video encryption to make backups of your DVDs) but only had an intent to harm.
What's next? Are the people responsible for WannaCry REALLLY criminals?
Like China, the government demands that all your data are belong to them, including your thoughts and creations.
They should have just named their software Symantec or McAfee and they would have gotten away with it. See, a little marketing goes a long way.
Just like it should be a crime to sell people guns
No it's not - it's already illegal to knowingly sell a gun to a felon. IF Kronos was sold with the known intent to be used for research or testing purposes then Hutchins has a defense - but I kinda doubt that.
And what if he built it for the NSA to allow them to gain UNAUTHORIZED access into computers? Does that change anything? If not, some companies could be in very big trouble.
When someone forgot the combo or for someone who collects safes and treasure haunts for safes or uses them in a business that unlocks safes for people who lost their combos.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
All he has to claim is he had no intention that the person he sold it to would use it illegally.
Or are you claiming intention has no bearing in this instance and we have a two tiered legal system?
Apparently 18 U.S.C. 2512 amounts to a noun a verb and...
" manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or "
Sure would love to know what "primarily useful" is supposed to mean.
We crossed this bridge long ago. There are people in prison today for loaning a phone to someone who then made a drug deal with it. If they had knowledge that the other person was likely to be making a drug deal, then they are guilty of felony conspiracy in a cut and dried way. Conviction, if charged, is near certain as the elements of the crime are often trivial to prove.
Conspiracy is a commonly charged offense today. Interestingly, the crime itself never even has to be committed.
Like much in law today, this crime is one that is applied when they want to apply it - usually based on whether or not the police or prosecutors approve of the lifestyle of the target. Technically, anyone writing a fictional crime novel or movie is committing conspiracy, but are they ever charged?
Nope. When you're supplying the government there is a reasonable presumption that they already have checks and balances, there is no duty for the supplier to ask about that. Furthermore, the government is allowed to retain tools that have potential illegal uses. Even something at the extreme end, like a missile, which can be used for both legal or illegal targets. It also is known to be able to land in the intended place, or even in an UNAUTHORIZED place. And yet, it is still legal for the government to have missiles.
If you're going to substitute the word "allow" for the word "intend," you should probably just close any browser window whenever you see the word "law" on the page. But even if you had that part right, the government is allowed to possess tools whose intended purpose is "unauthorized."
I would say so, yes. If it's not, it's something which can easily be added. If you create tools specifically to hurt other people (a gun for instance can be used for self defense, but a banking trojan is explicitly created to steal identities in order to commit fraud and steal money) then you are something which needs to be removed from society.
For example, is Metasploit malware? If not the framework itself, what about an exploit module someone authored?
Some will argue about some test being, "does this thing have a legitimate use case". The problem is one man's testing tool is another man's hacking tool.
We have been down this road over and over again, with things like lock picks. Probably the only solution here is to potentially classify this type of software as "burglars tools" or similar. Where it's not illegal to produce/sell/possess but if you happen to have them in your possession while committing some other crime it's an aggravating offense.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
The media told me that wiretapping only means personally and physically climbing the Trump tower to connect a phone line. So this was obviously not wiretapping. Plus it's not like he unmasked the personal information or anything. Since it all was just masked bank information of foreign nationals I'm sure CNN, WSJ, NYT, Fox News, and MSNBC will correct the record for us on this.
I just googled for "charged for writing a virus" and found ... Marcus Hutchins!
Better to google for "convicted for writing a virus", which gives examples of people convicted for _running_ a virus, and is ambiguous about the writing.
Best to try google scholar, and select the "case law" option
davecb@spamcop.net
The lines are very simple. Don't create or sell the device for the purpose of others committing crimes.
For example with your lock picks. In most US States you can carry and sell the lock picks all you want. You can even hold classes teaching people how to lockpick the masterlock model 22F and all is good and legal with that. However, if someone came up to you and said "tell me how to lock pick the masterlock model 22F because I want to break into a house protected by one" then you are in trouble.
Arrested for stopping Wannacry. That's what you get for white knighting.
Remember kids, always pay the ransom.
If it's illegal in another country it's illegal in the UK.
Was the first website I saw taken down of many in the future. A malware data base, taken down as it could harm other sites. https://www.google.com/search?...
There is a larger problem that is not being addressed. Companies that write insecure software and improperly manage their networks should be liable for damages as a result of their negligence.
I can think of a slew of 3 letter agencies all guilty of far worse computer crimes in direct conflict with the US Constitution than what they are trying to charge this security researcher with. Sounds like an unethical, if not, illegal attempt by DOJ to try and coerce this guy into doing something for them. I'm only speculating, but sounds like they have an ulterior motive.
The British government really needs to be involved at this point and at the very least file a lawsuit against DOJ to protect their citizens. Should probably release a travel ban for coming to the US while they're at it. LOL
the US Gov wants to hire this guy... Lol
Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".
And that is where a lot of the information security professionals are concerned. There are several programs and methods used in information security research and penetration testing that would fall under that category, one example being the Meterpreter shell in the Metasploit framework. If this case results in a conviction under those charges you can bet many companies and researchers would hesitate to publish their tools for fear of being the next target on an ambitious DA's hit list. Criminalizing tools based on their functionality rather than the users' actions with them could have a very chilling effect on information security research.
Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
From the summary above it kind of looks like someone has decided to charge Hutchins and has gone through the books looking for something that can be twisted to fit.
Not a good look FBI or whoever is calling the shots here.
If you want a high profile arrest go for the guy behind the Stratfor crack - if you can't find him ask your payroll department (people who don't know the story of how that crack was carried out by an FBI informant and how he was not charged should look it up - interesting story and shows how immunity deals should not be done).
I'm not so sure it's seen as that simple.
There was that guy that was charged with teaching people how to get good results when subjected to a "lie detector", which is similar to those lockpick classes. Those people who scam the taxpayer by selling snake-oil "lie detector" services are really the ones that need to be imprisoned IMHO.
So, Chinese style, the current case and that guy undermining the "lie detector" scammers seem to have committed the crime of pissing off government employees that should have much better things to do. Whether "Wannacry" was some NSA masterplan (unlikely outside of a Bond movie) or people in the FBI etc wanted to use the chaos as an excuse for departmental empire building (almost certain) Hutchins has pissed off some people who are now using the power of the State against him. Where is oversight when you need it?
The lie detector case was similar: he advertised to those people required to take a poly for federal positions. He would work with people that hired him on things they wanted to lie about and then instructed them to lie when asked if they got training.
This made him guilty of working with those people to defraud the government and since they benefited from getting money(salary) they were not eligible for and since he deliberately assisted them in the defrauding and profited from that he was guilty of various crimes.
If he had just stuck with generic classes, training on how to beat generic lie detectors, and not instructed them to lie when asked about the training he would have been good.
So according to you the FBI released the Wannacry and planned to use that as some master planning in taking over a part of the world. I believe you are the one needing oversight.
WTF? Did I have to put the words I used above "unlikely outside of a Bond movie" in flashing text the full height of the screen or something?
Oh that's right, you saw it but you want some reason to attack to give your life meaning or something so pretended it wasn't there - how utterly pathetic.
WTF is it with people being so deliberately and obviously dishonest just so they can argue?
In USSA everything is illegal and everyone is guilty. So of course it's a crime. Duhhh.
Why be worried? We've had a full-on police state for over a decade. Not like this makes our current tyranny any more tyrannical than it already was.
Creating malware? Guilty as charged. I do that occasionally on behalf of my clients that want to know whether their security is as tight as they think it is. This is of course very specific software, written with rigid restraints when it comes to propagation and what machines the "malware" may affect at all to ensure that nobody outside gets hit by it and of course without any malicious payload, but the whole criteria for malware are fulfilled. Installation without the user's consent (but of course the machine's owner), hiding from detection, informing a controlling server (the customer's own, of course), transfer of information, circumvention of anti-malware measures and so on.
The same applies to "hacking". If that's outlawed, I'm not only out of a job, I belong behind bars because that's what I do all day long. Of course with the written consent of the owner of the machine(s) being hacked and at their own request, but nonetheless it is exactly the same procedure as if a malicious hacker tried to gain access (maybe with a little less brutality when it comes to the question whether the server survives it...).
This is a necessity of security work. How do you plan to test your defenses if you disallow using the same tools, tricks and means that an actual attacker has at his disposal?
In other words, the US is currently pretty much using a Zeiss scope to ensure it hits its own foot perfectly. Because one thing is certain, no security researcher worth his salt will willingly set foot into a country where simply being what he is and doing what he has to do to be good at his job means putting a foot into the slammer. Nope. Sorry. I'd rather visit a SecCon in Moscow at this point because the chances to get back home are higher.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The same way they have a pile of press releases and request for extra funding every time there is a "cybersecurity" threat no matter where it comes from - as you obviously well know but wish to appear utterly ridiculous by pretending you do not.
WTF is it with this stupid game? Is your life really so empty?
The kiddies may not know how such tedious workplace politics of profiting from chaos works (which is why I mentioned it) but you have no such excuse. Why act like you were born yesterday?
Boiling down the indictment; it is like prosecuting a manufacturer of lock picks because a customer committed a burglary with his brand of lock pick.
It could be argued that malware is a tool with only a malevolent function. This case may well set an interesting precedent.
Can a gas station and hardware store be prosecuted for selling the products a terrorist uses to make a bomb with?
NRRPT/RCT