Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com)

Posted by msmash on from the what-the-law-says dept.

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggest that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.

Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.

118 of 199 comments (clear)

  1. Adobe Flash by Albanach · · Score: 4, Funny

    If I was a creator of Adobe Flash, I'd be worried right now.

    1. Re:Adobe Flash by NoNonAlphaCharsHere · · Score: 2

      If I was a creator of Adobe Flash, I'd be worried right now.

      Yeah, all them villagers at the gate with torches and pitchforks would make me nervous, too.

    2. Re:Adobe Flash by Chris+Mattern · · Score: 1

      Wow. Did you try the lost and found when you were looking for your sense of humor?

    3. Re:Adobe Flash by PIBM · · Score: 1

      Hiring bad developers is a conscious decision by the management, with the known result of tons of vulnerabilities popping up. They have been perfecting that art for so long that the only way out will be shutting flash down totally in a few years...

    4. Re:Adobe Flash by vladimir.sakharuk · · Score: 1

      No good deed should be left unpunished.

    5. Re:Adobe Flash by the_skywise · · Score: 1

      pfft - never attribute to malice what can be attributed to stupidity!

    6. Re:Adobe Flash by BronsCon · · Score: 1

      I don't think they realize it's missing.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re:Adobe Flash by RockDoctor · · Score: 1

      villagers at the gate with torches and pitchforks would make me nervous, too.

      They're on the outside of the gate, which I'm fine with. It's what I'm locked into the building with that I'm worried about.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Re:If treasonous collusion isn't a crime... by drinkypoo · · Score: 1

    I don't know... some people seem to think that treasonously colluding with a hostile foreign adversary's attack on your country isn't a crime.

    Even if it's a crime, it's not treason if they are an ally, even if they are only an ally on paper.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Seems legit. (Seriously.) by xxxJonBoyxxx · · Score: 4, Interesting

    Article 1: Google "charged for writing a virus" - it seems there's bunch of established case law on charging people for writing and distributing malware.

    Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

    I'd be interesting in knowing whether he actually built the thing and whether there was motive and intent, but quibbling over whether the Trojan was a "device" or an "apparatus" seems a bit pointless here.

  4. Yes, this time it is by Bruce+Perens · · Score: 5, Insightful

    The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.

    --
    Bruce Perens.
    1. Re:Yes, this time it is by Spy+Handler · · Score: 1

      So if I find a vulnerability in Acme Corporation's custom in-house application, that exists nowhere else, and write a tool that specifically targets https://acmecorp.com/ and downloads their entire customer database, and sell it to someone who uses it to hack them, did I commit a crime or no?

      After all, I only wrote code and sold it, I did not personally hack their servers.

    2. Re:Yes, this time it is by Bruce+Perens · · Score: 4, Insightful

      Well, welcome back to Slashdot then.

      I think you are missing a critical distinction. Let's compare a gun and an improvised explosive device (IED). The gun can be used to keep your family fed with venison, etc. It only shoots where you aim it, if properly operated by a trained person and kept locked up the rest of the time. If you were to set a deadfall trap, you'd have to place signs around it warning people away, or you'd be liable for anyone who was hurt. You can't really kid anyone that you've made an IED as a hunting weapon or to remove a tree stump. It's purpose built to surprise someone and maim or kill them.

      As far as I've heard, this trojan was meant to eavesdrop on communications and pick up banking credentials. It's not a tool that sysadmins use to remotely assist some naive user. Those things require the user to authorize them first. This trojan just sneaks up on you and eavesdrops, for someone who intends to scoop out your bank account.

      The court is not going after the person who wrote the compiler or assembler meant to produce it, or even the libraries it might use. It's going after an action committed with conscious bad intent.

      --
      Bruce Perens.
    3. Re:Yes, this time it is by MobyDisk · · Score: 1

      ANYTHING can be used for evil.... It's the kind of clueless hysterical fear-mongering that you see when politicians say we need to ban encryption to stop crimes.

      Yes, anything can be used for evil. Encryption has legitimate uses. what about things that can *only* be used for evil? Is it a crime to create them? If not, is it a crime to distribute them to someone else to profit from? If not, is it a crime to sell them? If not, is it a crime to use them?

      This comes up in copyright too: DropBox is legal, but Mega was not. What's the difference since both tools can be used to distribute piracy? The argument is that the mens rea was different. But, this is a banking trojan. Are you saying it is legal to create a banking trojan and give to a hacker to sell? That seems like a stretch to me.

    4. Re:Yes, this time it is by Beerdood · · Score: 3, Insightful

      The point the GP was making wasn't the point that "if something can be used for EVIL, so we should hold the manufacturer liable if it is". The point was that if you manufacture something with no good or legitimate purpose or if it's obvious the intent is *PURELY* for malice or criminal activities, then the creator should be held liable. This software wasn't something designed for white hats to find security vulnerabilities.

      A considerable number of slashdot readers seem to have this weird quasi-libertarian notion that creating something with the intention of malice or subverting the law is just fine and dandy, and the creators should be absolved of responsibility - see The Pirate Bay and Silk Road. "What??? I just created the dark net trading platform that's hidden to authorities!! It's not MYYYY fault if people use it for CP, assassination attempts and selling slaves... It's not like I did the actual crimes!". If your creation has 99% illegitimate uses or is used by 99% of the users for illegitimate & illegal purposes, then maybe you totally knew that when you created it and should be held responsible.

      Reminds me of that Death Ray quote from futurama "Amy, technology isn't intrinsically good or evil. It's how it's used. Like the Death Ray.". But even the fucking death ray sounds like it has more legitimate uses than this malware (like potentially killing cancel cells, parasites, or warding off an invading force from Omicron Persei 8)

      --
      Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
    5. Re:Yes, this time it is by Bruce+Perens · · Score: 1

      There is a tendency, especially in our community, for people to attempt to logically explain their way out of fault for bad behavior. If the logic parses, they are able to convince themselves that the bad behavior is done by someone else or that they did not do it at all.

      Good people should point out these rationalizations for what they are.

      --
      Bruce Perens.
    6. Re:Yes, this time it is by Bruce+Perens · · Score: 1

      I don't think the word "improvised" means what you think it means.

      If somewhere there is an idiot who makes a fertilizer bomb to take out a tree stump, that person is not the topic of this discussion.

      --
      Bruce Perens.
    7. Re:Yes, this time it is by Aighearach · · Score: 1

      7-11 is just as popular with bank robbers as with accountants. It has nothing to do with anything, though.

      The reason it sounds like "clueless hysterical fear-mongering" is that when you read about some black hat malware author being arrested, you respond without having any details, and you wave your hands in the air and claim it is scary. Since you don't know anything about the story, your response swamps your data about the story, leaving your response to wank itself.

    8. Re:Yes, this time it is by the_skywise · · Score: 1

      It's a GOOD thing to prefer innocence over guilt, especially if you believe in an open society - these aren't even proper rationalizations. Even creation of things that are GOOD can be wrong. I can't build a nuclear reactor in my backyard. Even though I'm just trying to research safer designs!
      I'd be the first one to jump and say let this guy go but the charges here sound legitimate.

      He sold a tool that was knowingly used in the commission of a crime that did massive damage. Is he guilty? That's to be determined. Maybe he didn't know, in which case he's likely not culpable for all the charges. But that's the whole point of the trial.

    9. Re:Yes, this time it is by Bruce+Perens · · Score: 1

      So are we going to charge the NSA and CIA next for creating hacking tools?

      Wait a second. You are aware that the CIA commits other acts that would normally be characterized as crimes in the course of their operation.

      3-letter-agencies, the military, and to some extent undercover police get a pass, and there are laws supporting that.

      Not saying it's nice.

      --
      Bruce Perens.
    10. Re: Yes, this time it is by Brockmire · · Score: 1

      Yes, are you fucking stupid?

    11. Re:Yes, this time it is by kaizendojo · · Score: 1

      I knew SOMEONE would bring up a gun analogy. I'm just pleased this time it was the RIGHT one.

    12. Re: Yes, this time it is by revmoo · · Score: 1

      Exactly

      --
      I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.
    13. Re:Yes, this time it is by EETech1 · · Score: 1

      Metasploit? There's a module for nearly every known vulnerability.
      Thank goodness it's only for the good guys!

  5. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 2, Insightful

    By the same standard, Obama would get life sentence for his involvement in Operation Fast and Furious.

  6. Re:If treasonous collusion isn't a crime... by Kaenneth · · Score: 1

    And some percentage of oxygen atoms are involved in murders; it doesn't make them the cause.

  7. Re:Is writing code a crime? by Luthair · · Score: 1

    Well, you might be an accessory if you knew about it. Its an interesting question though, if you write something for a friend whom you have reason to believe would abuse it is that different than maintaining something openly that has the possibility for abuse?

  8. Doesn't matter by OzPeter · · Score: 1

    He's screwed

    --
    I am Slashdot. Are you Slashdot as well?
  9. Re:Wait, what? by Anonymous Coward · · Score: 2, Informative

    He committed a crime that affected U.S. businesses within the united states, then he entered the united states. So, yes.

  10. Manufacturing Wiretapping devices? by mysidia · · Score: 3, Insightful

    Counts two, three and four all allege violations of 18 U.S.C. 2512.

    Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.

    Since when is it illegal in the UK to make wiretapping devices, and to sell them?
    The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.

    1. Re:Manufacturing Wiretapping devices? by NoNonAlphaCharsHere · · Score: 1

      By the ridiculous logic of this case, a (foreign national) knife maker could be charged as an "accessory to murder".

    2. Re:Manufacturing Wiretapping devices? by zlives · · Score: 1

      but not a gun manufacturer, settled law.

    3. Re:Manufacturing Wiretapping devices? by F.Ultra · · Score: 3, Insightful

      Since when have the US courts bothered with what is legal or illegal in other countries?

    4. Re:Manufacturing Wiretapping devices? by Aighearach · · Score: 1

      If you build a knife in the UK, and advertise it in the US as being better at murder than a regular knife, and Americans send you money to buy it, and you ship it to them, and they commit murders with it, you in fact you committed numerous crimes in the United States.

      Being a foreign national isn't some sort of diplomatic immunity! lol

      When you sell an item to a person in another country, it is up to you to know if it is legal to sell the thing in that country. If you only want to deal with your own country's laws, have that foreigner come and visit your country, and sell it to them there! And make sure they don't involve you in any planning of whatever they're doing in the other country. It is actually very simple. If you sell products to people who will receive them in another country, you need to be following the laws of both countries.

  11. Who Defines Crime? by brian.stinar · · Score: 1

    That depends on where you live/are, who they have extradition treaties with, and their willingness to enforce the existing laws/treaties against YOU.

    If you're talking about a U.K. security researcher, arrested in Las Vegas, Nevada, then I would say yes. If you're talking about a software company based in Ukraine, then I would say no.

    1. Re:Who Defines Crime? by freak0fnature · · Score: 1

      They didn't extradite him. They didn't even try, nor did the UK charge him. They found out he was coming to the US and went after him.

  12. Re:If treasonous collusion isn't a crime... by Oswald+McWeany · · Score: 1

    By the same standard, Obama would get life sentence for his involvement in Operation Fast and Furious.

    Yeah, and Vin Diesel along with him.

    --
    "That's the way to do it" - Punch
  13. Re:Is writing code a crime? by Mr+D+from+63 · · Score: 1

    There is nothing wrong with selling poisoned candy to the weird neighbor the night before Halloween either.

  14. Re:Is writing code a crime? by JASegler · · Score: 1

    The problem with that is you head down a rabbit hole fast.

    If a security researcher writes a proof of concept exploit code that is then incorporated into malware is the security researcher now an accomplice?

    What about the old Backorifice tool? It could be used for good or evil.

    What about openssl? openssl can be used to encrypt the command and control communication for malware.

    Or even windows iteself. Between windows and visual studio you have everything you need to write, distribute and run malware. Therefore is everyone involved in writing windows, Visual Studio, etc an accomplice?

  15. Not a lawyer by Oswald+McWeany · · Score: 1

    I'm not a lawyer so I couldn't accurately say if it is, or isn't illegal.

    However, I will say I don't think writing Malware per se is necessarily an arrest-able crime. Unless it impacts someone negatively.

    If you write Malware for research purposes, and it stays locked in your network. No-one can argue that that should be punishable.

    If you write Malware and that Malware impacts another human being (intentionally or not) YES you shoulder some of the responsibility and should be held accountable.

    It's not illegal to have a vicious dog, but if your vicious dog escapes and mauls a child; you're partially responsible.
     

    --
    "That's the way to do it" - Punch
  16. Accessory to the crimes committed with it. by CraigCruden · · Score: 3, Insightful

    If he wrote the virus and sold it with the knowledge that this was neither an academic exercise or proof of vulnerability and he knew or should have known the tool that he wrote was going to be used to commit crimes... then yes - he should be charged with at least being an accessory to the crimes.

    Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.

    1. Re:Accessory to the crimes committed with it. by Anonymous Coward · · Score: 1

      Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.

      This is where things get complicated. If he builds the safe cracking device and sells exclusively to licensed locksmiths, is he guilty if one of his devices is stolen and used to rob someone? Is he guilty if the locksmith he sells to moonlights as a thief? Is he guilty if he knows/suspects that 1% of all locksmiths do something illegal with his device? 10%? 50%? 90%? Is he guilty if he doesn't sell the device to anyone and just keeps it for himself cracking his own safe and those of his friends? Is he guilty if one of his friends lies about having ownership of the safe he opens? It's a difficult line to draw.

      A tool is a tool. Neither good nor evil. Motivations and intentions are hard to judge and have an almost infinite capacity for shades of grey. It's best to let a jury sort something like this out.

    2. Re:Accessory to the crimes committed with it. by Obfuscant · · Score: 2

      This is where things get complicated. If he builds the safe cracking device and sells exclusively to licensed locksmiths, is he guilty if one of his devices is stolen and used to rob someone?

      Not that complicated. The device was built for a legal purpose, and was sold to a person who was a legal user. What would he be guilty of, conspiracy to use a legal device in a legal way?

      Is he guilty if the locksmith he sells to moonlights as a thief?

      Same answer. He is not responsible if the legal user uses it for some other purpose.

      Is he guilty if he doesn't sell the device to anyone and just keeps it for himself cracking his own safe and those of his friends?

      Guilty of what?

      A tool is a tool. Neither good nor evil.

      A fine rationalization, but untrue. Tools that have legitimate purposes are neither good nor evil, but a tool that has no purpose other than to break the law is not good.

      A hammer can be used to drive a nail, or hit someone on the head to kill them. A hammer, therefore, is neither good nor evil. A fully functioning malware program that has no purpose other than attacking other people has no legitimate purpose, therefore it is evil in itself. If the only thing a hammer could be used for was hitting someone on the head to kill them then it would join "malware" as being evil.

      It's best to let a jury sort something like this out.

      For a jury to sort it out, there has to be a charge and an arrested suspect. That's what is going on now.

    3. Re:Accessory to the crimes committed with it. by Obfuscant · · Score: 1

      That's the thing though - there are almost no tools that have no legitimate purposes.

      The malware that is the heart of this topic is one of the few.

      A 900Mhz frequency scanner can tap cell phone call in the hand of a criminal,

      I know of no scanners that can decrypt the digital signals of modern cell phones. When cell was analog, yes.

      Even crap like malware CAN have legitimate uses - such as testing of anti-virus products,

      You do not need a fully functioning, ready to run attack system to test defenses. There is little question that the author of this code intended it to be used to attack systems in violation of the law.

      For me at least though, I wouldn't have had a problem with him writing whatever he likes as long as it never left his computer.

      Irrelevant. This is not what happened.

      It seems a little odd to me though, that this fine line can be so narrow that the simple act of copying a file can be the difference between being legally ok,

      Oh, please. Selling malware to people you know are going to use it to attack other people's systems is not the "simple act of copying a file".

  17. Re:Is writing code a crime? by Anonymous Coward · · Score: 1

    Yes if he knowingly gave it to criminals then he's an accomplice. If didn't then he's still liable due to his gross negligence.

    Either way this guy is rightly screwed. I just hope he's found guilty of a crime. Then he gets to experience what happens when your back door is exploited.

  18. Of course... by Gravis+Zero · · Score: 1

    ...unless you sell it to the Five Eyes because our governments' hypocrisy knows no bounds.

    --
    Anons need not reply. Questions end with a question mark.
  19. Re:US power by Albanach · · Score: 1

    With this kind of theory, an American girl visiting Saudi Arabia can be detained because she was not wearing a head scarf while walking in the middle of LA....

    If Saudi law prohibited the non-wearing of headscarves in LA, and the American woman were then to visit Saudi Arabia, that's exactly what could happen. When you visit another country, you are subjecting yourself to their laws and judicial system.

    Similarly, many countries will prosecute over sexual abuse of minors, even if the abuse occurred in an overseas jurisdiction where it was not prohibited.

  20. Re:Is writing code a crime? by Anonymous Coward · · Score: 1

    Is building a pipe bomb illegal even if you don't explode it? What single element of a pipe bomb is against the law? What about distributing training dummies?

  21. Re:If treasonous collusion isn't a crime... by JoeyRox · · Score: 1

    That comparison is Quick and Spurious.

  22. Re:US power by freak0fnature · · Score: 1

    If you are a US citizen and live in a country that has lower taxes than the IRS, then this is true. That does not apply here as he is a UK citizen.

  23. Re:Gun Dealers by the_skywise · · Score: 1

    No it's not - it's already illegal to knowingly sell a gun to a felon. IF Kronos was sold with the known intent to be used for research or testing purposes than Hutchins has a defense - but I kinda doubt that.

  24. Re: Going against Betteridge by Anonymous Coward · · Score: 1

    i agree with what you're saying, but this is more like...

    1. a gun manufacturer makes a gun
    2. the gun manufacturer sells that gun to a person who says they intend to kill people

  25. Re:US power by freak0fnature · · Score: 1

    If I fire a bullet from Mexico or Canada that kills someone in the US, have I committed a crime? Can the US come after me even though the crime was committed from another country? Yes they can, and they should. If I build a rocket in UK, sell it to a guy in Canada, who launches it at someone in the US...is the guy in the UK liable to the US? That is where it gets messy.

  26. Re:Seems legit. (Seriously.) by Proudrooster · · Score: 1

    And what if he built it for the NSA to allow them to gain UNAUTHORIZED access into computers? Does that change anything? If not, some companies could be in very big trouble.

  27. Well I did build the device to unlock safes by future+assassin · · Score: 3, Interesting

    When someone forgot the combo or for someone who collects safes and treasure haunts for safes or uses them in a business that unlocks safes for people who lost their combos.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re: Well I did build the device to unlock safes by Brockmire · · Score: 2

      Your sentence is hard to parse, but sounds like you're saying that the device is authorized by owner, which is not illegal. Not sure what point you were making that the GP didn't already make clear.

  28. Fun with wiretapping devices by WaffleMonster · · Score: 1

    Apparently 18 U.S.C. 2512 amounts to a noun a verb and...

    " manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or "

    Sure would love to know what "primarily useful" is supposed to mean.

  29. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 1

    there is a notable difference. Guns ran in OFF were "military grade" full-auto weapons, not the knock-off semi-auto "lookalike" found in the civilian market.

  30. Re: Going against Betteridge by Aighearach · · Score: 1

    News flash, intent matters in law. Fucking "duh." Is that really that new? Where have you been the past 800 years?

    If you do something that is normally legal, but you do it to help somebody commit a crime, you're an accomplice. For example, driving a car is legal. Driving a getaway car at a robbery is not legal. Pointing at your drivers license doesn't help.

  31. Yes. Whether it should be is another question. by Anonymous Coward · · Score: 1

    We crossed this bridge long ago. There are people in prison today for loaning a phone to someone who then made a drug deal with it. If they had knowledge that the other person was likely to be making a drug deal, then they are guilty of felony conspiracy in a cut and dried way. Conviction, if charged, is near certain as the elements of the crime are often trivial to prove.

    Conspiracy is a commonly charged offense today. Interestingly, the crime itself never even has to be committed.

    Like much in law today, this crime is one that is applied when they want to apply it - usually based on whether or not the police or prosecutors approve of the lifestyle of the target. Technically, anyone writing a fictional crime novel or movie is committing conspiracy, but are they ever charged?

  32. Re:If treasonous collusion isn't a crime... by TheCastro1689 · · Score: 1

    That's not true, most guns that criminals use are sold by FFLs illegally, who then report them stolen.

  33. Re:Is writing code a crime? by Aighearach · · Score: 2

    There is no rabbit hole.

    Intent has to be provable. If a security researcher arranges for their code to end up in the hands of people who will use it to commit a crime, the question is, can the prosecutor prove that he intended to? No rabbit hole, that is the same situation as every time an accomplice is arrested.

    In your examples, you don't say anything that demonstrates intent, so they answer is that those are all fine, and you should know it when you propose them because you're not even talking about intent.

    Intent is all that matters. Having random ideas doesn't instruct you in law. Stop trying to think up an answer, and just look it up.

  34. Re:If treasonous collusion isn't a crime... by Aighearach · · Score: 2

    That has nothing to do with anything.

    7-11 benefits when a bank robber buys Cheesypoofs. It means nothing.

  35. Re:Seems legit. (Seriously.) by Aighearach · · Score: 2

    Nope. When you're supplying the government there is a reasonable presumption that they already have checks and balances, there is no duty for the supplier to ask about that. Furthermore, the government is allowed to retain tools that have potential illegal uses. Even something at the extreme end, like a missile, which can be used for both legal or illegal targets. It also is known to be able to land in the intended place, or even in an UNAUTHORIZED place. And yet, it is still legal for the government to have missiles.

    If you're going to substitute the word "allow" for the word "intend," you should probably just close any browser window whenever you see the word "law" on the page. But even if you had that part right, the government is allowed to possess tools whose intended purpose is "unauthorized."

  36. Re:Is writing code a crime? by parkinglot777 · · Score: 1

    There is nothing wrong with selling poisoned candy to the weird neighbor the night before Halloween either.

    Unless you know what your weird neighbor is going to do with the candy you sold (e.g. gives it to kids in the neighborhood), then it is the opposite...

  37. Re:Betteridge's Law of Headlines by Aighearach · · Score: 1

    Right, the answer is "no" but only because the title lacks some form of the word "intent."

    Don't expect that the technical answer to a poorly phrased question being "no" will end discussion, though.

    Is it a crime to create and sell malware? No.

    Is it a crime to create and sell software whose intent is malicious? Yes.

    The obvious conclusion is that being called a pejorative prefixed with mal- does not make you a criminal. Duh.

  38. Re:Wait, what? by Aighearach · · Score: 1

    It reminds me of the Scottish village council member who was pretending to be especially violated by a CIA airplane having once flown overhead, waving his fist at every airplane, shouting, "Nemo me impune lacessit!"

  39. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 1

    Exactly 0. Petty thugs will never sink $20k in any full-auto M-16 receiver sparsely available to the civilian market, nor will the apply for the NFA tax stamp and 6 month associated waiting period. They'll use off the self .380 snub-nose that have been in production for nearly 200 years.

  40. Re:US power by Aighearach · · Score: 1

    For somebody claiming to be worried about legal details like jurisdiction you seem exceptionally ignorant of those details.

    And yes, Saudi Arabia is free to make whatever laws they want, including if they wanted to make it illegal for any person to visit who ever walked in the middle of LA without a head scarf. It has nothing to do with anything, though.

    In this case, the crime he's accused of committing happened in the United States, and he was also arrested in the United States, so it is a lot more like if Saudi Arabia made it illegal to possess alcohol in Saudi Arabia, and then somebody gets arrested for smuggling it in. And they complain, "Golly, I was outside the country by the time it was delivered, how can your laws touch me?" Easily, is how.

  41. Re:US power by Aighearach · · Score: 1

    If I build a rocket in UK, sell it to a guy in Canada, who launches it at someone in the US...is the guy in the UK liable to the US? That is where it gets messy.

    If he is criminally liable depends on the details of the case, but he's a legit military target if they need to take it that far.

  42. Re:Is writing code a crime? by Anonymous Coward · · Score: 1

    Is building a pipe bomb illegal even if you don't explode it? What single element of a pipe bomb is against the law? What about distributing training dummies?

    In this case, yes, because federal law specifically makes it illegal to own "destructive devices" or the parts to readily assemble one.
    https://www.gpo.gov/fdsys/pkg/USCODE-2011-title26/pdf/USCODE-2011-title26-subtitleE-chap53.pdf
    See page 3034, destructive device.
    This is just an example of the multiple laws saying nope to your plan.

    However, there are exemptions so that fireworks would, within limits, be OK.
    No sane person uses pipe for homemade fireworks, though. I was a teenager when I did that and I don't consider teen as being sane.

  43. The trouble with this will be where the lines are by DarkOx · · Score: 1

    For example is metasploit malware? If not the framework itself what about an exploit module someone authored?

    Some will argue about some test being, "does this thing have a legitimate use case" The problem is one man's testing tool is another mans hacking tool.

    We have been down this road over and over again, with things like lock picks. Probably the only solution here is to potentially classify this type of software as "burglars tools" or similar. Where its not illegal to produce/sell/possess but if you have happen to have them in your possession while commuting some other crime its an aggravating offense.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  44. He Should Be Fine by Anonymous Coward · · Score: 1

    The media told me that wiretapping only means personally and physically climbing the Trump tower to connect a phone line. So this was obviously not wiretapping. Plus its not like he unmasked the personal information or anything. Since it all was just masked bank information of foreign nationals I'm sure CNN, WSJ, NYT, Fox News, and MSNBC will correct the record for us on this.

  45. Re:Is writing code a crime? by Mr+D+from+63 · · Score: 1

    There is nothing wrong with selling poisoned candy to the weird neighbor the night before Halloween either.

    Unless you know what your weird neighbor is going to do with the candy you sold (e.g. gives it to kids in the neighborhood), then it is the opposite...

    He told me he was going to see if he could figure out a way to tell the poison candy from regular, then he kind of gave me a weird laugh.

  46. Re:US power by Albanach · · Score: 1

    The European arrest warrant scheme allows European nations to request deportation of non-citizens from another EU nation for 32 different offenses with no dual-criminality requirement. That is, without even subjecting themselves to the law of the requesting nation by entering its borders.

    That goes far beyond what appears to be happening here where jurisdiction could probably be established by the objective territoriality principle. In other words, even without subjecting himself to US law by visiting, the alleged author of the code could potentially be deported because of the impact in the US. Visiting the US just made it a whole lot easier.

  47. Re: Going against Betteridge by shellster_dude · · Score: 2

    Who are you to decide what is has only "Legal" and "Legitimate" uses? There is likely still a good mens rea case to be made probably against this guy based on what he said while selling Kronos and/or providing tech support for clearly illicit usage, but that remains to be seen. I do red team work on a daily basis. The tools I use are very similar and used for a legitimate and lawful purpose. In fact, I write many of my own tools, if I were to sell them, am I also guilty of a crime?

  48. Re:Seems legit. (Seriously.) by davecb · · Score: 1

    I just googled for "charged for writing a virus" and found ... Marcus Huchins!

    Better to google for "convicted for writing a virus", which gives examples of people convicted for _running_ a virus, and is ambiguous about the writing.

    Best to try google scholar, and select the "case law" option

    --
    davecb@spamcop.net
  49. Re:The trouble with this will be where the lines a by will_die · · Score: 1

    The lines are very simple. Don't create or sell the device for the purpose of others committing crimes.
    For example with your lock picks. In most US States you can carry and sell the lock picks all you want. You can even hold classes teaching people how to lockpick the masterlock model 22F and all is good and legal with that. However it someone came up to you and said "tell me how to lock pick the masterlock model 22F because I want to break into a house protected by one" then you are in trouble.

  50. Re: Is writing code a crime? by Brockmire · · Score: 1

    Only exception allowed is in Monopoly.

  51. Re: If treasonous collusion isn't a crime... by Brockmire · · Score: 1

    Why? I can't speak to most, but definitely happens regularly. If you didn't know this, you're the retarded one.

  52. Re: Going against Betteridge by will_die · · Score: 1

    Alot depends on how you market it and where you sell it. Part of the charge is that the software was primarily marketed and sold where people expected to find cybercrime market items.
    There have been court cases where the product was marketed as spyware for monitoring your spouse and children. That was deemed as fully legal because the action of monitoring you children and even your spouse is legal. However go to a site where stalkers hang out and advertise and sell it and you will probably get into some problems.

  53. Re: US power by Brockmire · · Score: 1

    I don't think you understand laws. You can't make laws for other countries. You're missing the point the crimes committed happened in the US where US laws were broken. Your incorrect analogy would somehow require not wearing the headscarf IN Saudi Arabia.

  54. Re: Going against Betteridge by superdave80 · · Score: 1

    Your analogy is completely wrong. The reason you can manufacture and sell guns is that there are LOTS of legal uses for them. Can you name a legal reason to make and sell code whose only purpose is to break into other people's computers? Probably not. In fact, we specifically have laws against breaking into computers.

  55. Re: YES by Brockmire · · Score: 1

    What are "people guns"? Do they "fire" when pissing or ejaculating? Or are people the ammunition in a really large gun? Puts a new spin on "guns don't kill people, people do".

  56. Yes http://vx.netlux.org/ by Trax3001BBS · · Score: 1

    Was the first website I saw taken down of many in the future. A malware data base, taken down as it could harm other sites. https://www.google.com/search?...

  57. Missing the larger issue by VikingNation · · Score: 1

    There is a larger problem that is not being addressed. Companies that write insecure software and improperly manage their networks should be liable for damages as a result of their negligence.

  58. Re: Going against Betteridge by Obfuscant · · Score: 1

    The assumption that the manufacturer knows the mind of the customer has no place in a legal setting.

    If someone is selling a tool that has only illegal uses, it is pretty certain that the mind of the customer is known.

    In fact, I'll argue that assumption period does not belong in a courtroom.

    The level of proof is "beyond a reasonable doubt" not "beyond all doubt". Sometimes there are assumptions that are so reasonable and with such a high level of probability that they meet the "reasonable doubt" standard without being known as a fact.

    Legal ramifications should be based on fact

    Convenience store attendant is shot to death. Defendant was seen on a CCTV recording outside the convenience store holding a gun. CCTV shows him entering the store, and then running away. The CCTV inside the store was inoperable. The next person shown on CCTV entering the store called the police. Defendant was captured with a gun in his possession, which ballistics testing showed fired the fatal bullet.

    Do we allow the missing "fact" of actually seeing the fatal shot being fired by the defendant prevent a guilty verdict? After all, the defendant could argue that the gun he was holding in the videos was not the murder weapon and that he traded that gun with someone on the street following the murder, and gosh if it isn't just a remarkable coincidence that it turned out to be the murder weapon. Is that a reasonable story? There is no fact that says he did it, but I think his guilt was proven beyond a reasonable doubt. In a court where guilt must be fact he goes free. What do you think?

  59. Re: Serves him right. by Brockmire · · Score: 1

    Remember kids, don't pay attention to idiots with no comprehension of things.

  60. Re:Seems legit. (Seriously.) by Mr.+Shotgun · · Score: 2

    Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

    And that is where a lot of the information security professionals are concerned. There are several programs and methods used in information security research and penetration testing that would fall under that category, one example being the Meterpreter shell in the Metasploit framework. If this case results in a conviction under those charges you can bet many companies and researchers would hesitate to publish their tools for fear of being the next target on an ambitious DA's hit list. Criminalizing tools based on their functionality rather than the users actions with them could have a very chilling effect on information security research.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  61. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 1

    Operation Fast and Furious was about smuggling full-auto weapons across the mexican border, so your point is irrelevant. Those guns are being used to kill mexicans in the drugs wars, not gansta downtown Chicago. You're argument is at best irrelevant to the conversation.

  62. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 1

    We're not talking about killing yourself drinking, we're talking about the lethal consequences of alcohol *to other*. Once again, your argument is irrelevant.

  63. From the summary above ... by dbIII · · Score: 1

    From the summary above it kind of looks like someone has decided to charge Hutchins and has gone through the books looking for something that can be twisted to fit.
    Not a good look FBI or whoever is calling the shots here.
    If you want a high profile arrest go for the guy behind the Stratfor crack - if you can't find him ask your payroll department (people who don't know the story of how that crack was carried out by an FBI informant and how he was not charged should look it up - interesting story and shows how immunity deals should not be done).

  64. Re: US power by will_die · · Score: 1

    Unfortunately he is not wrong. there are some countries that have a policy called "universal jurisdiction" which does as he descibed.

  65. Re:The trouble with this will be where the lines a by dbIII · · Score: 1

    I'm not so sure it's seen as that simple.
    There was that guy that was charged with teaching people how to get good results when subjected to a "lie detector", which is similar to those lockpick classes. Those people who scam the taxpayer by selling snake-oil "lie detector" services are really the ones that need to be imprisoned IMHO.
    So, Chinese style, the current case and that guy undermining the "lie detector" scammers seem to have commited the crime of pissing off government employees that should have much better things to do. Whether "Wannacry" was some NSA masterplan (unlikely outside of a Bond movie) or people in the FBI etc wanted to use the chaos as an excuse for departmental empire building (almost certain) Hutchins has pissed off some people who are now using the power of the State against him. Where is oversight when you need it?

  66. Re:The trouble with this will be where the lines a by will_die · · Score: 1

    The lie detector case was similar he advertised to those people required to take a poly for federal positions. He would work with people that hired him on things they wanted to lie about and then instructed them to lie when asked if they got training.
    This made him guilty of working with those people to defraud the government and since they benefited from getting money(salary) they were not eligible for and since he deliberately assisted them in the defrauding and profited from that he was guilty of various crimes.
    If he had just stuck with generic classes, training on how to beat generic lie detectors, and not instructed them to lie when asked about the training he would of been good.

    So according to you the FBI released the Wannacry and planned to use to that as some master planning in taking over a part of the world. I believe you are the one needing oversight.

  67. WTF^2 by dbIII · · Score: 1

    So according to you the FBI released the Wannacry and planned to use to that as some master planning in taking over a part of the world.

    WTF? Did I have to put the words I used above "unlikely outside of a Bond movie" in flashing text the full height of the screen or something?

    Oh that's right, you saw it but you want some reason to attack to give your life meaning or something so pretended it wasn't there - how utterly pathetic.
    WTF is it with people being so deliberately and obviously dishonest just so they can argue?

    1. Re:WTF^2 by will_die · · Score: 1

      You are the one that believes in your words that "people in the FBI etc wanted to use the chaos as an excuse for departmental empire building (almost certain) " so how could they of done what you said without releasing it?

  68. Re: Going against Betteridge by saloomy · · Score: 2

    This. Making malware is not illegal. It is intact software. It would be akin to writing down (in a notepad) how the malware works. That is protected by free speech. We can make demonstration software, we can make examples, and hack our own systems. All of that is perfectly legal.

    Selling those tools to someone else (like an anti-virus company) is also legal. The law states that you can not hack into a system without authorization, not that you can not own hacking tools.

    Furthermore, intent has everything to do with motive and therefore the charges that accompany it (did he kill someone accidentally through negligence / did he kill someone intending to kill the person / did he plan to kill someone over a longer period of time and execute his plan), and intent is written in law. It's up to the DA, the courtroom, and the defense to argue the merits of intent. It is not up to a seller to interpret intent, or be held liable for failing to do so. If a seemingly crazed person walks into a car dealership, visibly upset, and buys a car; then takes the car and mows down their cheating significant other, is the dealer liable for her Murder 1? No.

    Expansions like this in law make me sick. Read the fucking constitution, then explain to Marcus Hutchins why he isn't wrong.

  69. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 1

    Arguably, you have only a one sided view on the issue. Gun *saves* much more lives than they do. The very fact that we live in a free world is above all thanks to a single kind of tools: firearms. You can keep throwing love and flower, but that will always be ineffective against lead. Also, gun saves lives everyday, that's why LEO carry them, that's why armored carriers personnel carry them, and that why the fucking elite who want to disarm us is surrounded by hundreds of them.

  70. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 1

    Also, leave the fucking ivory tower you live in. If it not for guns, people would use knives. Hell, the first murder ever was committed not with a full-auto weapon, but by a stick. Wake the fuck up, violence is an inherent part of mankind.

  71. Re: Going against Betteridge by JoelKatz · · Score: 1

    > If someone is selling a tool that has only illegal uses, it is pretty certain that the mind of the customer is known.

    I don't think there's any such thing as "a tool that has only illegal uses", unless you're talking about something that's illegal to possess. A person might want malware to:

    1) Test their skills at analyzing malware.

    2) Test their own defenses against malware.

    3) Perform lawful intercepts on their own equipment.

    4) Analyze to fingerprint to add additional detection patterns to existing malware detection systems.

    5) Own for bragging rights.

    6) Use by law enforcement pursuant to a warrant.

  72. Re: Going against Betteridge by JoelKatz · · Score: 1

    > In the case of Hutchins, his product is by design intended to be used in a way that is always illegal, so creating it in concert with someone who intends to use the product is being part of a conspiracy to commit illegal acts.

    What if a court authorized the use of the malware to gather evidence? In what way is the malware's design not perfect for that type of use too?

  73. Re:Is writing code a crime? by JoelKatz · · Score: 1

    You having reason to believe they would abuse it does not matter. You can sell a hammer to someone even if you have reason to believe they might use it to harm someone. The issue is whether you intended the harm or abuse or whether you conspired with them to commit the crime.

  74. of course by Reverend+Green · · Score: 1

    In USSA everything is illegal and everyone is guilty. So of course it's a crime. Duhhh.

  75. Re: Is writing code a crime? by Reverend+Green · · Score: 1

    Baizou sure do love the thought of torturing prisoners with forced sodomy. Tells you a lot about their character.

    The silver lining: history suggests that police states often end up devouring their own biggest proponents.

  76. Re:Is writing code a crime? by bongey · · Score: 1

    "But officer I never intended to speed , so it really isn't breaking the law"

  77. Re: Gun Dealers by Reverend+Green · · Score: 1

    Why be worried? We've had a full-on police state for over a decade. Not like this makes our current tyranny any more tyrannical than it already was.

  78. What matters is the intent by Opportunist · · Score: 1

    Creating malware? Guilty as charged. I do that occasionally on behalf of my clients that want to know whether their security is as tight as they think it is. This is of course very specific software, written with rigid restraints when it comes to propagation and what machines the "malware" may affect at all to ensure that nobody outside gets hit by it and of course without any malicious payload, but the whole criteria for malware are fulfilled. Installation without the user's consent (but of course the machine's owner), hiding from detection, informing a controlling server (the customer's own, of course), transfer of information, circumvention of anti-malware measures and so on.

    The same applies to "hacking". If that's outlawed, I'm not only out of a job, I belong behind bars because that's what I do all day long. Of course with the written consent of the owner of the machine(s) being hacked and at their own request, but nonetheless it is exactly the same procedure as if a malicious hacker tried to gain access (maybe with a little less brutality when it comes to the question whether the server survives it...).

    This is a necessity of security work. How do you plan to test your defenses if you disallow using the same tools, tricks and means that an actual attacker has at his disposal?

    In other words, the US is currently pretty much using a Zeiss scope to ensure it hits its own foot perfectly. Because one thing is certain, no security researcher worth his salt will willingly set foot into a country where simply being what he is and doing what he has to do to be good at his job means putting a foot into the slammer. Nope. Sorry. I'd rather visit a SecCon in Moscow at this point because the chance to get back home are higher.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  79. WTF^4 by dbIII · · Score: 1

    so how could they of done what you said without releasing it?

    The same way they have a pile of press releases and request for extra funding every time there is a "cybersecurity" threat no matter where it comes from - as you obviously well know but wish to appear utterly ridiculous by pretending you do not.
    WTF is it with this stupid game? Is your life really so empty?

    The kiddies may not know how such tedious workplace politics of profiting from chaos works (which is why I mentioned it) but you have no such excuse. Why act like you were born yesterday?

  80. Re:Going against Betteridge by slashrio · · Score: 1

    Did he 'set' or did he 'sell'?
    If the latter, what's the crime?

    --
    "Trump!!", the new Godwin.
  81. Re:If treasonous collusion isn't a crime... by slashrio · · Score: 1

    treasonously colluding with a hostile foreign adversary's attack on your country...

    I still haven't seen any evidence that 'Putin' did it, and not the NSA (or any other 3-letter deep-state organization for that matter).
    One very possible scenario:
    Wikileaks (Assange) announces release of emails from HC.
    Clinton's team comes up with the brilliant idea to divert the attention by staging a false flag software attack and to blame it on the Ruskis.
    Fucking brilliant. Nobody looked at the emails anymore and they brought Trump (oh shit, there's my godwin) in trouble.
    So I'd say: evidence required.

    --
    "Trump!!", the new Godwin.
  82. Re:If treasonous collusion isn't a crime... by slashrio · · Score: 1

    homocide: noun homocide \hä-m0-sd, h-\ : the deliberate and systematic destruction of the group of homosexual people.

    --
    "Trump!!", the new Godwin.
  83. Re:Is writing code a crime? by Aighearach · · Score: 1

    This situation though is at the other end; the prosecutor says they can prove intent. So he's going to need a pretty good story. Imagine, you're live-streaming from your car while speeding, and the prosecutor has the video. You won't be able to claim that the car was malfunctioning and driving fast on its own.

    A more applicable car-related situation would be of a person accused of reckless driving whose defense is they were avoiding a squirrel in the road. If everybody agrees there was really a squirrel, then the defense works. If the jury doesn't believe you that there even was a squirrel, you're guilty. So in this case, does the researcher have some excuse? (spoiler: no)

  84. From a different paradigm... by MercTech · · Score: 1

    Boiling down the indictment; it is like prosecuting a manufacturer of lock picks because a customer committed a burglary with his brand of lock pick.
    It could be argued that malware is a tool with only a malevolent function. This case may well set an interesting precedent.
    Can a gas station and hardware store be prosecuted for selling the products a terrorist uses to make a bomb with?

    --
    NRRPT/RCT
  85. Re: Going against Betteridge by Obfuscant · · Score: 1

    You're very good at rationalizing. You don't need malware to test your skills at analyzing other people's software. You don't need fully functional malware to test defenses against a specific attack vector. You don't need to intercept your own data, or hold it hostage. The purchasers of the malware weren't antivirus authors. If you aren't ready to use it, then bragging about owning a bit of software that you can use to shut down NHS is meaningless. And law enforcement isn't going to encrypt someone's files and hold them ransom as part of any warrant.

  86. Re: Going against Betteridge by JoelKatz · · Score: 1

    Nothing you said contradicts anything that I said.

  87. Re: Going against Betteridge by beastofburdon · · Score: 1

    Not in the US.

  88. Re:If treasonous collusion isn't a crime... by pr0fessor · · Score: 1

    Drunk drivers kill other people though his 250 a day is really far off it's more like 28 and as for your gun deaths the number is much higher though the majority of them are suicides and the number of gun homicides is closer to the number of drunk driving fatalities or fatal influenza.