Slashdot Mirror


The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com)

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggests that the government will face significant legal challenges.

Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.

Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.

20 of 199 comments

  1. Adobe Flash by Albanach · · Score: 4, Funny

    If I was a creator of Adobe Flash, I'd be worried right now.

    1. Re:Adobe Flash by NoNonAlphaCharsHere · · Score: 2

      If I was a creator of Adobe Flash, I'd be worried right now.

      Yeah, all them villagers at the gate with torches and pitchforks would make me nervous, too.

  2. Seems legit. (Seriously.) by xxxJonBoyxxx · · Score: 4, Interesting

    Article 1: Google "charged for writing a virus" - it seems there's a bunch of established case law on charging people for writing and distributing malware.

    Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

    I'd be interested in knowing whether he actually built the thing and whether there was motive and intent, but quibbling over whether the Trojan was a "device" or an "apparatus" seems a bit pointless here.

  3. Yes, this time it is by Bruce Perens · · Score: 5, Insightful

    The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.

    1. Re:Yes, this time it is by Bruce Perens · · Score: 4, Insightful

      Well, welcome back to Slashdot then.

      I think you are missing a critical distinction. Let's compare a gun and an improvised explosive device (IED). The gun can be used to keep your family fed with venison, etc. It only shoots where you aim it, if properly operated by a trained person and kept locked up the rest of the time. If you were to set a deadfall trap, you'd have to place signs around it warning people away, or you'd be liable for anyone who was hurt. You can't really kid anyone that you've made an IED as a hunting weapon or to remove a tree stump. It's purpose built to surprise someone and maim or kill them.

      As far as I've heard, this trojan was meant to eavesdrop on communications and pick up banking credentials. It's not a tool that sysadmins use to remotely assist some naive user. Those things require the user to authorize them first. This trojan just sneaks up on you and eavesdrops, for someone who intends to scoop out your bank account.

      The court is not going after the person who wrote the compiler or assembler meant to produce it, or even the libraries it might use. It's going after an action committed with conscious bad intent.

    2. Re:Yes, this time it is by Beerdood · · Score: 3, Insightful

      The point the GP was making wasn't the point that "if something can be used for EVIL, so we should hold the manufacturer liable if it is". The point was that if you manufacture something with no good or legitimate purpose or if it's obvious the intent is *PURELY* for malice or criminal activities, then the creator should be held liable. This software wasn't something designed for white hats to find security vulnerabilities.

      A considerable number of slashdot readers seem to have this weird quasi-libertarian notion that creating something with the intention of malice or subverting the law is just fine and dandy, and the creators should be absolved of responsibility - see The Pirate Bay and Silk Road. "What??? I just created the dark net trading platform that's hidden to authorities!! It's not MYYYY fault if people use it for CP, assassination attempts and selling slaves... It's not like I did the actual crimes!". If your creation has 99% illegitimate uses or is used by 99% of the users for illegitimate & illegal purposes, then maybe you totally knew that when you created it and should be held responsible.

      Reminds me of that Death Ray quote from Futurama "Amy, technology isn't intrinsically good or evil. It's how it's used. Like the Death Ray.". But even the fucking death ray sounds like it has more legitimate uses than this malware (like potentially killing cancer cells, parasites, or warding off an invading force from Omicron Persei 8)

      --
      Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
  4. Re:If treasonous collusion isn't a crime... by x0ra · · Score: 2, Insightful

    By the same standard, Obama would get life sentence for his involvement in Operation Fast and Furious.

  5. Re:Wait, what? by Anonymous Coward · · Score: 2, Informative

    He committed a crime that affected U.S. businesses within the United States, then he entered the United States. So, yes.

  6. Manufacturing Wiretapping devices? by mysidia · · Score: 3, Insightful

    Counts two, three and four all allege violations of 18 U.S.C. 2512.

    Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.

    Since when is it illegal in the UK to make wiretapping devices, and to sell them?
    The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.

    1. Re:Manufacturing Wiretapping devices? by F.Ultra · · Score: 3, Insightful

      Since when have the US courts bothered with what is legal or illegal in other countries?

  7. Accessory to the crimes committed with it. by CraigCruden · · Score: 3, Insightful

    If he wrote the virus and sold it with the knowledge that this was neither an academic exercise nor proof of vulnerability and he knew or should have known the tool that he wrote was going to be used to commit crimes... then yes - he should be charged with at least being an accessory to the crimes.

    Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.

    1. Re:Accessory to the crimes committed with it. by Obfuscant · · Score: 2

      This is where things get complicated. If he builds the safe cracking device and sells exclusively to licensed locksmiths, is he guilty if one of his devices is stolen and used to rob someone?

      Not that complicated. The device was built for a legal purpose, and was sold to a person who was a legal user. What would he be guilty of, conspiracy to use a legal device in a legal way?

      Is he guilty if the locksmith he sells to moonlights as a thief?

      Same answer. He is not responsible if the legal user uses it for some other purpose.

      Is he guilty if he doesn't sell the device to anyone and just keeps it for himself cracking his own safe and those of his friends?

      Guilty of what?

      A tool is a tool. Neither good nor evil.

      A fine rationalization, but untrue. Tools that have legitimate purposes are neither good nor evil, but a tool that has no purpose other than to break the law is not good.

      A hammer can be used to drive a nail, or hit someone on the head to kill them. A hammer, therefore, is neither good nor evil. A fully functioning malware program that has no purpose other than attacking other people has no legitimate purpose, therefore it is evil in itself. If the only thing a hammer could be used for was hitting someone on the head to kill them then it would join "malware" as being evil.

      It's best to let a jury sort something like this out.

      For a jury to sort it out, there has to be a charge and an arrested suspect. That's what is going on now.

  8. Well I did build the device to unlock safes by future assassin · · Score: 3, Interesting

    When someone forgot the combo or for someone who collects safes and treasure hunts for safes or uses them in a business that unlocks safes for people who lost their combos.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re: Well I did build the device to unlock safes by Brockmire · · Score: 2

      Your sentence is hard to parse, but sounds like you're saying that the device is authorized by owner, which is not illegal. Not sure what point you were making that the GP didn't already make clear.

  9. Re:Is writing code a crime? by Aighearach · · Score: 2

    There is no rabbit hole.

    Intent has to be provable. If a security researcher arranges for their code to end up in the hands of people who will use it to commit a crime, the question is, can the prosecutor prove that he intended to? No rabbit hole, that is the same situation as every time an accomplice is arrested.

    In your examples, you don't say anything that demonstrates intent, so the answer is that those are all fine, and you should know it when you propose them because you're not even talking about intent.

    Intent is all that matters. Having random ideas doesn't instruct you in law. Stop trying to think up an answer, and just look it up.

  10. Re:If treasonous collusion isn't a crime... by Aighearach · · Score: 2

    That has nothing to do with anything.

    7-11 benefits when a bank robber buys Cheesypoofs. It means nothing.

  11. Re:Seems legit. (Seriously.) by Aighearach · · Score: 2

    Nope. When you're supplying the government there is a reasonable presumption that they already have checks and balances, there is no duty for the supplier to ask about that. Furthermore, the government is allowed to retain tools that have potential illegal uses. Even something at the extreme end, like a missile, which can be used for both legal or illegal targets. It also is known to be able to land in the intended place, or even in an UNAUTHORIZED place. And yet, it is still legal for the government to have missiles.

    If you're going to substitute the word "allow" for the word "intend," you should probably just close any browser window whenever you see the word "law" on the page. But even if you had that part right, the government is allowed to possess tools whose intended purpose is "unauthorized."

  12. Re: Going against Betteridge by shellster_dude · · Score: 2

    Who are you to decide what has only "Legal" and "Legitimate" uses? There is likely still a good mens rea case to be made probably against this guy based on what he said while selling Kronos and/or providing tech support for clearly illicit usage, but that remains to be seen. I do red team work on a daily basis. The tools I use are very similar and used for a legitimate and lawful purpose. In fact, I write many of my own tools, if I were to sell them, am I also guilty of a crime?

  13. Re:Seems legit. (Seriously.) by Mr. Shotgun · · Score: 2

    Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

    And that is where a lot of the information security professionals are concerned. There are several programs and methods used in information security research and penetration testing that would fall under that category, one example being the Meterpreter shell in the Metasploit framework. If this case results in a conviction under those charges you can bet many companies and researchers would hesitate to publish their tools for fear of being the next target on an ambitious DA's hit list. Criminalizing tools based on their functionality rather than the users' actions with them could have a very chilling effect on information security research.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  14. Re: Going against Betteridge by saloomy · · Score: 2

    This. Making malware is not illegal. It is intact software. It would be akin to writing down (in a notepad) how the malware works. That is protected by free speech. We can make demonstration software, we can make examples, and hack our own systems. All of that is perfectly legal.

    Selling those tools to someone else (like an anti-virus company) is also legal. The law states that you can not hack into a system without authorization, not that you can not own hacking tools.

    Furthermore, intent has everything to do with motive and therefore the charges that accompany it (did he kill someone accidentally through negligence / did he kill someone intending to kill the person / did he plan to kill someone over a longer period of time and execute his plan), and intent is written in law. It's up to the DA, the courtroom, and the defense to argue the merits of intent. It is not up to a seller to interpret intent, or be held liable for failing to do so. If a seemingly crazed person walks into a car dealership, visibly upset, and buys a car; then takes the car and mows down their cheating significant other, is the dealer liable for her Murder 1? No.

    Expansions like this in law make me sick. Read the fucking constitution, then explain to Marcus Hutchins why he isn't wrong.