
Microsoft Tricks Hacker Into Jail

CompotatoJ writes "Wired News reported that William 'IllWill' Genovese was sentenced to prison after being tricked by a Microsoft Investigator offering to pay $20 for a copy of the secret source code. From the article: 'The investigator then returned and arranged a second $20 transaction for an FBI agent, which led to Genovese's indictment under the U.S. Economic Espionage Act, which makes it a felony to sell a company's stolen trade secrets ... [Microsoft] has also expressed fears that making its source code public could allow hackers to find security holes in Microsoft products -- though, so far, intruders are doing fine without the source.'"
  • by vm146j2 ( 233075 ) on Monday January 30, 2006 @09:05AM (#14597533)
    FTFA Genovese would have had a viable defense had he gone to trial, because the documents were widely available on peer-to-peer networks at the time of the sale, said Mark Rasch, a former Justice Department cybercrime prosecutor.

    "This guy didn't participate in the misappropriation, and probably didn't conspire with anybody to misappropriate it," said Rasch, a vice president at security company Solutionary. "Once it's posted online, it's just not secret anymore. At some point it becomes public information."


    Microsoft must be getting really serious 'bout this issue; not any security issue, mind you, but a PR one, that's for sure.

    They went after some guy who tried to sell what he found, and then was dum enuf to sell for $40 online, but who had no connection whatsoever to leaking anything, and, by his own description, is less than the sharpest tack in the bulletin board:

    "Basically, everything I do, I do ass-backwards," Genovese said in an instant-messaging interview ahead of Friday's sentencing. "I like drawing, so I spray paint. I like music, so I took some radios of kids I hated in high school. I like computers, so I hack."

    Selling other people's stuff that you find laying around may not be legal or especially smart, but making a big deal out of the 800 billion lb. gorilla "catching" a petty criminal in the act ain't much news, either, unless MS wants to spend their PR highlighting their own incompetence....Oh, now I get it.

  • Re:Not entrapment (Score:1, Interesting)

    by Anonymous Coward on Monday January 30, 2006 @09:07AM (#14597545)
    I think everyone other than Microsoft realized the offer to sell was not meant to be taken seriously.
  • Trade secret law? (Score:5, Interesting)

    by Dr. Manhattan ( 29720 ) <(moc.liamg) (ta) (171rorecros)> on Monday January 30, 2006 @09:18AM (#14597595) Homepage
    My understanding was that if a trade secret gets out, the company doesn't really have any legal standing to go after people distributing it. They can go after the people who leaked or stole it, provided they actually did something illegal in the process of discovering it, but people that they give the secret to (so long as they weren't co-conspirators in the illegal acts) didn't do anything wrong under the law.

    So apparently this is wrong, or at least has been amended a bit by the act referenced in the summary. Would this guy have been in the clear if he'd just been offering a trade secret for download? (With source code, it's complicated by the fact that the code is subject to copyright, too, though. What if we were dealing with, say, the formula for Coca Cola, to take the canonical example?)

  • by BoneFlower ( 107640 ) <anniethebruce AT gmail DOT com> on Monday January 30, 2006 @09:23AM (#14597630) Journal
    Sharing the source code would make it easier to find bugs. I don't think anyone seriously disputes this.

    That's often the entire point. The hardest part of fixing a bug is often *finding* it. Unless you would prefer to leave it alone and hope for the best, you want your bugs, especially critical security flaws, to be found as quickly as possible so they can be fixed.
  • by fitchmicah ( 920679 ) on Monday January 30, 2006 @09:28AM (#14597650)
    Why not? There are warez FTPs and Hotlines and stuff that offer to sell you downloads... people post tons of crap on the internet... why isn't the FBI tracking down on people who buy domains and use them for kiddie porn? Look, this guy didn't do /anything/ ! This is completely ridiculous!
  • by ScentCone ( 795499 ) on Monday January 30, 2006 @09:33AM (#14597684)
    I see now. Since the government isn't supposed to engage in entrapment, private companies will. And since private companies are now becoming increasingly indistinguishable from governments... I guess we're all fucked.

    Are you so anxious to hate private businesses, and to think it's cool if people try to make $20 off of their stolen source code, that you're willing to pretend this jerk didn't advertise for the sale of the source code on his own web site? He wasn't "entrapped," he was advertising stolen stuff. Plus, he's obviously a complete moron.

    As for private companies looking after their own welfare... why do you suppose that retailers are forced to have security guards? Retail stores, especially the ones selling expensive, eBay-friendly stuff, are hit constantly by shoplifters and scam artists. But most local taxpayers would scream bloody murder if they had to pay for enough police officers to have one on hand in every department store in every mall, 7 days a week. So, private security is a big and (unfortunately) completely necessary line of work.

    You also seem to be forgetting about corporate/international espionage. Companies working on competitive products - especially those performing very expensive research - have to be continually vigilant against both inside and outside theft of their trade secrets, materials, financial plans, marketing campaigns, etc. If they don't use private security to help them deal with that, their only choice is to just put up with the consequences of seeing, say, a factory in China starting up production on something that the ripped-off research company just spent millions of dollars figuring out how to make, or they could... ask the government to provide trade security for every company? What would you say then, that the taxpayers are being forced to serve the corporations, blah blah blah? Exactly. So, when a company with a lot at stake has their own security people urgently tracking down people that are ripping them off (even some complete idiot advertising astoundingly sensitive stolen O/S source code for sale on his web site, and willing to take $20 for it), you can hardly bitch. Unless your position is that it's cool to steal sensitive information and sell it, in which case, let's start with yours: I can probably make $20 with your SSN and some other personal details. And that's too small to bother the police with, so I'm home free since you clearly don't think it's ethical for you to personally track down someone who rips you off.

    Oh, and try one of those fancy new high-tech online dictionaries. You can immediately, and without fear of prosecution, learn what entrapment [m-w.com] actually means.
  • by Merle Darling ( 33121 ) on Monday January 30, 2006 @10:04AM (#14597850) Journal
    Ok, first of all I think it's weird that MS can claim the source code is a trade secret in the first place. It's my understanding that in order for something to be classified as a trade secret it would have to be kept secret, and people who take it and distribute it would have to be pursued and dealt with. Otherwise the company loses its right to claim it as a trade secret. Witness how little (if anything) they've done about the code being swapped around for years now. Then again, IANAL, ISUCK, etc.

    Regardless, the guy was convicted of selling stolen trade secrets. He was a dumbass for selling it in the first place, but I digress.. It turns out that the penalty for POSSESSION of a stolen trade secret is up to 10 years in jail and a $250k fine. It's worth considering for those of you who might have copies stashed away in backups somewhere just for the hell of it.

    Not that I'd ever stoop so low as to possess stolen trade secrets, of course..

    (runs off to scour his hard drive)

    I wonder how hard it would be for MS to decide to scan your system for files with names matching those discovered on p2p networks. They could stick it in that monthly "Malicious Software Removal" tool in Windows Update, even. Ouch. I doubt it would work as evidence in a court but it would give them reason to suspect you or to attempt to gather evidence that WOULD stand up if they really wanted to bother charging everyone.
  • by Afecks ( 899057 ) on Monday January 30, 2006 @10:20AM (#14597939)
    I've known illwill for a very long time. We've both been in the same 'scene' for quite a while. The Windows backdoor programming scene. Most of the people in our little niche are sociopaths pure and simple. We know it's wrong but we don't really care. Saying illwill was tricked is pretty stupid. He knew it was wrong, he didn't care and he assumed no one else would. It's the same for many others, we just simply don't care. Now I'm sure illwill cares about going to jail for 2 years but that's fear of punishment, not fear of wrong doing. I'm sure even some of the more sane serial killers value their freedom.

    This being said, Microsoft has won nothing. He was responsible for distributing the source code to exactly 1 person, a Microsoft snitch. If it wasn't for the snitch taking him up on his offer there would have been nobody that cared. Taking away 2 years of a person's life over such trivial shit is appalling and only serves to make us more numb and hateful to the laws of our society.

    That being said, good luck illwill, we're going to miss your exploits and granny pr0n that you've posted in #trinity over the years!
  • Re:Semantics... (Score:3, Interesting)

    by hunterx11 ( 778171 ) <hunterx11@g[ ]l.com ['mai' in gap]> on Monday January 30, 2006 @10:27AM (#14598006) Homepage Journal
    Private citizens or entities cannot commit entrapment unless they are acting on behalf of the government. Microsoft could have blatantly pushed Genovese into doing something he otherwise wouldn't have done, and he would still be guilty (although in such a case, Microsoft might be guilty as well).
  • Re:Available on P2P? (Score:3, Interesting)

    by E++99 ( 880734 ) on Monday January 30, 2006 @12:25PM (#14599060) Homepage
    Yes, it is/was available on P2P, and I believe the article said that the Feds were his only customers. And, yes, lawyers are basically saying that there was no case, as the code was in the public domain at that point. However, the poor sap took the advice of the public defender, so he'll be spending 2 years in jail.

    I'd be all for going after the guy who originally distributed this, I think this case really sucks.
  • by E++99 ( 880734 ) on Monday January 30, 2006 @01:02PM (#14599387) Homepage
    http://illmob.org/ [illmob.org] It's pretty hilarious when he describes the "bust". The feds pound on the door early in the morning. He asks who's there, they say that some cars were broken into and they want to check if his was one of them. So... he gets his shoes on, goes out the BACK door to the parking lot. There's a guy in a bullet-proof vest guarding his car, who obviously has no idea that he's the guy they're coming to arrest. When he indicates that that's his car, he's like "oh, uh... did you talk to the men inside?" It's freakin hilarious. They should make a TV special on FBI busts gone bad.
  • Re:$200? (Score:3, Interesting)

    by Mattcelt ( 454751 ) on Monday January 30, 2006 @01:15PM (#14599496)
    Err, you know, Windows has had a stable API (and ABI) since 1.0.

    And it is this stubborn refusal to update the API that allows the same attacks (buffer overflows, etc.) to be successful through four generations of OS.

    Microsoft's vulnerabilities aren't just the result of pushy managers and sloppy coding - it's because the APIs weren't written with security in mind, and they have more holes than swiss cheese.
  • by Psykus ( 827143 ) on Monday January 30, 2006 @02:38PM (#14600181)
    The site is down, but of course Google still has a cache of it here:

    http://216.239.51.104/search?q=cache:7K18878iJ3gJ:www.illmob.org/+&hl=en&gl=us&ct=clnk&cd=1&client=firefox-a [216.239.51.104]
