
Should The FBI Have Arrested 'The Hacker Who Hacked No One'? (thedailybeast.com) 227

Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."

The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."

Mark Rumold, senior staff attorney at the EFF, tells Krebs "I don't read the government's complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this." Also skeptical is Allison Nixon, director of security research for New York City-based security firm Flashpoint. "Huddleston can claim the DRM is to prevent cybercrime, but realistically speaking the DRM is part of the payment system -- to prevent people from pirating the software or initiating a Paypal chargeback." Krebs writes:

Nixon, a researcher who has spent countless hours profiling hackers and activities on Hackforums, said selling the NanoCore RAT on Hackforums and simultaneously scolding people for using it to illegally spy on people "could at best be seen as the actions of the most naive software developer on the Earth. In the greater context of his role as the money man for Limitless Keylogger, it does raise questions about how sincere his anti-cybercrime stance really is."

And of course, the FBI's complaint also notes that the software was promoted on HackForums.net. The Daily Beast says Huddleston eventually realized "it was a terrible place to launch a legitimate remote administration tool. There aren't a lot of corporate procurement officers on HackForums," adding that at first Huddleston handed off the business, "while continuing to develop the code as an 'advisor' in exchange for 60 percent of every sale."

Slashdot reader Highdude702 believes Huddleston's arrest "is an outrage, and is a push too far, also in the wrong direction," calling it "the story of a script kiddie gone big time...arrested for being an accomplice to a crime committed by people he had never met, let alone knew well enough to commit crimes with."

What do Slashdot's readers think?
  • by Anonymous Coward on Saturday April 08, 2017 @10:41AM (#54198247)

    "I didn't murder someone" is a very commonly used claim among those who don't murder people. Would that "raise skepticism" and make one a target for a murder investigation? I don't think so. This is a chilling-effect arrest. They know this guy didn't hack someone, they're just trying to make the tool-makers' lives harder because the tools can be used for no good.

    • Bullshit logic. (Score:2, Insightful)

      by Anonymous Coward

      Time to arrest the manufacturers of trucks that are used to plow into civilians, hey?

      Almost every "hacking tool" has a beneficial use.

      • by epyT-R ( 613989 )

        Exactly. It exposes known vulnerabilities (at least to the author). Shutting these people down is just another form of security through obscurity.

      • Bullshit logic? Here's some budget logic.

        The FBI arrest three people.
        The FBI arrest 79 million people.

        In which case do they get the most money?

    • Do you arrest Glock cause someone was murdered with one of the pistols they made? What about Louisville Slugger cause someone was beaten with one of their baseball bats? How about Ford cause one of their cars was used to run someone down? Arresting the creator of a tool because of how it is being misused by others is highly questionable in any circumstance. I think most of the civilised world would agree that the responsibility for the use of such a tool in all the listed cases is on the person who used it

      • by Anonymous Coward

        Do you arrest Glock cause someone was murdered with one of the pistols they made?

        Yes, if Glock ran commercial ads stating their products were most and solely useful for murder and no other uses, they would likely be arrested or at least charged with crimes.

        What about Louisville Slugger cause someone was beaten with one of their baseball bats?

        Yes, again if Louisville Slugger specifically advertised their bats were most useful for assault and battery and less useful for baseball, they too would likely be in legal trouble for doing that.

        How about Ford cause one of their cars was used to run someone down?

        Once more, yes, if Ford advertized their cars as primarily useful in running over humans and were less useful as a form of transportation, t

        • Re: (Score:3, Informative)

          Comment removed based on user account deletion
          • by Zak3056 ( 69287 ) on Saturday April 08, 2017 @12:54PM (#54198677) Journal

            Handguns are mostly worthless as a means of hunting either for food or sport. The simple fact is that handguns are made to kill.

            Some thoughts on the above:

            1. Apparently "hunting" is not "killing" in your lexicon?

            2. Some handguns (though none I can think of made by Glock) are indeed used for hunting. This is what cartridges like .500S&W and .454Casull are for. I have friends who take deer or boar with them.

            3. There are other shooting sports beside hunting. Glocks appear quite frequently in some of them.

            4. Some handguns are made specifically for the purpose of punching holes in paper or knocking over steel plates, rather than for killing things. While they're capable of the latter, it would be akin to using a screwdriver as a hammer.

            Just saying.

            • 2. Some handguns (though none I can think of made by Glock) are indeed used for hunting. This is what cartridges like .500S&W and .454Casull are for. I have friends who take deer or boar with them.

              I thought I'd get into deer hunting after talking to some of my friends that hunt. Along with their exciting tales of deer hunting I heard horror stories of hunting during what we call "shotgun season". You see around here it is legal to hunt with a shotgun that fires "slugs", which is a shotgun shell loaded with a single projectile. In this case the "shotgun" is really just a rifle with a big slow bullet, or what I call a "slug gun". Anyway, since just about anyone can hit a deer with a $300 "slug gun"

              • "Anyway, since just about anyone can hit a deer with a $300 "slug gun" all the good hunting spots fill up real quick with inexperienced hunters on the few days when "slug gun" hunting is allowed."

                You can say the same thing about any rifle (well, .270 and higher...not sure I'd use a .22 for deer). A 12-gauge slug is what, three quarters of an inch wide? If you're a good marksman, you can group your shots at minute-of-angle, or 1 inch at 100 yards. Going from a one quarter inch wide bullet (.30) to 3/4 inc

            • Arizonan reporting in: Hikers carry handguns in bear country because hunting rifles are too heavy in the pack.

        • Explain how cigarettes are legal. They serve no benefit to anyone and murder millions of people every year.
          • The standard freedom argument: If people want to do something incredibly stupid and hazardous to their own health, that's their decision.

            It doesn't work very well for cigarettes though, as the rest of society eventually ends up footing the bill for their lung cancer, either through taxes or higher insurance premiums.

          • Historical reasons. If Walter Raleigh had visited Central Asia instead of the Americas, cannabis would be a legal health problem and tobacco would be a banned substance.

      • Making gun manufacturers liable for crime is exactly what admin carts spent the last eight years trying to do. Now that Republicans are in control, the jackboot is on the other foot.

      • by rtb61 ( 674572 )

        How about as a recruitment tool ie either work for us for free or spend the next ten years in jail. That is closer to the reality of what is going on.

    • The difference here is that the government doesn't even claim he hacked anyone. Usually when someone is arrested for murder says, "I didn't murder someone" the government is asserting that they did.
    • "I didn't murder someone" is a very commonly used claim among those who don't murder people. Would that "raise skepticism" and make one a target for a murder investigation? I don't think so. This is a chilling-effect arrest. They know this guy didn't hack someone, they're just trying to make the tool-makers' lives harder because the tools can be used for no good.

      If I was a gun manufacturer and someone used a gun I manufactured and sold to commit murder, am I an accomplice or guilty in the use of the gun?

      The guy made a hacking tool. It became available and hackers used it. Should the guy be found guilty of being an accomplice or even being charged as a hacker?

  • by Anonymous Coward on Saturday April 08, 2017 @10:41AM (#54198249)

    Well.. as outrageous as the OP makes it sound, you actually don't need to "hack" someone to break the law.

    There are lots of laws out there. For starters, trafficking in software or devices which circumvent security measures is often illegal. "Using" said device isn't necessary to run afoul of the law.

    The DMCA has strong anti-circumvention language for example. Other countries have similar laws.

    • by epyT-R ( 613989 ) on Saturday April 08, 2017 @11:11AM (#54198331)

      That doesn't make it immoral. This is a case of opportunists making use of bad laws they likely lobbied for.

    • by s.petry ( 762400 ) on Saturday April 08, 2017 @01:18PM (#54198765)

      If this person is guilty of developing a remote admin tool, then so are the developers of SSH, Citrix Desktop developers, Microsoft Remote Desktop developers, VMware developers, VNC developers, Oracle SGD developers, Apple remote control services, and any other remote admin tool or tool that could be used for remote admin. All of those tools are developed to avoid people seeing what you are doing, all are configurable ports to avoid detection, etc.. Ask any developer or security expert if those tools can be used for hacking, and the answer is "YES" across the board.

      The EFF should have stopped when they said it would have a chilling effect. It does, because this would make "not hacking" but developing a certain type of tool a crime.

      Now had the guy actually used the tools to commit a crime, he should be charged with a crime.

      This is no different than charging a gun manufacturer with murder because a gang member killed someone with a gun made by the manufacturer. This is tyrannical authoritarianism, plain and simple.

      • not that i necessarily agree with the following reasoning either, but i feel it's important to represent the case accurately.

        his offense was not developing a remote admin tool. i'm pretty sure that, were he to have just developed it and put it on github or a personal page or even offered it for sale with neutral language, that he would be fine. i believe this in part because a lot of people have released RATs and not been prosecuted.

        his offense, more specifically, was selling and promoting the tool as, basi

      • Re: (Score:2, Interesting)

        by Anonymous Coward
        No there is a distinct difference here. He wrote the tool explicitly to perform illegal activity and then sold it to those who intended to commit a crime. Just like a gun shop selling a gun isn't a crime, but if you sell a gun to a guy you know intends to go out and shoot people you are going to be fucked over majorly by the authorities and you will deserve it.
    • by jabuzz ( 182671 )

      How come the two Steves (aka Jobs and Woz) were never arrested then? They sold devices with the express intention of breaking the law. Or does the fact they used the money to start Apple give them a free pass?

      • I don't know, but lots of likely reasons:

        The laws around phreaking tools may have been inadequate at the time.

        They were not caught before the statute of limitations expired.

        There may never have been evidence of a specific crime.

  • RAT is just like TurboTax. Each has an intended purpose (Remote Administration / Tax Filing). Each can be used by criminals (unauthorized system administration for ransom / filing another person's taxes for refund). Poor business decisions about where to promote your product for maximum intended purpose sales is not a crime. Improper use of the product is a crime.
  • I would be happy if he went to jail ONLY IF executives of arms manufacturing also went to jail for killing people. Otherwise hacking tools do not hack, it is people that hack.

  • It's an outrage... (Score:3, Informative)

    by Anonymous Coward on Saturday April 08, 2017 @11:04AM (#54198305)

    ...every time the media kneejerkingly supports the bad guys!

    On or about November 21, 2013, HUDDLESTON caused an activation email to be sent to a customer who had purchased the Limitless key logger, knowing that individual intended to use the Limitless key logger for the purpose of committing unlawful and unauthorized computer intrusions. The email contained the license serial code and instructions for how to download and activate the keylogger.

    Guy is toast and rightly so.

    • by Orgasmatron ( 8103 ) on Saturday April 08, 2017 @12:16PM (#54198557)

      Good post - insightful and informative.

      Note that this is a different scenario than the hypothetical question asked in the article/summary. The key is "knowing that individual intended to use the Limitless key logger for the purpose of committing unlawful and unauthorized computer intrusions". This is the standard FBI quasi-entrapment operation.

      In my opinion, no tool should be illegal to make or sell as long as some legal use is possible, however improbable. Selling it to someone after you know that they intend to use it illegally, however, I'm willing to let law enforcement do their thing. (But I'd like to see some more public scrutiny of their methods, which smell like bullshit a bit more often than I'd like.)

  • This seems like an open and shut free speech case to me. Unless he gets a crap jury. I'd like to see us do away with those. The occasional legit jury nullification isn't worth all the people wrongly convicted because they're not personable enough to stand in front of a jury.
    • by tomhath ( 637240 )
      FTFA:

      “During the course of the conspiracy, Huddleston received over 25,000 payments via PayPal from Net Seal customers. As part of the conspiracy, Huddleston provided Shames with access to his Net Seal licensing software in order to assist Shames in the distribution of his Limitless keylogger. In exchange, Shames made at least one thousand payments via PayPal to Huddleston.”

      Conspiring to commit a crime is not free speech..

      • Net Seal is just software. It's not even a little illegal. It's license management software, like uPlay, Steam & Origin. He sold software to somebody who then committed a crime. We're right back where we started. It's the same as trying to sue a Gun manufacturer for selling handguns. Probably less so. With the gun manufacturer you could argue they weren't following all the laws/rules about selling guns (there are lots, and some folks toe the line pretty close on them). With software there's nothing to s
    • since when did free speech cover knowingly aiding and abetting a crime?
  • simple answer (Score:4, Insightful)

    by jmccue ( 834797 ) on Saturday April 08, 2017 @11:26AM (#54198355) Homepage

    Are gun manufacturers held responsible for deaths caused by their products ? I guess you know the answer now

    • Gun manufacturers are not guilty of the same crime as this person: the crime of not being wealthy.

    • Re:simple answer (Score:4, Insightful)

      by Richard_at_work ( 517087 ) on Saturday April 08, 2017 @12:05PM (#54198499)

      Do gun manufacturers hang out on "home invaders" forums touting their wares...?

      • by jopsen ( 885607 )

        Do gun manufacturers hang out on "home invaders" forums touting their wares...?

        Are the majority of people killed by handguns killed in justifiable self-defense?

        • Are the majority of people killed by handguns killed in justifiable self-defense?

          Are most defensive gun uses reported, or even result in a gun being fired?

          That's honestly the hardest part with this debate. We simply have no idea when the mere brandishing of a gun caused a potential victim to move on unharmed while the attacker left.

          I'd love to actually see some method of reporting and tracking DGU, just to know the answer, whatever it is.

          • I would assume gun uses are recorded. But I guess maybe not in the "wild west".

            Note. In other countries where guns aren't pervasive the mere act of drawing your gun, signaling that you have one, or flashing it, is considered use of force and must be reported (like any other act of violence).
            As an interesting statistic from Danish police 2015:
            Use of gun: 148 instances (a police officer drawing or signaling that he has a gun)
            Number of shots: 11 (of which 8 were warning shots)

            That's from ~10k police of
    • If you advertise your gun as being particularly good at stickups, if you sell the gun to someone you know will use it unlawfully, yes. Yes they are.
      If this guy can be proven to have knowingly sold tools to an individual who stated his illicit intent, or if he ever made any claims to its potential use illegally, he will likely be convicted. He likely will not be if it was just some pirates who used his software to hack.

    • If they advertise and sell it to criminals as ideal for committing crimes then yes they would be held responsible.
    • Are gun manufacturers held responsible for deaths caused by their products ?

      No, but they're also not advertising their wares on sites dedicated to exchanging tips for committing murder, nor are they providing customer support to people who are apparently engaged in murdering others.

      From the sounds of things, this guy was advertising on forums commonly used by hackers to sell their wares to each other, and was offering support to people who made it abundantly clear that they intended to use his software for illegal purposes.

  • My first instinct was to say 'no' before I had even read the summary based on the argument that if this guy should be arrested for making a legal admin tool that's been misused by hackers then the CEO of Beechcraft should be arrested because his planes are used to run drugs as well as passengers and legal cargo. However, it then occurred to me that even the evil trinity of Donald Trump, Steve Bannon and Mitch McConnell could not have turned the FBI into the holy inquisition this quickly. There must be more
  • by techesq ( 1669562 ) on Saturday April 08, 2017 @11:56AM (#54198461)
    Since we're operating under U.S. Federal law, our innocent until proven guilty developer will be able to force the prosecutors to prove their case and have a jury decide his fate. The government's case is this: if you're a developer of a legitimate remote admin tool and DRM tools, why are you marketing and supporting the product in a known criminally linked forum? What was your relationship with the convicted felon who distributed the Limitless keylogger tool? From the Krebs piece it appears he assisted (a prosecutor might say "conspired with") the developer of key logger crimeware to receive payments. This is a case of what did he know and when did he know it? This is not an easy case to prove, but there is probable cause to suspect something criminal was going on based on the totality of circumstances. The government will have its work cut out for it, but I think the "chilling" effect defense is weak. You're free to develop, market, and sell any type of RAT or DRM software you want. You cannot knowingly assist criminals commit cybercrime. Pretty simple in my book. If you think otherwise, hire a lobbying firm and buy your own legal exceptions to established laws like the gun lobby did ;)
    • It's also more of a tricky case than what you might imagine at first glance.
      All these people know what their customers are doing with their products. I am sure there are gun sellers who know with 100% certainty that when a certain type of person comes into his store that one of his guns is going to end up at a crime scene sooner rather than later. And yet you cannot discriminate even if you know the guy is part of a gang. There are gun sellers who know 90% of their sales go on to commit crimes. What is the

  • ssh/putty and RDP handle linux/unix/bsd and Windows remote administration perfectly well. The major difference is that you can't set up an sshd/putty/RDP server on your machine by clicking on an email attachment. Question... what legitimate use-cases are there which ssh/putty/RDP don't handle?

    • Pen testing is a legitimate use. If it's possible to create such a tool then it's necessary for security operatives to use such tools to treat the effects they would have when penetrating a particular network's security.

  • How long have we got before creating security software is deemed to be a crime? Think VPNs and PGP. Should Zimmerman be worried?
  • That game looks a bit like a retextured Ikaruga [youtube.com].

    If that's true: May $deity have mercy on your files!

  • > What do Slashdot's readers think?

    I think the FBI should fuck the hell off, along with the rest of the federal government. Their purpose isn't law enforcement, it's to violate our civil rights, instil fear, and keep the populace under the thumb of the elitists who run the government (for their own benefit).

    Seriously, we need to disband the FBI, the DHS (as Ron Paul said, "we fought World War II without a DHS"), ATF, TSA (a bunch of dumb-fucks who couldn't hack it at McDonalds), DEA, NSA, and pretty much the rest of the federal agencies. We don't need some massive, sprawling, byzantine, corrupt bureaucracy... we just need self-government.

    • > What do Slashdot's readers think?

      I think the FBI should fuck the hell off, along with the rest of the federal government. Their purpose isn't law enforcement, it's to violate our civil rights, instil fear, and keep the populace under the thumb of the elitists who run the government (for their own benefit).

      Seriously, we need to disband the FBI, the DHS (as Ron Paul said, "we fought World War II without a DHS"), ATF, TSA (a bunch of dumb-fu
    • DHS (as Ron Paul said, "we fought World War II without a DHS")

      During WWII, the US government (a) interned Japanese-Americans (b) rationed all manner of goods (c) had official propaganda departments aimed at US citizens and an official Office of Censorship (d) Diverted 40%+ of the economy to the military, etc. etc. etc. Whether an agency called the DHS existed, certainly far more reaching government intervention occurred. (Plus the military did homeland security; you know, at war and all).

  • “It’s a dual-use technology case,” says Grimmelman. “And you typically don’t get criminal liability in dual-use technology cases unless there’s a pretty clear intent to promote the criminal use instead of the legitimate ones.”

    The gummint is fully aware that it can't prove criminal intent, but it has the deep bench of lawyers while Huddleston has whatever late-night TV lawyer he can afford. .

  • by bombastinator ( 812664 ) on Saturday April 08, 2017 @09:08PM (#54200317)
    this situation reminds me very much of that man who published a book on how to cook methamphetamine at home. the book sold so well he became a multi millionaire though he made no meth. Of course using his book, hundreds of thousands died from addiction and explosions.

    was his an action of unmitigated evil for personal gain which ruined countless lives? YES

    Was it technically illegal when he did it? NO

    Is it reasonable to assume that anything not deemed actually specifically illegal should be accepted by society no matter how damaging it is? That appears to be the question. IMHO the answer is a resounding NO, but i am one man.
  • www.nirsoft.net have produced and given out a lot of useful software and many have found their way into hacking tools. I'd hate to see it stopped.
