Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security The Courts United States

The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com) 199

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggest that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.

Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.
This discussion has been archived. No new comments can be posted.

The Kronos Indictment: Is it a Crime To Create and Sell Malware?

Comments Filter:
  • Adobe Flash (Score:5, Funny)

    by Albanach ( 527650 ) on Friday August 04, 2017 @01:22PM (#54941895) Homepage

    If I was a creator of Adobe Flash, I'd be worried right now.

  • by xxxJonBoyxxx ( 565205 ) on Friday August 04, 2017 @01:24PM (#54941919)
    Article 1: Google "charged for writing a virus" - it seems there's bunch of established case law on charging people for writing and distributing malware.

    Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

    I'd be interesting in knowing whether he actually built the thing and whether there was motive and intent, but quibbling over whether the Trojan was a "device" or an "apparatus" seems a bit pointless here.
    • And what if he built it for the NSA to allow them to gain UNAUTHORIZED access into computers? Does that change anything? If not, some companies could be in very big trouble.

      • Nope. When you're supplying the government there is a reasonable presumption that they already have checks and balances, there is no duty for the supplier to ask about that. Furthermore, the government is allowed to retain tools that have potential illegal uses. Even something at the extreme end, like a missile, which can be used for both legal or illegal targets. It also is known to be able to land in the intended place, or even in an UNAUTHORIZED place. And yet, it is still legal for the government to hav

    • by davecb ( 6526 )

      I just googled for "charged for writing a virus" and found ... Marcus Huchins!

      Better to google for "convicted for writing a virus", which gives examples of people convicted for _running_ a virus, and is ambiguous about the writing.

      Best to try google scholar, and select the "case law" option

    • Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

      And that is where a lot of the information security professionals are concerned. There are several programs and methods used in information security research and penetration testing that would fall under that category, one example being the Meterpreter shell [rapid7.com] in the Metasploit framework. If this case results in a conviction under those charges you can bet many companies and researchers would hesitate to publish their tools for fear of being the next target on an ambitious DA's hit list. Criminalizing tools b

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Friday August 04, 2017 @01:26PM (#54941935) Homepage Journal

    The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.

  • He's screwed

  • by mysidia ( 191772 ) on Friday August 04, 2017 @01:34PM (#54942007)

    Counts two, three and four all allege violations of 18 U.S.C. 2512.

    Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.

    Since when is it illegal in the UK to make wiretapping devices, and to sell them?
    The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.

    • By the ridiculous logic of this case, a (foreign national) knife maker could be charged as an "accessory to murder".
      • by zlives ( 2009072 )

        but not a gun manufacturer, settled law.

      • If you build a knife in the UK, and advertise it in the US as being better at murder than a regular knife, and Americans send you money to buy it, and you ship it to them, and they commit murders with it, you in fact you committed numerous crimes in the United States.

        Being a foreign national isn't some sort of diplomatic immunity! lol

        When you sell an item to a person in another country, it is up to you to know if it is legal to sell the thing in that country. If you only want to deal with your own country's

    • by F.Ultra ( 1673484 ) on Friday August 04, 2017 @01:49PM (#54942151)
      Since when have the US courts bothered with what is legal or illegal in other countries?
  • That depends on where you live/are, who they have extradition treaties with, and their willingness to enforce the existing laws/treaties against YOU.

    If you're talking about a U.K. security researcher, arrested in Las Vegas, Nevada, then I would say yes. If you're talking about a software company based in Ukraine, then I would say no.

    • They didn't extradite him. They didn't even try, nor did the UK charge him. They found out he was coming to the US and went after him.
  • I'm not a lawyer so I couldn't accurately say if it is, or isn't illegal.

    However, I will say I don't think writing Malware per se is necessarily an arrest-able crime. Unless it impacts someone negatively.

    If you write Malware for research purposes, and it stays locked in your network. No-one can argue that that should be punishable.

    If you write Malware and that Malware impacts another human being (intentionally or not) YES you shoulder some of the responsibility and should be held accountable.

    It's not ille

  • by Craig Cruden ( 3592465 ) on Friday August 04, 2017 @01:45PM (#54942113)
    If he wrote the virus and sold it with the knowledge that this was neither an academic exercise or proof of vulnerability and he knew or should have known the tool that he wrote was going to be used to commit crimes... then yes - he should be charged with at least being an accessory to the crimes.

    Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.
    • by future assassin ( 639396 ) on Friday August 04, 2017 @02:10PM (#54942359)

      When someone forgot the combo or for someone who collects safes and treasure haunts for safes or uses them in a business that unlocks safes for people who lost their combos.

  • ...unless you sell it to the Five Eyes because our governments' hypocrisy knows no bounds.

  • Apparently 18 U.S.C. 2512 amounts to a noun a verb and...

    " manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or "

    Sure would love to know what "prim

  • For example is metasploit malware? If not the framework itself what about an exploit module someone authored?

    Some will argue about some test being, "does this thing have a legitimate use case" The problem is one man's testing tool is another mans hacking tool.

    We have been down this road over and over again, with things like lock picks. Probably the only solution here is to potentially classify this type of software as "burglars tools" or similar. Where its not illegal to produce/sell/possess but if you

    • The lines are very simple. Don't create or sell the device for the purpose of others committing crimes.
      For example with your lock picks. In most US States you can carry and sell the lock picks all you want. You can even hold classes teaching people how to lockpick the masterlock model 22F and all is good and legal with that. However it someone came up to you and said "tell me how to lock pick the masterlock model 22F because I want to break into a house protected by one" then you are in trouble.
      • by dbIII ( 701233 )
        I'm not so sure it's seen as that simple.
        There was that guy that was charged with teaching people how to get good results when subjected to a "lie detector", which is similar to those lockpick classes. Those people who scam the taxpayer by selling snake-oil "lie detector" services are really the ones that need to be imprisoned IMHO.
        So, Chinese style, the current case and that guy undermining the "lie detector" scammers seem to have commited the crime of pissing off government employees that should have muc
        • The lie detector case was similar he advertised to those people required to take a poly for federal positions. He would work with people that hired him on things they wanted to lie about and then instructed them to lie when asked if they got training.
          This made him guilty of working with those people to defraud the government and since they benefited from getting money(salary) they were not eligible for and since he deliberately assisted them in the defrauding and profited from that he was guilty of variou
          • by dbIII ( 701233 )

            So according to you the FBI released the Wannacry and planned to use to that as some master planning in taking over a part of the world.

            WTF? Did I have to put the words I used above "unlikely outside of a Bond movie" in flashing text the full height of the screen or something?

            Oh that's right, you saw it but you want some reason to attack to give your life meaning or something so pretended it wasn't there - how utterly pathetic.
            WTF is it with people being so deliberately and obviously dishonest just so the

            • You are the one that believes in your words that "people in the FBI etc wanted to use the chaos as an excuse for departmental empire building (almost certain) " so how could they of done what you said without releasing it?
              • by dbIII ( 701233 )

                so how could they of done what you said without releasing it?

                The same way they have a pile of press releases and request for extra funding every time there is a "cybersecurity" threat no matter where it comes from - as you obviously well know but wish to appear utterly ridiculous by pretending you do not.
                WTF is it with this stupid game? Is your life really so empty?

                The kiddies may not know how such tedious workplace politics of profiting from chaos works (which is why I mentioned it) but you have no such

  • Was the first website I saw taken down of many in the future. A malware data base, taken down as it could harm other sites. https://www.google.com/search?... [google.com]

  • From the summary above it kind of looks like someone has decided to charge Hutchins and has gone through the books looking for something that can be twisted to fit.
    Not a good look FBI or whoever is calling the shots here.
    If you want a high profile arrest go for the guy behind the Stratfor crack - if you can't find him ask your payroll department (people who don't know the story of how that crack was carried out by an FBI informant and how he was not charged should look it up - interesting story and shows ho
  • Creating malware? Guilty as charged. I do that occasionally on behalf of my clients that want to know whether their security is as tight as they think it is. This is of course very specific software, written with rigid restraints when it comes to propagation and what machines the "malware" may affect at all to ensure that nobody outside gets hit by it and of course without any malicious payload, but the whole criteria for malware are fulfilled. Installation without the user's consent (but of course the mach

"Conversion, fastidious Goddess, loves blood better than brick, and feasts most subtly on the human will." -- Virginia Woolf, "Mrs. Dalloway"

Working...