The Kronos Indictment: Is it a Crime To Create and Sell Malware?

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggest that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes: The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.

Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage. In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.

Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.

Adobe Flash

[Albanach]

If I was a creator of Adobe Flash, I'd be worried right now.

Re:

[NoNonAlphaCharsHere]

If I was a creator of Adobe Flash, I'd be worried right now.

Yeah, all them villagers at the gate with torches and pitchforks would make me nervous, too.

Re:

[RockDoctor]

villagers at the gate with torches and pitchforks would make me nervous, too.

They're on the outside of the gate, which I'm fine with. It's what I'm locked into the building with that I'm worried about.

Re:

[the_skywise]

pfft - never attribute to malice what can be attributed to stupidity!

Re:

[Chris Mattern]

Wow. Did you try the lost and found when you were looking for your sense of humor?

Re:

[BronsCon]

I don't think they realize it's missing.

Seems legit. (Seriously.)

[xxxJonBoyxxx]

Article 1: Google "charged for writing a virus" - it seems there's bunch of established case law on charging people for writing and distributing malware.

Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

I'd be interesting in knowing whether he actually built the thing and whether there was motive and intent, but quibbling over whether the Trojan was a "device" or an "apparatus" seems a bit pointless here.

Re:

[Proudrooster]

And what if he built it for the NSA to allow them to gain UNAUTHORIZED access into computers? Does that change anything? If not, some companies could be in very big trouble.

Re:

[Aighearach]

Nope. When you're supplying the government there is a reasonable presumption that they already have checks and balances, there is no duty for the supplier to ask about that. Furthermore, the government is allowed to retain tools that have potential illegal uses. Even something at the extreme end, like a missile, which can be used for both legal or illegal targets. It also is known to be able to land in the intended place, or even in an UNAUTHORIZED place. And yet, it is still legal for the government to hav

Re:

[davecb]

I just googled for "charged for writing a virus" and found ... Marcus Huchins!

Better to google for "convicted for writing a virus", which gives examples of people convicted for _running_ a virus, and is ambiguous about the writing.

Best to try google scholar, and select the "case law" option

Re:

[Mr. Shotgun]

Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".

And that is where a lot of the information security professionals are concerned. There are several programs and methods used in information security research and penetration testing that would fall under that category, one example being the Meterpreter shell [rapid7.com] in the Metasploit framework. If this case results in a conviction under those charges you can bet many companies and researchers would hesitate to publish their tools for fear of being the next target on an ambitious DA's hit list. Criminalizing tools b

Yes, this time it is

[Bruce Perens]

The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.

Re:

[Spy Handler]

So if I find a vulnerability in Acme Corporation's custom in-house application, that exists nowhere else, and write a tool that specifically targets https://acmecorp.com/ [acmecorp.com] and downloads their entire customer database, and sell it to someone who uses it to hack them, did I commit a crime or no?

After all, I only wrote code and sold it, I did not personally hack their servers.

Re:Yes, this time it is

[Bruce Perens]

Well, welcome back to Slashdot then.

I think you are missing a critical distinction. Let's compare a gun and an improvised explosive device (IED). The gun can be used to keep your family fed with venison, etc. It only shoots where you aim it, if properly operated by a trained person and kept locked up the rest of the time. If you were to set a deadfall trap, you'd have to place signs around it warning people away, or you'd be liable for anyone who was hurt. You can't really kid anyone that you've made an IED as a hunting weapon or to remove a tree stump. It's purpose built to surprise someone and maim or kill them.

As far as I've heard, this trojan was meant to eavesdrop on communications and pick up banking credentials. It's not a tool that sysadmins use to remotely assist some naive user. Those things require the user to authorize them first. This trojan just sneaks up on you and eavesdrops, for someone who intends to scoop out your bank account.

The court is not going after the person who wrote the compiler or assembler meant to produce it, or even the libraries it might use. It's going after an action committed with conscious bad intent.

Re:

[kaizendojo]

I knew SOMEONE would bring up a gun analogy. I'm just pleased this time it was the RIGHT one.

Re:

[Bruce Perens]

I don't think the word "improvised" means what you think it means.

If somewhere there is an idiot who makes a fertilizer bomb to take out a tree stump, that person is not the topic of this discussion.

Re: Yes, this time it is

[revmoo]

Exactly

Re:

[MobyDisk]

ANYTHING can be used for evil.... It's the kind of clueless hysterical fear-mongering that you see when politicians say we need to ban encryption to stop crimes.

Yes, anything can be used for evil. Encryption has legitimate uses. what about things that can *only* be used for evil? Is it a crime to create them? If not, is it a crime to distribute them to someone else to profit from? If not, is it a crime to sell them? If not, is it a crime to use them?

This comes up in copyright too: DropBox is legal, but Mega was not. What's the difference since both tools can be used to distribute piracy? The argument is that the mens rea was different. But, this is a banki

Re:

[EETech1]

Metasploit? There's a module for nearly every known vulnerability.
Thank goodness it's only for the good guys!

Re:Yes, this time it is

[Beerdood]

The point the GP was making wasn't the point that "if something can be used for EVIL, so we should hold the manufacturer liable if it is". The point was that if you manufacture something with no good or legitimate purpose or if it's obvious the intent is *PURELY* for malice or criminal activities, then the creator should be held liable. This software wasn't something designed for white hats to find security vulnerabilities.

A considerable number of slashdot readers seem to have this weird quasi-libertarian notion that creating something with the intention of malice or subverting the law is just fine and dandy, and the creators should be absolved of responsibility - see The Pirate Bay and Silk Road. "What??? I just created the dark net trading platform that's hidden to authorities!! It's not MYYYY fault if people use it for CP, assassination attempts and selling slaves... It's not like I did the actual crimes!". If your creation has 99% illegitimate uses or is used by 99% of the users for illegitimate & illegal purposes, then maybe you totally knew that when you created it and should be held responsible.

Reminds me of that Death Ray quote from futurama "Amy, technology isn't intrinsically good or evil. It's how it's used. Like the Death Ray.". But even the fucking death ray sounds like it has more legitimate uses than this malware (like potentially killing cancel cells, parasites, or warding off an invading force from Omicron Persei 8)

Re:

[Bruce Perens]

There is a tendency, especially in our community, for people to attempt to logically explain their way out of fault for bad behavior. If the logic parses, they are able to convince themselves that the bad behavior is done by someone else or that they did not do it at all.

Good people should point out these rationalizations for what they are.

Re:

[the_skywise]

It's a GOOD thing to prefer innocence over guilt, especially if you believe in an open society - these aren't even proper rationalizations. Even creation of things that are GOOD can be wrong. I can't build a nuclear reactor in my backyard. Even though I'm just trying to research safer designs!
I'd be the first one to jump and say let this guy go but the charges here sound legitimate.

He sold a tool that was knowingly used in the commission of a crime that did massive damage. Is he guilty? That's to be

Re:

[Aighearach]

7-11 is just as popular with bank robbers as with accountants. It has nothing to do with anything, though.

The reason it sounds like "clueless hysterical fear-mongering" is that when you read about some black hat malware author being arrested, you respond without having any details, and you wave your hands in the air and claim it is scary. Since you don't know anything about the story, your response swamps your data about the story, leaving your response to wank itself.

Re:

[Bruce Perens]

So are we going to charge the NSA and CIA next for creating hacking tools?

Wait a second. You are aware that the CIA commits other acts that would normally be characterized as crimes in the course of their operation.

3-letter-agencies, the military, and to some extent undercover police get a pass, and there are laws supporting that.

Not saying it's nice.

Doesn't matter

[OzPeter]

He's screwed

Manufacturing Wiretapping devices?

[mysidia]

Counts two, three and four all allege violations of 18 U.S.C. 2512.

Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.

Since when is it illegal in the UK to make wiretapping devices, and to sell them?
The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.

Re:

[NoNonAlphaCharsHere]

By the ridiculous logic of this case, a (foreign national) knife maker could be charged as an "accessory to murder".

Re:

[zlives]

but not a gun manufacturer, settled law.

Re:

[Aighearach]

If you build a knife in the UK, and advertise it in the US as being better at murder than a regular knife, and Americans send you money to buy it, and you ship it to them, and they commit murders with it, you in fact you committed numerous crimes in the United States.

Being a foreign national isn't some sort of diplomatic immunity! lol

When you sell an item to a person in another country, it is up to you to know if it is legal to sell the thing in that country. If you only want to deal with your own country's

Re:Manufacturing Wiretapping devices?

[F.Ultra]

Since when have the US courts bothered with what is legal or illegal in other countries?

Who Defines Crime?

[brian.stinar]

That depends on where you live/are, who they have extradition treaties with, and their willingness to enforce the existing laws/treaties against YOU.

If you're talking about a U.K. security researcher, arrested in Las Vegas, Nevada, then I would say yes. If you're talking about a software company based in Ukraine, then I would say no.

Re:

[freak0fnature]

They didn't extradite him. They didn't even try, nor did the UK charge him. They found out he was coming to the US and went after him.

Not a lawyer

[Oswald McWeany]

I'm not a lawyer so I couldn't accurately say if it is, or isn't illegal.

However, I will say I don't think writing Malware per se is necessarily an arrest-able crime. Unless it impacts someone negatively.

If you write Malware for research purposes, and it stays locked in your network. No-one can argue that that should be punishable.

If you write Malware and that Malware impacts another human being (intentionally or not) YES you shoulder some of the responsibility and should be held accountable.

It's not ille

Accessory to the crimes committed with it.

[Craig Cruden]

If he wrote the virus and sold it with the knowledge that this was neither an academic exercise or proof of vulnerability and he knew or should have known the tool that he wrote was going to be used to commit crimes... then yes - he should be charged with at least being an accessory to the crimes.

Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.

Well I did build the device to unlock safes

[future assassin]

When someone forgot the combo or for someone who collects safes and treasure haunts for safes or uses them in a business that unlocks safes for people who lost their combos.

Re: Well I did build the device to unlock safes

[Brockmire]

Your sentence is hard to parse, but sounds like you're saying that the device is authorized by owner, which is not illegal. Not sure what point you were making that the GP didn't already make clear.

Re:

[Obfuscant]

This is where things get complicated. If he builds the safe cracking device and sells exclusively to licensed locksmiths, is he guilty if one of his devices is stolen and used to rob someone?

Not that complicated. The device was built for a legal purpose, and was sold to a person who was a legal user. What would he be guilty of, conspiracy to use a legal device in a legal way?

Is he guilty if the locksmith he sells to moonlights as a thief?

Same answer. He is not responsible if the legal user uses it for some other purpose.

Is he guilty if he doesn't sell the device to anyone and just keeps it for himself cracking his own safe and those of his friends?

Guilty of what?

A tool is a tool. Neither good nor evil.

A fine rationalization, but untrue. Tools that have legitimate purposes are neither good nor evil, but a tool that has no purpose other than to break the law is not good.

A hammer can be used to drive a nail, or hit someone o

Re:

[Obfuscant]

That's the thing though - there are almost no tools that have no legitimate purposes.

The malware that is the heart of this topic is one of the few.

A 900Mhz frequency scanner can tap cell phone call in the hand of a criminal,

I know of no scanners that can decrypt the digital signals of modern cell phones. When cell was analog, yes.

Even crap like malware CAN have legitimate uses - such as testing of anti-virus products,

You do not need a fully functioning, ready to run attack system to test defenses. There is little question that the author of this code intended it to be used to attack systems in violation of the law.

For me at least though, I wouldn't have had a problem with him writing whatever he likes as long as it never left his computer.

Irrelevant. This is not what happened.

It seems a little odd to me though, that this fine line can be so narrow that the simple act of copying a file can be the difference between being legally ok,

Oh, please. Selling malware to people you know are going to use it to attack other people's systems is

Of course...

[Gravis Zero]

...unless you sell it to the Five Eyes because our governments' hypocrisy knows no bounds.

Fun with wiretapping devices

[WaffleMonster]

Apparently 18 U.S.C. 2512 amounts to a noun a verb and...

" manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or "

Sure would love to know what "prim

The trouble with this will be where the lines are

[DarkOx]

For example is metasploit malware? If not the framework itself what about an exploit module someone authored?

Some will argue about some test being, "does this thing have a legitimate use case" The problem is one man's testing tool is another mans hacking tool.

We have been down this road over and over again, with things like lock picks. Probably the only solution here is to potentially classify this type of software as "burglars tools" or similar. Where its not illegal to produce/sell/possess but if you

Re:

[will_die]

The lines are very simple. Don't create or sell the device for the purpose of others committing crimes.
For example with your lock picks. In most US States you can carry and sell the lock picks all you want. You can even hold classes teaching people how to lockpick the masterlock model 22F and all is good and legal with that. However it someone came up to you and said "tell me how to lock pick the masterlock model 22F because I want to break into a house protected by one" then you are in trouble.

Re:

[dbIII]

I'm not so sure it's seen as that simple.
There was that guy that was charged with teaching people how to get good results when subjected to a "lie detector", which is similar to those lockpick classes. Those people who scam the taxpayer by selling snake-oil "lie detector" services are really the ones that need to be imprisoned IMHO.
So, Chinese style, the current case and that guy undermining the "lie detector" scammers seem to have commited the crime of pissing off government employees that should have muc

Re:

[will_die]

The lie detector case was similar he advertised to those people required to take a poly for federal positions. He would work with people that hired him on things they wanted to lie about and then instructed them to lie when asked if they got training.
This made him guilty of working with those people to defraud the government and since they benefited from getting money(salary) they were not eligible for and since he deliberately assisted them in the defrauding and profited from that he was guilty of variou

WTF^2

[dbIII]

So according to you the FBI released the Wannacry and planned to use to that as some master planning in taking over a part of the world.

WTF? Did I have to put the words I used above "unlikely outside of a Bond movie" in flashing text the full height of the screen or something?

Oh that's right, you saw it but you want some reason to attack to give your life meaning or something so pretended it wasn't there - how utterly pathetic.
WTF is it with people being so deliberately and obviously dishonest just so the

Re:

[will_die]

You are the one that believes in your words that "people in the FBI etc wanted to use the chaos as an excuse for departmental empire building (almost certain) " so how could they of done what you said without releasing it?

WTF^4

[dbIII]

so how could they of done what you said without releasing it?

The same way they have a pile of press releases and request for extra funding every time there is a "cybersecurity" threat no matter where it comes from - as you obviously well know but wish to appear utterly ridiculous by pretending you do not.
WTF is it with this stupid game? Is your life really so empty?

The kiddies may not know how such tedious workplace politics of profiting from chaos works (which is why I mentioned it) but you have no such

Yes http://vx.netlux.org/

[Trax3001BBS]

Was the first website I saw taken down of many in the future. A malware data base, taken down as it could harm other sites. https://www.google.com/search?... [google.com]

From the summary above ...

[dbIII]

From the summary above it kind of looks like someone has decided to charge Hutchins and has gone through the books looking for something that can be twisted to fit.
Not a good look FBI or whoever is calling the shots here.
If you want a high profile arrest go for the guy behind the Stratfor crack - if you can't find him ask your payroll department (people who don't know the story of how that crack was carried out by an FBI informant and how he was not charged should look it up - interesting story and shows ho

What matters is the intent

[Opportunist]

Creating malware? Guilty as charged. I do that occasionally on behalf of my clients that want to know whether their security is as tight as they think it is. This is of course very specific software, written with rigid restraints when it comes to propagation and what machines the "malware" may affect at all to ensure that nobody outside gets hit by it and of course without any malicious payload, but the whole criteria for malware are fulfilled. Installation without the user's consent (but of course the mach

Re:

[drinkypoo]

I don't know... some people seem to think that treasonously colluding with a hostile foreign adversary's attack on your country isn't a crime.

Even if it's a crime, it's not treason if they are an ally, even if they are only an ally on paper.

Re:

[x0ra]

By the same standard, Obama would get life sentence for his involvement in Operation Fast and Furious.

Re:

[Oswald McWeany]

By the same standard, Obama would get life sentence for his involvement in Operation Fast and Furious.

Yeah, and Vin Diesel along with him.

Re:

[JoeyRox]

That comparison is Quick and Spurious.

Re:

[x0ra]

there is a notable difference. Guns ran in OFF were "military grade" full-auto weapons, not the knock-off semi-auto "lookalike" found in the civilian market.

Re:

[x0ra]

Exactly 0. Petty thugs will never sink $20k in any full-auto M-16 receiver sparsely available to the civilian market, nor will the apply for the NFA tax stamp and 6 month associated waiting period. They'll use off the self .380 snub-nose that have been in production for nearly 200 years.

Re:

[x0ra]

Operation Fast and Furious was about smuggling full-auto weapons across the mexican border, so your point is irrelevant. Those guns are being used to kill mexicans in the drugs wars, not gansta downtown Chicago. You're argument is at best irrelevant to the conversation.

Re:

[x0ra]

Arguably, you have only a one sided view on the issue. Gun *saves* much more lives than they do. The very fact that we live in a free world is above all thanks to a single kind of tools: firearms. You can keep throwing love and flower, but that will always be ineffective against lead. Also, gun saves lives everyday, that's why LEO carry them, that's why armored carriers personnel carry them, and that why the fucking elite who want to disarm us is surrounded by hundreds of them.

Re:

[x0ra]

Also, leave the fucking ivory tower you live in. If it not for guns, people would use knives. Hell, the first murder ever was committed not with a full-auto weapon, but by a stick. Wake the fuck up, violence is an inherent part of mankind.

Re:

[slashrio]

homocide: noun homocide \hä-m0-sd, h-\ : the deliberate and systematic destruction of the group of homosexual people.

Re:

[x0ra]

We're not talking about killing yourself drinking, we're talking about the lethal consequences of alcohol *to other*. Once again, your argument is irrelevant.

Re:

[pr0fessor]

Drunk drivers kill other people though his 250 a day is really far off it's more like 28 and as for your gun deaths the number is much higher though the majority of them are suicides and the number of gun homicides is closer to the number of drunk driving fatalities or fatal influenza.

Re:

[Kaenneth]

And some percentage of oxygen atoms are involved in murders; it doesn't make them the cause.

Re:

[slashrio]

treasonously colluding with a hostile foreign adversary's attack on your country...

I still haven't seen any evidence that 'Putin' did it, and not the NSA (or any other 3-letter deep-state organization for that matter).
One very possible scenario:
Wikileaks (Assange) announces release of emails from HC.
Clinton's team comes up with the brilliant idea to divert the attention by staging a false flag software attack and to blame it on the Ruskis.
Fucking brilliant. Nobody looked at the emails anymore and they brought Trump (oh shit, there's my godwin) in trouble.
So I'd say: evidence required

Re:

[the_skywise]

No it's not - it's already illegal to knowingly sell a gun to a felon. IF Kronos was sold with the known intent to be used for research or testing purposes than Hutchins has a defense - but I kinda doubt that.

Re: Gun Dealers

[Reverend Green]

Why be worried? We've had a full-on police state for over a decade. Not like this makes our current tyranny any more tyrannical than it already was.

Re:

[Colin Castro]

That's not true, most guns that criminals use are sold by FFLs illegally, who then report them stolen.

Re:

[Aighearach]

That has nothing to do with anything.

7-11 benefits when a bank robber buys Cheesypoofs. It means nothing.

Re:

[Luthair]

Well, you might be an accessory if you knew about it. Its an interesting question though, if you write something for a friend whom you have reason to believe would abuse it is that different than maintaining something openly that has the possibility for abuse?

Re:

[Mr D from 63]

There is nothing wrong with selling poisoned candy to the weird neighbor the night before Halloween either.

Re:

[parkinglot777]

There is nothing wrong with selling poisoned candy to the weird neighbor the night before Halloween either.

Unless you know what your weird neighbor is going to do with the candy you sold (e.g. gives it to kids in the neighborhood), then it is the opposite...

Re:

[Mr D from 63]

There is nothing wrong with selling poisoned candy to the weird neighbor the night before Halloween either.

Unless you know what your weird neighbor is going to do with the candy you sold (e.g. gives it to kids in the neighborhood), then it is the opposite...

He told me he was going to see if he could figure out a way to tell the poison candy from regular, then he kind of gave me a weird laugh.

Re:

[JASegler]

The problem with that is you head down a rabbit hole fast.

If a security researcher writes a proof of concept exploit code that is then incorporated into malware is the security researcher now an accomplice?

What about the old Backorifice tool? It could be used for good or evil.

What about openssl? openssl can be used to encrypt the command and control communication for malware.

Or even windows iteself. Between windows and visual studio you have everything you need to write, distribute and run malware. There

Re:

[Aighearach]

There is no rabbit hole.

Intent has to be provable. If a security researcher arranges for their code to end up in the hands of people who will use it to commit a crime, the question is, can the prosecutor prove that he intended to? No rabbit hole, that is the same situation as every time an accomplice is arrested.

In your examples, you don't say anything that demonstrates intent, so they answer is that those are all fine, and you should know it when you propose them because you're not even talking about inten

Re:

[bongey]

"But officer I never intended to speed , so it really isn't breaking the law"

Re:

[Aighearach]

This situation though is at the other end; the prosecutor says they can prove intent. So he's going to need a pretty good story. Imagine, you're live-streaming from your car while speeding, and the prosecutor has the video. You won't be able to claim that the car was malfunctioning and driving fast on its own.

A more applicable car-related situation would be of a person accused of reckless driving whose defense is they were avoiding a squirrel in the road. If everybody agrees there was really a squirrel, the

Re: Is writing code a crime?

[Reverend Green]

Baizou sure do love the thought of torturing prisoners with forced sodomy. Tells you a lot about their character.

The silver lining: history suggests that police states often end up devouring their own biggest proponents.

Re:

[JoelKatz]

You having reason to believe they would abuse it does not matter. You can sell a hammer to someone even if you have reason to believe they might use it to harm someone. The issue is whether you intended the harm or abuse or whether you conspired with them to commit the crime.

of course

[Reverend Green]

In USSA everything is illegal and everyone is guilty. So of course it's a crime. Duhhh.

Re:

[Anonymous Coward]

He committed a crime that affected U.S. businesses within the united states, then he entered the united states. So, yes.

Re:

[Aighearach]

It reminds me of the Scottish village council member who was pretending to be especially violated by a CIA airplane having once flown overhead, waving his fist at every airplane, shouting, "Nemo me impune lacessit!"

Re:

[Albanach]

With this kind of theory, an American girl visiting Saudi Arabia can be detained because she was not wearing a head scarf while walking in the middle of LA....

If Saudi law prohibited the non-wearing of headscarves in LA, and the American woman were then to visit Saudi Arabia, that's exactly what could happen. When you visit another country, you are subjecting yourself to their laws and judicial system.

Similarly, many countries will prosecute over sexual abuse [justice.gov] of minors, even if the abuse occurred in an over

Re:

[Albanach]

The European arrest warrant scheme allows European nations to request deportation of non-citizens from another EU nation for 32 different offenses with no dual-criminality requirement. That is, without even subjecting themselves to the law of the requesting nation by entering its borders.

That goes far beyond what appears to be happening here where jurisdiction could probably be established by the objective territoriality principle. In other words, even without subjecting himself to US law by visiting, the a

Re:

[will_die]

Unfortunately he is not wrong. there are some countries that have a policy called "universal jurisdiction" which does as he descibed.

Re:

[freak0fnature]

If I fire a bullet from Mexico or Canada that kills someone in the US, have I committed a crime? Can the US come after me even though the crime was committed from another country? Yes they can, and they should. If I build a rocket in UK, sell it to a guy in Canada, who launches it at someone in the US...is the guy in the UK liable to the US? That is where it gets messy.

Re:

[Aighearach]

If I build a rocket in UK, sell it to a guy in Canada, who launches it at someone in the US...is the guy in the UK liable to the US? That is where it gets messy.

If he is criminally liable depends on the details of the case, but he's a legit military target if they need to take it that far.

Re:

[Aighearach]

For somebody claiming to be worried about legal details like jurisdiction you seem exceptionally ignorant of those details.

And yes, Saudi Arabia is free to make whatever laws they want, including if they wanted to make it illegal for any person to visit who ever walked in the middle of LA without a head scarf. It has nothing to do with anything, though.

In this case, the crime he's accused of committing happened in the United States, and he was also arrested in the United States, so it is a lot more like if

Re:

[freak0fnature]

If you are a US citizen and live in a country that has lower taxes than the IRS, then this is true. That does not apply here as he is a UK citizen.

Re:

[slashrio]

Did he 'set' or did he 'sell'?
If the latter, what's the crime?

Re:

[Aighearach]

News flash, intent matters in law. Fucking "duh." Is that really that new? Where have you been the past 800 years?

If you do something that is normally legal, but you do it to help somebody commit a crime, you're an accomplice. For example, driving a car is legal. Driving a getaway car at a robbery is not legal. Pointing at your drivers license doesn't help.

Re:

[superdave80]

Your analogy is completely wrong. The reason you can manufacture and sell guns is that there are LOTS of legal uses for them. Can you name a legal reason to make and sell code whose only purpose is to break into other people's computers? Probably not. In fact, we specifically have laws against breaking into computers.

Re:

[shellster_dude]

Who are you to decide what is has only "Legal" and "Legitimate" uses? There is likely still a good mens rea case to be made probably against this guy based on what he said while selling Kronos and/or providing tech support for clearly illicit usage, but that remains to be seen. I do red team work on a daily basis. The tools I use are very similar and used for a legitimate and lawful purpose. In fact, I write many of my own tools, if I were to sell them, am I also guilty of a crime?

Re:

[will_die]

Alot depends on how you market it and where you sell it. Part of the charge is that the software was primarily marketed and sold where people expected to find cybercrime market items.
There have been court cases where the product was marketed as spyware for monitoring your spouse and children. That was deemed as fully legal because the action of monitoring you children and even your spouse is legal. However go to a site where stalkers hang out and advertise and sell it and you will probably get into some

Re:

[JoelKatz]

> In the case of Hutchins, his product is by design intended to be used in a way that is always illegal, so creating it in concert with someone who intends to use the product is being part of a conspiracy to commit illegal acts.

What if a court authorized the use of the malware to gather evidence? In what way is the malware's design not perfect for that type of use too?

Re:

[Obfuscant]

The assumption that the manufacturer knows the mind of the customer has no place in a legal setting.

If someone is selling a tool that has only illegal uses, it is pretty certain that the mind of the customer is known.

In fact, I'll argue that assumption period does not belong in a courtroom.

The level of proof is "beyond a reasonable doubt" not "beyond all doubt". Sometimes there are assumptions that are so reasonable and with such a high level of probability that they meet the "reasonable doubt" standard without being known as a fact.

Legal ramifications should be based on fact

Convenience store attendant is shot to death. Defendant was seen on a CCTV recording outside the convenience store holding a gun. CCTV shows him en

Re:

[saloomy]

This. Making malware is not illegal. It is intact software. It would be akin to writing down (in a notepad) how the malware works. That is protected by free speech. We can make demonstration software, we can make examples, and hack our own systems. All of that is perfectly legal.

Selling those tools to someone else (like an anti-virus company) is also legal. The law states that you can not hack into a system without authorization, not that you can not own hacking tools.

Furthermore, intent has everything to d

Re:

[JoelKatz]

> If someone is selling a tool that has only illegal uses, it is pretty certain that the mind of the customer is known.

I don't think there's any such thing as "a tool that has only illegal uses", unless you're talking about something that's illegal to possess. A person might want malware to:

1) Test their skills at analyzing malware.

2) Test their own defenses against malware.

3) Perform lawful intercepts on their own equipment.

4) Analyze to fingerprint to add additional detection patterns to existing malwa

Re:

[Obfuscant]

You're very good at rationalizing. You don't need malware to test your skills at analyzing other people's software. You don't need fully functional malware to test defenses against a specific attack vector. You don't need to intercept your own data, or hold it hostage. The purchasers of the malware weren't antivirus authors. If you aren't ready to use it, then bragging about owning a bit of software that you can use to shut down NHS is meaningless. And law enforcement isn't going to encrypt someone's files

Re:

[JoelKatz]

Nothing you said contradicts anything that I said.

Re:

[Aighearach]

Right, the answer is "no" but only because the title lacks some form of the word "intent."

Don't expect that the technical answer to a poorly phrased question being "no" will end discussion, though.

Is it a crime to create and sell malware? No.

Is it a crime to create and sell software whose intent is malicious? Yes.

The obvious conclusion is that being called a pejorative prefixed with mal- does not make you a criminal. Duh.