Date: 2017-08-04
The Kronos Indictment: Is it a Crime To Create and Sell Malware? (washingtonpost.com)
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, was arrested by the FBI over his alleged involvement in separate malicious software targeting bank accounts. According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015. Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. A preliminary analysis of those counts suggests that the government will face significant legal challenges. Orin Kerr, the Fred C. Stevenson Research Professor at The George Washington University Law School, writes:
The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability -- basically, aiding and abetting a hacking crime. Do the charges hold up? Just based on a first look at the case, my sense is that the government's theory of the case is fairly aggressive. It will lead to some significant legal challenges. It's hard to say, at this point, how those challenges will play out. The indictment is pretty bare-bones, and we don't have all the facts or even what the government thinks are the facts.
Count one: If I understand it correctly, the government is saying that the act of selling the malware -- distributing it to a third party -- was the act of causing computer damage.
In effect, the government treats the selling of the malware as a use of the malware to damage a computer. It's saying Hutchins and X conspired (formed an agreement) to send off the program (distributing it to the buyer) intending to cause damage (eventually, albeit indirectly, when the buyer later used it to cause damage). I have never seen Section 1030(a)(5)(A) used that way before. And for the charge to fit the statute, the government has to prove two things that it may or may not be able to prove.
Counts Two, Three and Four: The 2512 Charges: Counts two, three and four all allege violations of 18 U.S.C. 2512. Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices. The basic idea is to deter wiretapping by interfering with the market in wiretapping devices. [...] One legal issue raised by these charges is whether software alone counts as a "device" under Section 2512. Section 2510(5) defines an "electronic, mechanical, or other device" as "any device or apparatus which can be used to intercept a wire, oral, or electronic communication" subject to some exclusions not relevant here.
The problem with that is you head down a rabbit hole fast.
If a security researcher writes a proof of concept exploit code that is then incorporated into malware is the security researcher now an accomplice?
What about the old Backorifice tool? It could be used for good or evil.
What about openssl? openssl can be used to encrypt the command and control communication for malware.
Or even Windows itself. Between Windows and Visual Studio you have everything you need to write, distribute and run malware. There
Adobe Flash (Score:5, Funny)
If I was a creator of Adobe Flash, I'd be worried right now.
Wow. Did you try the lost and found when you were looking for your sense of humor?
Hiring bad developers is a conscious decision by the management, with the known result of tons of vulnerabilities popping up. They have been perfecting that art for so long that the only way out will be shutting flash down totally in a few years...
Yeah, all them villagers at the gate with torches and pitchforks would make me nervous, too.
Seems legit. (Seriously.) (Score:3)
Articles 2-4: Don't be confused by the word blizzard. Was the Trojan built an "apparatus which can be used to intercept...electronic communication"? Then "yes".
I'd be interested in knowing whether he actually built the thing and whether there was motive and intent, but quibbling over whether the Trojan was a "device" or an "apparatus" seems a bit pointless here.
And what if he built it for the NSA to allow them to gain UNAUTHORIZED access into computers? Does that change anything? If not, some companies could be in very big trouble.
Yes, this time it is (Score:4, Insightful)
The Kronos software was not an educational tool for people who would prevent computer penetration or a utility with some other legitimate function. It is not a hunting weapon that just happens to also be capable of shooting people. It looks like it was made to be sold to someone who would commit a crime with it, and for no other purpose.
Re: (Score:3)
I haven't posted here in years, but I signed in to tell you how absolutely ridiculous your opinion is. ANYTHING can be used for evil. All of the vulnerability scanning tools are just as popular with criminals as they are IT professionals. Your opinion isn't just flat wrong; it's dangerous. It's the kind of clueless hysterical fear-mongering that you see when politicians say we need to ban encryption to stop crimes.
So if I find a vulnerability in Acme Corporation's custom in-house application, that exists nowhere else, and write a tool that specifically targets https://acmecorp.com/ and downloads their entire customer database, and sell it to someone who uses it to hack them, did I commit a crime or no?
After all, I only wrote code and sold it, I did not personally hack their servers.
Well, welcome back to Slashdot then.
I think you are missing a critical distinction. Let's compare a gun and an improvised explosive device (IED). The gun can be used to keep your family fed with venison, etc. It only shoots where you aim it, if properly operated by a trained person and kept locked up the rest of the time. If you were to set a deadfall trap, you'd have to place signs around it warning people away, or you'd be liable for anyone who was hurt. You can't really kid anyone that you've made an IED
ANYTHING can be used for evil.... It's the kind of clueless hysterical fear-mongering that you see when politicians say we need to ban encryption to stop crimes.
Yes, anything can be used for evil. Encryption has legitimate uses. What about things that can *only* be used for evil? Is it a crime to create them? If not, is it a crime to distribute them to someone else to profit from? If not, is it a crime to sell them? If not, is it a crime to use them?
This comes up in copyright too: DropBox is legal, but Mega was not. What's the difference since both tools can be used to distribute piracy? The argument is that the mens rea was different. But, this is a banki
Wait, what? (Score:1)
He committed a crime that affected U.S. businesses within the United States, then he entered the United States. So, yes.
If Saudi law prohibited the non-wearing of headscarves in LA, and the American woman were then to visit Saudi Arabia, that's exactly what could happen. When you visit another country, you are subjecting yourself to their laws and judicial system.
Similarly, many countries will prosecute over sexual abuse [justice.gov] of minors, even if the abuse occurred in an over
Doesn't matter (Score:2)
He's screwed
Manufacturing Wiretapping devices? (Score:3)
Counts two, three and four all allege violations of 18 U.S.C. 2512.
Section 2512 is a rarely used law that criminalizes making, selling or advertising for sale illegal wiretapping devices.
Since when is it illegal in the UK to make wiretapping devices, and to sell them?
The governing law for actions that occurred in the UK by a UK national would not be any part of 18 USC.
but not a gun manufacturer, settled law.
Who Defines Crime? (Score:2)
That depends on where you live/are, who they have extradition treaties with, and their willingness to enforce the existing laws/treaties against YOU.
If you're talking about a U.K. security researcher, arrested in Las Vegas, Nevada, then I would say yes. If you're talking about a software company based in Ukraine, then I would say no.
Not a lawyer (Score:2)
I'm not a lawyer so I couldn't accurately say if it is, or isn't illegal.
However, I will say I don't think writing Malware per se is necessarily an arrest-able crime. Unless it impacts someone negatively.
If you write Malware for research purposes, and it stays locked in your network. No-one can argue that that should be punishable.
If you write Malware and that Malware impacts another human being (intentionally or not) YES you shoulder some of the responsibility and should be held accountable.
Accessory to the crimes committed with it. (Score:3)
Similarly, if you built a custom device to tap into a lock mechanism on a safe and that the only use was to break into safes... and he built the device for a criminal or criminal organization (and not a locksmith) that person should also be charged.
Well I did build the device to unlock safes (Score:2)
When someone forgot the combo or for someone who collects safes and treasure hunts for safes or uses them in a business that unlocks safes for people who lost their combos.
Of course... (Score:2)
...unless you sell it to the Five Eyes because our governments' hypocrisy knows no bounds.
Fun with wiretapping devices (Score:2)
Apparently 18 U.S.C. 2512 amounts to a noun a verb and...
"manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce; or"
Sure would love to know what "prim