by NateyJay 3243 days ago
The concern is that a lot of behaviour that a security researcher would do in the course of their research, taking over C&C server addresses such as with Wannacry, soliciting for samples of malware, such as Hutchins did with the Kronos trojan, and having contacts with black-hat hackers, might look to the DOJ as if he is the culprit who created the malware.

People think that an innocent white hat hacker could get swept up in this kind of arrest, and there has been so little evidence released, nobody knows what actually happened.

Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.
It bears mentioning that accused does not mean convicted. The DOJ record as far as accusations turning out to be grounded in reality is not unblemished.

> Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.

You say that as though you are contradicting NateyJay.

But the fear NateyJay is highlighting is exactly that a white hat is being accused. And that (whether ultimately borne out in this case, or not) this kind of thing could happen to people who are conducting innocent security research.

A white hat is being accused of black hat behaviour. There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way. He's accused of creating and distributing malware. He may be found innocent of that, but the crimes he is accused of are very definitely crimes, and he shouldn't get a pass just because he's been publicly acting as a white hat.

If the government has evidence, he should be charged and tried. And that appears to be what's happening here.

Again, no contradiction here. There is a fear that a white hat is being accused of black hat behavior. Not a claim. A fear. And a reality that a person (maybe white hat, maybe black hat, we don't know) is being accused of black hat behavior. Nothing surprising here. He may, or may not, be a black hat. The fear of unjust accusation is still valid. We will have to see if the DOJ will share the evidence, and what that evidence says.
> The fear of unjust accusation is still valid.

Then why isn't there a chill sent every time anyone is arrested on accusations of black hat crimes? If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.

I think it was just a lazy way to write a headline about how everyone in the security community is talking about this case --- which they are. It's a lot more interesting for readers if something important is at stake --- which I think really nothing is.
> If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.

How do you know that it doesn't? White hats are counterintel agents effectively. If a counterintel agent is arrested for doing something that could be deemed as part of his job, why wouldn't it 'send a chill' through the community?

You're not quite making the right analogous scenario. It's more like if a neighbor you know who has some strong vocal opinions against the current regime suddenly gets arrested on some charges like conspiracy to incite revolt. I would be right to be afraid of being charged similarly if I had similar beliefs and knew I'd had similar conversations as my neighbor.
> There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way.

There is only the thinnest of lines between the two.

White hats have to traffic in malware and exploits because it's necessary to understand a threat in order to defend against it, and in order to test that your defenses are effective. It may even be necessary to infiltrate black hat collectives.

The clearest way to tell the difference is that a real black hat will be breaking some other law. Committing credit card fraud or misappropriation of trade secrets or something like that.

But that doesn't appear to be the case here. And the fear is that because the law around this is so uncertain, if the government is going to use it in cases like this without any independent bad acts then nobody knows where the line is supposed to be.

"White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

People on this thread have a lot of strange ideas about what infosec people do in their jobs.

> "White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.

And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.

While the tools, methods and knowledge might be similar or the same... to say "the thinnest of lines between the two" exists is a bit disingenuous.

There is a MASSIVE difference between researching security holes... and then selling the exploits for those security holes or tools that use said security holes.

Again... if the chatter here is accurate, he's not being "arrested" for research... he's being arrested for tools created and sold with the knowledge gained by said research.

There's a difference between discovering a hole in a banks security... and robbing a bank using that hole.

Massive difference.

What if it turns out that his "co-conspirator" stole and sold his PoC malware? We're talking about thieves and fraudsters after all, so this doesn't seem like it is outside of the realm of possibility. The only proof to the contrary would be if Hutchins profited from the sale of the malware.

Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scot-free because someone else handled the actual marketing, sales, etc., but if he didn't gain anything from those sales, or from fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.

To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?

> White hats have to traffic in

I feel like you're changing the terminology here in order to confuse the pretty clear lines.

Obtaining and analysing != creating and selling.

Creating and selling is also a normal course of operation: penetration testing tools, offensive tools used by various gov. entities, rootkits used by some entertainment conglomerates to "protect their IP" are routinely created and sold.
This is complete nonsense.

Maybe there is a case that buying malware is a reasonable thing to do in some circumstances.

Selling your own malware is a different thing. That seems a pretty clear boundary.

"The indictment does not say Hutchins designed Kronos to be sold, knew about the sale or was at all aware his work was being used maliciously."

A person he knew, or he was in touch with sold the said trojan. The indictment also doesn't say if he did gain financially from the sale or not.

So, he developed a trojan possibly for research, someone he knew sold it and he got arrested.

Wait, what?

How does a person accused of development and direct distribution of malware qualify as a white hat? Because he pulled the plug on some ransomware and put his name in global households?

There are a lot of logic jumps here that you have simply glossed over.

The same way someone accused of murder qualifies as not-a-murderer.

"Accused" just means someone said it, it doesn't make it true.

Well. They're probably crimes. The law behind building and selling banking trojans is pretty hazy.
You're kidding, right? Looks like slam dunk aiding and abetting wire fraud.
I am not kidding, but rather parroting Orin Kerr, an expert on this subject, who does not think this case is a slam dunk.

(Not because the evidence for Hutchins' involvement is thin, but because the law here is hazy.)

Do you think there should be a market for building/selling malware? I feel like it would aid in zero day disclosures. But it could also incentivize black hats.
Fuck no. Malware and exploits are not the same thing. Anyone can write malware; you just have to have the stones and a broken enough moral compass to make money by immiserating strangers. There is an infinite amount of malware; we don't benefit from its "disclosure".
There is a market already; the only diff. from this case is who the end buyer is. If you are building a rootkit for Sony Entertainment to use on its customers, no one minds much.
The "chill" comes from legal activities potentially getting you detained and brought up on charges. That's a real cost, even assuming a perfect justice system that can tell they made a mistake.

For an analogy, suppose you wanted to rehabilitate some drug addicts in a bad part of town, and as a result, frequented that part of town, and bought books on drug dosages. If that could get you arrested because the cops couldn't tell the difference between you wanting to help drug addicts and being a drug dealer, and arrested you based on frequently being in the wrong part of town and showing an interest in drug literature, then it would send a clear message to go nowhere near these people in need. And that would be a shame.

> the cops couldn't tell the difference

is there any indication that's the case here? the FBI isn't a bunch of complete incompetents. He could be found innocent, but what makes this case different than the presumption of innocence that every person charged with a crime is supposed to be given?

> The FBI isn't a bunch of complete incompetents.

The FBI is human and therefore makes mistakes, and it is a large organization and therefore has a structural inertia that occasionally directs a lot of power and effort at the wrong target.

Also, the price of democracy is eternal vigilance. Citizens have a duty to check the government's use of power. We should be worrying every time the government acts against a citizen until we also see proper due process including any necessary evidence.

> He could be found innocent

He is innocent until proven otherwise.

> what makes this case different

The government hasn't yet shown that they can handle this kind of case properly. That is partly due to the novel nature of situations involving new technology, but it is also from the government's own history of bad behavior. Their reputation means they do not get the benefit of the doubt, and until we see actual evidence that this case (regardless of the outcome) is being handled properly, it's prudent to worry that this might be an overreaching prosecutor (or worse).

> the FBI isn't a bunch of complete incompetents

It isn't a bunch of complete competents either; the forensic hair analysis kerfuffle shows that much.

There is evidence that he was a white hat hacker now, and that is enough for current white hat hackers to be worried.
> > the cops couldn't tell the difference

> is there any indication that's the case here? the FBI isn't a bunch of complete incompetents.

If they arrested someone selling the malware (which they did), and to get free that person says they can deliver the author (which they did), but instead points to any random security researcher he found working on that malware (we don't know). Now, this plus the person's white hat research, the circle is closed and it would take one lifetime and immense legal fees to prove otherwise.

What about, say, Brian Krebs? According to his blog posts, he hangs out a lot on blackhat/cybercrime forums, particularly Eastern European and Russian (?) ones. He has contact with people there, posing as another blackhat, to lure information from them. It's possible, perhaps, that he also leaves out certain interactions that might cross further into a legal grey area (I'm not saying that he has), benign to his research.

That's bound to set off some alarm bells, somewhere some day, at some agency or bureau.

Now, Krebs keeps a relatively high profile pertaining to his work, so it's not improbable that they think twice when they read who he is, and see he's one of the "good guys" obviously.

But there's a lot of white hat researchers who aren't Internet-famous (in the tech world, not just security). Quite a few by choice, too.

So now they're worried if there's anything they might have done in the past that could get them into this kind of trouble. That is, being charged with something over having done (perhaps legally grey) security research. And yes they'll be given a fair trial, except that it seems that in the US proving one's innocence also depends on whether you have sufficient funds (I feel like I'm stereotyping here, but I see so many people casually mention these scenarios as if it's a given).

And then, being one of the "good guys"--by, say, single-handedly stopping the first wave of a global ransomware epidemic--doesn't seem to warrant a bit more considerate and less aggressive approach any more, either.

So now they're worried!

That's fair, it's always best to let the facts come out in court before any of us decide to judge him one way or another. By then we'll have a clearer picture of exactly what (if anything) his knowledge of and involvement with the principals of the crimes was.

It seems to me that, if proven, the DOJ has a case here. The key point will be exactly what they can or cannot prove in court.

It's best not to get too riled up over preliminary things like this. We haven't heard most of what there is to hear until the closing arguments are given and I'd rather not make up my mind too far one way or another before I've heard everything there is to know. And I would be embarrassed to stake an opinion later proven ridiculous because I rushed to judgement.

> It bears mentioning that accused does not mean convicted.

Of course it does. But the subject here is whether the indictment should cause a "chill" in the security community. Nothing he did in his legitimate research is related to the indictment.

This is like saying Hans Reiser's arrest would have had filesystem authors afraid of the government.

You know why it's called a hat? Cause you can take it off and put another one on. Or even be extra silly and wear two or more at the same time. It's tongue in cheek but there is some truth there.

In this case he was selling malware so I think this about a time when head gear was of a darker color...

It's a reference to Spy vs. Spy, a comic strip in Mad magazine. The good guy had a white hat, the bad guy black.
Well, to be honest, both spies in Spy vs Spy were equally nefarious, taking turns in their ups and downs, but deploying identical methods. I always thought it referred more to movie Westerns, where blackhats were consistently the villains, and the whitehat was the studio star who saved the day.
> It bears mentioning that accused does not mean convicted.

That means it should be even less likely to "send a chill through the security community".

Accused may not mean convicted, but it probably does mean a year in jail awaiting trial, and at trial, and paying for a lawyer that costs tens of thousands of dollars, maybe hundreds of thousands.

They don't give you back your lawyer money if you're found innocent. They don't give you back any job that you may have lost, and they certainly don't give you back the money you would have earned during that time.

He got $30k in bail, the equivalent of a $3k bond if he doesn't just pay it directly himself. The $30k is returned whether or not he's found guilty: it ensures only his appearance in court.
> a year in jail awaiting trial

Only in the most exceptional cases is someone held without bail.

> They don't give you back your lawyer money if you're found innocent.

Federal courts can award legal costs "where the court finds that the position of the United States was 'vexatious, frivolous, or in bad faith.'" https://en.wikipedia.org/wiki/Hyde_Amendment_(1997)

---

But yes, your broader point is correct that it's certain to be a very bad experience.

Then the fear should be over whether the FBI is competent at investigating, not whether researching Wannacry will get them arrested.

There's a big disconnect because people seem to be associating this guy's arrest with his serendipitous Wannacry incident. But there's no correlation at all. He is alleged to have had a shady past (corroborated by many reputable HN commenters) and later turned white hat.

There is a due process for catching an ally's civilian; that's called extradition, and that process is important.
The parties involved probably judged correctly that if they attempted to extradite him, he would be the subject of a prolonged media campaign against the government in the UK to keep him here.

What I don't understand is why the FBI didn't just hand the evidence to the NCA in the UK and have them arrest him.

Well the government shouldn't modulate how it executes the law based on the optics or media impact. And as you said, this move shows that they didn't think the UK would agree with their evidence, which is far more reason for this snatching to be worrying.
Which is why he was arrested. He is accused of a crime, and will stand trial.
You assume that is their goal, to actually convict him of a crime

The FBI is known for arresting and indicting people for crimes that carry LARGE sentences, to use that as leverage to turn those people into informants.

Extortion is a power tool used by the US Government

Unless charges are dropped, of course.
That's absolutely true, but if the DoJ is acting in good faith (they believe they have sufficient evidence of guilt by this person) then is this really a problem?

There are good reasons to be cautious, but this particular case is far from decided either way.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

"He admitted he was the author of the code of Kronos malware and indicated he sold it," said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money.

http://www.bbc.com/news/technology-40833951

We don't know the facts of the case yet and the government has released no evidence. This could all just be a massive FBI whoops as the FBI does from time to time. Or he could be completely innocent and the FBI is just using the threat of criminal prosecution to exert pressure to get him to inform on friends or contacts. We can't judge until more evidence is made available.

A general question not directly related to the case: Where exactly is the line between criminal conspiracy and writing software tools?

Certainly TOR is used by people to do bad things (and also good things), but almost everyone agrees that no criminal act has been committed by the creation of TOR. Plenty of legitimate businesses sell Remote Access Trojans (RATs) and go unarrested. On the other hand some developers that sell RATs have been arrested.

If someone pays you 2,000 grand to find an exploit have you committed a crime? What if then they use that exploit you sold them to commit a crime? What if you knew beyond all doubt that was their purpose but then the exploit isn't used? Does it matter if they bought an exploit from you or if you are a salaried employee of their company? What if instead of selling them an exploit you configured an email server for them?

It seems like he may not have created the trojan, but simply created a bootkit that it utilized. A fairly common thing for security researchers to do.
Yes, that's what they're saying. Consider the source.
I'm not convicting him, and if you put a gun to my head and forced me to render a verdict based on what's public now, I'd say "not guilty". What do you want from me? Cases like this unfold over time. We don't get to know everything we want to know the moment we want to know it.
The parent post thread is about why researchers were afraid as a result of the arrest. While it might unfold and get a not guilty, in the mean time he's in jail. If you were a malware researcher with good intentions, you might rightly think it's a mistake and one that could get you in the same kind of trouble.
My point isn't that I have a huge amount of trust and goodwill in the criminal justice system, but rather that almost nobody in the security community does the stuff that this person is accused of doing. Do you build banking trojans and then arrange for them to be sold to anonymous strangers on Darknet forums? If not: what does this case have to do with your security work?
It seems to me that this is kind of a litmus situation - this case reveals what you think of the DOJ. If you think that they somewhat routinely frame people that they are "after", then you look at the fact of the accusation and see this case as more proof that security researchers should be cautious (and maybe avoid entering the US).

On the other hand, if you think that the DOJ, while subject to making mistakes, does not often knowingly and deliberately falsely accuse people, then you look at the alleged behavior, and realize that it is well outside the bounds of whitehat behavior.

I doubt the type of bug will matter unless people need license to sell trojans by law.
Accusations can be based on bad extrapolation of facts.
it's unclear what "creating" entails. If I write a crypto library that a piece of ransomware uses did I create the ransomware?
no you didn't
Why is there a tone that he's already found guilty without a trial?
> Hutchins is accused...

i thought it was pretty clear

Consider the context.

From the context, it looks like that particular snippet was posted as a counter to the notion that researchers should be concerned about false accusations happening due to the possibility of their work being misconstrued as the activities of a black hat hacker.

To post that as if to dismiss those concerns, is definitely tending toward the tone that piiie is talking about. While you are right to point out the word "accusation" is used, not guilt, the tone still comes through when you consider the context.

If I write open source code for research, share it with the community, and someone wants to license it for "further research" and pays me – am I responsible if their adapted software is then used / stolen / re-applied to kill people or hack a bank?

In this scenario I both wrote and explicitly sold the software with no idea of what the later applied tech would do. The computer laws referenced in the article seem to require direct knowledge of malicious intent of the software in the sale.

If you know the person licensing it from you is going to use it to steal financial information, and the clear purpose of the tool you've built is to steal financial information, then I would say you should definitely make sure you have a criminal defense lawyer you trust and can afford.
I don't think anyone would disagree with what you just said, but given the way prosecutors deal with "intent" sometimes, I think it would be easy for them to cross a line.

If you haven't already, listen to this podcast about Doug Williams and polygraphs: https://www.thisamericanlife.org/radio-archives/episode/618/...

There are a lot of parallels in how issues of intent can get very grey.

They're required to prove intent at trial.
As I understand it this is the crux of the case - that the creation of such software isn't illegal, but sale with the intent to be used in the commission of a crime is. I understand the indictment is pretty barebones, so I wonder what exactly they are basing their allegations of intent on.
honest question: if your code is open source, why would someone pay you for further research? why would you charge for that?
I was being a bit of a devil's advocate, although I didn't quite get the responses I hoped for. I suppose I didn't phrase it quite right since I don't have significant knowledge about this case other than the article.

It seems like the arrest is a bit aggressive, but so is the response – clearly out of fear and uncertainty of the govt and general time we live in. Hopefully more transparency will bring light to the allegations and reassure the innocent of their safety

From my limited perspective, the U.S. is continuing to transition more fully to "rubber hose" policing, for lack of a better term.

If they decide you are a problem for any reason or decide to put you in their sights, perhaps for their own political agenda, you will face an overwhelming range of charges and immediate legal expenses.

The goal isn't truth; the goal is to break you and so further their agenda.

I'm not saying there isn't legitimate law enforcement occurring within the mix.

But, in terms of the overall picture as opposed to court etiquette itself, "benefit of the doubt" seems to have long since gone out the window.

Now imagine being a foreigner, away from family and local support networks, and not knowing whether you've landed on some very political person's list (and prosecutors in the U.S. are very political creatures).

Imagine you work in an area engendering much controversy, such as computer systems security.

And finally, take it a step further, even sitting home or traveling in e.g. Europe: Just how far and pervasive are the FBI et al. willing to reach with politically aided extradition requests?

Political forces in the U.S. want to "stop" "cybercrime" by physically insisting that people they don't like "stop" doing those things. Not a technical solution. Not improving systems and systems management. Nope, get out the rubber hose.

And wield it based upon political calculation, more so than actual, (legally) substantiated fact.

Ok, so to this point (and I'm not a security researcher, so forgive my ignorance) couldn't a legit malware creator call their work "research"? I feel like a malware creator could throw this smoke screen whenever they wanted. It's not a free pass...
Given his life style at Vegas and that he didn't even attend the conference, just went there for partying and meetups, the "chills" are different to the "chills" one would assume from reading the headline. http://www.dailymail.co.uk/news/article-4762608/Marcus-Hutch...

They just caught another criminal hacker who was stupid and earned a lot of money from his Kronos hacks. The one chill is how stupid was he? Lamborghini? The second chill is how naive have I been when reading about the lone hacker fixing WannaCry and saving the world from his mom's house bedroom?

If you're not from the UK, just take everything the Daily Mail prints with a grain (well, a handful) of salt.
Yes, I know the reputation of the Daily Mail. But there are too many facts in there. The mansion, the admittance, the Lamborghini.
You've got to make sure you have all the facts though. Renting a $1,900 per night mansion looks a lot less extravagant when that cost is being split by 7 people.

And renting a fancy car for a few days might not be that much money. I recently used Turo to rent a gold Cadillac for a trip up to Marin County. Pretty nice, huh? It cost less than renting a Nissan Altima from Budget. (I checked.)

This makes me hope hackers go back to selling vulns online.