by tptacek 3243 days ago
Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.
8 comments

It bears mentioning that accused does not mean convicted. The DOJ record as far as accusations turning out to be grounded in reality is not unblemished.

>Hutchins is accused of creating the Kronos trojan, and of working closely with someone who sold the trojan. The lines the DOJ is saying were crossed are pretty bright.

You say that as though you are contradicting NateJay.

But the fear NateJay is highlighting is exactly that a white hat is being accused. And that (whether ultimately borne out in this case, or not) this kind of thing could happen to people who are conducting innocent security research.

A white hat is being accused of black hat behaviour. There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way. He's accused of creating and distributing malware. He may be found innocent of that, but the crimes he is accused of are very definitely crimes, and he shouldn't get a pass just because he's been publicly acting as a white hat.

If the government has evidence, he should be charged and tried. And that appears to be what's happening here.

Again, no contradiction here. There is a fear that a white hat is being accused of black hat behavior. Not a claim. A fear. And a reality that a person (maybe white hat, maybe black hat, we don't know) is being accused of black hat behavior. Nothing surprising here. He may, or may not, be a black hat. The fear of unjust accusation is still valid. We will have to see if the DOJ will share the evidence, and what that evidence says.
>The fear of unjust accusation is still valid.

Then why isn't there a chill sent every time anyone is arrested on accusations of black hat crimes? If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.

I think it was just a lazy way to write a headline about how everyone in the security community is talking about this case --- which they are. It's a lot more interesting for readers if something important is at stake --- which I think really nothing is.
> If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.

How do you know that it doesn't? White hats are counterintel agents effectively. If a counterintel agent is arrested for doing something that could be deemed as part of his job, why wouldn't it 'send a chill' through the community?

No they aren't.
You're not quite making the right analogous scenario. It's more like if a neighbor you know who has some strong vocal opinions against the current regime suddenly gets arrested on some charges like conspiracy to incite revolt. I would be rightful to be afraid of being charged similarly if I had similar beliefs and knew I'd had similar conversations as my neighbor.
> There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way.

There is only the thinnest of lines between the two.

White hats have to traffic in malware and exploits because it's necessary to understand a threat in order to defend against it, and in order to test that your defenses are effective. It may even be necessary to infiltrate black hat collectives.

The clearest way to tell the difference is that a real black hat will be breaking some other law. Committing credit card fraud or misappropriation of trade secrets or something like that.

But that doesn't appear to be the case here. And the fear is that because the law around this is so uncertain, if the government is going to use it in cases like this without any independent bad acts then nobody knows where the line is supposed to be.

"White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

People on this thread have a lot of strange ideas about what infosec people do in their jobs.

> "White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.

And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.

For the Nth time in this thread: watch the video of the software we're talking about. "White hats" do not build things like that all the time.
You are suggesting he spent time and energy to build a proof of concept whose explicit task was to demonstrate banking theft from browsers, and he chose to never release it but keep it secret, and a friend decided to sell it on the dark web?

And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?

While the tools, methods and knowledge might be similar or the same... to say "the thinnest of lines between the two" exists is a bit disingenuous.

There is a MASSIVE difference between researching security holes... and then selling the exploits for those security holes or tools that use said security holes.

Again... if the chatter here is accurate, he's not being "arrested" for research... he's being arrested for tools created and sold with the knowledge gained by said research.

There's a difference between discovering a hole in a banks security... and robbing a bank using that hole.

Massive difference.

What if it turns out that his "co-conspirator" stole and sold his PoC malware? We're talking about thieves and fraudsters after all, so this doesn't seem like it is outside of the realm of possibility. The only proof to the contrary would be if Hutchins profited from the sale of the malware.

Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scot-free because someone else handled the actual marketing, sales, etc., but if he didn't gain anything from those sales, or fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.

To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?

Then he'll have an extremely strong defense at trial, and the DOJ will be wasting its time. Which is why it's a little bit unlikely that that's what happened.
There's evidence he knew of Kronos in the wild on his twitter feed. Why wouldn't he alert someone that his research proof of concept had been leaked? Provided the source code to LEA.
> White hats have to traffic in

I feel like you're changing the terminology here in order to confuse the pretty clear lines.

Obtaining and analysing != creating and selling.

Creating and selling is also the normal course of operation: penetration testing tools, offensive tools used by various gov. entities, rootkits used by some entertainment conglomerates to "protect their IP". They are routinely created and sold.
This is complete nonsense.

Maybe there is a case that buying malware is a reasonable thing to do in some circumstances.

Selling your own malware is a different thing. That seems a pretty clear boundary.

"The indictment does not say Hutchins designed Kronos to be sold, knew about the sale or was at all aware his work was being used maliciously."

A person he knew, or he was in touch with sold the said trojan. The indictment also doesn't say if he did gain financially from the sale or not.

So, he developed a trojan possibly for research, someone he knew sold it and he got arrested.

This is not the kind of thing you develop for "research". It's extremely boring code that is essentially just a user interface for seeding HTML trojans across a botnet.

This thread gives the impression that people not in the field see some sort of mystique to malware research and development. Malware isn't vulnerability research or exploit development. Most of the malware deployed in the real world is code that virtually anyone on HN could develop, from first principles without any additional research.

That's not true of exploit development, which can be extraordinarily difficult and almost always depends on specialized insider knowledge. There's lots of research reasons to work on exploit code. But that's just not true for the kind of malware we're talking about in this case.

This is important to understand, because the premise of the story is that prosecution over banking trojan malware is having a chilling effect in the industry. It is not. Very few people in the industry build stupid-looking PHP interfaces to HTML injection on botnet victims, not because it's illegal but because it's pointless and dumb and you wouldn't learn anything from doing it.

Wait, what?

How does a person accused of development and direct distribution of malware qualify as a white hat? Because he pulled the plug on some ransomware and put his name in global households?

There are a lot of logic jumps here that you have simply glossed over.

The same way someone accused of murder qualifies as not-a-murderer.

"Accused" just means someone said it, it doesn't make it true.

That itself is a huge logic jump that is being made, both by the DoJ and the infosec community. His bail was set at 30k, the 10% rule makes his bail 3k, so he should be out by tomorrow if he really deved that malware.

If not, you're all being targeted so you should grab a new career before you get feds at the door.

Well. They're probably crimes. The law behind building and selling banking trojans is pretty hazy.
You're kidding, right? Looks like slam dunk aiding and abetting wire fraud.
I am not kidding, but rather parroting Orin Kerr, an expert on this subject, who does not think this case is a slam dunk.

(Not because the evidence for Hutchins' involvement is thin, but because the law here is hazy.)

Link to the Orin Kerr article: https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...

Orin Kerr's analysis is excellent and made me consider the accused party's intent and the difference between selling code versus using code.

Thanks for the cite. Interesting.
Do you think there should be a market for building/selling malware? I feel like it would aid in zero day disclosures. But it could also incentivize black hats.
Fuck no. Malware and exploits are not the same thing. Anyone can write malware; you just have to have the stones and a broken enough moral compass to make money by immiserating strangers. There is an infinite amount of malware; we don't benefit from its "disclosure".
There is a market already; the only diff. from this case is who is the end buyer. If you are building a rootkit for Sony Entertainment to use on its customers, no one minds much.
The "chill" comes from legal activities potentially getting you detained and brought up on charges. That's a real cost, even assuming a perfect justice system that can tell they made a mistake.

For an analogy, suppose you wanted to rehabilitate some drug addicts in a bad part of town, and as a result, frequented that part of town, and bought books on drug dosages. If that could get you arrested because the cops couldn't tell the difference between you wanting to help drug addicts and being a drug dealer, and arrested you based on frequently being in the wrong part of town and showing an interest in drug literature, then it would send a clear message to go nowhere near these people in need. And that would be a shame.

>the cops couldn't tell the difference

Is there any indication that's the case here? The FBI isn't a bunch of complete incompetents. He could be found innocent, but what makes this case different than the presumption of innocence that every person charged with a crime is supposed to be given?

> The FBI isn't a bunch of complete incompetents.

The FBI is human and therefore makes mistakes, and they are a large organization and therefore have a structural inertia that occasionally directs a lot of power and effort at the wrong target.

Also, the price of democracy is eternal vigilance. Citizens have a duty to check the government's use of power. We should be worrying every time the government acts against a citizen until we also see proper due process including any necessary evidence.

> He could be found innocent

He is innocent until proven otherwise.

> what makes this case different

The government hasn't yet shown that they can handle this kind of case properly. That is partly due to the novel nature of situations involving new technology, but it is also from the government's own history of bad behavior. Their reputation means they do not get the benefit of the doubt, and until we see actual evidence that this case (regardless of the outcome) is being handled properly, it's prudent to worry that this might be an overreaching prosecutor (or worse).

> the FBI isn't a bunch of complete incompetents

It isn't a bunch of complete competents either, forensic hair analysis kerfuffle shows that much.

There is evidence that he was a white hat hacker now, and that is enough for current white hat hackers to be worried.
I don't know what these terms even mean. "White hat hacker"? Is that what we call "everyone who does anything in infosec but doesn't sell stolen financial information obtained from botnets"?

The attempt to divide the whole world into "people irrationally attacking 'hackers' and 'the good kind of hackers'" isn't doing anyone any favors.

If Hutchins has nothing to do with a criminal conspiracy to profit from a truly awful banking trojan, then his arrest and indictment is a travesty. But if he does have something to do with it, then his status as any kind of "hacker" should have nothing to do with anybody's take on the situation. I'm not sure how much lower you can go than deliberately making money by stealing bank logins from ordinary people, which is what he's accused of doing.

People love to talk about how the FBI has a history of framing people --- and in other fields they might. But there is no track record I'm aware of for the FBI to make up a story like this out of whole cloth. In every case like it, from NanoCore to Albert Gonzalez and Stephen Watt, there's been a basis for the charges.

That's a bit like saying there is evidence he is a white male, and that is enough for all white males to be worried.

I.e. not relevant.

> >the cops couldn't tell the difference

> is there any indication that's the case here? the FBI isn't a bunch of complete incompetents.

If they arrested someone selling the malware (which they did), and to get free that person says they can deliver the author (which they did), but instead points to any random security researcher they found working on that malware (we don't know). Now, this plus the person's white hat research, the circle is closed and it would take one lifetime and immense legal fees to prove otherwise.

What about, say, Brian Krebs? According to his blog posts, he hangs out a lot on blackhat/cybercrime forums, particularly Eastern European and Russian (?) ones. He has contact with people there, posing as another blackhat, to lure information from them. It's possible, perhaps, that he also leaves out certain interactions that might cross further into a legal grey area (I'm not saying that he has), benign to his research.

That's bound to set off some alarm bells, somewhere some day, at some agency or bureau.

Now, Krebs keeps a relatively high profile pertaining to his work, so it's not improbable that they think twice when they read who he is, and see he's one of the "good guys" obviously.

But there's a lot of white hat researchers who aren't Internet-famous (in the tech world, not just security). Quite a few by choice, too.

So now they're worried if there's anything they might have done in the past that could get them into this kind of trouble. That is, being charged with something over having done (perhaps legally grey) security research. And yes they'll be given a fair trial, except that it seems that in the US proving one's innocence also depends on whether you have sufficient funds (I feel like I'm stereotyping here, but I see so many people casually mention these scenarios as if it's a given).

And then, being one of the "good guys"--by, say, single-handedly stopping the first wave of a global ransomware epidemic--doesn't seem to warrant a bit more considerate and less aggressive an approach any more, either.

So now they're worried!

That's fair, it's always best to let the facts come out in court before any of us decide to judge him one way or another. By then we'll have a clearer picture of exactly what (if anything) his knowledge of and involvement with the principals of the crimes was.

It seems to me that, if proven, the DOJ has a case here. The key point will be exactly what they can or cannot prove in court.

It's best not to get too riled up over preliminary things like this. We haven't heard most of what there is to hear until the closing arguments are given and I'd rather not make up my mind too far one way or another before I've heard everything there is to know. And I would be embarrassed to stake an opinion later proven ridiculous because I rushed to judgement.

> It bears mentioning that accused does not mean convicted.

Of course it does. But the subject here is whether the indictment should cause a "chill" in the security community. Nothing he did in his legitimate research is related to the indictment.

This is like saying Hans Reiser's arrest would have had filesystem authors afraid of the government.

You know why it's called a hat? Cause you can take it off and put another one on. Or even be extra silly and wear two or more at the same time. It's tongue in cheek but there is some truth there.

In this case he was selling malware so I think this about a time when head gear was of a darker color...

It's a reference to Spy vs spy, a comic strip in mad magazine. The good guy had a white hat, the bad guy black.
Well, to be honest, both spies in Spy vs Spy were equally nefarious, taking turns in their ups and downs, but deploying identical methods. I always thought it referred more to movie Westerns, where blackhats were consistently the villains, and the whitehat was the studio star who saved the day.
> It bears mentioning that accused does not mean convicted.

That means it should be even less likely to "send a chill through the security community".

Accused may not mean convicted, but it probably does mean a year in jail awaiting trial, and at trial, and paying for a lawyer that costs tens of thousands of dollars, maybe hundreds of thousands.

They don't give you back your lawyer money if you're found innocent. They don't give you back any job that you may have lost, and they certainly don't give you back the money you would have earned during that time.

He got $30k in bail, the equivalent of a $3k bond if he doesn't just pay it directly himself. The $30k is returned whether or not he's found guilty: it ensures only his appearance in court.
> a year in jail awaiting trial

Only in the most exceptional cases is someone held without bail.

> They don't give you back your lawyer money if you're found innocent.

Federal courts can award legal costs "where the court finds that the position of the United States was 'vexatious, frivolous, or in bad faith.'" https://en.wikipedia.org/wiki/Hyde_Amendment_(1997)

---

But yes, your broader point is correct that it's certain to be a very bad experience.

Then the fear should be over whether the FBI is competent at investigating, not whether researching Wannacry will get them arrested.

There's a big disconnect because people seem to be associating this guy's arrest with his serendipitous Wannacry incident. But there's no correlation at all. He is alleged to have had a shady past (corroborated by many reputable HN commenters) and later turned white hat.

There is a due process for catching an ally's civilian; it's called extradition, and that process is important.
The parties involved probably judged correctly that if they attempted to extradite him, he would be the subject of a prolonged media campaign against the government in the UK to keep him here.

What I don't understand is why the FBI didn't just hand the evidence to the NCA in the UK and have them arrest him.

Well the government shouldn't modulate how it executes the law based on the optics or media impact. And as you said, this move shows that they didn't think the UK would agree with their evidence, which is far more reason for this snatching to be worrying.
Which is why he was arrested. He is accused of a crime, and will stand trial.
You assume that is their goal, to actually convict him of a crime

The FBI is known for arresting, and indicting, people with crimes that carry LARGE sentences to use that as leverage to turn those people into informants.

Extortion is a power tool used by the US Government

Unless charges are dropped, of course.
That's absolutely true, but if the DoJ is acting in good faith (they believe they have sufficient evidence of guilt by this person) then is this really a problem?

There are good reasons to be cautious, but this particular case is far from decided either way.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

"He admitted he was the author of the code of Kronos malware and indicated he sold it," said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money.

http://www.bbc.com/news/technology-40833951

We don't know the facts of the case yet and the government has released no evidence. This could all just be a massive FBI whoops as the FBI does from time to time. Or he could be completely innocent and the FBI is just using the threat of criminal prosecution to exert pressure to get him to inform on friends or contacts. We can't judge until more evidence is made available.

A general question not directly related to the case: Where exactly is the line between criminal conspiracy and writing software tools?

Certainly TOR is used by people to do bad things (and also good things), but almost everyone agrees that no criminal act has been committed by the creation of TOR. Plenty of legitimate businesses sell Remote Access Trojans (RATs) and go unarrested. On the other hand some developers that sell RATs have been arrested.

If someone pays you 2,000 grand to find an exploit have you committed a crime? What if then they use that exploit you sold them to commit a crime? What if you knew beyond all doubt that was their purpose but then the exploit isn't used? Does it matter if they bought an exploit from you or if you are a salaried employee of their company? What if instead of selling them an exploit you configured an email server for them?

It seems like he may not have created the trojan, but simply created a bootkit that it utilized. A fairly common thing for security researchers to do.
Yes, that's what they're saying. Consider the source.
I'm not convicting him, and if you put a gun to my head and forced me to render a verdict based on what's public now, I'd say "not guilty". What do you want from me? Cases like this unfold over time. We don't get to know everything we want to know the moment we want to know it.
The parent post thread is about why researchers were afraid as a result of the arrest. While it might unfold and get a not guilty, in the mean time he's in jail. If you were a malware researcher with good intentions, you might rightly think it's a mistake and one that could get you in the same kind of trouble.
My point isn't that I have a huge amount of trust and goodwill in the criminal justice system, but rather that almost nobody in the security community does the stuff that this person is accused of doing. Do you build banking trojans and then arrange for them to be sold to anonymous strangers on Darknet forums? If not: what does this case have to do with your security work?
It seems to me that this is kind of a litmus situation - this case reveals what you think of the DOJ. If you think that they somewhat routinely frame people that they are "after", then you look at the fact of the accusation and see this case as more proof that security researchers should be cautious (and maybe avoid entering the US).

On the other hand, if you think that the DOJ, while subject to making mistakes, does not often knowingly and deliberately falsely accuse people, then you look at the alleged behavior, and realize that it is well outside the bounds of whitehat behavior.

I think there's very little evidence that the DOJ routinely frames accused computer criminals --- or even that they routinely make mistakes with them. The reality is that so few computer crimes are prosecuted that the ones that are are usually smoking-gun cases.

I can't speak to any other aspect of federal prosecution. My thoughts about computer crime prosecution definitely can't be extrapolated to my thoughts about criminal justice in general.

It doesn't matter too much if the DOJ doesn't knowingly frame people.

They come down hard and they come down heavy on the wrong people, ruining lives. They also pile ridiculous charges even on those who are guilty of minor crimes, threatening to bury them in an avalanche of charges unless they settle. They also seem to be really ignorant of technology, and show a deep suspicion of anything that they don't understand.

Whether this bullying is because they are out of their depth, have a culture of recklessness, or some other reason doesn't matter to those who end up in their crosshairs. If you are a bank fixing Libor, or money laundering (UBS), or are involved in any number of frauds in the financial crisis, you are treated with kid gloves. But if software or encryption is involved, then the sirens wail, SWAT teams gather, and the fear campaign begins.

I doubt the type of bug will matter unless people need license to sell trojans by law.
"Type of bug"? Sorry, I don't follow.
Accusations can be based on bad extrapolation of facts.
It's unclear what "creating" entails. If I write a crypto library that a piece of ransomware uses, did I create the ransomware?
No, you didn't.
Why is there a tone that he's already found guilty without a trial?
> Hutchins is accused...

I thought it was pretty clear.

Consider the context.

From the context, it looks like that particular snippet was posted as a counter to the notion that researchers should be concerned about false accusations happening due to the possibility of their work being misconstrued as the activities of a black hat hacker.

To post that as if to dismiss those concerns, is definitely tending toward the tone that piiie is talking about. While you are right to point out the word "accusation" is used, not guilt, the tone still comes through when you consider the context.

If I write open source code for research, share it with the community, and someone wants to license it for "further research" and pays me – am I responsible if their adapted software is then used / stolen / re-applied to kill people or hack a bank?

In this scenario I both wrote and explicitly sold the software with no idea of what the later applied tech would do. The computer laws referenced in the article seem to require direct knowledge of malicious intent of the software in the sale.

If you know the person licensing it from you is going to use it to steal financial information, and the clear purpose of the tool you've built is to steal financial information, then I would say you should definitely make sure you have a criminal defense lawyer you trust and can afford.
I don't think anyone would disagree with what you just said, but given the way prosecutors deal with "intent" sometimes, I think it would be easy for them to cross a line.

If you haven't already, listen to this podcast about Doug Williams and polygraphs: https://www.thisamericanlife.org/radio-archives/episode/618/...

There's a lot of parallels and how issues of intent can get very grey.

They're required to prove intent at trial.
As I understand it this is the crux of the case - that the creation of such software isn't illegal, but sale with the intent to be used in the commission of a crime is. I understand the indictment is pretty barebones, so I wonder what exactly they are basing their allegations of intent on.
Honest question: if your code is open source, why would someone pay you for further research? Why would you charge for that?
I was being a bit of a devil's advocate, although I didn't quite get the responses I hoped for. I suppose I didn't phrase it quite right since I don't have significant knowledge about this case other than the article.

It seems like the arrest is a bit aggressive, but so is the response – clearly out of fear and uncertainty of the govt and the general time we live in. Hopefully more transparency will bring light to the allegations and reassure the innocent of their safety.