[tptacek]

My point isn't that I have a huge of trust and goodwill in the criminal justice system, but rather that almost nobody in the security community does the stuff that this person is accused of doing. Do you build banking trojans and then arrange for them to be sold to anonymous strangers on Darknet forums? If not: what does this case have to do with your security work?

[AnimalMuppet]

It seems to me that this is kind of a litmus situation - this case reveals what you think of the DOJ. If you think that they somewhat routinely frame people that they are "after", then you look at the fact of the accusation and see this case as more proof that security researchers should be cautious (and maybe avoid entering the US).

On the other hand, if you think that the DOJ, while subject to making mistakes, does not often knowingly and deliberately falsely accuse people, then you look at the alleged behavior, and realize that it is well outside the bounds of whitehat behavior.

[tptacek]

I think there's very little evidence that the DOJ routinely frames accused computer criminals --- or even that they routinely make mistakes with them. The reality is that so few computer crimes are prosecuted that the ones that are are usually smoking-gun cases.

I can't speak to any other aspect of federal prosecution. My thoughts about computer crime prosecution definitely can't be extrapolated to my thoughts about criminal justice in general.

[syshum]

The government has also been shown to be very vindictive and has a strong desire for revenge.

Wanncry was a massive black eye of the US Government, I think everyone believing there is zero connection between his involvement in that and this indictment is also naive.

I also fail to understand why you believe "computer crimes" are handled differently than any other type of crime, why you believe the DOJ would frame people for "other types of crimes" but never computer crimes, like there is some prohibition on entrapment when it comes to computers...

[rsj_hn]

It doesn't matter too much if the DOJ doesn't knowingly frame people.

They come down hard and they come down heavy on the wrong people, ruining lives. They also pile ridiculous charges even on those who are guilty of minor crimes, threatening to bury them in an avalanche of charges unless they settle. They also seem to be really ignorant of technology, and show a deep suspicion of anything that they don't understand.

Whether this bullying is because they are out of their depth, have a culture of recklessness, or some other reason doesn't matter to those who end up in their crosshairs. If you are a bank fixing Libor, or money laundering (UBS), or are involved in any number of frauds in the financial crisis, you are treated with kid gloves. But if software or encryption is involved, then the sirens wail, SWAT teams gather, and the fear campaign begins.

[mkagenius]

I doubt the type of bug will matter unless people need license to sell trojans by law.

[tptacek]

"Type of bug"? Sorry, I don't follow.

[sillysaurus3]

Banking trojans. They're saying that the DOJ might convict people for selling trojans in the course of their security work.

I think the "selling" part is the problem, not the writing. Don't sell trojans and you won't go to jail. Seems pretty clear.

[weaksauce]

I'd say making them is legal and using them on systems you own is completely legal... selling them or using them on machines you are not allowed to access are illegal. Giving them away to someone that sells them or uses them to commit a crime would be a grey area but likely illegal.

[ShabbosGoy]

Is selling Trojans illegal? If so, why are companies like Punkbuster and nProtect allowed to develop anticheat software?

A lot of AC software runs in ring0 and behaves a lot like a Trojan. I remember nProtect specifically injecting DLLs into explorer.exe among other nasty "black hat" techniques.

[sillysaurus3]

It's a difference in kind, not degree. The trojan in this case was meant to harvest banking and Amazon logins.

[ryanlol]

Intent matters.