by AnthonyMouse 3243 days ago
> There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way.

There is only the thinnest of lines between the two.

White hats have to traffic in malware and exploits because it's necessary to understand a threat in order to defend against it, and in order to test that your defenses are effective. It may even be necessary to infiltrate black hat collectives.

The clearest way to tell the difference is that a real black hat will be breaking some other law. Committing credit card fraud or misappropriation of trade secrets or something like that.

But that doesn't appear to be the case here. And the fear is that because the law around this is so uncertain, if the government is going to use it in cases like this without any independent bad acts then nobody knows where the line is supposed to be.


"White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

People on this thread have a lot of strange ideas about what infosec people do in their jobs.

> "White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.

The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.

And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.

For the Nth time in this thread: watch the video of the software we're talking about. "White hats" do not build things like that all the time.
So, to make an analogy representing your position:

Watch the video of this horrendous deadly baseball bat attack. Baseball players do not bludgeon people to death with bats all the time. Therefore, baseball players should never worry that they might be falsely accused of an attack. Oh, and the crime was horrible, so that means the evidence must be pretty good. Q.E.D.

That's not analogous, as the bat was not developed for bludgeoning. This was software designed to steal money / cause issues regardless of who sold it. I don't know anyone in infosec that regularly creates fully functional and marketable platforms. It's also different than exploit proofs of concept, as again, this is designed to steal.
We don't know that he created the malware. He is accused of creating it. How hard is it to understand the difference between being accused and being guilty? It's been explained to death here that they are not the same thing.
You are suggesting he spent time and energy to build a proof of concept whose explicit task was to demonstrate banking theft from browsers, and he chose to never release it but keep it secret, and a friend decided to sell it on the dark web?

And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?

None of that sounds particularly implausible, to be honest. People build proof-of-concepts for their own amusement. If there's no unique vulnerability to be patched, there's no value to releasing it. People share things with their friends, who are sometimes unscrupulous. And if I found out that software I wrote was being used maliciously, I'm not so sure that my first email would be to the FBI either - especially after this.

The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.

While the tools, methods and knowledge might be similar or the same... to say "the thinnest of lines between the two" exists is a bit disingenuous.

There is a MASSIVE difference between researching security holes... and then selling the exploits for those security holes or tools that use said security holes.

Again... if the chatter here is accurate, he's not being "arrested" for research... he's being arrested for tools created and sold with the knowledge gained by said research.

There's a difference between discovering a hole in a banks security... and robbing a bank using that hole.

Massive difference.

What if it turns out that his "co-conspirator" stole and sold his PoC malware? We're talking about thieves and fraudsters after all, so this doesn't seem like it is outside of the realm of possibility. The only proof to the contrary would be if Hutchins profited from the sale of the malware.

Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scot-free because someone else handled the actual marketing, sales, etc., but if he didn't gain anything from those sales, or from fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.

To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?

Then he'll have an extremely strong defense at trial, and the DOJ will be wasting its time. Which is why it's a little bit unlikely that that's what happened.
There's evidence he knew of Kronos in the wild on his Twitter feed. Why wouldn't he alert someone that his research proof of concept had been leaked, or provide the source code to LEA?

> White hats have to traffic in

I feel like you're changing the terminology here in order to confuse the pretty clear lines.

Obtaining and analysing != creating and selling.

Creating and selling is also a normal course of operation: penetration testing tools, offensive tools used by various gov. entities, rootkits used by some entertainment conglomerates to "protect their IP". They are routinely created and sold.
This is complete nonsense.

Maybe there is a case that buying malware is a reasonable thing to do in some circumstances.

Selling your own malware is a different thing. That seems a pretty clear boundary.

"The indictment does not say Hutchins designed Kronos to be sold, knew about the sale or was at all aware his work was being used maliciously. "

A person he knew, or was in touch with, sold said trojan. The indictment also doesn't say whether he gained financially from the sale or not.

So, he developed a trojan possibly for research, someone he knew sold it and he got arrested.

This is not the kind of thing you develop for "research". It's extremely boring code that is essentially just a user interface for seeding HTML trojans across a botnet.

This thread gives the impression that people not in the field see some sort of mystique to malware research and development. Malware isn't vulnerability research or exploit development. Most of the malware deployed in the real world is code that virtually anyone on HN could develop, from first principles without any additional research.

That's not true of exploit development, which can be extraordinarily difficult and almost always depends on specialized insider knowledge. There's lots of research reasons to work on exploit code. But that's just not true for the kind of malware we're talking about in this case.

This is important to understand, because the premise of the story is that prosecution over banking trojan malware is having a chilling effect in the industry. It is not. Very few people in the industry build stupid-looking PHP interfaces to HTML injection on botnet victims, not because it's illegal but because it's pointless and dumb and you wouldn't learn anything from doing it.

Wait, what?

How does a person accused of development and direct distribution of malware qualify as a white hat? Because he pulled the plug on some ransomware and put his name in global households?

There are a lot of logic jumps here that you have simply glossed over.

The same way someone accused of murder qualifies as not-a-murderer.

"Accused" just means someone said it, it doesn't make it true.

That itself is a huge logic jump that is being made, both by the DoJ and the infosec community. His bail was set at $30k; the 10% rule makes his bail $3k, so he should be out by tomorrow if he really developed that malware.

If not, you're all being targeted so you should grab a new career before you get feds at the door.

No, the "10%" rule makes his BOND $3,000, which he would pay to a bail bondsman and lose forever.

You can put up $30,000 cash or some other asset as BAIL, and that is returned to you in full after the trial.

Or you can pay a bail bondsman 10% of that as a fee; they will put up a $30K BOND to the court and assure the court they will make you appear, or pay the court the $30K if you skip.

You as the individual however lose that $3k.