It's interesting to see how trusting another criminal with your address opens you up to serious blackmail... maybe I should set up a PO Box for Bitcoin business :)
I cringed when it came to describing how he'd try to tell the FBI half truth. Even if they hadn't had enough evidence to get him for his involvement in the Kronos malware, they'd still throw the lying to a Fed charge at him.
Why wouldn't the WannaCry malware writers register the domain first? It should be possible to simply update the name servers or DNS records should the kill switch need to be engaged?
This is a bit over the top. He is not a master hacker who "saved the Internet"; he accidentally neutered WannaCry by registering a domain he found in the binary, which, as it turned out, acted as a kill switch.
He did not "accidentally neuter WannaCry". He stopped WannaCry by registering the kill-switch domain. Nothing accidental about that.
> He is not a master hacker
He is a kid. What makes his experience interesting, and his story worth listening to, is that he had first-hand experience with the legal system as a hacker that went too far (because he is/was a kid). That is worth more than the arm-chair analysis of law (by wannabe script kiddies and theoretical security experts).
He named his own blogpost of the incident "How to Accidentally Stop a Global Cyber Attacks". He thought it was trying to spread like a worm, and they followed standard procedure to register the domain and black hole the traffic.
It is 100% accidental. He registered a domain he observed being queried from his analysis system. He did not figure out what the purpose of this domain was before registering it. One of three options:
- Act as a centralised C2.
- Act as a kill-switch (this is what happened).
- Act as a dead-man trigger, destroying the host system.
Even if the third option is not as likely as the first one, the repercussions had he been wrong would have been severe.
He didn't know it was the kill-switch domain. He expected it would enable him to kill the malware, though, and was trying to figure out how to send the kill command before it turned out that simply sitting a server behind the domain was enough to kill it.
I mean, how does one solve a problem with unknowns? You try different things until you make some progress and work from there. Turns out he didn't have to do more than register the domain, but just because the problem turned out to be simple to resolve doesn't make solving it an accident.
The question is, what would he have done if it wasn't a kill switch, but happened to be a server that received bitcoin payments from ransomware victims?
He was still selling banking trojans the year before, so who knows?
His goal was to kill the malware. Registering the (unclaimed) domain in the binary was supposed to be step 0 to this. Such a domain would almost certainly act as a control center of some sort. You can claim it while it's still available and analyze the malware or even just the traffic reaching your domain to try and neuter it. Even if there's no killswitch, maybe sending invalid data will cause the malware to malfunction and effectively stop its spread for example.
The fact that just registering the domain killed WannaCry wasn't expected, but his intent was to kill the virus from the start; that's no accident.
Also, I think the key point to reflect on here is that Marcus had the domain knowledge and intuition to know where to start hacking literally within minutes/hours of plugging back in and getting the source.
"Would almost certainly", yeah, in most cases. But, and this is something that didn't get talked about enough, what if registering the domain actually caused the malware to nuke the host system instead? Think of it as a kill-switch to deter malware researchers that only superficially reverse-engineered a sample before jumping to action. Viewed from that light, just registering the domain because you saw your sandbox talk to it looks more than reckless...
We're talking about WannaCry here. It's a ransomware that already more or less nukes the host system. It encrypts the files with strong encryption, which is the same as shredding them if you don't have the ransom money. Sure, the malware author could go further and harm the system physically (e.g. forcefully overheat the CPU or something), but that's actually surprisingly hard to do reliably ^^.
Besides, history tells us that such malware won't really have such "nuking" functionality. Gating it on the presence of a server is ridiculous, and would be found out eventually when the virus runs in a weird environment where, for instance, every DNS query resolves (e.g. hotel WiFi).
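The point above about environments where every DNS query resolves is a real pitfall for anyone triaging a domain pulled out of a sample: a captive-portal network or a sinkholing sandbox answers every lookup, so "the domain resolves" tells you nothing about whether it is registered. The following is an added example (not code from any commenter, and not Hutchins' tooling) of a small analyst-side check that probes for a catch-all resolver with random, unregistered names before trusting the answer for the domain of interest. The resolver is injected so the logic runs offline; the dictionary-backed resolvers, the `10.0.0.1` catch-all answer and the `.example` domain names are all constructed for illustration.

```python
import random
import socket
import string
from typing import Callable, Dict, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Resolver backed by the system stub resolver (not used by the offline test)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_dict_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed resolver for offline use: answers only names present in `table`."""
    return lambda name: table.get(name)


def make_catch_all_resolver(answer: str = "10.0.0.1") -> Resolver:
    """Constructed resolver that answers every query, like a captive portal or INetSim."""
    return lambda name: answer


def random_probe_name(rng: random.Random, tld: str = "example") -> str:
    """A 24-character random label; nobody has registered this, so it should NOT resolve."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    return f"{label}.{tld}"


def environment_is_catch_all(resolve: Resolver, probes: int = 3, seed: int = 1234) -> bool:
    """True if every random, unregistered probe name resolves: answers are untrustworthy."""
    rng = random.Random(seed)
    return all(resolve(random_probe_name(rng)) is not None for _ in range(probes))


def assess_domain(domain: str, resolve: Resolver) -> Dict[str, object]:
    """Classify a domain found in a sample, refusing to conclude anything in a catch-all net."""
    catch_all = environment_is_catch_all(resolve)
    answer = resolve(domain)
    if catch_all:
        status = "inconclusive: catch-all DNS environment"
    elif answer is None:
        status = "unregistered-or-nxdomain"
    else:
        status = "resolves"
    return {"domain": domain, "answer": answer, "catch_all": catch_all, "status": status}


if __name__ == "__main__":
    # Constructed sample run: a normal resolver vs. a hotel-WiFi style catch-all one.
    normal = make_dict_resolver({"registered-c2.example": "203.0.113.7"})
    hotel = make_catch_all_resolver()
    for resolver_name, resolver in (("normal", normal), ("catch-all", hotel)):
        for domain in ("registered-c2.example", "unclaimed-killswitch.example"):
            print(resolver_name, assess_domain(domain, resolver))
```

The `.example` names and the `203.0.113.7` / `10.0.0.1` answers are reserved or constructed values, never real infrastructure. In practice you would swap `live_resolver` in, and treat an "inconclusive" result as a prompt to leave the sandbox network before reading anything into the sample's DNS behaviour.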
Isn't the first thing anyone would do when coming across such a domain in a malware binary to check whether it is claimed (and if not, who here wouldn't register it, even just to see what happens)? I mean, we can argue over the semantics of accidental, but IMO you can't accidentally register a domain?
I totally agree. Most of innovation is "I wonder if..." and then you do something and see what happens. Him registering the domain was based on research; it killing WannaCry was based on research and a bit of luck, just like most things.
Hutchins was busted for committing bank fraud. Him doing one good thing does not absolve him of having committed another crime... he's still a criminal. Rather than protest him being arrested we should advocate for him getting a reduced sentence for having at least done some good.
Shouldn’t the system be set up to reward the good thing more than the bad thing when possible? If someone is in a position of power from doing bad things, how could you expect them to stop of their own volition?
One problem with rewarding an action is that humans are very good at gaming rules. For example, let's say I get X for donating to charity. I can, for example, set up my own charity, donate to it, pay myself all its income as salary and then just collect lots of X.
The US tax system is a perfect example of this I'd say.
One of the most useful monetary goals in life is being able to afford the US federal appeals court. It's the only part of the system where arbiters of the law actually begin to analyze the law. There is no dog and pony show for jurors there, no instructions that a prosecutor can tell the judges and sway them.
So it wouldn't matter what a single judge thought in lower court, if you were compliant.
That logic doesn't make sense. Everyone has the potential to do something bad. If you have a concealed carry firearm with you, should you get rewarded for not shooting someone on a particular day?
What's more interesting on the "good deed / bad deed"-ometer is:
> Among those who pinned down the attacker was James Ford, 42, who is also thought to have tried to save the life of a woman who had been stabbed. Ford was jailed for life in 2004 for the murder of 21-year-old Amanda Champion.
A system that rewards the morally 'right' behavior seems ripe for abuse. Should we not set the expectation that one should be 'good' as the base of our society contract?
Title was intentionally misleading before mods updated it.
This is a very one-sided article meant to make Hutchins look good.
The valuable bit of the article is a reminder of why it's important not to start being criminal/evil, because it traps you in a positive-feedback loop of criminality as you feel a need to commit ever-greater criminal acts to cover up past acts.
The only escape from this is to create a culture where criminals know that it is safer to turn themselves in and turn informant on their co-conspirators than to try to evade the authorities.
I carefully read the entire article and I don't think it made Hutchins look good. But it does describe, accurately in my view, the kind of rationalizations people apply to cross line after line until they see no way out.
A statute of limitations on hacking laws would also help. There's no reason people should be fearful decades later for stuff they did as (relative if not literal) kids.