The Indictment Against Malware Researcher Marcus Hutchines Is Really Weird

from the why-is-that-illegal? dept

Fri, Aug 4th 2017 11:57am — Mike Masnick

So, yesterday, we wrote a quick post about recently-famous malware research Marcus Hutchins (famous for accidentally stopping the WannaCry attack) being detained by the FBI as he left Defcon. An hour or so later, we updated it with the details of the indictment which had been released. That had my quick response, which noted that the "evidence" didn't seem very strong. It just claims (without anything else) that Hutchins wrote the Kronos malware, and most of the indictment and most of the activity focuses on a second defendant (whose name is redacted) who apparently was out selling the malware. I was planning to write up a more thorough look at the indictment and its problems today, but last night, Orin Kerr beat me to it, and he (famed lawyer, law professor and former assistant US attorney) has a bit more expertise in the subject, so let's work off of his analysis.

The crux of the indictment is that Hutchins and the unnamed "co-conspirator" worked together to create and sell malware, leading Kerr to ask the fairly obvious question:

This raises an interesting legal question: Is it a crime to create and sell malware?

After all, as many others pointed out, there are lots of folks out there who build and sell malware of one kind or another -- and, indeed, the US government is often a large purchaser of malware sold by others. Kerr's initial gut reaction was more or less the same as mine: that the actual amount of evidence in the indictment is pretty minimal, though obviously they may have a lot more that just hasn't been shared yet (or they may turn up more).

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

From there, Kerr digs into each of the charges. The first is "conspiracy." This one struck my layman's mind as somewhat odd. Two people working together does not a conspiracy make. Kerr similarly calls it "odd" and notes that for this charge to work, the government has to argue that selling malware is the same as using malware to damage a computer. And that seems... difficult. Kerr points out that there are two conditions that must be met for this to work:

First, the government must prove that Hutchins and X had an intent to damage a computer. That is, the goal of their conspiracy must have been to impair the availability or integrity of a program or data. Maybe there are facts that support that, but at the very least they don’t appear in the indictment. The indictment makes it seem that the purpose of selling the malware was to, well, sell malware. It’s not obvious that Hutchins and X cared what the buyer did with the malware after so long as they paid. If Hutchins and X didn’t care what the buyer did with the malware, it’s hard to see how they could have a purpose to impair the availability or integrity of a computer.

Second, the government must prove that the agreement was to cause the result of damaging a computer. In an ordinary 1030(a)(5)(A) case, causation is easy. The person sends the malware and the malware damages the machine. Here, though, the government’s theory adds an intermediary: The theory seems to be that Hutchins and X conspired, and the goal of their collective activity was to cause damage, even though the actual act of damaging a computer (if it happened) was to be caused directly by the buyer using the malware rather than by Hutchins and X.

That second point is especially interesting to me. We've seen more and more attempts to charge "intermediaries" with crimes based on actions of third party users of their tools (the Megaupload case being one big example). And that seems like a very dangerous path to go down. One of the reasons why we talk about "intermediary liability protections" on Techdirt so much is that they're so important on a basic "blame the person who actually did the wrong" spectrum. It's not the intermediary, it's the user. Go after the user, even if that's more difficult. Here, the DOJ seems to be going after the intermediary. Because.

The next three charges are all similar, and I didn't quite get them at first, but Kerr explains. They're making use of 18 U.S.C 2512 which Kerr describes as, "a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices." Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a "device" under the law, and argues that may be difficult as well.

In Potter v. Havlice, 2008 WL 2556723 (S.D. Ohio 2008), the plaintiff sued the defendant under Section 2512 for making and selling “Activity Monitor,” which was billed as “an ideal spy software package to ensure you have the control you need over your child or spouse activity when they are online.” After rejecting Section 2512 liability because there is no civil cause of action under the statute, the court added an alternative holding that “Activity Monitor is not a device as contemplated by Section 2512.”

Section 2512 makes the manufacture and/or trafficking of “any electronic, mechanical, or other device” illegal. The phrase “electronic, mechanical, or other device” is defined in 18 U.S.C. § 2510(5) to generally mean “any device or apparatus which can be used to intercept a wire, oral, or electronic communication….” Clearly, Activity Monitor alone cannot be used to intercept communications. It must be installed in a device, such as a computer, to be able to do so.
Also, the definition of the word “device” does not encompass software such as Activity Monitor. Merriam Webster Dictionary defines “device” as “a piece of equipment or a mechanism designed to serve a special purpose or perform a special function.” Activity Monitor alone is not a piece of equipmentor a mechanism.

So... that's going to make this interesting. Of course, then there's the further question of whether or not the malware itself is really intercepting communications. Either way, this feels like a way to try to twist a law targeting older technology to pretend that it applies to a very different kind of technology. I know this happens semi-frequently, but it always troubles me. You get bad results this way, because the technology that was originally being regulated, and what it's now being used against, are very different, and should be treated differently. But when you try to shove something like malware into laws created to stop wiretapping devices... you end up with bad results, where rulings can be made about something being "bad" without realizing the wider reverberations it may have.

And, finally, there's a CFAA claim, because if there's a criminal case that could be summarized as "behaving badly on a computer" you have to expect an eventual CFAA claim.

This count raises the same challenges as count one. The theory seems to be that that selling a copy of malware is akin to using the malware to damage a computer. But to get there, they need to show that Hutchins and X had the intent to impair the availability or integrity of information on a computer and not just intent to distribute the malware to a paying customer. The government also needs to prove that their act of distributing the malware was the proximate cause of the resulting damage even though a third party’s intentional act of sending the malware was required for that to happen.

Again... this seems quite difficult to actually show, though perhaps there's more evidence that the DOJ hasn't yet revealed.

In the meantime, others are insisting that the DOJ has the wrong guy. A friend and colleague of Hutchins, Kevin Beaumont, insisted that the DOJ is simply wrong, and that Marcus has more or less dedicated his life to fighting malware, not creating it:

To be absolutely clear @MalwareTechBlog's business is reversing malware to monitor botnet traffic. The DoJ has seriously fucked up.

— Kevin Beaumont (@GossiTheDog) August 3, 2017

I know Marcus. He has a business which fights against exactly this (bot malware), it's all he does. He feeds that info to US law enforcement

— Kevin Beaumont (@GossiTheDog) August 3, 2017

On top of that, the BBC spotted the fact that Marcus asked on Twitter if anyone had a sample of Kronos after it first was discovered:

Now, of course, that alone is not evidence of much. After all, if he really had created it, why not tweet something like that to make sure people think he hadn't? But, still, it is worth pointing out, along with multiple other folks saying that they simply don't believe Hutchins would have been behind the malware, let alone the broader legal question of whether or not making and selling malware is even illegal in the first place.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cfaa, conspiracy, doj, indictment, kronos, malware, malwaretech, marcus hutchins, orin kerr, selling malware

51 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

This comment has been flagged by the community. Click here to show it

Anonymous Coward, 4 Aug 2017 @ 12:08pm

Given your record predicting court cases, he's toast.
An overlap between white and black hat is also likely. Others speculate he was behind Wannacry, or that he stopped the NSA's extortion with it. Or they're squeezing him for info, including the bits he snagged at DefCon.

We don't know! But key point for sure is that Masnick leaps to defend a hacker. (A British hacker: avoided extradition!)
[ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 12:54pm
  
  Re: Given your record predicting court cases, he's toast.
  Speaking of leaping...
  [ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 1:19pm
  
  Re: Given your record predicting court cases, he's toast.
  "..Masnick leaps to defend a hacker."
  
  Uh, how about: "..Masnick leaps to defend an innocent-until-proven-guilty hacker."
  [ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 2:57pm
  
  Re: Given your record predicting court cases, he's toast.
  How's that John Steele appeal going bro?
  [ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 12:12pm

Also worth noting, the Indictment was issued before he entered the US, but they don't bother to pick him up until he tries to leave the US. Surely if the though he was behind distributing malware, the would have arrested him on entry, so as to stop him distributing it to contacts at the conferences.
[ link to this | view in chronology ]
Ninja (profile), 4 Aug 2017 @ 12:12pm

Considering he works with security and more specifically with vulnerability exploits through malware one can go conspiracy and argue he found out stuff he shouldn't have or probed the wrong botnet. From the little I read about Hutchines he does everything quite in the open. You know, if you are doing everything right you have nothing to fear? Yeah about that...
[ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 12:13pm

the british government have been strangely silent, and if he did create malware why has he not been prosecuted under uk law
[ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 3:12pm
  
  Re:
  indeed. fishy.
  [ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 3:49pm
  
  HMG reaction [was Re: ]
  
  the british government have been strangely silent
  
  Oh, seeing the latest comment bumped this thread for me.
  
  I wasn't really going to bother posting a link to this Dustin Volz tweet, but that tweet contains a short statement for publication from Peter Heaton-Jones, Member of Parliament (Conservative, North Devon). As of half-an-hour ago or so, I hadn't see the statement anywhere else besides Twitter.
  
  (Via @cfarivar retweet.)
  [ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 12:20pm

Another notable lawyer

Orin Kerr … famed lawyer

Thomas Fox-Brewster writing at Forbes has a piece today ( “Kronos Malware Dealer On WannaCry Killer Charges: What Charges?”, Aug 4, 2017) with some reaction from attorney Tor Ekeland:

Tor Ekeland, a lawyer specializing in Computer Fraud and Abuse Act (CFAA) cases, described the charges as "a disaster", claiming the government is trying to punish Hutchins for "non-alleged harms that other people may have committed with Kronos."

In the next paragraph, that piece goes on to further quote Mr Ekeland. All in all, though, it's a much shorter take than the analysis by Professor Kerr.

“A disaster”.
[ link to this | view in chronology ]
Norahc (profile), 4 Aug 2017 @ 12:30pm

"The next three charges are all similar, and I didn't quite get them at first, but Kerr explains. They're making use of 18 U.S.C 2512 which Kerr describes as, "a rarely-used law that criminalizes making, selling, or advertising for sale illegal wiretapping devices." Yes, wiretapping devices. Here, Kerr focuses on the question of whether or not a piece of malware software is a "device" under the law, and argues that may be difficult as well."

The government's viewpoint:
Malware equals a wiretap
Stingray does not equal a wiretap
[ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 1:31pm
  
  Re:
  If you ask me, this has the sniff of the early phreaking cases in the eighties, where cops who were completely out of their depths were charging hackers with causing phone service failures - which were likely the phone companies' fault.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 12:32pm

Novel legal interpretation
Supposing for the sake of argument that the DOJ actually prevails with their odd theory that selling computer-impairing software is illegal even when the seller had no particular interest in how the buyer would use it, that could open a fascinating mess with regard to the selling of software that impairs computers not because it is malicious, but because it is very poorly written. This could also have interesting chilling effects on anyone who creates toolkits that readily can be converted into malware (e.g. Windows-hosted VNC servers aren't that far off if you compile out the pieces that make it easy for the console user to know VNC is running, tell it to stand down, or tell it to stop), even when the toolkit has substantial non-malicious uses.

Since we're contemplating criminal law, rather than civil law, the usual EULA disclaimer about "not liable for damage caused by defects even if the vendor knew, should have known, or was warned about these defects" would not apply.
[ link to this | view in chronology ]
- Christenson, 4 Aug 2017 @ 1:19pm
  
  Extending the Novel legal interpretation
  We could go all the way to Microsoft itself with *that* legal interpretation, since there are those that view the Windows operating system or the Internet Explorer browser as impairing computers and facilitating crime.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Aug 2017 @ 9:53am
    
    Re: Extending the Novel legal interpretation
    The eventual "logical" conclusion is to take it to the hardware vendors and include the PC's themselves. Because the PC is a necessary piece of equipment to create and run the software that impairs another computer.
    
    You could also include the internet provides, etc., etc.
    [ link to this | view in chronology ]
Anonmylous, 4 Aug 2017 @ 12:49pm

Ugh...
Yes two can conspire, happens all the time in murder cases, usually with attempts to hire not involving an undercover agent posing as the hitman. But its a catch-all, and might actually get them if they provided more than basic instruction on how to use the software. Supporting a buyer by providing additional instruction beyond bug fixes and troubleshooting installation on their own machines could net them a conviction. Luckily, in order to do that, they'll have to prove that Marcus and the other guy really did create or at least distribute this malware, and that they did support it afterwards. That said, the other charges should crumble. If he gets a competent attorney and it looks like he intends to fight it, the Gov will either re-charge with something more concrete, or drag it out a long while then fold. This is gonna suck either way.
[ link to this | view in chronology ]
- Wyrm (profile), 5 Aug 2017 @ 12:40pm
  
  Re: Ugh...
  Regarding you comparison with hiring a hitman, this is a backwards comparison.
  
  In the case of A hiring B to kill C, A actually has the intent to kill a specific target. The intermediary B would do the actual murder, but A provided the intent first.
  
  In the case of A creating a malware that B then buys to infect C's computer, B had the intent, and B is the one to execute the task. A here doesn't have intent, nor does he acts against C's computer. He only created a general tool that might be used for nefarious purposes, or for research, or then again for legal investigation...
  
  There is no valid comparison here.
  [ link to this | view in chronology ]
  - Anonymous Coward, 9 Aug 2017 @ 1:48pm
    
    Re: Re: Ugh...
    The comparison would be going after the Colt for a murder committed with one of their firearms.
    [ link to this | view in chronology ]
CanadianByChoice (profile), 4 Aug 2017 @ 12:49pm

They need someone to blame
In order to not look incompetent, they need to find a scapegoat. Reality need not enter the equation - they simply need someone to pile charges on so that it LOOKS like they can actually do their jobs.
[ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 12:53pm

Representation
Yesterday, a Reuters article by Dustin Volz and John L. Smith (“Cyber expert who stopped 'WannaCry' attack arrested in U.S. on hacking charges”, Aug 3, 2017) reported:

Hutchins appeared before U.S. Judge Nancy Koppe in Las Vegas on Thursday. Dan Coe, a federal public defender, told the court Hutchins "had cooperated with the government prior to being charged."

The hearing was scheduled to continue Friday afternoon to determine whether he will be represented by private legal counsel or a public defender.

“Friday” would be today.

(Via retweet of an @MattBlaze retweet.)
[ link to this | view in chronology ]
- Christenson, 4 Aug 2017 @ 1:23pm
  
  Re: Representation
  More than that, the docket indicated they had him in shackles yesterday.
  
  On a nonviolent offender, that's a strong indicator of a made-up, bogus case.
  [ link to this | view in chronology ]
  - Anonymous Coward, 6 Aug 2017 @ 2:51pm
    
    Shackles [was Re: Re: Representation]
    
    … the docket indicated they had him in shackles…
    
    US v Hutchins Docket (D.Nev., 2:17-mj-00825)
    
    Document 5: Assertion Of Right To Be Present In Court Unshackled
    [ link to this | view in chronology ]
    - Anonymous Coward, 6 Aug 2017 @ 3:09pm
      
      Re: Shackles [was Re: Re: Representation]
      
      … the docket indicated they had him in shackles…
      
      US v Hutchins Docket (D.Nev., 2:17-mj-00825)
      
      Document 2: MINUTES OF PROCEEDINGS
      
      Initial Appearance in Rule 5(c)(3) Proceeding as to Marcus Hutchins held on 8/3/2017 before Magistrate Judge Nancy J. Koppe. . . . Defendant shall have no restraints during court proceedings. . . .
      
      (Emphasis added.)
      [ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 5:11pm
  
  Re: Representation
  This afternoon, reporter Christy Wilcox (KSNV News 3) has posted two different videos with statements from Marcus Hutchin's attorney Adrian Lobo:
  - Twitter video (very brief)
  - Facebook video (later and longer)
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Aug 2017 @ 7:57pm
    
    Re: Re: Representation
    
    … attorney Adrian Lobo … Facebook video
    
    Fwiw, Dan Goodin asked whether anyone knew for certain whether Marcus Hutchin had entered a plea.
    
    In KSNV News 3 reporter Christy Wilcox's Facebook video posted earlier this afternoon, I believe that Mr Hutchin's attorney Adrian Lobo answers that question.
    
    About the “-6:05” mark in the video (counting up with negative time):
    
    Adrian Lobo: He pled not guilty.… That was yesterday's hearing.
    
    [ link to this | view in chronology ]
  - Anonymous Coward, 4 Aug 2017 @ 11:43pm
    
    Re: Re: Representation
    
    … attorney Adrian Lobo
    
    Incidentally, I was looking at what I presume is Ms Lobo's website. Her list of “Criminal Practice Areas” does not appear to show the CFAA as a specialty.
    [ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 1:10pm

the main purpose of the USA, certainly the law enforcement side, seems to be to find someone, charge them with something, regardless of whether they actually did what they are charged with or anything at all, come to that, then get them into court, convicted and imprisoned for a life term, even if all they had done was really to spit in the gutter! this paranoia that everyone except law enforcement are bad is ridiculous and has to stop! the country is being turned into a penal nation with just law enforcement supposedly doing no wrong! we know already that that is not the case and in actual fact, those who are supposed to uphold and live by the law are the worst offenders! perhaps how they are conducting themselves is to try to cover up all of their own illegal activities? if so, they need to remember that sooner or later, the truth comes out and severely bites you in the ass!!
[ link to this | view in chronology ]
Peter (profile), 4 Aug 2017 @ 1:23pm

Hutchins real crime? He took away fantastic opportunity from the FBI
Finally, with WannaCry, the big, nasty Cybermonster showed its head. Big money on the horizon for the FBI, lots of new people to be hired. Promotions. Brave FBI-cyberwarriors protecting America from the evil Cyberthreat.

But no. Along comes Hutchins, and pulls the plug on this Fairy tale. The FBI is back to hunting UFOs or mysterious Russian Hackers that no sane person believes in. Back to propping up some misfits with FBI bombs and FBI undercover terrorist cells to get a few fleeting moments of media attention.
[ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 1:32pm

Conspiracy...
...to commit software. Subversion (the very name!?) and Git users beware the FBI!
[ link to this | view in chronology ]
Roy (profile), 4 Aug 2017 @ 1:48pm

3rd party liability protection
This is the most important part of this whole thing. If I'm the NRA I'd be filing an amicus brief over this. Eroding 3rd party liability protection is the path to punishing gun makers for murders. If I can build something that someone else can use to harm another - I can become a target of the DOJ. That can go a long way beyond software.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 2:00pm
  
  Re: 3rd party liability protection
  Not to mention Budweiser et al.
  [ link to this | view in chronology ]
- Toom1275 (profile), 4 Aug 2017 @ 4:51pm
  
  Re: 3rd party liability protection
  Doing security research in a laboratory environment, such as those engineers studying air-gap-defeating malware and suffer a malicious breach that sees your "proof-of-concept" used against the world? Now the government can attack you instead of an actual criminal.
  
  All they need is your "intent" for the software to "harm" a computer, even if it's your own.
  
  Of course, none of this applies if you're the NSA cultivating and distributing malware.
  [ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 2:00pm

"Two people working together does not a conspiracy make."
Actually, yes it can. If two or more people agree to participate in a criminal act or if two or more people agree to participate in an act that is legal in and of itself BUT which becomes illegal when done by multiple people.
[ link to this | view in chronology ]
- teka, 4 Aug 2017 @ 10:31pm
  
  Re: "Two people working together does not a conspiracy make."
  Can you point out an activity that is legal in and of itself but illegal when done by multiple people?
  [ link to this | view in chronology ]
  - Anonymous Coward, 4 Aug 2017 @ 11:00pm
    
    Re: Re: "Two people working together does not a conspiracy make."
    
    Can you point out an activity that is legal in and of itself but illegal when done by multiple people?
    
    15 USC § 1 (Sherman Act § 1)
    
    DoJ Antitrust Primer: Price Fixing, Bid Rigging, and Market Allocation Schemes
    
    But this is going way off-topic.
    [ link to this | view in chronology ]
Pronounce (profile), 4 Aug 2017 @ 2:38pm

The Register Picked Up on This Story
The commenters were warning against traveling to the U.S., and I agreed with their assessment. But it seemed to me that they failed to consider that Britain is still a member of Five Eyes, and so it's doubtful the UK would afford you much protection if the U.S. wanted you bad enough. (for evidence see the case against Kim Dotcom)

The smell of this is very Aaron Swartz, or Tamerlan Tsarnaev, -ish to me.

The U.S. government is notorious for first demonizing you in the media, and then eliminating you as a threat.

Good luck to you, Marcus Hutchines, your life might be cut short, but at least you did good before getting the U.S. government treatment.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 2:54pm
  
  Re: The Register Picked Up on This Story
  
  The commenters were warning against traveling to the U.S., and I agreed with their assessment.
  
  The IETF have already moved a meeting because of the US travel ban and this will just make it look like a very good decision.
  [ link to this | view in chronology ]
That Anonymous Coward (profile), 4 Aug 2017 @ 3:10pm

Well when the NSA loses all of it toys & no researchers want to work for them... you have to get creative to force them into taking a plea deal that involves them rearming the empty cyberweapon silos.
[ link to this | view in chronology ]
- Anonymous Coward, 4 Aug 2017 @ 6:11pm
  
  Re:
  His real crime was figuring out how some of their favorite toys worked and helping to stop them from harming us.
  [ link to this | view in chronology ]
Nicola, 4 Aug 2017 @ 5:36pm

Didn't Sony get prosecuted over thier rootkit?
I'm sure I recall Sony distributing a rootkit a few years ago, then distributing a "removal tool" that just made the whole thing worse.

I don't recall the discussion of when the FBI investigated, arrested executives, and prosecuted people there though. Can someone remind me please?
[ link to this | view in chronology ]
tin-foil-hat, 4 Aug 2017 @ 6:32pm

No good deed goes unpunished
Or any deed if you're in the US. People who know stuff threaten the power structure so if they know you know stuff then you're at risk of being punished.
[ link to this | view in chronology ]
Anonymous Coward, 4 Aug 2017 @ 7:17pm

Look no farther
than what the FBI might want from someone they have leverage against.
- In a sting operation.
- Purely as bait
- (The DEA does this too.)
- As a weapon against an Eastern European 'cyber' 'gang'.
How many folks have the funds to afford a competent defense in a criminal trial? (Don't cry to me that public defenders can make it all better either.)
[ link to this | view in chronology ]
Coyne Tibbets (profile), 5 Aug 2017 @ 12:07am

Governments irritation
More and more it appears that the Marcus Hutchins indictment isn't about malware. It looks like the government is irritated with Hutchins and is using this as a cover to get even. Makes you wonder if Wanna Cry was a government attack.
[ link to this | view in chronology ]
Bruce C., 5 Aug 2017 @ 11:47am

The other part that's weird to me is that they aren't charging him with 500 counts or more of each offense. How many computers did Kronos infect? I'll be interested to see their timeline. There are way too many plausible scenarios where Hutchins may have inadvertently given/sold Kronos to someone under the impression they were a researcher, or an accidental release due to a gap in a sandbox environment.

Also, is anyone actually accusing him of writing the malware other than the media? The indictment appears to speak to small scale distribution consistent with research.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Aug 2017 @ 12:02pm
  
  Re:
  
  Also, is anyone actually accusing him of writing the malware other than the media?
  
  According to KSNV News 3 reporter Christy Wilcox's story yesteday, “Malwaretech hailed hero gets bail after allegation of producing malicious malware” (Aug 4, 2017), in court before Magistrate Judge Nancy Koppe, AUSA Dan Cowhig accused Mr Hutchins of writing the malware.
  
  Nevada Assistant Attorney General Dan Cowhig told the court Hutchins admits he wrote Kronos bank malware, he then sold it and profited from the sale.
  
  (Note that “Nevada Assistant Attorney General” appears to be an unusual way to refer to an assistant United States attorney (AUSA).)
  
  Also see 4.a. on p.3 of the indictement, where it is alleged:
  
  Defendant MARCUS HUTCHINS created the Kronos malware.
  
  [ link to this | view in chronology ]
  - Anonymous Coward, 11 Aug 2017 @ 12:23pm
    
    Followup [was Re: Re: ]
    
    Also, is anyone actually accusing him of writing the malware other than the media?
    
    According to KSNV News 3 reporter Christy Wilcox… AUSA Dan Cowhig accused Mr Hutchins of writing the malware.
    
    The transcript of the Aug 4 hearing contains, on pp.7-8:
    
    MR. COWHIG: [...] In his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another.
    
    Among the evidence that the Government will present at his trial will be that there are chat logs in which Mr. Hutchins discusses with an associate the sale of the Kronos banking trojan through his associate splitting the proceeds of the Kronos trojan with his associate, where he complains about the amount of money that he received for the sale of the banking trojan and where he received a request from that associate to update the Kronos banking trojan. The associate in these chats is the person from whom the law enforcement agents purchased the Kronos trojan on AlphaBay as specified in the indictment.
    
    (Note that I'm seeing this transcript for the first time on Fri, Aug 11, 2017. This story is no longer on Techdirt's front page.)
    [ link to this | view in chronology ]
Anonymous Coward, 6 Aug 2017 @ 6:30am

There are several disturbing issues here:

1. If you do something that is completely legal and socially acceptable in your home country, say burp, and then go to a foreign country does the foreign have the right to prosecute you for burping? According to the concept of:

Wikipedia
https://en.wikipedia.org/wiki/Universal_jurisdiction

Universal jurisdiction allows states or international organizations to claim criminal jurisdiction over an accused person regardless of where the alleged crime was committed, and regardless of the accused's nationality, country of residence, or any other relation with the prosecuting entity. Crimes prosecuted under universal jurisdiction are considered crimes against all, too serious to tolerate jurisdictional arbitrage.

The point here is nationalism. Does a country have the right to claim a legal action in one's home country and performed there is a prosecutable and illegal actin their country.

2. Under universal jurisdiction does a country not only have the right to declare that legal actions in one's home country are not only illegal but are extraditable/ If I recall correctly that is exactly what the US did to a UK subject. Extradite him to the US for trial and conviction for performing legal actions in the UK.

3. What is going to happen when China, Russia, Arabia decide that free speech made in the US violates their laws, that universal jurisdiction applies, and then foreseeable extradite (kidnap from US perspective) US politicians to stand trial followed by lengthy prison terms?
[ link to this | view in chronology ]
Anonymous Coward, 6 Aug 2017 @ 11:23pm

If it is illegal to sell malware, will the DOJ also be prosecuting the FBI/CIA/NSA etc suppliers of malware and exploits?

How about the FBI/CIA/NSA for actually deploying the malware? seems like a really weird case to prosecute.
[ link to this | view in chronology ]
Anonymous Coward, 8 Aug 2017 @ 2:32pm

....leading [Orin] Kerr to ask the fairly obvious question:

This raises an interesting legal question: Is it a crime to create and sell malware?

Vendors of security hardened systems have a legitimate interest in buying or otherwise acquiring malware in order to test the security of their hardened systems.
[ link to this | view in chronology ]
Anonymous Coward, 11 Aug 2017 @ 11:53am

Aug 4, 2017 Hearing Transcript
Transcript of Aug 4, 2017 hearing in US v Marcus Hutchins (2:17-MJ-0825-NJK): “Continued Initial Appearance In Rule 5(c)(3) Proceeding” before Magistrate Judge Nancy Koppe.

(Via Lorenzo Franceschi-Bicchierai.)
[ link to this | view in chronology ]
Anonymous Coward, 11 Aug 2017 @ 5:05pm

Eastern District of Wisconsin Docket
CourtListener (RECAP) finally has a page up copying the docket from the Eastern District of Wisconsin.

US v Hutchins docket (E.D.Wis. 2:17-cr-00124)

Document 6: Redacted Indictment as to Marcus Hutchins

The link to (another) copy of the indictment is just an indicator that this is in fact the docket for the Hutchins case. Currently, CourtListener still has this docket page titled as “United States v. SEALED”.
[ link to this | view in chronology ]