A white hat is being accused of black hat behaviour. There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way. He's accused of creating and distributing malware. He may be found innocent of that, but the crimes he is accused of are very definitely crimes, and he shouldn't get a pass just because he's been publicly acting as a white hat.
If the government has evidence, he should be charged and tried. And that appears to be what's happening here.
Again, no contradiction here. There is a fear that a white hat is being accused of black hat behavior. Not a claim. A fear. And a reality that a person (maybe white hat, maybe black hat, we don't know) is being accused of black hat behavior. Nothing surprising here. He may, or may not, be a black hat. The fear of unjust accusation is still valid. We will have to see if the DOJ will share the evidence, and what that evidence says.
Then why isn't there a chill sent every time anyone is arrested on accusations of black hat crimes? If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.
I think it was just a lazy way to write a headline about how everyone in the security community is talking about this case --- which they are. It's a lot more interesting for readers if something important is at stake --- which I think really nothing is.
> If a cop is arrested under accusation of dealing drugs on the side, it doesn't suddenly send a chill through the law enforcement community that works to take down drug dealers.
How do you know that it doesn't? White hats are counterintel agents effectively. If a counterintel agent is arrested for doing something that could be deemed as part of his job, why wouldn't it 'send a chill' through the community?
You're not quite making the right analogous scenario. It's more like if a neighbor you know who has some strong vocal opinions against the current regime suddenly gets arrested on some charges like conspiracy to incite revolt. I would be right to be afraid of being charged similarly if I had similar beliefs and knew I'd had similar conversations as my neighbor.
> There is no indication that the government is seeking to charge him with any activities related to behaviour that could be interpreted as "white hat" in any way.
There is only the thinnest of lines between the two.
White hats have to traffic in malware and exploits because it's necessary to understand a threat in order to defend against it, and in order to test that your defenses are effective. It may even be necessary to infiltrate black hat collectives.
The clearest way to tell the difference is that a real black hat will be breaking some other law. Committing credit card fraud or misappropriation of trade secrets or something like that.
But that doesn't appear to be the case here. And the fear is that because the law around this is so uncertain, if the government is going to use it in cases like this without any independent bad acts then nobody knows where the line is supposed to be.
> "White hats" do not in fact routinely sell software intended almost solely to harvest financial information from botnets.
The indictment doesn't allege that the defendant sold it, only that he wrote it and someone else sold it.
And as you know, white hats create proof of concept code all the time. And give it to various people (including, in the end, anyone) for various meritorious reasons.
So, to make an analogy representing your position:
Watch the video of this horrendous deadly baseball bat attack. Baseball players do not bludgeon people to death with bats all the time. Therefore, baseball players should never worry that they might be falsely accused of an attack. Oh, and the crime was horrible, so that means the evidence must be pretty good. Q.E.D.
That's not analogous, as the bat was not developed for bludgeoning. This was software designed to steal money / cause issues regardless of who sold it. I don't know anyone in infosec that regularly creates fully functional and marketable platforms. It's also different than exploit proof of concepts, as again, this is designed to steal.
We don't know that he created the malware. He is accused of creating it. How hard is it to understand the difference between being accused and being guilty? It's been explained to death here that they are not the same thing.
You are suggesting he spent time and energy to build a proof of concept whose explicit task was to demonstrate banking theft from browsers, and he chose to never release it but keep it secret, and a friend decided to sell it on the dark web?
And as a malware researcher when he became aware that his proof of concept was indeed being used to conduct fraud, he turned a blind eye?
None of that sounds particularly implausible, to be honest. People build proof-of-concepts for their own amusement. If there's no unique vulnerability to be patched, there's no value to releasing it. People share things with their friends, who are sometimes unscrupulous. And if I found out that software I wrote was being used maliciously, I'm not so sure that my first email would be to the FBI either - especially after this.
The least plausible part of this chain of events is that Kronos, from what I can see, is not a very interesting piece of software - more a tedious exercise in plumbing than an interesting proof-of-concept.
While the tools, methods and knowledge might be similar or the same... to say "the thinnest of lines between the two" exists is a bit disingenuous.
There is a MASSIVE difference between researching security holes... and then selling the exploits for those security holes or tools that use said security holes.
Again... if the chatter here is accurate, he's not being "arrested" for research... he's being arrested for tools created and sold with the knowledge gained by said research.
There's a difference between discovering a hole in a bank's security... and robbing a bank using that hole.
What if it turns out that his "co-conspirator" stole and sold his PoC malware? We're talking about thieves and fraudsters after all, so this doesn't seem like it is outside of the realm of possibility. The only proof to the contrary would be if Hutchins profited from the sale of the malware.
Writing malware should not, in and of itself, be a crime. Security researchers need to create proof of concept programs in order to do their jobs. I don't think that he should get off scot-free because someone else handled the actual marketing, sales, etc., but if he didn't gain anything from those sales, or from fraud perpetrated in connection with the malware, then - having been arrested and indicted and such - he is just as much a victim as those who were infected.
To use your bank analogy, he found a hole in the bank's security. Someone took knowledge of that hole and sold it to some bank robbers who went on to rob the bank. The seller of that information says that he got it from Hutchins. Unless Hutchins got a cut of the sale, did he do anything illegal? Is there anything really connecting him to the robbery other than evidence that he knew about the hole first and the word of the hole seller?
Then he'll have an extremely strong defense at trial, and the DOJ will be wasting its time. Which is why it's a little bit unlikely that that's what happened.
There's evidence he knew of Kronos in the wild on his Twitter feed. Why wouldn't he alert someone that his research proof of concept had been leaked? Provided the source code to LEA?
Creating and selling is also a normal course of operation: penetration testing tools, offensive tools used by various government entities, rootkits used by some entertainment conglomerates to "protect their IP" are routinely created and sold.
This is not the kind of thing you develop for "research". It's extremely boring code that is essentially just a user interface for seeding HTML trojans across a botnet.
This thread gives the impression that people not in the field see some sort of mystique to malware research and development. Malware isn't vulnerability research or exploit development. Most of the malware deployed in the real world is code that virtually anyone on HN could develop, from first principles without any additional research.
That's not true of exploit development, which can be extraordinarily difficult and almost always depends on specialized insider knowledge. There's lots of research reasons to work on exploit code. But that's just not true for the kind of malware we're talking about in this case.
This is important to understand, because the premise of the story is that prosecution over banking trojan malware is having a chilling effect in the industry. It is not. Very few people in the industry build stupid-looking PHP interfaces to HTML injection on botnet victims, not because it's illegal but because it's pointless and dumb and you wouldn't learn anything from doing it.
How does a person accused of development and direct distribution of malware qualify as a white hat? Because he pulled the plug on some ransomware and put his name in global households?
There are a lot of logic jumps here that you have simply glossed over.
That itself is a huge logic jump that is being made, both by the DoJ and the infosec community. His bail was set at 30k, the 10% rule makes his bail 3k, so he should be out by tomorrow if he really developed that malware.
If not, you're all being targeted so you should grab a new career before you get feds at the door.
No, the "10%" rule makes his BOND $3,000, which he would pay to a bail bondsman and lose forever.
You can put up $30,000 cash or some other asset as BAIL, and that is returned to you in full after the trial.
Or you can pay a bail bondsman 10% of that as a fee; they will put up a 30K BOND with the court and assure the court they will make you appear or pay the court the 30K if you skip.
He makes great points, but I intuitively feel like certain acts of creating and selling malware should be illegal, even if only by the spirit and not the letter of the law.
If someone manufactures guns, doesn't register them, and knowingly sells them to street gangs, it kind of seems like they're aiding and abetting illegal activities for profit.
Of course there are instances of selling malware you created to parties who generally won't use it illegally, but that's not what's alleged here.
Whether Hutchins truly violated the law, I don't know, but if the allegations are true then he did something very unethical and something I feel should be illegal.
Do you think there should be a market for building/selling malware? I feel like it would aid in zero day disclosures. But it could also incentivize black hats.
Fuck no. Malware and exploits are not the same thing. Anyone can write malware; you just have to have the stones and a broken enough moral compass to make money by immiserating strangers. There is an infinite amount of malware; we don't benefit from its "disclosure".
There is a market already; the only difference from this case is who the end buyer is. If you are building a rootkit for Sony Entertainment to use on its customers, no one minds much.
The "chill" comes from legal activities potentially getting you detained and brought up on charges. That's a real cost, even assuming a perfect justice system that can tell they made a mistake.
For an analogy, suppose you wanted to rehabilitate some drug addicts in a bad part of town, and as a result, frequented that part of town, and bought books on drug dosages. If that could get you arrested because the cops couldn't tell the difference between you wanting to help drug addicts and being a drug dealer, and arrested you based on frequently being in the wrong part of town and showing an interest in drug literature, then it would send a clear message to go nowhere near these people in need. And that would be a shame.
Is there any indication that's the case here? The FBI isn't a bunch of complete incompetents. He could be found innocent, but what makes this case different than the presumption of innocence that every person charged with a crime is supposed to be given?
The FBI is human and therefore makes mistakes, and they are a large organization and therefore have a structural inertia that occasionally directs a lot of power and effort at the wrong target.
Also, the price of democracy is eternal vigilance. Citizens have a duty to check the government's use of power. We should be worrying every time the government acts against a citizen until we also see proper due process including any necessary evidence.
> He could be found innocent
He is innocent until proven otherwise.
> what makes this case different
The government hasn't yet shown that they can handle this kind of case properly. That is partly due to the novel nature of situations involving new technology, but it is also from the government's own history of bad behavior. Their reputation means they do not get the benefit of the doubt, and until we see actual evidence that this case (regardless of the outcome) is being handled properly, it's prudent to worry that this might be an overreaching prosecutor (or worse).
I don't know what these terms even mean. "White hat hacker"? Is that what we call "everyone who does anything in infosec but doesn't sell stolen financial information obtained from botnets"?
The attempt to divide the whole world into "people irrationally attacking 'hackers' and 'the good kind of hackers'" isn't doing anyone any favors.
If Hutchins has nothing to do with a criminal conspiracy to profit from a truly awful banking trojan, then his arrest and indictment is a travesty. But if he does have something to do with it, then his status as any kind of "hacker" should have nothing to do with anybody's take on the situation. I'm not sure how much lower you can go than deliberately making money by stealing bank logins from ordinary people, which is what he's accused of doing.
People love to talk about how the FBI has a history of framing people --- and in other fields they might. But there is no track record I'm aware of for the FBI to make up a story like this out of whole cloth. In every case like it, from NanoCore to Albert Gonzales and Stephen Watt, there's been a basis for the charges.
>People love to talk about how the FBI has a history of framing people --- and in other fields they might. But there is no track record I'm aware of for the FBI to make up a story like this out of whole cloth.
No? It is fairly common in Terrorism cases. I fail to see why they could not do it for Cyber Crime as well
Well, yes, since none of those are actually examples of the FBI framing anyone. Stings are not the same thing as framing, no matter how much sarcasm techdirt uses to describe them.
A sting is law enforcement creating a situation where someone can demonstrate clear evidence of their intent to break the law. Framing is law enforcement MANUFACTURING evidence that someone broke or intended to break the law.
In the terrorism cases, a sting would be the FBI giving someone a fake bomb and that person trying to blow people up. Framing would be the FBI arresting someone and falsely claiming they found a bomb and plans for the local stadium in the person's house. It's an important distinction. In the former case, the person clearly tried to kill people, while in the latter case they did not.
>In the terrorism cases, a sting would be the FBI giving someone a fake bomb
No, that should be entrapment.
A sting is where they get a tip that criminal action might be happening and they are there to catch the criminals in the act.
Not where the FBI creates the plan, induces people into the plan, provides support for the plan, provides materials for the plan, then arrests everyone.
That is or should be considered entrapment, which I also consider framing someone.
The definition of "wouldn't normally" looks like some hairy case law, but it isn't as simple as you are saying. If they are offered a bomb for sale after a lengthy conversation about how great terrorism is and how important it would be for them to take the bomb, you could possibly have an entrapment case for example.
Wen-Ho Lee. Evidence showed that the leaked/stolen documents could only have come from a downstream contractor, not from Lee's lab. And yet the FBI latched on to him and wouldn't let go. Everything you think you know about the case is likely built on flawed reporting fueled by deliberate government leaks. Don't get me started... just know that what you think you know about that case is probably wrong. I was at most of his hearings and watched the judge apologize to him for the DOJ's behavior.
But as you say maybe that's another field. But still skepticism is not without basis imho.
> Is there any indication that's the case here? The FBI isn't a bunch of complete incompetents.
If they arrested someone selling the malware (which they did), and to get free that person says they can deliver the author (which they did), but instead points to any random security researcher he found working on that malware (we don't know). Now, add this to the person's white hat research, and the circle is closed; it would take a lifetime and immense legal fees to prove otherwise.
What about, say, Brian Krebs? According to his blog posts, he hangs out a lot on blackhat/cybercrime forums, particularly Eastern European and Russian (?) ones. He has contact with people there, posing as another blackhat, to lure information from them. It's possible, perhaps, that he also leaves out certain interactions that might cross further into a legal grey area (I'm not saying that he has), benign to his research.
That's bound to set off some alarm bells, somewhere some day, at some agency or bureau.
Now, Krebs keeps a relatively high profile pertaining to his work, so it's not improbable that they think twice when they read who he is, and see he's one of the "good guys" obviously.
But there's a lot of white hat researchers who aren't Internet-famous (in the tech world, not just security). Quite a few by choice, too.
So now they're worried if there's anything they might have done in the past that could get them into this kind of trouble. That is, being charged with something over having done (perhaps legally grey) security research. And yes they'll be given a fair trial, except that it seems that in the US proving one's innocence also depends on whether you have sufficient funds (I feel like I'm stereotyping here, but I see so many people casually mention these scenarios as if it's a given).
And then, being one of the "good guys"--by, say, single-handedly stopping the first wave of a global ransomware epidemic--doesn't seem to warrant a bit more considerate and less aggressive approach any more, either.