top | item 14930895

Arrest of WannaCry researcher sends chill through security community

664 points | rbanffy | 8 years ago | thehill.com | reply

334 comments

[+] watty|8 years ago|reply
I've read a few articles but I feel like I'm missing something. What's with the sensational quotes like "I had folks afraid that their own involvement in investigating WannaCry would get them arrested."?

Everything I've read points to him having created the banking malware "Kronos", which was sold on various "underground forums" (whatever that means). What's with the WannaCry conspiracies? He wasn't arrested for being a security researcher, he was arrested for being a malware creator selling malware. Why is this "sending a chill through the security community"?

[+] NateyJay|8 years ago|reply
The concern is that a lot of behaviour that a security researcher would do in the course of their research (taking over C&C server addresses, as with WannaCry; soliciting samples of malware, as Hutchins did with the Kronos trojan; and having contacts with black-hat hackers) might look to the DOJ as if he is the culprit who created the malware.

People think that an innocent white hat hacker could get swept up in this kind of arrest, and there has been so little evidence released, nobody knows what actually happened.

[+] manarth|8 years ago|reply
There's a tweet dating back to 2014 [1] where he asks for a sample of Kronos.

A number of people have pointed out that this would be playing an extremely, ridiculously long game for an alibi - why would the author ask for a copy of his own code?

There's also little/no published information to back up the statement that he ever sold Kronos.

[1] https://twitter.com/MalwareTechBlog/status/48837379416825446...

[+] biggerfisch|8 years ago|reply
The quotes came from people who only knew him as a WannaCry researcher, due to the fact that the DoJ took forever to say why they were arresting him. It's as if a prominent anti-spammer were to get arrested with no explanation. A naive guess would be that it was due to their anti-spam work. Even though this arrest wasn't related to his WannaCry work, that was his most recent exposure to the public, and I think assuming it was related to that can be forgiven.
[+] sspiff|8 years ago|reply
As far as I've been able to figure out, he wrote an open source API hooking engine that was used as a key component of the Kronos malware.

When he found his hooking code in a malware sample (presumably Kronos), he expressed his disappointment / frustration with this (ab)use of his work on twitter. Whether or not this is truthful or just public posturing remains to be seen.

None of this is recent news - it played out in early 2016, so his arrest now is a little odd, unless the DOJ has uncovered new details that have not been publicly disclosed.

If it turns out he is arrested for some of his public code in a piece of malware, it should worry both security researchers and open source developers a lot.

[+] tetrep|8 years ago|reply
> He's not a "hacker" who is doing security research, he's a malware creator selling malware.

There's no reason he can't be both. We can both like him for stopping WannaCry, and dislike him for (if true) marketing/distributing malware based on Kronos.

Although I agree with your general sentiment, I'm confused as to why the security community is chilled by this. The court case should be public, so we'll be able to judge the evidence ourselves.

[+] hughes|8 years ago|reply
I think people who write malware to steal banking info should be prosecuted when possible. It will be interesting to see whether this goes to trial and if so how solid any evidence against him is.

However, I do not doubt that a mix of fear & incompetence could have resulted in his arrest as much as any concrete evidence of his involvement in Kronos. I think there's (perhaps rightfully) a culture of distrust and paranoia around law enforcement's interaction with ethical hacking. It's difficult to detach from that when legitimate prosecution happens.

[+] celticninja|8 years ago|reply
You state he is a malware creator because the FBI and their indictment told you he is.

The FBI claim he created the software in July 2014, the exact month that he asked on twitter for a copy of the software. Now I am not saying he is innocent but I am also not assuming his guilt because the FBI said he was guilty.

What proof do you have that he is a malware creator selling malware?

[+] brainfire|8 years ago|reply
People love a "lone hero" story, and journalists/Twitter personalities are trying to squeeze as much mileage as they can out of the genius who saved the entire world from malware.
[+] AndyMcConachie|8 years ago|reply
Writing malware is not a crime. Using it is. What gets me about this case is that, if I understand it correctly, he is being punished for writing software.

I've read the indictment but we'll have to wait and see how the government argues its case when this comes to trial.

[+] edzc92|8 years ago|reply
Why is there a law against selling malware? Couldn't a comparison be made with regards to firearms? He created the malware but didn't deploy it live
[+] syshum|8 years ago|reply
>>Why is this "sending a chill through the security community"?

Because a lot of legitimate security research, when viewed through the myopic and cynical lens of a Federal Agent, can be seen as illegal; this is an ongoing and ever-present fear for people in the field.

The FBI claims he is a malware creator and arrested him for it, you seem to believe fully this narrative of the FBI with no room for the FBI to view completely innocent actions as something else. No room for the FBI to be in error, no room for the FBI to be wrong.

The government has routinely, time and time again, overextended and prosecuted several people wrongly under the CFAA, which is a terrible and broad law that can be applied at will to many innocent everyday computer actions.

[+] Jtsummers|8 years ago|reply
I feel like no one here remembers when Dmitry Sklyarov was arrested under similar circumstances [0]. The US government has no obligation to seek out every potential arrestee no matter where they are in the world for every single crime that the US has laws for. But if the target of an investigation (whether they know it or not) sets foot in the US, then we shouldn't be surprised when they are arrested. And this is just another case with DEF CON (so no, it's probably not moving out of the US; it didn't 15 years ago). I'm quite certain that these sorts of things happen frequently for other crimes of (relatively) low priority that are just outside our primary focus on this forum (technology).

And is the US any worse for this than other nations? Probably not. They just get more publicity when it happens. But every nation that has a legal system will do the same thing. If the Russians or the Brits or the Germans or the Swiss decide that Jtsummers is a suspect in a crime, and I visit and they realize it, I shouldn't be surprised to find myself arrested and barred from leaving the country.

[0] https://www.cnet.com/g00/news/russian-crypto-expert-arrested... - may not be the best article, it's the first one that came up on Google for me.

[+] kbody|8 years ago|reply
Iceland would be great place if you want freedom, but I doubt the willingness from the current majority of attendees.
[+] chasil|8 years ago|reply
Realistically, DEF CON should move to the Caribbean.

Marcus Hutchins is a British citizen. Extradition before the event was feasible and would have been a far more honorable path than the snatch and grab that transpired.

British security experts might insist on Grand Cayman for any further conferences in the Americas.

[+] tptacek|8 years ago|reply
You think the FBI is going to interdict a computer criminal before they spend a week in Las Vegas associating with computer security professionals, any of whom could be criminal co-conspirators?†

That would be exceptionally nice of them, but also extremely poor investigative practice.

I will say, though, as one of the many people in my field that is bone-tired of schlepping out to the worst place in the United States every damn year for these events, any other location in the world would be fine for me, and I endorse the actual suggestion you're making.

(Yes, obviously, I know virtually nobody who attends Defcon is a criminal).

[+] CydeWeys|8 years ago|reply
I was just at this past DEF CON. The good majority of attendees were from the United States.

It doesn't make sense to move it to the Caribbean. That would cause attendance to drop by a lot, and some other organization would just start another conference in the US, and most people would go to that one.

[+] mjw1007|8 years ago|reply
Extradition needn't have come into it. The US authorities could have sent their evidence to the UK police to deal with (assuming the UK police didn't have it to start with).

If we want justice to be seen to be done, we shouldn't encourage "forum-shopping" by law enforcement, letting them bring prosecutions in a country where the defendant will be artificially disadvantaged.

[+] rhinoceraptor|8 years ago|reply
There is apparently going to be a DEF CON event in Beijing. But I'm not sure that will be any better in terms of not going to prison.
[+] us0r|8 years ago|reply
[0] is an interesting article about this. It doesn't matter where it is, if they want you they will get you. They have done this private plane on the runway thing a few times now.

> Seleznev, the identity thief who is the son of the Duma deputy, chose to vacation at a five-star resort in the Indian Ocean archipelago nation of the Maldives in 2014 precisely because it has no extradition treaty with the United States. U.S. officials got word and persuaded Maldives authorities to intercept Seleznev at the airport, where in a fast-paced operation he was bundled on a private plane to Guam

Personally - I think in this Hutchins case they just wanted a new hire.

http://hamodia.com/2017/04/02/u-s-sweeping-russian-hackers-b...

[+] strictnein|8 years ago|reply
So many extradition experts visiting Hacker News these days.
[+] johnnyfaehell|8 years ago|reply
I'm pretty sure every year someone is arrested because they attended DEF CON. Considering the US is one of the main countries seeking out and arresting cyber criminals, why on earth is the main security conference in the world in what could be considered a hostile country?

A case of smart people doing stupid things.

[+] OzzyB|8 years ago|reply
Maybe Sir Richard Branson could host it on Necker Island and stream it live on Virgin.com -- I'm only slightly kidding.
[+] ryanlol|8 years ago|reply
It's somewhat challenging to get to the Caribbean without risking IRROPS in USA.

>Extradition before the event was feasible

It wasn't feasible for political reasons. By attempting to extradite yet another sympathetic character from the UK the US would have risked undermining the extradition treaty for no gain.

Anyway, I don't understand how extraditing him from the UK would've been any more honorable.

[+] devhead|8 years ago|reply
If your code is used in an exploit and that is now a punishable crime, maybe next the NSA will be in the hot seat, since the code that was used in WannaCry was their own. Or perhaps Israel for their effort in Stuxnet. I hope he takes it to trial and we find out what is really happening here. Pretty suspicious that this happens years after the fact and only weeks after he helped prevent the further spread of WannaCry, WannaCry being created on top of the leaked NSA exploits they held on to instead of responsibly disclosing to Microsoft.
[+] mnarayan01|8 years ago|reply
As someone who's not sure where I stand on this, I feel like Hutchins supporters are doing themselves a disservice by overly conflating this with WannaCry. I think there's potentially a good argument to be made along the lines of "Hutchins' good work w.r.t. WannaCry is the only reason that anyone (including law enforcement) is aware of semi-historical Kronos, so going after him for Kronos is equivalent to going after him for WannaCry." Additionally, there may well be other arguments in his favor that I'm not even thinking of.

But those arguments need to be made (and the one I outlined would need decent factual details). That said...maybe glossing over (or even totally ignoring) Kronos is the best way for Hutchins supporters to go...but if it is, that seems an unfortunate reflection on society.

[+] jxcole|8 years ago|reply
I don't think that's what these researchers are saying. I think they are saying more along the lines of: "Hutchins has shown that he is a security researcher through his work on wannacry. As a security researcher, he probably has researched other problems as well, possibly including Kronos. The fact that he was arrested with little to no evidence could be showing that the DOJ is willing to arrest people who have copies of virus source code on their computers, even if they only accessed it for research purposes. In fact he may have updated Kronos code or written some part of Kronos as part of research to validate a hypothesis or test a theory. Such actions are ordinary actions for researchers, so this puts at risk most computer security research across the world."
[+] ajarmst|8 years ago|reply
Why? The arrest of a mall cop who was also doing burglaries wouldn't send a chill through the security guard community, except perhaps for those who were moonlighting as burglars.
[+] loteck|8 years ago|reply
Lots of comments about moving DEF CON out of US jurisdiction. DEF CON officially flaunts the fact that both criminals and law enforcement attend the event.[0] If that is the approach of the con, this interaction is built-in.

This isn't about DEF CON.

[0] https://defcon.org/html/links/dc-faq/dc-faq.html

[+] wepple|8 years ago|reply
> It is unclear from the indictment if Hutchins would have been aware his work was being used maliciously

The indictment specifically states he sold the malware. Unless he was completely convinced the buyers of Kronos were using it for research into browser malware, it's pretty damned obvious.

I'd be interested to talk to malware researchers that are genuinely scared about this.

[+] syshum|8 years ago|reply
We don't know what was actually sold, or what was paid for, or who paid for it.

Of course the government in a government indictment will state "he sold malware", but the government is known to lie, exaggerate, and use terms incorrectly or out of context when talking about technology.

Taking the indictment at face value is IMO extremely naive

[+] noshbrinken|8 years ago|reply
Individual known for benevolent acts arrested on charges of other, malevolent acts chills community of benevolent actors?
[+] DomreiRoam|8 years ago|reply
Why didn't the FBI ask the UK for extradition? If the case was solid, they should use the proper channel to deal with foreign (supposed) criminals.

When you use this strategy, you deprive the arrested person of the rights he would have in his own country, and you add the crazy cost of defending yourself in a US court. So it's possible that the case is not that solid or needs some parallel construction. It's pure speculation, but it seems fishy to me.

I can understand the use of shenanigans to arrest former dictators or very powerful crime lords as a last resort for justice, but here it seems very unfair.

I think we may see a drop in attendees at US conferences and/or a drop in tourism.

[+] thomble|8 years ago|reply
There's so much strange hand-wringing in a loud subset of the security community. The DoJ has a 93% conviction rate because they pursue strong cases that usually end in a plea-bargain. The FBI aren't spooks. The evidence will become public. If this guy profited off of banking trojans then I, for one, hope he ends up in the clink.
[+] qaq|8 years ago|reply
I think one factor not being accounted for is cybersecurity is a fairly big priority for law enforcement yet in a very large number of cases they are never able to find or prosecute people responsible. So they need to "make the numbers" to show that they are being effective and the easiest strategy is to go for easy targets.
[+] duxup|8 years ago|reply
I guess I get the concern, but it seems clear the accusations are unrelated to WannaCry and concern his involvement in another event.

We've seen bumbling investigations and misguided legal threats before... that didn't stop people and this one doesn't seem to yet be either of those.

[+] flipp3r|8 years ago|reply
Sad to see it confirmed that it's not worth the risk going to America to visit DEF CON. I hope they'll host it in Europe someday. To see no statement by DEF CON on this whole thing is almost equally sad.
[+] watty|8 years ago|reply
Can you elaborate? Have you been creating malware (banking trojans) and selling it online?
[+] sschueller|8 years ago|reply
There already is a security conference in Europe just as large, run by the Chaos Computer Club in Germany.
[+] throw2016|8 years ago|reply
The line between security researcher and malware creator is becoming increasingly murky.

When is it research, pretending to be a bad egg to get more info or actually being one?

As long as it was fun and games no one really minded, but now malware is used to hold schools and hospitals to ransom. Even criminals don't go after schools and hospitals. Extreme greed and criminality can't be minimized away as 'hacking'.

The infosec community likes to be edgy, but they need to clean up their act and not give airtime and cover to criminals, and it's difficult to believe they don't know who these are.

[+] tryingagainbro|8 years ago|reply
Is it just me, or did the DOJ see the flight manifest and then go to a grand jury to indict? He did what he did in 2014-2015, and the charges were filed in July 2017, a couple of weeks before DEF CON...
[+] bsder|8 years ago|reply
AlphaBay takedown. I suspect that they found something there.

If that's the case, this is a pretty fast turnaround, actually.

And, given the tiny amounts of money I have seen being quoted (Kronos banking trojan sold for $3000? really?), they probably arrested him with the intention to get him to roll over on somebody much bigger.

The question is whether they've shot themselves in the foot. Did the FBI intend for this to be a quiet nab, but his celebrity from WannaCry hosed them up? Given how quickly they seem to be moving, it's certainly possible.

[+] thehardsphere|8 years ago|reply
If that is the case, it would not be remarkable. Prosecutors have a responsibility to only pursue cases that are likely to result in conviction. If extradition was considered impossible, then there would not be much point in pursuing an indictment.
[+] syshum|8 years ago|reply
The timing does not shock me; it is most likely they flipped someone when they took down AlphaBay, which was recent.