For people who believe the marketing: why would a legitimate sysadmin tool include a cryptocurrency miner and a feature to turn off the webcam indicator light?
This was used to exploit people, plain and simple. While I don't think blanket arresting people who downloaded it is reasonable (someone may have fallen for the marketing and used it for legit reasons), shutting down the C&C servers to disable it from working and aiding in exploitation & blackmail is a net good.
From a purely consequentialist perspective, it's not clearly a net good if it has a chilling effect on legitimate research, increases economic costs due to regulatory uncertainty, or has other negative second-order effects concomitant with arbitrary and overly subjective legal systems.
From a deontological perspective, it's not clear that this is good if one of your values is clearly and consistently enforced law.
For the people that think this is legitimate software, this is not legitimate software. It is sold and encouraged as malware, used to blackmail girls (barely women) - that's what "cam capture" is for - keylogger, general malware, backconnect proxy, auto-start and persistence.
I don't think anyone seriously doubts the intended, arguable unethical, use of IM-RAT. The question is whether authoring and or selling these tools is or should be illegal. I'd argue that would set a dangerous precedent allowing governments to go after any security researchers whenever they feel it convenient to do so.
> Robbins v. Lower Merion School District is a federal class action lawsuit,[2] brought in February 2010 on behalf of students of two high schools in Lower Merion Township, a suburb of Philadelphia.[3] In October 2010, the school district agreed to pay $610,000 to settle the Robbins and parallel Hasan lawsuits against it.[1]
> The suit alleged that, in what was dubbed the "WebcamGate" scandal, the schools secretly spied on the students while they were in the privacy of their homes.[4][5] School authorities surreptitiously and remotely activated webcams embedded in school-issued laptops the students were using at home.[6][7] After the suit was brought, the school district, of which the two high schools are part, revealed that it had secretly taken more than 66,000 images.[8][9] The suit charged that in doing so the district infringed on its students' privacy rights.[6][10][11] A federal judge issued a preliminary injunction, ordering the school district to stop its secret webcam monitoring, and ordered the district to pay the plaintiffs' attorney fees.[12][13][14]
> The lawsuit was filed after 15-year-old high school sophomore (second year student) Blake Robbins was disciplined at school for his behavior in his home.
Acknowledging that the school was found to have been in the wrong and that the courts came down on the side of privacy, is the company which sold the school district the software they used to violate privacy guilty of anything? Should it be?
... said its software was intended to be used for theft recovery. Easier to recover stolen goods if the laptop can surreptitiously take pictures of its surroundings and send them home, see? Is that software inherently bad, like the software you're talking about is? It could certainly be used for the same thing.
>By seizing control of the website, police will have been able to "take a good look at what the site has been up to, including who has bought the illegal items", said Prof Alan Woodward, a cyber-security expert from the University of Surrey. //
When did the law pass making owning software illegal, as opposed to using it for nefarious means? (Last time I looked CMA required use.)
No charges seem to have been brought yet – but it's an offence under Section 3A of the Computer Misuse Act 1990 (CMA) to obtain articles for use in offence under Sections 1, 3, or 3ZA CMA, even if you don't actually use them.
Obviously, the prosecution would need to prove intent but it's possible the mere presence of the software could suffice for mens rea — people don't typically buy this software accidentally.
Presumably most people who bought the software will have used it, making a prosecution under S1 CMA more likely.
It's probable that the CPS will only charge people they are likely to get an S1 conviction from and discard any S3A charges as S3A charges will be difficult to prove.
This was my thought as well. It has to be some sort of UK law? But I can't find it. The laws apply to surreptitiously installing the software on someone else's phone or computer. But then owning (and/or buying) the software shouldn't be illegal and the site shouldn't have been able to come down.
Hacking tools aren't illegal by default, that I know of anyway.
From what I gleaned from that article, IM-RAT was publicly marketed as a remote management tool.
The article further states: "With the amount of reports of this tool being used for malware and the discussion on illegal forums, it would be very hard for the developer to argue that he did not know how the software was being used."
This seems pretty thin. Would the authors of say nmap be liable because people can/do use it for illegal purposes?
Assuming judges signed of on the raids and domain seizure, I sure hope there was evidence of actual criminal activity beyond what is mentioned in the media.
People have been calling trojan horses "administration software" since at least Back Orifice in 1998 - probably before.
This is "administration software" in the same way the cannabis-leaf-engraved glass smoking pipes sold in your local weed shop are "for tobacco use only"
I suspect the marketing materials on other websites give it a different purpose. It's pretty common with this type of software to have a clean website for paypal, but to then be telling people on forums or support chats exactly how to infect unsuspecting people with it.
Check the archive.org link elsewhere in the thread. Seems like it was marketed like a remote admin tool for servers, not a stalking tool.
Unless they have a history of specifically targeting stalkers with their marketing and/or aiding stalkers or something else I hope the case gets thrown out.
Even then I hope the courts take a good look at this case.
Note: I'm not very happy about stalkers, but we should stick to the laws and not go after people without a good reason.
Currently downvoted but very valid point, ref the Sherlock tool posted the other day: it is not hard for me to imagine more bad uses for it than good, but that alone shouldn't make it illegal.
[+] [-] Rotten194|6 years ago|reply
This was used to exploit people, plain and simple. While I don't think blanket arresting people who downloaded it is reasonable (someone may have fallen for the marketing and used it for legit reasons), shutting down the C&C servers to disable it from working and aiding in exploitation & blackmail is a net good.
[+] [-] kauffj|6 years ago|reply
From a deontological perspective, it's not clear that this is good if one of your values is clearly and consistently enforced law.
[+] [-] scoot|6 years ago|reply
I naively always assumed that a webcam indicator light was hard wired to turn on when the camera was in use. If it isn't, why on earth not?
[+] [-] nested_callback|6 years ago|reply
See https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-d... for more details and screenshots/quotes of posts by the creator of the tool.
This is _not_ for server administration.
This is _not_ like PuTTY or Remote Desktop. This is like Blackshades or Orcus. It is malicious, only sold for malicious usage.
[+] [-] jascii|6 years ago|reply
[+] [-] msla|6 years ago|reply
> Robbins v. Lower Merion School District is a federal class action lawsuit,[2] brought in February 2010 on behalf of students of two high schools in Lower Merion Township, a suburb of Philadelphia.[3] In October 2010, the school district agreed to pay $610,000 to settle the Robbins and parallel Hasan lawsuits against it.[1]
> The suit alleged that, in what was dubbed the "WebcamGate" scandal, the schools secretly spied on the students while they were in the privacy of their homes.[4][5] School authorities surreptitiously and remotely activated webcams embedded in school-issued laptops the students were using at home.[6][7] After the suit was brought, the school district, of which the two high schools are part, revealed that it had secretly taken more than 66,000 images.[8][9] The suit charged that in doing so the district infringed on its students' privacy rights.[6][10][11] A federal judge issued a preliminary injunction, ordering the school district to stop its secret webcam monitoring, and ordered the district to pay the plaintiffs' attorney fees.[12][13][14]
> The lawsuit was filed after 15-year-old high school sophomore (second year student) Blake Robbins was disciplined at school for his behavior in his home.
Acknowledging that the school was found to have been in the wrong and that the courts came down on the side of privacy, is the company which sold the school district the software they used to violate privacy guilty of anything? Should it be?
The company involved:
https://en.wikipedia.org/wiki/HEAT_LANrev
... said its software was intended to be used for theft recovery. Easier to recover stolen goods if the laptop can surreptitiously take pictures of its surroundings and send them home, see? Is that software inherently bad, like the software you're talking about is? It could certainly be used for the same thing.
[+] [-] pbhjpbhj|6 years ago|reply
When did the law pass making owning software illegal, as opposed to using it for nefarious means? (Last time I looked CMA required use.)
Anyone have details of the exact charge?
[+] [-] moksly|6 years ago|reply
https://www.europol.europa.eu/newsroom/news/international-cr...
No idea what law it breaks, but apparently the developer of a similar Trojan got 30 months in prison in a similar case: https://thehackernews.com/2018/10/hacking-tool-luminositylin...
I’m sure glad that wasn’t a thing when I was a teenager and cult of the dead cow was cool.
[+] [-] matthewheath|6 years ago|reply
Obviously, the prosecution would need to prove intent but it's possible the mere presence of the software could suffice for mens rea — people don't typically buy this software accidentally.
Presumably most people who bought the software will have used it, making a prosecution under S1 CMA more likely.
It's probable that the CPS will only charge people they are likely to get an S1 conviction from and discard any S3A charges as S3A charges will be difficult to prove.
[+] [-] heyyyouu|6 years ago|reply
Hacking tools aren't illegal by default, that I know of anyway.
[+] [-] jascii|6 years ago|reply
From what I gleaned from that article, IM-RAT was publicly marketed as a remote management tool.
The article further states: "With the amount of reports of this tool being used for malware and the discussion on illegal forums, it would be very hard for the developer to argue that he did not know how the software was being used."
This seems pretty thin. Would the authors of say nmap be liable because people can/do use it for illegal purposes?
Assuming judges signed of on the raids and domain seizure, I sure hope there was evidence of actual criminal activity beyond what is mentioned in the media.
[+] [-] rhizome|6 years ago|reply
Don't give them any ideas.
[+] [-] atypeoferror|6 years ago|reply
e.g.
- Zerodium - https://zerodium.com
- Exodus Intelligence - https://www.exodusintel.com
- Hacking Team - https://en.wikipedia.org/wiki/Hacking_Team (now dead due to the actions of a very skilled gray hat)
[+] [-] rahuldottech|6 years ago|reply
What it looks like now: https://imminentmethods.net/
Their YouTube channel is still up: https://www.youtube.com/channel/UCRgeFHip2Iz97P25_qGkPfw/fee...
As is their Twitter account: https://twitter.com/imminentmethods
From what I can tell, this is just server administration software, but I haven't taken a close look.
Edit: Yeah, apparently it was just disguised as that.
[+] [-] michaelt|6 years ago|reply
This is "administration software" in the same way the cannabis-leaf-engraved glass smoking pipes sold in your local weed shop are "for tobacco use only"
[+] [-] goatsi|6 years ago|reply
https://krebsonsecurity.com/2018/07/luminositylink-rat-autho...
https://krebsonsecurity.com/2016/07/canadian-man-is-author-o...
[+] [-] mirimir|6 years ago|reply
I can't imagine how people are so clueless.
I mean, is it like "Sure, we're doing iffy stuff, but it's all in good fun, so why would anyone ever bother us?"
[+] [-] MercuryRising13|6 years ago|reply
[+] [-] blowski|6 years ago|reply
[+] [-] eitland|6 years ago|reply
Unless they have a history of specifically targeting stalkers with their marketing and/or aiding stalkers or something else I hope the case gets thrown out.
Even then I hope the courts take a good look at this case.
Note: I'm not very happy about stalkers, but we should stick to the laws and not go after people without a good reason.
[+] [-] dylz|6 years ago|reply
[+] [-] Quarrelsome|6 years ago|reply
[+] [-] stebann|6 years ago|reply
[+] [-] dk3|6 years ago|reply
[+] [-] Quarrelsome|6 years ago|reply
Here's the old scrap of the site: https://web.archive.org/web/20191012003358/https://imminentm...
Bung some code whereever but make profit and market it and you've crossed a line.
[+] [-] eitland|6 years ago|reply
Same with guns.
[+] [-] sschueller|6 years ago|reply
[+] [-] rwmj|6 years ago|reply
[+] [-] pjc50|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]