back to article Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev

British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. He is now on his way to Milwaukee to face charges of selling malware online. Hutchins, 23, who shot to fame after finding a way to kill off the WannaCry ransomware outbreak that crippled parts of Britain's National Health …

Anonymous Coward

Blind support

I don't know if he's guilty or not but the FBI claims to have his admission to developing and selling the malware. If true, his arrest and charges are not unreasonable. There's a process and this is just the first step.

Any reasonable person should shut up and see how this plays out before jumping to conclusions.

4
37
Anonymous Coward

Re: Blind support

"The technology community has rallied around Hutchins"

Er... not really. Some noisy, blind support without any new information or facts.

2
27

Re: Blind support

A confession seemingly gained during interrogation for up to 24 hours without a lawyer present? Thanks but I'll err on the side of innocent until proven guilty.

71
1
Anonymous Coward

Re: Blind support

Sorry but no, did you read the article and I quote,

"Hutchins was nabbed by the Feds on Wednesday, and was held for more than 24 hours at an FBI field office without access to a lawyer or any contact with his family before the Department of Justice announced he'd been arrested."

If you were taken for 24 hours without a lawyer you would probably admit to something.

There's a reason we have laws to stop that happening however when in someone else's country they don't apply.

41
1
Silver badge

Re: Blind support

Please! It is "innocent unless proven guilty", you should not presume that an arrest will automatically lead to conviction as that is (or should be) the jury's decision.

33
2
Anonymous Coward

Re: Blind support

"The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money."

http://www.bbc.com/news/technology-40833951

Yes, innocent until proven guilty, but it appears there was enough here to arrest him and make charges.

No one can say he is guilty yet.

5
6
Anonymous Coward

Re: Blind support

Are you arguing he shouldn't have been charged based on what is publicly available?

1
9
Silver badge

Re: Blind support

One has to question whether he 'admitted' anything to the Feds, given the lack of a lawyer, and whether they would even understand what he was saying. e.g. as a security researcher, writing a script to look for holes in banking systems is probably a reasonable thing to do. Writing a script to look for any vulnerability is what they do. Would the Feds describe that as 'malware'?

I'd be more impressed if the Feds did something useful, like find the bastard (possibly in Israel) who hacked one of my servers via an ancient phpMyAdmin hole that the hosting providers hadn't fixed, and then deleted my databases! Obviously no sensitive info on it, but even so. Life in Sing-sing with Big Bubba as a cellmate is probably excessive, but staked out in the blazing sun on an antheap and smeared with honey would be okay.

22
3
Silver badge

Re: Blind support

"Yes, innocent until proven guilty, but it appears there was enough here to arrest him and make charges."

The one bit of solid evidence that's emerged seems to be that he wrote an explanatory post about some code which was then sent to a Github repository and subsequently incorporated in the trojan. If that's what the FBI mean by writing malware then I'm sure a lot of people who've pubished code on Github or elsewhere, answered questions on Stackexchange and the like should avoid visiting the US.

We don't have much info on this chat exchange to put it in context or even determine whether it was Hutchins or some other person using the same handle.

And the from some of the quotes in the article it rather sounds as if some of those who knew him fear it's a case of TPTB starting to shoot the messenger.

In the meantime I can't help wondering why, if this is a true bill, why he would have gone anywhere near the US.

If this ever gets to court it'll be interesting to hear a comparison between his contribution to Kronos and the NSA's contribution to Wannacry. I'm sure the defence would want to raise it.

40
1

Re: Blind support

Did YOU actually read the article? The bit about the proof-of-concept code? Which was well known, so how could he NOT admit to it?

18
0
Silver badge
Unhappy

Re: Blind support

It is "innocent unless proven guilty"

You are right, of course. The trouble is that given all the hysteria over the "dark net", "cyber war" and so on I reckon the Feds will keep pushing this on and on and not take no for an answer until he is found guilty.

Whether he is or not is immaterial, he's just going to be collateral damage in the war on "computer crime".

"Something must be done."

16
1
Anonymous Coward

Re: Blind support

Not me - I've been nicked before and I tell them nothing. Only my name.

This is standard procedure. They give up asking questions pretty quickly once they know you absolutely will not answer a single question, ever.

I've done this without a lawyer - you don't need to pay a lawyer to tell you what you already know - say nothing.

12
1
Silver badge

Re: Blind support

Please! It is "innocent unless proven guilty", you should not presume that an arrest will automatically lead to conviction as that is (or should be) the jury's decision.

Except it isn't.

Article 11 of The Declaration of Human Rights clearly says until.

Although it's pedantry: "until" in this context doesn't mean "they will be". It more or less means "unless" - blame the ambiguities of the English language for that one - but still, "innocent until proven guilty" is the correct phrase.

13
0
Silver badge

Re: Blind support

> innocent until proven guilty

If you squint the right way that phrase is ok. The problem with it is that there is an indirect implication of guilt and the problem is simply proving that.

> innocent unless proven guilty

That phrasing is better but it still allows people (usually the shock jocks) to focus on the proven bit and not the innocent/guilty question. "We know t'was you what done it. We just aren't allowed to waterboard a confession (mutters something about partisan activist judges).

I prefer something like "starts from the presumption of innocence". The exact legal principle we are talking about comes from the Latin

"ei incumbit probatio qui dicit, non qui negat"

The burden of proof is on the one who declares, not on one who denies

It is based on the knowledge that our capabilities to investigate are limited by skills, resources, technology and environmental factors. Because of these limitations, sometimes we cannot know for sure one way or the other. Sometimes we might be 99% sure of innocence or 99.99% sure of guilt, but convicting an innocent person is much more abhorrent than wrongly releasing a guilty person.

I'm proud of that legal tradition. It's a shame that our elected representatives so often come up with brain farts that counter this principle.

So on this case, Hutchins denies the charge. He might be innocent. He might be guilty. Each and every reader of this comment is in one of those two categories for this crime. He has been charged (declared), so at least the authority there thinks that they have a case. Well fine, but theirs is the burden of proof, not him.

12
0
Anonymous Coward

Re: Blind support

On the other hand, when in court Hutchins pleaded "not guilty" to all charges, which does raise reasonable doubt about the veracity of the FBI's claims of what he told them when under FBI questioning behind closed doors without a lawyer present.

11
1
Alert

Re: Blind support

"Thanks but I'll err on the side of innocent until proven guilty."

Indeed ...

As should everyone.

*Including* the state.

6
0
Anonymous Coward

Re: Blind support

Of course, because it's completely normal to haggle about being paid for a Github contribution?

3
2
Anonymous Coward

Re: Blind support

Did you read the part that he was looking to get paid for that "proof of concept"?

1
4
Silver badge

Re: Blind support

Homer Cummings refused to prosecute a confessed murderer in 1924 because the confession was coerced and made in a state of exhaustion. I suspect the feral bureau of incontinence/incompetence will find themselves wishing they had played straight up and above board.

4
2
Anonymous Coward

Re: Blind support

Or it's people who KNOW him or know someone who knows him and they know he's innocent. So NOT blind support.

The FBI have balls up, 99% sure of that. Arresting him after the talks at Vegas was also their attempt to grab any info he got during that weekend during the talks where they don't like the feds being present for this very reason.

5
1
Anonymous Coward

Re: Blind support

The prosecution lawyer. Obviously they'll say stuff like that to aid their case even if untrue as they aren't in the court house under oath.

1
0
Anonymous Coward

Re: Blind support

e.g. I'll continue to do this until hell freezes over.

I'll continue farting in my bed until the police arrest me for it.

Until the style-police take over, I'll continue to wear these shorts...

0
0
Facepalm

Re: Blind support

He's a security researcher. How else is he supposed to make a living? Begging?

In answer, though, yes I did read it. I don't necessarily believe it or ascribe the same motivations to it that you obviously do but then I have this a{rse|ss]hole thing I do called "thinking for myself" which is probably the next big thing to have "The War on" added to it. What we'll probably never see is The War on Wars on Things, which is a shame as it falls so prettily from the tongue...

3
1
Silver badge
Boffin

Re: Blind support

you don't need to pay a lawyer to tell you what you already know - say nothing.

Have you not heard the revised "you have the right to remain silent" speech?

It now sounds like its been redesigned by a committee and goes like this:

"You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."

4
0
Silver badge

Re: Blind support

"blame the ambiguities of the English language for that one"

The original would have been stated in medieval French so anything else is a translation or restatement.

0
0
Silver badge

Re: Blind support

"There's a reason we have laws to stop that happening however when in someone else's country they don't apply."

Based on my watching of various US TV crime dramas, once a lawyer is asked for there should be no further questioning. Any verbal evidence gathered once the request for a lawyer has been made is inadmissible unless it's clearly volunteered by the accused. IANAL etc. So is this just Hollywood wishful thinking or actual US law? I find it hard to believe he didn't ask for a lawyer over such a prolonged period of questioning.

1
0

Re: Blind support

Before lawyer present:

"Your family don't know where you are, no one does, you've disappeared off the planet."

"Admit you did it and we'll let you go"

"....."

"Admit you did it and we'll let you go"

"....."

"Admit you did it and we'll let you go"

"....."

"Admit you did it and we'll let you go"

"ok, I did it."

"HAHA!! We were only joking! Ok, let his lawyer in now, and tell his family where he's admitted to hacking"

2
1
Headmaster

Re: Blind support

"So on this case, Hutchins denies the charge. He might be innocent. He might be guilty."

<pedant>

He is is definitely innocent, since he has not been proven guilty.

That's what presumption of innocence means.

It's why the verdict is either guilty or not guilty, since one is presumed to be innocent, there is no need to be declared 'innocent'

</pedant>

3
1
Anonymous Coward

Re: Blind support

I would like to know how they've linked the chat logs to Hutchins. Seeing as we have such an unbalanced extradition treat with the US if they had any real evidence they would have attempted to extradite him.

I'm sure they have logs between author and seller, but I imagine that nothing in the logs gives away the identity of the author. The claim that he's the author and his confession is going to be turn out to be that his blog post on hooking was used by the actual virus author. That this happened isn't secret as it's covered in the BBC article you linked to. I'm sure it will be presented by the prosecution as a buff to hide his actual role of (alleged) author.

2
1

Re: Blind support

Someone wants to use your code for "commercial ends"? Then you kind of expect to get paid for it.

1
0

Re: Blind support

That's only in the UK. You can remain silent in the USA without dodgy inferences being made.

2
0
Silver badge

Re: Blind support

> He is is definitely innocent, since he has not been proven guilty

He is not definitely innocent. Simply, no judgement about his innocence/guilt has occurred. He retains the same right to be treated as innocent as someone who has not been accused. By the way, my sentence you quoted is out of context without the one that followed pointing out that every person is in one of those categories.

> since one is presumed to be innocent, there is no need to be declared 'innocent'

Correct. I used declare in the context of the English translation of the Latin quote to tie it together. Basically, being accused of something doesn't imply anything about your guilt. Big problem is that it doesn't stop people inferring it, which is why reporting about it is such a difficult thing to get right.

1
0
Anonymous Coward

Re: Blind support

>Please! It is "innocent unless proven guilty"

Not here in the Land O' The Free!

1
1
Silver badge

Re: Blind support

"convicting an innocent person is much more abhorrent than wrongly releasing a guilty person."

Whilst I agree with that statement, there are circumstances where it could be argued the other way. For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc. Detaining an innocent person affects one person + family/friends etc.

Of course, they're not really linked in any way, so it's not really a fair comparison, but I could see some people arguing the case. The rebuttal is that if you convict an innocent person of a crime, the guilty goes free and he could be the one who goes on to murder a further 12 people.

It all depends on whether the person arguing the case is prepared to think more deeply than surface effect - something which is distinctly lacking in these 'sound-byte' days of hell.

0
0
Silver badge

Re: Blind support

"convicting an innocent person is much more abhorrent than wrongly releasing a guilty person."

Whilst I agree with that statement, there are circumstances where it could be argued the other way. For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc. Detaining an innocent person affects one person + family/friends etc.

But it's not a simple numbers game. It's about "avoid punishing an innocent person at any cost" - which is why people go free who are "known" to be guilty.

'better 10 (U.S. 100) guilty go free than an innocent person is convicted", or something like that.

https://en.wikipedia.org/wiki/Blackstone%27s_formulation

0
0
Silver badge

Re: Blind support

. For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc.

That, however, is likely the status quo if you hadn't caught them in the first place. Unpleasant, but still.

Convicting and punishing an innocent person though isn't something that wouldn't have happened without your involvement, and therefore is arguably far more unjust.

1
0
Silver badge

Who hasn't written "malware" code?

By the definitions that seem to float around the FBI, I believe that I need to turn myself in for having once supplied a small executable to a friend who slipped it into the hospital director's computer - whenever his boss turned his PC on, it displayed a dialog box "Do you have a small penis? Yes or No" and would move around the screen so that he could only ever click "Yes" with "No" always avoiding the cursor...

I plead guilty.

19
1
Silver badge

Re: Who hasn't written "malware" code?

Mildly entertaining, if it self-destructed before it got too irritating. But almost certainly malware within the meaning of the current law.

Time to wander down to the local cop-shop and throw yourself on their mercy.

11
0
Silver badge

Re: Who hasn't written "malware" code?

You can't call that malware if he had no idea what the friend was going to do with it.

He could have written it as a fun thing to put on his own PC as a sorta screenlock when he's away from his desk.

3
0
Silver badge

Re: Who hasn't written "malware" code?

I once wrote a small service that ran on a colleague's machine. When issued a command from a client application running in my system tray, it would eject his CD ROM tray. Entertained us for the better part of a week. Now I'm older and wiser, I wish to publicly apologise for authoring botnet.beverageHolder

8
0
Silver badge

Re: Who hasn't written "malware" code?

Going back a few decades to early DOS PCs, I had endless fun writing Terminate and Stay Resident code that loaded from autoexec to play practical jokes on colleagues.

Bad man.

3
0
Silver badge

Re: Who hasn't written "malware" code?

Not since at school on BBC micros.

A cute little bit of BASIC that faked the valid '>' prompt and spat out fake error messages to most commands and locked out break but otherwise piped some commands for normal output (like 'dir').

Endless fun when you got to load it on the teachers machine when they stepped away from their machine for a moment, 'students' just gave up too quick to be any amusement.

6
0
Silver badge

Re: Who hasn't written "malware" code?

"... for normal output (like 'dir')..."

Wouldn't that be *. (or *Cat if I recall the full command)?

2
0
Anonymous Coward

Re: Who hasn't written "malware" code?

A have a disciplinary certificate for writing password capturing front end at college back in the dos / novell days.

very proud :)

0
0
Silver badge

Re: Who hasn't written "malware" code?

Years ago myself and two colleagues were allowed to use our own build PC's at work - so we all had new kit and installed FreeBSD.

Apart from a few teething troubles* it was great, but since we were all running 'X' and all on the same LAN one person thought it would be fun to run some little programs in the background - you know the kind of thing - ants running over the screen, googley-eyes popping up everywhere etc., so we all did it to each other - the goal being to see how many you could get to run before the target noticed (ants running over the desktop aren't easy to see when you have 20 windows open at a time!).

Unfortunately, boys being boys it all escalated rather quickly, and I will have to admit I decided to employ The Art of War tactics on my fellows. Whilst they were busy tapping away and creating single key-press commands to inject programs onto my system, I decided to write a script to detect the source IP and then just run as many programs against that IP on port 6000 that my little CPU could handle.

It was quite funny to see one of my colleagues sneak a glance at my screen to see if I would notice anything before starting to send over his little ants and father christmas's, closely followed by 'what the fuck' as his PC descended into background app hell :)

Our manager decided to put a stop to it at that point, so I basically declared myself the winner :D

1
0
Silver badge

Re: Who hasn't written "malware" code?

*All three PC's were delivered with network cards that had cloned MAC addresses. One of us would be mid-build (we had backbone connections to Sun's servers hosting the files) and it would suddenly stop, whilst someone else was building theirs quite merrily. Took a while to figure that one out - never expected duplicate MAC addresses on three different PC's!

0
0
Anonymous Coward

Re: Who hasn't written "malware" code?

I wrote a sort of keylogger back in the DOS days just to see if it would work. Written in Pascal from code found in the help file. Before going into Windows people would have to go to the network drive, I think it was H or something so:

CD H:

If I remember right. Then type "login" and then type "win". People would forget and type "login" while on the C drive. So I stuck my logger there. It would write user names and passwords to a file that you'd pick up later. File would be called something like assignment.doc because people would forget to save to floppy sometimes and because the PCs weren't cleaned, you had lots of student work lying around on the root of C.

Trouble is, if someone found the assignment.doc file and opened it, it was then obvious what was going on and that there was a keylogger going around.

I remember picking up the assignment.doc file one day and finding a few users and passwords in it. IT HAD WORKED!!!. One of the passwords I remember was "masterofpuppets". Logged into the users account but never did anything. Was just pleased it had worked as I was never a good programmer and had thought of the idea myself after seeing the help code in Pascal. Ideas never normally came to me without help :)

A few years later my cousin asked me about it and I re-coded it for their Uni. This time I added very basic encryption I found in the 2600 magazine. So that if you found the assignment.doc it looked scrambled so hopefully you'd just ignore it. All the encryption did was lets say you type A. It would +25 to the ASCII number of A and then write the result back to the assignment.doc file. Then to decrypt, you used the decrypter that, obviously just -25 of whatever was in the assignment.doc.

Fun.

0
0
Silver badge

Legal Blasphemy.

I've been trying to think of a way of describing the American attitude to breaches of their law.

The closest parallel I can come up with is the way some other states regard blasphemy. The 'law' is an unchallengeable absolute, and the sin of transgression, whatever the alleged offence, is deemed so unpardonable that hostile popular opinion and the full powers of law enforcement are applied unthinkingly.

Just follow the flame wars between the trump republicans and liberals where the sanctions being demanded against either for percieved crimes are extreme.

Whether Marcus has a case to answer or not, now the machine has him his life is totally out of his control.

With states requiring the skills of people like Marcus; I can think of no better way to alienate them than how the FBI et al has gone about his case.

30
0
Silver badge
Boffin

Re: kmac499 Re: Legal Blasphemy.

"....The 'law' is an unchallengeable absolute, and the sin of transgression, whatever the alleged offence, is deemed so unpardonable that hostile popular opinion and the full powers of law enforcement are applied unthinkingly....." Actually the reality is completely the opposite. UK law is very prescriptive - "you cannot do X or you will be charged with offence Y which has punishment Z". That was why Assange's argument of "it wasn't really rape" was so quickly debunked as it was very easy for the CPS to show it fitted the UK's tight definition. The US legal system is a lot more ambiguous, which is why lawyers have become so rich in the States. There they can argue over definitions of a law with the jury (and the judge, who can direct the jury) then having to decide which legal argument has best merit.

1
4
Silver badge

Re: kmac499 Legal Blasphemy.

re Matt Bryant

Your description may well be the situation when a case get's to court. I admit to having no legal knowledge.

My point was purely about the initial almost reflex reaction in the US to anyone 'breaking the law' which is almost a bigger crime than the actual physical crime committed.

(I believe the figure are; US population is about 320 million 5% of the worlds population but 25% of the worlds lawyers. with I think 2 million plus people behind bars. That's a big industry. )

6
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017