is there more to this story?
Because the service allowed anonymous uploading and did not share any of samples
Is that the illegal part?
The US Federal government has got its second conviction in the dismantling of a service that helped malware writers get around security software. A jury in the Eastern Virginia District Court convicted 37 year-old Ruslan Bondars, on charges of computer intrusion, conspiracy to commit wire fraud, and conspiracy to violate the …
for accepting money from criminals to give them critical assistance (apparently) in causing millions of dollars of damages.
If it had been assisting 'bank fraud' for millions of dollars, I think the 35 years would be about right. "white collar crime" needs to be punished like anything else, to put a stop to it. Long jail terms are a deterrent to OTHERS who might try this, thinking "slap on the wrist" at worst. nope. IRON BAR HOTEL STAY for half your life, instead.
Yeah, KEEP THEM OUT of law abiding society, k-thanks.
Don't a lot of services do this? I know many of them make you identify yourself, but it wouldn't be all that hard to start one of these. I'm surprised people who are willing to pay haven't just built one of those themselves, or that there isn't a convenient one that doesn't pretend to be a business and just stays hidden.
Also, exactly what do you have to do with a business like this to make yourself legal? Is it just the fact that they were being used for malicious purposes and they knew it, or is there something inherently illegal about the type of business?
Aiding and abetting.
Handling stolen goods.
Conspiracy to rob.
Failure to report criminal activity.
Those ideas are just for starters, I am sure that some jurisdictions could come up with some more colourful ideas.
It would have been a shame if they were paid using a stolen credit card...
What is wrong with 35 years, it would be best if they were put to some useful activity while serving as guests of the country's hospitality.
"I'm trying to figure out what the difference is between something like this and VirusTotal."
You and me both. The most I can think of is Virustotal might be using scanners that let the scanner's maker take a look at anything that triggers an alarm - which would be rather counter-productive for a malware writer - while this guy probably used strictly offline scanners. Still nowhere near law-breaching IMHO, but it's all I got...
... living in Latvia at the time of his arrest,
OK, two guys with names suggestive of not merely living in Latvia but having roots in that part of the world. Convicted in the US.
So were they:
(a) legally arrested and extradited?
The link to the attorney's office document does give a little more:
Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community.
I personally don't think that is good enough, but the prosecutors obviously did. Does that show intent? There are lots of reasons for favouring anonymity, for example when working on proprietary software.
>Scan4you instead informed its users that they could upload files anonymously and promised not to share
>information about the uploaded files with the antivirus community.
What if for instance I received a document via email that purported to be be some sort of personal or private information pertaining to me, lets say a bank statement and I wanted to scan it before opening it.
I might want to use a service that promises not to share that bank statement with security researchers and companies.
I do find it hard to believe that not sharing some information with an anti-virus company can be considered a criminal offence. It doesn't make what they were doing illegal. They were providing a service that others provide, but with the ability to keep things anonymous, as someone else stated, you might be testing proprietary software and not want an analysis of it shared with security researchers, if it flagged up a false positive.
I'm not saying they weren't in business to help malware authors, but I'm sure it was all written in a way that made it look legit, they didn't call it test-your-malware.com. Which brings it down to, they didn't do anything to stop criminals using their service. But then, there are many services used by criminals, WhatsApp isn't called TerroristSafeChat, they don't actively stop criminals using it, because its encrypted, they can't see who is talking about what, so can't do anything about it.
Just seems a bit of a stretch to me.
The whole extradition thing is crazy. Jurisdiction is such a grey area now the internet is a thing.
Obama era judges. They take a whole different approach to the 4th and 5th amendments. It will take years before many of them are out of the system.
I get the wire fraud charge, but this is the only one which makes sense. The other two just don't make sense, unless they can, without a doubt, prove the intent was only for use by criminals and not security research and/or academia.
Biting the hand that feeds IT © 1998–2019