Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. He is now on his way to Milwaukee to face charges of selling malware online. Hutchins, 23, who shot to fame after finding a way to kill off the WannaCry ransomware outbreak that crippled parts of Britain's National Health …
I don't know if he's guilty or not but the FBI claims to have his admission to developing and selling the malware. If true, his arrest and charges are not unreasonable. There's a process and this is just the first step.
Any reasonable person should shut up and see how this plays out before jumping to conclusions.
It is "innocent unless proven guilty"
You are right, of course. The trouble is that given all the hysteria over the "dark net", "cyber war" and so on I reckon the Feds will keep pushing this on and on and not take no for an answer until he is found guilty.
Whether he is or not is immaterial, he's just going to be collateral damage in the war on "computer crime".
"Something must be done."
Please! It is "innocent unless proven guilty", you should not presume that an arrest will automatically lead to conviction as that is (or should be) the jury's decision.
Except it isn't.
Article 11 of The Declaration of Human Rights clearly says until.
Although it's pedantry: "until" in this context doesn't mean "they will be". It more or less means "unless" - blame the ambiguities of the English language for that one - but still, "innocent until proven guilty" is the correct phrase.
Before lawyer present:
"Your family don't know where you are, no one does, you've disappeared off the planet."
"Admit you did it and we'll let you go"
"....."
"Admit you did it and we'll let you go"
"....."
"Admit you did it and we'll let you go"
"....."
"Admit you did it and we'll let you go"
"ok, I did it."
"HAHA!! We were only joking! Ok, let his lawyer in now, and tell his family where he's admitted to hacking"
> innocent until proven guilty
If you squint the right way that phrase is ok. The problem with it is that there is an indirect implication of guilt and the problem is simply proving that.
> innocent unless proven guilty
That phrasing is better but it still allows people (usually the shock jocks) to focus on the proven bit and not the innocent/guilty question. "We know t'was you what done it. We just aren't allowed to waterboard a confession (mutters something about partisan activist judges).
I prefer something like "starts from the presumption of innocence". The exact legal principle we are talking about comes from the Latin
"ei incumbit probatio qui dicit, non qui negat"
The burden of proof is on the one who declares, not on one who denies
It is based on the knowledge that our capabilities to investigate are limited by skills, resources, technology and environmental factors. Because of these limitations, sometimes we cannot know for sure one way or the other. Sometimes we might be 99% sure of innocence or 99.99% sure of guilt, but convicting an innocent person is much more abhorrent than wrongly releasing a guilty person.
I'm proud of that legal tradition. It's a shame that our elected representatives so often come up with brain farts that counter this principle.
So on this case, Hutchins denies the charge. He might be innocent. He might be guilty. Each and every reader of this comment is in one of those two categories for this crime. He has been charged (declared), so at least the authority there thinks that they have a case. Well fine, but theirs is the burden of proof, not him.
"So on this case, Hutchins denies the charge. He might be innocent. He might be guilty."
<pedant>
He is is definitely innocent, since he has not been proven guilty.
That's what presumption of innocence means.
It's why the verdict is either guilty or not guilty, since one is presumed to be innocent, there is no need to be declared 'innocent'
</pedant>
> He is is definitely innocent, since he has not been proven guilty
He is not definitely innocent. Simply, no judgement about his innocence/guilt has occurred. He retains the same right to be treated as innocent as someone who has not been accused. By the way, my sentence you quoted is out of context without the one that followed pointing out that every person is in one of those categories.
> since one is presumed to be innocent, there is no need to be declared 'innocent'
Correct. I used declare in the context of the English translation of the Latin quote to tie it together. Basically, being accused of something doesn't imply anything about your guilt. Big problem is that it doesn't stop people inferring it, which is why reporting about it is such a difficult thing to get right.
"convicting an innocent person is much more abhorrent than wrongly releasing a guilty person."
Whilst I agree with that statement, there are circumstances where it could be argued the other way. For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc. Detaining an innocent person affects one person + family/friends etc.
Of course, they're not really linked in any way, so it's not really a fair comparison, but I could see some people arguing the case. The rebuttal is that if you convict an innocent person of a crime, the guilty goes free and he could be the one who goes on to murder a further 12 people.
It all depends on whether the person arguing the case is prepared to think more deeply than surface effect - something which is distinctly lacking in these 'sound-byte' days of hell.
"convicting an innocent person is much more abhorrent than wrongly releasing a guilty person."Whilst I agree with that statement, there are circumstances where it could be argued the other way. For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc. Detaining an innocent person affects one person + family/friends etc.
But it's not a simple numbers game. It's about "avoid punishing an innocent person at any cost" - which is why people go free who are "known" to be guilty.
'better 10 (U.S. 100) guilty go free than an innocent person is convicted", or something like that.
. For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc.
That, however, is likely the status quo if you hadn't caught them in the first place. Unpleasant, but still.
Convicting and punishing an innocent person though isn't something that wouldn't have happened without your involvement, and therefore is arguably far more unjust.
Sorry but no, did you read the article and I quote,
"Hutchins was nabbed by the Feds on Wednesday, and was held for more than 24 hours at an FBI field office without access to a lawyer or any contact with his family before the Department of Justice announced he'd been arrested."
If you were taken for 24 hours without a lawyer you would probably admit to something.
There's a reason we have laws to stop that happening however when in someone else's country they don't apply.
"The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant - who has yet to be arrested - where the security researcher complained of not receiving a fair share of the money."
http://www.bbc.com/news/technology-40833951
Yes, innocent until proven guilty, but it appears there was enough here to arrest him and make charges.
No one can say he is guilty yet.
"Yes, innocent until proven guilty, but it appears there was enough here to arrest him and make charges."
The one bit of solid evidence that's emerged seems to be that he wrote an explanatory post about some code which was then sent to a Github repository and subsequently incorporated in the trojan. If that's what the FBI mean by writing malware then I'm sure a lot of people who've pubished code on Github or elsewhere, answered questions on Stackexchange and the like should avoid visiting the US.
We don't have much info on this chat exchange to put it in context or even determine whether it was Hutchins or some other person using the same handle.
And the from some of the quotes in the article it rather sounds as if some of those who knew him fear it's a case of TPTB starting to shoot the messenger.
In the meantime I can't help wondering why, if this is a true bill, why he would have gone anywhere near the US.
If this ever gets to court it'll be interesting to hear a comparison between his contribution to Kronos and the NSA's contribution to Wannacry. I'm sure the defence would want to raise it.
I would like to know how they've linked the chat logs to Hutchins. Seeing as we have such an unbalanced extradition treat with the US if they had any real evidence they would have attempted to extradite him.
I'm sure they have logs between author and seller, but I imagine that nothing in the logs gives away the identity of the author. The claim that he's the author and his confession is going to be turn out to be that his blog post on hooking was used by the actual virus author. That this happened isn't secret as it's covered in the BBC article you linked to. I'm sure it will be presented by the prosecution as a buff to hide his actual role of (alleged) author.
He's a security researcher. How else is he supposed to make a living? Begging?
In answer, though, yes I did read it. I don't necessarily believe it or ascribe the same motivations to it that you obviously do but then I have this a{rse|ss]hole thing I do called "thinking for myself" which is probably the next big thing to have "The War on" added to it. What we'll probably never see is The War on Wars on Things, which is a shame as it falls so prettily from the tongue...
Not me - I've been nicked before and I tell them nothing. Only my name.
This is standard procedure. They give up asking questions pretty quickly once they know you absolutely will not answer a single question, ever.
I've done this without a lawyer - you don't need to pay a lawyer to tell you what you already know - say nothing.
you don't need to pay a lawyer to tell you what you already know - say nothing.
Have you not heard the revised "you have the right to remain silent" speech?
It now sounds like its been redesigned by a committee and goes like this:
"You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."
"There's a reason we have laws to stop that happening however when in someone else's country they don't apply."
Based on my watching of various US TV crime dramas, once a lawyer is asked for there should be no further questioning. Any verbal evidence gathered once the request for a lawyer has been made is inadmissible unless it's clearly volunteered by the accused. IANAL etc. So is this just Hollywood wishful thinking or actual US law? I find it hard to believe he didn't ask for a lawyer over such a prolonged period of questioning.
One has to question whether he 'admitted' anything to the Feds, given the lack of a lawyer, and whether they would even understand what he was saying. e.g. as a security researcher, writing a script to look for holes in banking systems is probably a reasonable thing to do. Writing a script to look for any vulnerability is what they do. Would the Feds describe that as 'malware'?
I'd be more impressed if the Feds did something useful, like find the bastard (possibly in Israel) who hacked one of my servers via an ancient phpMyAdmin hole that the hosting providers hadn't fixed, and then deleted my databases! Obviously no sensitive info on it, but even so. Life in Sing-sing with Big Bubba as a cellmate is probably excessive, but staked out in the blazing sun on an antheap and smeared with honey would be okay.
Or it's people who KNOW him or know someone who knows him and they know he's innocent. So NOT blind support.
The FBI have balls up, 99% sure of that. Arresting him after the talks at Vegas was also their attempt to grab any info he got during that weekend during the talks where they don't like the feds being present for this very reason.
By the definitions that seem to float around the FBI, I believe that I need to turn myself in for having once supplied a small executable to a friend who slipped it into the hospital director's computer - whenever his boss turned his PC on, it displayed a dialog box "Do you have a small penis? Yes or No" and would move around the screen so that he could only ever click "Yes" with "No" always avoiding the cursor...
I plead guilty.
I once wrote a small service that ran on a colleague's machine. When issued a command from a client application running in my system tray, it would eject his CD ROM tray. Entertained us for the better part of a week. Now I'm older and wiser, I wish to publicly apologise for authoring botnet.beverageHolder
Not since at school on BBC micros.
A cute little bit of BASIC that faked the valid '>' prompt and spat out fake error messages to most commands and locked out break but otherwise piped some commands for normal output (like 'dir').
Endless fun when you got to load it on the teachers machine when they stepped away from their machine for a moment, 'students' just gave up too quick to be any amusement.
Years ago myself and two colleagues were allowed to use our own build PC's at work - so we all had new kit and installed FreeBSD.
Apart from a few teething troubles* it was great, but since we were all running 'X' and all on the same LAN one person thought it would be fun to run some little programs in the background - you know the kind of thing - ants running over the screen, googley-eyes popping up everywhere etc., so we all did it to each other - the goal being to see how many you could get to run before the target noticed (ants running over the desktop aren't easy to see when you have 20 windows open at a time!).
Unfortunately, boys being boys it all escalated rather quickly, and I will have to admit I decided to employ The Art of War tactics on my fellows. Whilst they were busy tapping away and creating single key-press commands to inject programs onto my system, I decided to write a script to detect the source IP and then just run as many programs against that IP on port 6000 that my little CPU could handle.
It was quite funny to see one of my colleagues sneak a glance at my screen to see if I would notice anything before starting to send over his little ants and father christmas's, closely followed by 'what the fuck' as his PC descended into background app hell :)
Our manager decided to put a stop to it at that point, so I basically declared myself the winner :D
*All three PC's were delivered with network cards that had cloned MAC addresses. One of us would be mid-build (we had backbone connections to Sun's servers hosting the files) and it would suddenly stop, whilst someone else was building theirs quite merrily. Took a while to figure that one out - never expected duplicate MAC addresses on three different PC's!
I wrote a sort of keylogger back in the DOS days just to see if it would work. Written in Pascal from code found in the help file. Before going into Windows people would have to go to the network drive, I think it was H or something so:
CD H:
If I remember right. Then type "login" and then type "win". People would forget and type "login" while on the C drive. So I stuck my logger there. It would write user names and passwords to a file that you'd pick up later. File would be called something like assignment.doc because people would forget to save to floppy sometimes and because the PCs weren't cleaned, you had lots of student work lying around on the root of C.
Trouble is, if someone found the assignment.doc file and opened it, it was then obvious what was going on and that there was a keylogger going around.
I remember picking up the assignment.doc file one day and finding a few users and passwords in it. IT HAD WORKED!!!. One of the passwords I remember was "masterofpuppets". Logged into the users account but never did anything. Was just pleased it had worked as I was never a good programmer and had thought of the idea myself after seeing the help code in Pascal. Ideas never normally came to me without help :)
A few years later my cousin asked me about it and I re-coded it for their Uni. This time I added very basic encryption I found in the 2600 magazine. So that if you found the assignment.doc it looked scrambled so hopefully you'd just ignore it. All the encryption did was lets say you type A. It would +25 to the ASCII number of A and then write the result back to the assignment.doc file. Then to decrypt, you used the decrypter that, obviously just -25 of whatever was in the assignment.doc.
Fun.
I've been trying to think of a way of describing the American attitude to breaches of their law.
The closest parallel I can come up with is the way some other states regard blasphemy. The 'law' is an unchallengeable absolute, and the sin of transgression, whatever the alleged offence, is deemed so unpardonable that hostile popular opinion and the full powers of law enforcement are applied unthinkingly.
Just follow the flame wars between the trump republicans and liberals where the sanctions being demanded against either for percieved crimes are extreme.
Whether Marcus has a case to answer or not, now the machine has him his life is totally out of his control.
With states requiring the skills of people like Marcus; I can think of no better way to alienate them than how the FBI et al has gone about his case.
"....The 'law' is an unchallengeable absolute, and the sin of transgression, whatever the alleged offence, is deemed so unpardonable that hostile popular opinion and the full powers of law enforcement are applied unthinkingly....." Actually the reality is completely the opposite. UK law is very prescriptive - "you cannot do X or you will be charged with offence Y which has punishment Z". That was why Assange's argument of "it wasn't really rape" was so quickly debunked as it was very easy for the CPS to show it fitted the UK's tight definition. The US legal system is a lot more ambiguous, which is why lawyers have become so rich in the States. There they can argue over definitions of a law with the jury (and the judge, who can direct the jury) then having to decide which legal argument has best merit.
re Matt Bryant
Your description may well be the situation when a case get's to court. I admit to having no legal knowledge.
My point was purely about the initial almost reflex reaction in the US to anyone 'breaking the law' which is almost a bigger crime than the actual physical crime committed.
(I believe the figure are; US population is about 320 million 5% of the worlds population but 25% of the worlds lawyers. with I think 2 million plus people behind bars. That's a big industry. )
There's more people in prison in the United States that any other place in the world (or in the rest of history), so there's not much point in using it as a comparison with normal justice systems.
You need to make a comparison with countries that don't regard incarceration as the sole reason for the existence of their security forces Even somewhere like Stalin's Russia wasn't as extreme (at least he wasn't trying to turn a profit from his GULags).
Land of the free. lol :D
"I am withdrawing from dealing with the NCSC [UK National Cyber Security Centre] and sharing all threat intelligence data and new techniques until this situation is resolved," said fellow UK researcher Kevin Beaumont.
Maybe that's what the FBI wants. The whole intelligence community (at least in the US) has to have some egg on their face after the leak of some of their exploits (and the application of those exploits by various malware applications). Perhaps the FBI is bullying security folks on behalf of the CIA, NSA, etc... If nothing else, those agencies need some new vulnerabilities to exploit, and having a bunch of white hats find those vulns and report them to the public or the software manufacturers only makes their jobs harder.
The enemy of the state is the free flow of information.
I'm kinda wondering whether this is a case of some prosecutor / agent seeking to cash in on a bonus scheme that pays by results. Foreign guy, probably easily coerced, etc.
This wouldn't be the first time US prosecutors have laid charges against a foreigner who has no idea there's even an indictment open on them. Ask all those businessmen running online gambling sites who by accepting custom from Americans fell foul of the US authorities citing laws that are themselves inconsistent with trade treaty obligations which the USA has signed up to.
Whilst it's very movie plot, I'm not entirely convinced that there wasn't a "we can make those Milwaukee charges go away if you just help us out here" conversation going on.
The time gaps - and voluntary interview without lawyer - seem strange to my UK experience. If there's an arrest warrant in England it'd just get executed, certainly no conversation beforehand. Maybe the Americans work differently.
Arresting when the court's not sitting so the suspect has to spend the weekend in the cells... that's standard procedure for police forces everywhere if they don't like you.
"A Sin City court granted Hutchins bail of $30,000 on Friday. However, the decision came at 3.30pm local time, and his attorney wasn't able to make it to the bail office to pay the money before it closed at 4pm."
The one place I'd actually expect to find a 24-hour bail office is .... Las Vegas.
That is quite unjust. I get that bail offices need to close, particularly in smaller regions*, but given the probability** that the accused may turn out to be innocent, there has got to be a better way. Again, assuming that all is in place except the money, why can't they accept payments via bitcoin or direct transfer or PayPal or ...... Of course some of these won't work, but it's worth trying to make the process a bit fairer.
* Not that this is the case here
** Even if it is small, it is definitely non-zero
the state plays the same games with those that aren't famous too.
Imagine your on holiday, about to come home and are misidentified as someone they are after, you'd get the same treatment too.
The thing that bothers me the most is that if we heard of this behaviour in Russia, North Korea, China or some other country we have been brought up to expect poor treatment of their citizens, we'd all be moaning about how inhumane they are for treating their citizens in this way. If a foreign country had arrested a US citizen in this way, guilty or not, they'd be sending in the black hawks and parking the Reagan of the coast.
the behaviour of the US towards its citizens and world neighbours over the last 17 years has been getting more and more questionable.
What's the bet no U.S. law enforcement or three letter agency will arrest anyone in connection with any of the Wanna'Sploits!!!?
No way! It leads back to the NSA. Everyone knows it.
Everyone the world over knows the NSA harvested those exploits, and that it was the NSA who were ultimately responsible for, well, _not_ securing the code they wrote to take advantage of them!
Who the fuck is gonna arrest them for writing malicious code that took down big networks like the NHS in the UK? WHO?
[phew! chest. off.]
(oh FFS, Chrome is blocking me from inserting a URL)
"Cybercrime remains a top priority for the FBI," said special agent in charge Justin Tolomeo. "Cybercriminals cost our economy billions in losses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice."
Don't over think what happened to Marcus. Sounds like someone offered his name, he's gotten famous enough to be easily tracked and "captured", and as a malware researcher he's always involved with dangerous code. The Feds need a pelt to nail to the side of the barn.
Cops are lazy - I remember what happened to the rent-a-guard who found a bomb during the 1996 Summer Olympics in Atlanta (https://en.wikipedia.org/wiki/Centennial_Olympic_Park_bombing). Basically, when he reported finding a bomb, he got investigated for knowing the bomb was there. Simply doing the job he was hired to do made him a "person of interest", got his house turned over and nearly got him arrested. He certainly got pilloried in the press. At least he got his name cleared when the real bomber was eventually caught.
Sounds like what has happened before is destined to happen again. Admittedly, I have almost no information on which to reach my conclusion, but I do know human nature. This is all way too pat, getting famous made him a target, and got him arrested. He'll be extremely lucky to avoid doing serious time on this one. The best thing the security community can do for Marcus is to figure out who made Kronos. Just be careful while on the case!
Am I the only one who made the Godfather connection..... I think it went something like this:
Caller; "Don Vlad, someone in Britain has blocked with our internet extortion racket, can you do us a favour and teach him a lesson"
Don Vlad.; "No problem, let me have a word with Donna Theresa and he will suffer"
Caller; "But he's in America at present"
Don Vlad; "In that case I'll talk to Don Don, he owes me a big favour"
Don Vlad; "Don Don, remember that big favour I did you, well I need a little favour from you"
Don Don; "Anything my friend"
Don Vlad; "Well there's this British guy that's stopped some of my friends from making money on the internet and he needs teaching a lesson he will never forget and he's in America right now"
Don Don; "No problem, our Justice Dept has record of blaming other countries citizens for our IT security cockups and trying to extradite them to cover up US messes, what's his name and Ill let my contact know"
and so on
Apollogies to Mario Puzo
However as we don't know where the problem is, either with Marcus or the authorities I'm minded to side with him, innocent until proven guilty and the narrative we're getting from the authorities doesn't make a huge amount of sense for anyone in the infosec world.
It's almost as if they are simply squeezing him for info for other cases, put pressure on him, prevent him leaving the country and see if he'll squeal on any contacts he has.
I would estimate that, if you were caught by the FBI, you would be charged with causing about a billion dollars of damage to government computers.
10 GOTO 10
There, fixed it for you - nothing to indicate that anything is happening but the CPU is at 100%, OMG, I've just written Malware!
> "Cybercrime remains a top priority for the FBI," said special agent in charge Justin Tolomeo.
If Justin were literate, he might have said something like "Investigating cybercrime remains a top priority for the FBI". Instead, he effectively said "The FBI devotes most of its efforts to committing cybercrime."
But now I come to think of it...
And watching the film Infiltrator that was based in the 80s and based on a true story. You find out each year (either at that time or not) several trillion dollars is laundered every year. Not that it's right but, I assume without that illegal money the American economy would tank.
Or am I not understanding economics right?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
