I pulled the indictment from PACER. The story is oversimplifying the case.
The indictment is far more concerned with Huddleston’s affiliation with Zachary Shames, who was convicted (apparently dead-to-rights) for selling a keylogger called “Limitless”. The indictment mentions Limitless more than it mentions NanoCore. Shames wasn’t very smart: the DOJ has records of him providing tech support to users who were clearly using his keylogger to harm people.
Huddleston has two big problems. The first is that he sold licensing software to Shames for the Limitless keylogger. The second is that the DOJ apparently has Huddleston and Shames in a Skype group together talking about this stuff.
The Beast article snarks about the indictment mentioning HackForums repeatedly. But the Beast article doesn’t think it’s important for you to know about the HackForums Skype group Huddleston and Shames shared; in fact, Shames himself gets only a tiny sliver of the article, despite being the fulcrum of the indictment.
RAT software theoretically has legitimate uses. But, obviously, we all know that most RAT software isn’t legitimate. NanoCore sure wasn’t. It has a DDoS botnet tab, for Christ’s sake. Huddleston’s attempts to position it as legitimate software are about as compelling as the “no copyright claimed” comments on a Youtube video.
But having said that: it’s unlikely Huddleston would be in the amount of trouble he is in had he simply written a malicious RAT. His problems are his connections to a criminal conspiracy that got busted.
we all know that most RAT software isn’t legitimate. NanoCore sure wasn’t. It has a DDoS botnet tab, for Christ’s sake.
Well, maybe the tool was intended to be sold to the government.
Maybe the sale of the tool was actually an interpretive dance performance art.
‘a’ government. Don’t know about that. Just pointing out there’s more than one.
It’s especially dangerous in the modern era, where we have precedent for innocuous items and actions being used as “evidence” for a crime. Loose leaf tea and shopping at hydroponic garden stores; kitchen scales and Ziploc bags. If creating software of any sort is a crime, then eventually the innocent tools associated with creating that software will be used as justification for police raids and criminal charges.
If a physical item can ONLY be used for a crime, it is a crime to sell it. That’s why head shops insist a lot of glassware is for “juice cooling” or something along those lines. Why should software be any different?
A key logger doesn’t have to be used for a crime though.
There are very few things that legitimately meet that description. Sure, you can turn anything into an object that can only be used for crime by outlawing the object, regardless of how it’s used, but if you discount that kind of silliness it’s hard to imagine how a mere physical object could have the power to frustrate all intentions to use it in a good way. A piece of software is more likely to qualify for such an honor, but I still don’t believe in it.
Dude makes HackForums accounts, writes a RAT (Trojan) claimed to be for “budget conscious school administrators” and the like, sells it for $25 a pop, gets arrested and charged with creating and selling a hacking tool.
Seems reasonable enough. I’m not a fan of the FBI but I don’t see this guy’s defense standing up. He’s using the tired excuse of “it’s for Windows administrators, I had no idea hackers would use this for bad stuff!” while he exclusively sold it on HackForums. Get real.
This seems like a really dangerous argument. The vast majority of security research tools are created with the certainty that they will be used for illegal purposes as well as (and possibly more than) for legal ones.
Should the creators of metasploit or the aircrack suite or Kali Linux be sent to prison?
I think there’s an educational aspect to metasploit. I’m having a harder time figuring out what I’d learn from a tool that remotely enables webcams without activating the recording light.
It’s a gray area, but I don’t think it’s impossible to discern whether one is rgb(1, 1, 1) or rgb(254, 254, 254) flavored gray. And maybe the FBI has their gamma adjusted a little differently, but not that differently.
Despite the Daily Beast’s best efforts at sugar coating it, I didn’t feel all that sympathetic.
I feel incredibly sympathetic. I don’t actually want it to be illegal at all to sell a tool that can be used for malicious purposes, and this attitude of “the guy was probably not really on the up-and-up even if he wasn’t actually hacking anyone himself” is incredibly dangerous to everyone’s freedom. I hope the FBI loses hard in court.
I don’t think it is illegal to sell a tool that can be used for malicious purposes. What’s illegal is knowingly transmitting such a tool to someone who is using it for malicious purposes. The intent is what’s important, not the particular features of the applications.
(This is 18 USC 1030 (a)(5)(A)).
If you’re a gun seller, and someone comes into your shop and says, “I’m looking for a weapon to use to murder someone. Do you have any good murder-guns?” you can’t sell him a murder-gun without committing a crime, even given the ridiculous argument that guns have non-murder uses.
I didn’t feel sympathetic either, but feelings are not objective, and there is some life on the line here. I believe this tool is sort of like the knives that we give to children, who get immense enjoyment from them. I liked knives as a small child, and I liked learning about security later, and because of indulging myself in knowledge about tools like that, I became far more capable as an engineer who actually makes useful things for society. I think the world would be a better place if more people played with these sorts of malicious tools. Our systems and rules would benefit, in my opinion.
Well, like I said, I don’t think this is a great tool for learning. I thought about this a bit more, and there are some comparisons one can make to the LastPass vuln taviso just disclosed. Certainly there’s enough detail in his report to allow someone with malicious intent to do something naughty. But what didn’t Tavis do? He didn’t make a weaponized WordPress plugin that harvests passwords. He didn’t sell it for $25. He didn’t impose a license key to limit who could learn from his work. There’s more security information in more places than ever before. The education of future generations will be just fine.
Oh, thanks for mentioning Firesheep. I think that’s a good case. But the author of Firesheep never got a visit from the FBI? So it’s worth considering what’s different.
They didn’t try to sell it, and they credibly didn’t know what the people downloading it were doing with it (at least in part because they weren’t selling it). Also, I’m not aware of any crimes linked to use of Firesheep.
Selling it, especially on a forum called “HackForums”, feels qualitatively different from producing it in the first place.
If this were advertised on Hacker News, most people would feel the same way. Do you know anything about HackForums? It’s important to go beyond how things feel, especially when life-destroying consequences are at hand.
I’m not sure that’s germane here. The “hack” in “HackForums” does in fact refer to the kind of “hacking” “most people” think of when they hear the word.
It’s obvious to us what “hack” in “HackForums” stands for, but even if it was “cannibalrecipes.com” it doesn’t mean it’s a malicious or harmful act to sell cookbooks there. This is not the same as giving a gun to a criminal. While the tool he sold was preferred by some malicious users, the tool’s existence didn’t impact the availability of interchangeable ones.
Of course not, but nobody is saying they would be.
Metasploit wasn’t sold at all, let alone on “HackForums”.
The article seems to indicate that he’d been active on that forum as a young kid.
If you wrote a new tool, wouldn’t you tell your online friends about it?
It looks bad, but his proactive efforts to prohibit illegal use should be sufficient to demonstrate that criminal use was not the only use and not his sole intent.
He was more than simply active on HackForums. He was part of a secret Skype group of people who met on HackForums that included Zachary Shames, who was selling keyloggers to people specifically for them to use to own up machines, and he sold services to Shames.
Probably at least one layer away from somebody explaining their criminal plot to you.
Is HackForums suspicious? I was under the impression it was mostly a place where curious security enthusiasts traded tutorials, rather than a carder market or something like that.
People can visit the site and come to their own conclusions, but that’s not the impression I got browsing around the hackforums site for a few minutes.
If it’s not suspicious, sketchy, and borderline illegal, then I don’t know what would be. “We’re just learning and having fun” is not at all the message I got.
I would hold off on hacking no one. The House of Black and White has memory and talent.