Indictment of Marcus Hutchins aka "Malwaretech" (documentcloud.org)
309 points by ryanlol on Aug 3, 2017 | 195 comments



Outside of the clear concerns about if this person is falsely accused of creating malware for the purposes of victimizing people, one concern I still have not seen addressed widely is the issue of US enforcing laws on an international level.

Even if all of the charges are true, these "crimes" would have taken place in the UK or wherever this person is living outside the US, so how then can the US justify charging them with violation of US law?

I know this is not the first time this has happened, nor will it be the last time this happens, but it is increasingly concerning that crimes completely committed online are open to US Jurisdiction and sets a TERRIBLE precedent.

As a US Citizen I do not want to be held to another nation's laws, laws I may not be familiar with, because of my online activities.

It is only a matter of time before an EU nation attempts to extradite or arrest a US Citizen traveling abroad for a hate speech law violation or some other violation that occurred online from the US which is not a violation of US law but is a violation of EU Law.


As a Canadian citizen, open source developer, free minded tinkerer (I don't dare to say hacker in this context) I am fucking scared to enter the USA. The law in question was written largely as an answer to the Wargames movie, it was not a good law then and 30 years later it's downright terrifying.

If they think I broke some USA law they better issue a warrant and ask Canada to extradite me. That's a thing. But this sort of ... ambush ... or what do I call it, that's just scary. Let's say I scrape a website whose ToS said, don't scrape me. Is that a felony? Perhaps. Want to crank it to eleven? Let's say I left accidentally a security hole in Drupal (I have 1299 commit mentions in Drupal) which powers, well, certainly more than ten websites in the United States. Is that a felony? Can it be twisted into a felony? Is it likely? No? Possible? Fuck knows.

You could say, hey the CFAA is older than my boots, nothing has changed, why are you scared only now? My answer is, you know, the leader of the executive branch is an old man without political experience who certainly shows signs of dementia and while I can't professionally evaluate how it changes the situation I have a bad feeling it makes it worse than it was.


> Possible?

Yes. The legal code is so byzantine that most citizens (and most visitors) are permanently in breach somehow, somewhere: an error in some form you filed, a permit you didn't know you needed, a clause that's very rarely enforced, a law worded vaguely that can be made to fit.

This is the origin of the cliche "to throw the book at someone" - to threaten or exact retribution, by hunting for all the ways they are breaking the law, related to the original arrest or not. It is also why the advice is not to speak to police voluntarily.

Fortunately for most folks the US is a mostly benign state (which is why exceptions are somewhat notable). But this is not a unique US issue. It is only a change of intent away from the widespread persecution of political opponents.

As long as most of us believe a 'political enemy' is our enemy too (like those evil hackers), the state is free to throw the book where it pleases with public indifference or even support.


> It is also why the advice is not to speak to police voluntarily.

At all, except through legal counsel or, at the least, with legal counsel present; competent legal counsel at that.


> As a Canadian citizen [...] I am fucking scared to enter the USA

Add Thailand to the list:

> The operation included the arrest on 5 July of suspected AlphaBay founder Alexandre Cazes, a Canadian citizen detained on behalf of the US in Thailand. Cazes, 25, died a week later while in Thai custody. [1]

[1]: https://www.theguardian.com/technology/2017/aug/03/researche...


How'd he die?



Perhaps you should review enforcement of the CFAA under the Obama administration before you lay blame at the feet of our new overlord.


I am well aware of Dmitry Sklyarov (he was charged under the DMCA, though) and, of course, poor Aaron. Nonetheless, somehow I have evaluated the risk of entering the USA acceptable. I feel the risk grew under Trump.


GP didn't say things weren't already bad, just speculated that if the new president's personality has an effect it would probably be to make things worse.


There are only very few countries which will not extradite you to the US.

Recently they even got a Russian hacker from the Maldives, which has no extradition treaty with the US.

Out of my head the list of recent cases was: Cyprus, Maldives, Thailand, UK, Canada, Mexico, Poland, Czech, New Zealand (not clear yet. Police did support the NSA, but law still refuses to extradite Dotcom), and all interpol countries with a few exceptions.

The reverse list is shorter: Germany refuses to extradite the VW managers but who knows what they'll do with hackers. Italy and Spain are risky. Ecuador and Bolivia, who knows? Venezuela probably.

Only Russia and some of its allies should be safe for criminals. China? Probably also according to Snowden. But they'll probably kill you before sending you over, as they have interesting fraud laws.


This is exactly why the "the Internet is a different place" arguments (such as [1]) make me sad. Because, without a formal worldwide treaty (seems unlikely), it will never be the case. Whilst you might perceive your actions on the Internet to be either only policeable on the Internet or in the worst case in the location you perform them from, the law (in multiple countries, over and over again) sees your actions as occurring in any place they affect. You may have initiated the activity in country A - but if that action is then caused to happen/repeated/perhaps even observed in country B, you probably shouldn't be surprised that if it breaks country B's laws then they might want to speak to you about it.

Guess what - if you (as an example) encourage Chinese dissent online and it gets past the Chinese firewall - you stand a good chance of being picked up by the Chinese authorities should you go there. The only way the Internet is a different place is if you never leave the Internet/your home jurisdiction. The good news for US citizens is an extradition along the lines you mention seems unlikely (unless you also broke US law). In the UK (for example), the situation is far more bleak as their extradition treaties with the US and others are less protective.

P.S. this is in no way commentary on MalwareTech's guilt - that is for a judge and/or jury to decide - just discussing a common perception

1. https://en.wikipedia.org/wiki/A_Declaration_of_the_Independe...


Your assertion is that the US should not arrest someone on US soil for crimes committed against US citizens by the person while they were in another country. That doesn't make sense to me. If an American was mailing handguns that are legal in the US to people in the UK I think no one would have a problem with them being arrested if they visited the UK. Disagreeing with the laws of another country is reasonable and your home country has the ability to at least try to intervene on your behalf. But when you are traveling to another country you are subject to its judicial system. If this minimum of enforcement is not acceptable how are any of us to defend ourselves against criminals in developing countries that will never enforce their own laws?

The concept that we get to take our home legal system waltzing around the world with us as we travel is arrogant. You may be morally and legally free to post a cartoon mocking Mohammed on your Facebook page, but don't be surprised if you get detained on a trip through Saudi Arabia.

At least in the US he's innocent until proven guilty and will probably get a fair trial. And he wasn't arrested for posting his opinions on social media or bashing the president. The software in question was designed to steal people's access to their shopping and banking accounts. And the accusation is he conspired to sell it and offer support to criminals to help them abuse their victims. I would have no problem with an American getting arrested under similar circumstances while visiting another country.


> If an American was mailing handguns that are legal in the US to people in the UK I think no one would have a problem with them being arrested if they visited the UK

I would. I would fully expect the UK to engage with the US, not ambush someone.


That's a good point. But there was an article in the BBC that stated at least one agency in the UK was aware of the situation. Given that the guy is temporarily at least a hero, the short time frame since Alphabay was taken down and the evidence discovered, and the fact he was traveling to the US, it was probably better for everybody that it happened in the US. I don't think politicians in the UK would have enjoyed the prospect of extraditing him to the US. My impression is not that they were sitting on this for a couple years, but that the Alphabay operation unveiled a lot of info that they couldn't act on until it was finished. But that's all pure speculation on my part.


> I still have not seen addressed widely is the issue of US enforcing laws on an international level

It's simple: if you do something which causes something illegal-in-the-US to happen on computers-located-in-the-US, you can be prosecuted by the US for it. There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea. There wasn't anything new about it recently when some bitcoin people were busted because they laundered their proceeds through US institutions. There isn't anything new about it when someone in another country hacks a US company's systems.

"The internet" is not a magical extra-territorial location which wipes away all concept of countries having jurisdiction. As long as a computer in one country can cause things to happen to/on a computer in another country, there's an opportunity for either country, or both, or others in between them on the network, to have jurisdiction over things that go wrong.

And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.


Hypothetical: A Pornhub executive flies from New York to Seoul on Etihad Airways. While transiting in Abu Dhabi airport, they are arrested on charges of obscenity. What would be the reaction in the US?

Factual: In 2006, David Carruthers was arrested while transiting through Dallas-Fort Worth Airport. He was convicted under the RICO act and sentenced to 33 months imprisonment. He was the CEO of the online gambling company BetOnSports, which operated in full compliance with the regulations in the UK and Costa Rica, but accepted bets from American gamblers. Gary Kaplan, another BetOnSports executive, was extradited from the Dominican Republic.

The precedent set in the BetOnSports case is either utterly hypocritical or extraordinarily dangerous. If we give every country the right to impose their laws across the whole internet, we don't have an internet any more. A Facebook user posts a comment critical of the Thai royal family; Zuckerberg is sentenced to life imprisonment for lèse-majesté. A Chinese internet user accesses anti-government material via a VPN hosted on AWS and a Google search; Bezos, Page and Brin are all sentenced to 10 years hard labour for subversion.


If you run a business, and decide to do business with people in another country, it's your responsibility to figure out if the business you're doing is legal for that country. This is only a strange idea to a certain segment of internet commenters. The rest of the world has just treated this as the way things are for a long, long, long time. The new, strange, radical idea out of step with established norms is the notion that "on the internet" is some magical lawless, stateless, jurisdictionless place where anything is fair game since nobody could ever prosecute for something that happened in this magical fairyland.

It really is time to stop being surprised that you can be arrested and prosecuted for your interactions and business relationship with people, property or other entities in a country of which you aren't a citizen.

Also, don't look now, but large tech companies headquartered in the US routinely make changes to their products/services to comply with other countries' laws. If Facebook wants to operate in Thailand, Facebook has to be prepared to comply with Thai law, for example. "We're on the internet" doesn't work as an out.


> If you run a business, and decide to do business with people in another country

I understand this to an extent if specific technical work was done to make a system function in a particular nation (e.g. if the betting site did technical work to accept USD as a payment).

But, it's very possible to build a website and not decide to do business with people in another country. It's possible to be running an online business and not need to know what country a user is from. If I never decided to do business with people from a particular country, am I still subject to its laws?

In the example, what if Facebook didn't specifically want to operate in Thailand? What if Facebook simply hadn't taken specific technical steps to block Thai users?


If Facebook doesn't want to account for a country's laws, Facebook needs to make sure it never hires employees in that country, never has any key personnel visit that country even briefly, etc.

Again: this is not a bizarre new unprecedented never-before-considered hypothetical.

In the gambling case, it's actually even easier, by the way, to create jurisdiction since the gambling site needs a way to actually pay out to its customers, which makes it very hard to avoid certain countries' financial rules. I don't particularly care for the US' stance on online betting (but let's face it, those folks aren't caught up in some kind of "how could I have known" situation -- they're like the people who ran the original p2p file-sharing networks saying they were shocked, shocked! to discover that what must have been a tiny, insignificant, sub-microscopic fraction of their users were openly violating laws), but the legal framework around being able to arrest/extradite people and prosecute for crimes which involve people on multiple sides of a border is pretty well-understood and I know of no way in which this is some sort of unprecedented abuse of it.

Again, look to the auction sites which got notice from Germany to either stop being accessible at all there, or start filtering out the Nazi stuff so Germans couldn't purchase it.


>If Facebook doesn't want to account for a country's laws, Facebook needs to make sure it never hires employees in that country, never has any key personnel visit that country even briefly, etc.

In practice, that means that nobody can ever travel internationally. It's impossible for anyone to know for sure that they've never broken the laws of another country. It's barely possible to know if you're abiding by the laws of your own country[1].

Facebook might filter out lèse-majesté comments to Thai users, but how can they be sure that the filters caught everything? How can they be sure that a user didn't circumvent their filtering? How can they be sure that the Thai judiciary will accept their defence that "we did everything we could to stop it, but something slipped through the net"? Even if Facebook employees never travel to Thailand, how can they be sure that they won't be extradited from a country that's sympathetic to Thailand's lèse-majesté laws?

I don't know what the solution is, but there are clearly immense risks here. America's habitual snatch-and-grab arrests of foreign nationals have legitimised all manner of human rights abuses.

[1] https://books.google.com/books/about/Three_Felonies_A_Day.ht...


So let's say a country enacts the two hypothetical laws:

- Any operating website which renders services to the greater internet must make its service available to traffic originating from this hypothetical country.
- Pornographic materials fall under obscenity laws.

Now any website offering pornographic materials ends up in a catch 22; the only way to avoid violating a law of that country is to comply with the latter law, and not serve pornographic materials (even if one's own country has no laws outlawing it).

You see how this can be problematic given the global nature of the internet, with hundreds of countries each enacting their own laws? You shouldn't need to be able to solve the world's most complex constraint satisfiability problem to operate a website; you should only be required to comply with the laws in your own country, while making no active attempts to violate laws in other countries.


> You see how this can be problematic given the global nature of the internet

You seem to be thinking that there's some sort of old sci-fi robot here that if you present it with a logical contradiction it will start yelling DOES NOT COMPUTE and its head will explode.

I suggest you stop thinking in those terms; laws don't work like computer programs, and the sooner you understand that, the better off you'll be. Legal frameworks can deal just fine with contradictions. And, yes, a sufficiently-malicious government could pass combinations of laws designed to force someone to commit a crime.

Yet somehow the world continues to work. And if there's a foreign jurisdiction with laws sufficiently odious to your business, well, you just stay home. Typical extradition treaties require that the alleged act be criminal in both countries in order to extradite for it, so as long as you stay in a country whose laws match what you want to do, or which has no extradition, you're good (this also is why so many criminal hacking cases are dead ends trailing off into countries that won't extradite to wherever the victims were, but this appears to be the outcome you want).


Care to answer https://news.ycombinator.com/item?id=14927785 my comment elsewhere in this thread? I am really curious.


> If you run a business, and decide to do business with people in another country, it's your responsibility to figure out if the business you're doing is legal for that country.

I'd say it's the responsibility of the people in the other country to know their own laws. It's not reasonable for the business to know the laws of every country in the world, which is the only other option.

This is how it has traditionally worked. If it's illegal to possess a particular item in country A but not country B, and someone living in country A places a mail order from country B for one, one would normally expect that person in country A to be held culpable under his or her own laws, not the business in country B legitimately selling it.


If there is an item that is illegal to possess, typically both the buyer and seller can be prosecuted. That's nothing new. You're just continuing to push the idea that "it is legal in my country" as a defense that's already been established as not a valid defense. This type of prosecution has been established way before the internet even existed.


> typically both the buyer and seller can be prosecuted

"typical" to which legal system?


Well, the legal systems that state that buying and/or selling a restricted or illegal item is punishable by law. I'm not familiar with the laws of every jurisdiction on the planet in this particular manner.

I'll admit I'm assuming that in cases where it is illegal to possess the item it is also likely illegal to sell said item. But I'm sure there are exceptions to the rule.


So then what is your Opinion of SciHub...

The owner is not in the US, has never been to the US, the servers are not in the US, and what they are doing is not illegal in their home nation, but they are being sued in US courts.


>>And your "only a matter of time" slippery slope has already happened: several EU nations have taken legal action against US-based online retail/auction sites to require compliance with laws against selling Nazi symbols or memorabilia. And I hope you'd understand that no matter how much you might argue "but I wasn't even in Germany", Germany will come after you if you offer to sell and ship items to Germany which are illegal to sell/ship there.

No, that is in fact not what my "slippery slope" argument is.. Nowhere even remotely close to it

Shipping an item INTO the nation means clearly you must abide by their laws, what I am talking about would be Germany attempting to take legal action because I operate a website that has Nazi symbols on it that a German person happens to visit.

>> There is nothing new, radical, revolutionary, terrifying, unprecedented, etc. about this idea.

Seems to me that there is since the US is not just prosecuting people for their direct actions against US Computers but seem to be going after people many many steps removed from those actions that have the thinnest of connections to US Interests. This seems to be new and radical and terrifying from my point of view

Do you support the US in doing this? You seem to imply you have no problems with the current state of affairs


So, let's just put it clearly: suppose someone who is, at the time, not physically present in the US, breaks into a computer system which is physically present in the US at that time. Which of the following do you think most accurately describes the situation?

1. No crime has been committed, because these actions took place on the internet, where no laws apply and no country has jurisdiction.

2. A crime may have been committed, but only if breaking into computer systems is against the law of the country the person was in at the time, and so only that country could prosecute.

3. A crime was committed in the United States, but the United States cannot prosecute someone for a crime if some element of that crime took place physically outside the borders of the United States.

4. A crime was committed in the United States, and the United States can prosecute the person responsible, and has the power either to arrest that person if they happen to visit the US voluntarily, or to extradite that person from the country they're in if an extradition treaty exists between the United States and that country.

The accepted view, for the record, is (4), and appears to be the basis of this case: the indictment claims computers physically located in the US were affected, which gives the US jurisdiction to arrest and prosecute.


>>So, let's just put it clearly: suppose someone who is, at the time, not physically present in the US, breaks into a computer system which is physically present in the US at that time.

So your strawman has nothing to do with the topic at hand

The US Government in this case is not claiming this person broke into any computer system, they are saying this person developed a tool that was then sold (outside the US) to others that then may have been used by unnamed 3rd parties to break into computers.

So to make up a true hypothetical: if a person A in Russia makes a small computer program that cracks passwords, then sells that computer program to person B in Russia, then person B uses that program to break into a US Computer, did person A break US law, and can person A be charged under US Law?

I say no, you clearly believe yes.


The indictment seems to think he was a bit more involved than that.

What you seem to want him to be is, to spin out an analogy, an innocent shopkeeper who happens to sell sporting goods, and is now saddened to learn that someone bought a cricket bat from him and used it to beat someone up. The indictment is alleging something more like "Anybody here looking to beat someone up? I've got cricket bats that are great for this, and am happy to provide assistance and pointers and work with you as you choose who to beat up and how!"

Seriously, read the indictment. If they can prove he either was involved in deploying/using/explaining how to use the malware against specific US victims, or that he knew who the intended victims were and provided the malware for use against them with that knowledge, then he's dead to rights on a US charge.


>>Seriously, read the indictment.

I have, and to the extent a conspiracy occurred, that conspiracy was completely in another nation. So to apply this to your analogy: if this shop selling cricket bats, with an owner that provides pointers to beat people up with it, is located outside the US, then the person they provided pointers to travels to the US to beat someone up, do you still believe the shop keeper has violated US law?

I still do not


If the conspiracy was to break into or attack US computer systems, it's a crime the US has jurisdiction over.

If it had been a conspiracy to break into or attack French computer systems, France would have jurisdiction over it. If it were a conspiracy to break into or attack Mongolian computer systems, Mongolia would have jurisdiction over it.

I don't see anything unusual here.


The problem with all these approaches is that they sidestep what the internet is and isn't and change the rules as they see fit when they want a certain outcome.

If the internet is a digital territory made up of computer ETS, then we first have to solve the question of how to determine whose territory it is.

If it is only a communication tool to reach physical objects on a country's soil, then the usual treaties regulate a very different approach than the one taken.

Going back to the territory problem, a state as a person of international law should possess the following qualifications: (a) a permanent population; (b) a defined territory; (c) government; and (d) capacity to enter into relations with the other states. Good luck trying to use this on the internets.

State agents can't even identify themselves in a secure way so I could also nuke them virtually when they enter my virtual home... all the questions like taxation or citizen rights not even mentioned - you see the problems?!

States use arbitrary interpretations of clauses of often mutually exclusive treaties covering civil and criminal law to basically claim, that each one has dominion over all of the internets.

The real situation is more like international spaces, where states have some control over their systems, just like coastlines and out in the high seas it's everyone on its own with the states neither willing nor able to enforce the rights of their citizens...


Ah, I see. You're going to derive a system contrary to Westphalian states from first principles in an effort to show why it's unjust that someone who hacks computers in Country A from Country B can be arrested and prosecuted by Country B, since the entire notion of state sovereignty is flawed!

Let me know when your treatise on this is finished.


Don't attack, just verify. The system is in place (hint: high seas), the states, especially those not in a state of denial of the applicability of international law, have to offer definitions for their regulations, especially those in Roman law countries, where the first section is always definitions... not doing so allows them to be challenged by other states.

In other news the kind of system you think is used is exactly why there ARE international treaties... to avoid those situations.

But perhaps you are right and we should have more cases based upon the Pinochet precedent... e.g. Int. extradition of US border officials looking into protected communication a British lawyer takes to his client in the US - something that is prohibited and punishable both in civil and criminal law in most of the world?!


4. but you need to understand a very significant difference: they kept the warrant secret to ensnare him. If they issued a warrant and then he visited the USA and gets arrested -- that's stupid. But he had no idea, worse he couldn't have any idea. Do you get my problem here?


Plenty of people have warrants out against them that they don't know about. Lots of jurisdictions, including developed modern Western nations other than the US, don't send you warning in advance that you're going to be arrested. They just show up with the handcuffs.


On foreign soil? They set a warrant out for you waiting for you to travel there, kept in secret? Not sending it to the home authorities? What's wrong with this picture?


As hard as it may be for you to believe, police in many countries are generally not in the habit of warning people in advance that they're going to be arrested. I know it's rude of them since it may inconvenience someone's travel plans, but that's just kinda how it is.


Going by your logic, US could proactively import a computer that is a victim of a crime from somewhere in the world onto US territory, and arrest the person responsible.


If you read the indictment, the claim alleged is that some of the computers affected were in the US at the time the crime occurred. Which would give the US jurisdiction.

This is not a new, dangerous, slippery, radical, unprecedented idea in law. It doesn't lead to people digging up murder victims' corpses and importing them to other countries to give those countries jurisdiction over the murder, etc., because the law has worked this way for a very long time.


Interesting idea. Now you've mentioned it publicly, wonder how long until it happens? :)


The problem here, as I wrote above, is arresting a UK citizen in the USA. If they would've issued a warrant and the UK police decides to arrest him and then extradite him, that's fine.

But this sort of thing... this could potentially halt international travel. I am not kidding: how do you dare to travel anywhere if you can be arrested for something you did years ago which very well might have been legal in the country you resided in but not in the country you travel to?


What Malwaretech has been charged with here would likely be illegal under UK law as well as US law (section 37 of the Computer Misuse Act [1] appears to be analogous to the charges being brought against him). And regardless, the UK-US extradition treaty is written in such a way that the US charges do not have to be illegal under UK law for an extradition to take place (although the converse is not true).

Now, it may well have been the case that when the inevitable court case to challenge the extradition in the UK took place, it might have gone all Gary McKinnon on them [2], due to public support after WannaCry etc. which I'd suggest is probably why the FBI chose to arrest him in the US rather than put in a formal extradition request or work directly with the UK authorities (AFAIK).

But yes, I do agree that with the advent of a worldwide communications network, travel to countries with oppressive, obscure, or stricter legal regimes has become more dangerous for some. The thing I find curious is that others haven't perceived this change in risk.

I wouldn't necessarily say this is a bad thing either - note there have been a number of (accused) botnet operators/cyber-criminals originating from Russia who were arrested whilst holidaying in the EU, and then extradited to the US. Since Russia has a reputation for being lax about prosecuting such "crimes" (especially if they only target people outside of Russia), and also tends to refuse to extradite Russian nationals, it doesn't seem that there are many other options.

1. http://www.legislation.gov.uk/ukpga/2006/48/section/37

2. https://en.wikipedia.org/wiki/Gary_McKinnon


Why is it a problem that if you commit a crime and then visit a geographic location where the local governing entity has jurisdiction, you could get arrested?

If he had robbed a gas station in Las Vegas, would you be upset if Las Vegas police arrested him?

Do you believe that "I am not a citizen of your country" automatically provides exemption from a country's laws even when on their soil?


This simply doesn't apply. He was not on US soil when committing the crime.



If I went on travel to a foreign country and committed a crime, I would expect to be arrested there. Where the damage was done is the key, not where I was at the time. If I create some malware that takes out UK servers, I would expect to be arrested for that if I ever set foot on UK soil.


If you ever posted a sickle-and-hammer to the web, visible to the Hungarian public -- distributing it -- then you possibly could be fined for it. If you visit Hungary and you got fined, would you consider it just? Here's the Hungarian Criminal Code article in question:

Article 335(1). Any person who a) distributes; b) uses in public; c) exhibits in public; a swastika, the SS sign, an arrow-cross, a hammer and sickle, a five-pointed red star or a symbol depicting the above, – unless a graver crime is realised – commits a misdemeanour, and shall be liable to punishment with a fine. (2) The person who uses a symbol of despotism for the purposes of the dissemination of knowledge, education, science, or art, or with the purpose of information about the events of history or the present time shall not be punishable. (3) The provisions of subsections (1) and (2) do not extend to the official symbols of states in force.


As I've already noted, Germany and other countries have enforced their no-Nazi-stuff laws against US-based entities.

If you do a thing that's illegal in Hungary, and then put yourself on Hungarian soil, I'm not going to be surprised when you get arrested. In other words, this is not the knock-down "that'll really show him!" counterexample you're looking for.


This seems untenable. Now, to travel to another country for holiday, I need to look back on everything I've ever done, (even something so minute as distribute an image of a hammer and sickle) and pore over the laws of that country and determine I have not ever been in violation of _any_ of them?


I don't think most people would say that's how it should be, it's just the way it currently is. Law enforcement typically does not care about your convenience.


So you believe regulations will keep you safe from even half-professional criminals, let alone state-sponsored ones?


While I agree that the US should arrest people or entities that try to harm its citizens; it's important to note that the US doesn't really look for that criteria.

For example, they attacked Syria for crimes committed by Syrians against Syrians. The US wanted to carry out the attack, and then found the excuse.

But why would this surprise anyone? Does anyone think that the US is spending billions on military weapons just for the fun of it?


> It is only a matter of time before a EU nation attempts to extradite or arrest a US Citizen traveling abroad for a hate speech law violation or some other violation that occurred online from the US which is not a violation of US law but is a violation of EU Law.

Fingers crossed that it's Trump. ;)


Wasn't it Obama's administration pushing this draconian policy across the globe in the first place?


I think the GP is joking that that first person detained by the EU will hopefully be Trump himself.


Source?


The Guardian has some more context (for those of us not keeping track of previous events, such as AlphaBay's takedown a few weeks ago): https://www.theguardian.com/technology/2017/aug/03/researche...


I'm amazed and slightly confused at the idea that the act of writing a piece of software can in and of itself be illegal.

Do the laws require distribution or showing of intent to harm or simply writing malware?

Is there any precedent to democracies jailing a person over reducing to writing an idea or algorithm?


Writing even this software wouldn’t have been illegal. It’s mentioned in the indictment as a concrete act in furtherance of a conspiracy, part of the technical abstraction of prosecuting a conspiracy in US law.

What is illegal is stealing from banks, and conspiring to steal from banks—and so they’ll show communication, an illegal agreement, and concrete acts in support of the conspiracy. If they weren’t pretty sure they could persuade a jury of those, they wouldn’t have gotten this far.

There are also some devices it’s illegal to build—bombs, for example, and other devices whose only or nearly-only purpose is illegal. Some software is included there, including software whose only purpose is illegal wiretapping.

That makes it legal to write and exchange proofs of concept for vulnerabilities, but you have to be really careful not to make the PoC too pointy.


In Germany, even the act of writing[1] software whose purpose is to access data without authorization[2] or intercept data transmissions intended for someone else[3] is a felony.

[1] https://dejure.org/gesetze/StGB/202c.html

[2] https://dejure.org/gesetze/StGB/202a.html

[3] https://dejure.org/gesetze/StGB/202b.html


Where do you draw a line between a "remote file manager" and "software whose purpose is to access data without authorization"?


The "without authorization" bit?


The Washington Post has an article[1] talking about this. It looks like the FBI did some digging to come up with the charges. Counts 2 through 4 are related to violations of 18 U.S.C. 2512 [2] which criminalizes making, selling, or advertising for sale illegal wiretapping devices. That's pretty interesting because as far as I know it would be a first to categorize malware as such a "device".

[1] https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...

[2] https://www.law.cornell.edu/uscode/text/18/2512


Well, that's the "it's not guns that kill, it's the people who use them" argument. Which I have some sympathy for. But many disagree.


Except that a handgun's primary purpose is just that; it's a pretty blunt tool. But software can have many purposes, even if it is security related: research, practice, proof-of-concept, curiosity, ...

We better hope they have some real evidence beyond just some random code; if mere possession is enough, they can throw all of us security people in jail, together with anybody who has any DRM circumvention or file-sharing software and whatnot. Seems any computer could contain something to detain just about anybody if twisted around enough.

I guess only the future will bring clarity if this is gross overreach or if they really have substantial evidence that he is both the source and had the intent.


A gun's primary purpose is not to kill a human being by default.

A gun is designed to fire bullets, the bullet is designed to inflict intended levels of damage upon the target of choice. A single gun can have ammunition that ranges from no damage whatsoever to any target up to beyond lethal to a living target.

In other words, your gun's primary purpose is what you decide it is.


What about someone who manufactures guns and knowingly sells them to street gangs without registering them? That's closer to what Hutchins is alleged to have done.


What is also amazing is that the American activity and responsibility in this mess is unpunished. Objectively, the victims of WannaCry should trial America and request a repair.

While I do appreciate and support the backpressure on illegal activities on the internet to make it a safe place, it should also apply to state activity.


No, writing the code is not illegal. Code is speech in the US.

Using the code to commit illegal acts is the issue.


Interesting - can you source any doctrine or case law that explicitly states that 'code is speech'?



Even for an indictment, this is...surprisingly bare.

(For example, this is an Alphabay seller who was selling and distributing fentanyl in Cincinnati two months ago).

https://www.dropbox.com/s/sbsiebzsd6r0f28/bozworth-grace-arr...

It looks like they put together the minimum needed to indict, put together a grand jury, indicted and arrested. This was the prosecutor's "ham sandwich" of the week.


FYI, that file has the name, social security number, and address of the person being indicted. It says it's supposed to be redacted-- but there it is.


Good catch.

I didn't see that when I downloaded the file from PACER. I've since uploaded a redacted version to dropbox.


So I can get the non-redacted version from PACER? Thanks


>During a mirandized interview before LE, [he] admitted to mailing approximately 30-35 parcels that contained 50-100mg quantities of Fentanyl each.

Makes me wonder if all the sellers are this inept, or if they're the only ones that get caught...


The preceding paragraph says "we saw them putting the parcels in the mail box and arrested him"

He might have only admitted to things the cops had seen him do a few minutes before. I can understand someone thinking there was no point in denying such things - although asking for a lawyer would surely be a smarter move.


parallel construction takes time!


Definitely a rush job when they found out he was coming to the US.


The UK is one of the only countries I know that extradites its own citizens to the US. So I don't think he was out of their reach.


Given that the Alphabay takedown (and law enforcement's control of the servers for at least six weeks) was more than a month ago, Hutchins' blithely travelling to the States for Blackhat seems a level of confidence completely at odds with known facts and the apparent allegations of the indictment.


I don't see why Alphabay getting taken down would really put him at risk. He wouldn't have put his bank account or credit card on the site. This isn't even like drugs where physical mailing addresses are involved. The worst would be the money in his account getting seized.


No, it could be much worse than that. Law enforcement didn't immediately shut Alphabay down---they let it run compromised for several weeks, gathering evidence. If Hutchins made transactions during that period, he was at significant risk, especially if he was under surveillance at the time---simple traffic analysis would be enough to connect him to activity on the site. It's very hard to hide the content of a conversation from one of its participants.


I would think that when operating any type of illegal online enterprise, you should always operate under the assumption that everyone you're talking to is a government agent. So you should never reveal anything about yourself. The government is obviously making many undercover purchases.

Traffic analysis is a risk, but questionable. If it was used in this case, I want to follow this case closely to see more details. Because I haven't heard of a case of the government using traffic analysis to identify users except extremely basic stuff such as "we saw him walk into his house, then saw some Tor traffic, then saw a post appear on the forums".


Unfortunately there will likely be a nice parallel construction to ensure we never find out exactly how they snared him.


"This raises an interesting legal question: Is it a crime to create and sell malware?

The indictment asserts that Hutchins created the malware and an unnamed co-conspirator took the lead in selling it. The indictment charges a slew of different crimes for that: (1) conspiracy to violate the Computer Fraud and Abuse Act; (2) three counts of violating 18 U.S.C. 2512, which prohibits selling and advertising wiretapping devices; (3) a count of wiretapping; and (4) a count of violating the Computer Fraud and Abuse Act through accomplice liability — basically, aiding and abetting a hacking crime.

Do the charges hold up? Just based on a first look at the case, my sense is that the government’s theory of the case is fairly aggressive. It will lead to some significant legal challenges. It’s hard to say, at this point, how those challenges will play out. The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts. So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case. As always, we’ll have to stay tuned.

Here’s an overview of the six counts in the indictment, together with my tentative thoughts on them."

https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...


We can't know anything at this stage, but from the looks of it, it doesn't seem like the guy wasn't anything but a white hat.

There's also this:

> Hutchins’ employer, cybersecurity firm Kryptos Logic, had been working closely with the US authorities to help them investigate the WannaCry malware. Hutchins handed over information on the kill switch to the FBI the day after he discovered it, and the chief executive of the firm, Salim Neino, testified in front of the US House of Representatives Committee on Science, Space & Technology the following month.

If true, then the guy would have to be incredibly stupid and naive to live such a double life. Not to mention traveling to the US.

Anything is possible, of course. The problem is that the guy has become well-known, and retracting such a mistake would be politically costly. This guy will probably have the book thrown at him.

It's also a very bad thing for cyber security if researchers cannot do their jobs out of fear.


> If true, then the guy would have to be incredibly stupid and naive to live such a double life.

If they're suggesting the crimes were committed 2014-2015 there's a good chance he found a legit income and retired from selling malware. But his past has caught up with him.


> We can't know anything at this stage, but from the looks of it, it doesn't seem like the guy wasn't anything but a white hat.

Yes, we can know. Did you even bother reading the indictment?

He broke six US cyber laws in 2014, and that's why he was arrested.

> If true, then the guy would have to be incredibly stupid and naive to live such a double life. Not to mention traveling to the US.

Yes, I think you nailed that one. He's certainly not as smart as he thought for flying to the US after breaking US cyber laws just three years ago and thinking the US law enforcement would not notice.

> It's also a very bad thing for cyber security if researchers cannot do their jobs out of fear.

What are you talking about? He broke US law.

Felonies don't go away just because you do one good deed.


Guilty until proven innocent huh?

You believe everything the government asserts, at face value?


He is alleged to have broken the law, we don't know if he did things he is indicted for.


It makes one wonder why anyone who has cyber dirt on their hands would step foot on US ground, after the Snowden/NSA revelations which made it clear to everybody on this planet that the NSA is literally everywhere.


Because, really, who among us hasn't built and sold software used to harvest Amazon logins, bank account logins, and credit card numbers from botnets?


Or crawled a webpage outside of the TOS, shared files through torrents, alerted some website that they had a security hole, ran a business legal abroad but illegal in the United States that had US customers, ran afoul of any one of the US laws without knowing about it and in places not normally under US jurisdiction and so on.


That is a non-sequitur response, as this person has not been arrested for violating terms of service, sharing files through torrents, alerting people to security flaws, selling Canadian pharmaceuticals, or trafficking in undersized lobsters.

They were arrested for building and selling software used to harvest Amazon logins, bank account logins, and credit card numbers from botnets.

Your logic could just as easily be used to dismiss an indictment of any crime, from undersized lobsters to murdering someone with an undersized lobster.


As I read it, you Thomas were pointing out that the indictment contains a number of overt and recognizably 'bad' acts, and Jacques was pointing out that there are a number of actions that are arguably 'non bad' that could also get you in trouble.

What I took away from this is that Marcus probably shouldn't have come to the US if there really were trails on a computer system tying him to malware. And that Jacques believes it will eventually be a bad idea to come to the US if you have done anything the US disapproves of, even if such things are both acceptable and legal where you did them and when.

Me, I'm just trying to move my deck chair so that I can get a good look at the icebergs floating nearby away from all the screaming and panicking.


While it's a different situation, it's still not a good one. The lack of rights for foreigners, the NSA's reach, the willingness to prosecute citizens of other countries, long detentions and harsh penalties for computer crimes etc. puts people in a situation where the US government can make things very uncomfortable for them. I do think some risks with e.g. mass surveillance have been exaggerated, like being pursued on a basis of keywords. But if the US government actually has evidence against you of things they consider illegal, your legal protection against abuse will have weakened. So while it's unlikely that the FBI has a list of dissidents that they've correlated with collected evidence and are just waiting for people to cross the border, it's still not a situation people should have to, or have to, accept.


Foreigners who are legally in the US are afforded the exact same due process rights as Americans.


This is not true at all. There is no Due Process when you're under the purview of USCIS/INS, CBP and ICE. This is why visa holders in good standing can get turned-away at the border or destination airport and sent back immediately, even if they have done nothing wrong or violated the terms of their visa - just on the suspicion or hunch of the immigration officer - and they can extend their reach even after you pass through immigration. There's a reason they're called "constitution-free zones": https://www.aclu.org/know-your-rights-governments-100-mile-b...



If you haven't made it through CBP, you aren't legally in the US yet.


70% of Americans are under the purview of the CBP and their 100-mile sphere of influence.

https://www.aclu.org/other/constitution-100-mile-border-zone


This is false, and the ACLU should take this page down. In fact, in the 1970s, the Border Patrol tried to rely on this notional "sphere of influence", and was smacked down by the Supreme Court. Searches concomitant with the Border Search Exemption must have some nexus to an actual, recent border crossing.


This is claimed by DHS and not backed by law or legal precedent in the manner you imply.

ICE and CBP do conduct arrests pertaining to border violations within that 100 mile zone, but they aren't shaking down random passers-by for their iCloud passwords. They do have to follow due process.

I don't have citations because I can't prove a negative.


That's why the parent said "legally in the US", not "at the border".


You meant to say "within 100 miles of any US border" instead of "at the border".


They could presumably investigate you with much greater power outside of the US where you don't have the same rights. I don't know if they could later use that in court, but that was at least what someone argued regarding Silk Road.

"In any event, even if the FBI had somehow 'hacked' into the SR Server in order to identify its IP address, such an investigative measure would not have run afoul of the Fourth Amendment," Turner wrote. "Because the SR Server was located outside the United States, the Fourth Amendment would not have required a warrant to search the server, whether for its IP address or otherwise."

https://arstechnica.com/tech-policy/2014/10/us-says-it-can-h...


> to murdering someone with an undersized lobster

Too far, man.


Except those things have happened to other people and thus anyone who has done those things (that aren't necessarily immoral or even illegal in other places) should avoid the US.


Didn't you guys write an OS X rootkit back in the day?

Although I can see the line between that and this, I find it worryingly thin. Throw in a leaked IRC log joking about using it for criminal purposes and an overzealous prosecutor, and you'd probably be done.

Not to mention, it's idiotic to spend resources on prosecuting this guy. His life is effectively over, as he can now only ever use his skills for illegitimate work. Nobody will hire him. Since he was no longer an active accessory to crime and had already spent several years focused on legitimate work, society was far better off allowing him to continue on that path. He probably even more than made up for it by enabling hospitals to treat patients with the wannacry thing.

Instead, we have thrown all that away so some prosecutor can put a notch on his belt and brag about taking down something insignificant because he couldn't get anybody that really mattered. Who, by the way, has a long line of other sellers and is still looting bank accounts.


This logic makes sense if you suck the concept of "intent" out of criminal law. Otherwise, not so much.

But also, please don't corner me into defending the prosecution here. I get that it's easy to do that; just make absurd statements about how law enforcement works, as other people in this thread have done, and I'll probably take the bait.

But really, I have no idea who any of these people are. I don't work in the part of this field that gives a shit about "the Kronos banking malware", I didn't follow "MalwareTechBlog" on Twitter, I'm faintly allergic to the concept of any twitter account with "Malware" in the name, and more than anything else I think that anyone who would write PHP code to help plant HTML trojans across a botnet needs to set the bar a little higher for themselves.

I do not have a strong opinion about whether this person should be prosecuted.


Exactly! Even I worked on some ZeuS scripts back when I was freelancing. Not sure if it qualifies as a weapon. It may kill a JS programmer if they look at it though.

Upd. Oh it was sarcasm. Joking, black hats are a pain to deal with on the payment side before bitcoin, so I haven't got anywhere with that task.


Wait, why would you take that work?


Initially it was explained "create some inputs and ask for some numbers from the user" but later I realized what it is for: it's kind of a script that is injected in a banking page to leak credentials. Then I decided to not proceed with this shady task.


"Because, really, who among us hasn't built and sold software used to harvest Amazon logins, bank account logins, and credit card numbers from botnets?"

You don't need that. Adding up all the torrents I have downloaded during my life would probably amount to gazillions of dollars (according to DMCA, of course) and land me in jail for several lifetimes. Just a hyperbole of course, but it highlights the fact that I would be scared to enter USA, because who knows, I might have offended some local laws sometime in the past I wasn't even aware of.


If the NSA is literally everywhere, it shouldn't matter where you step foot, should it?


If the NSA were law enforcement, that might be a reasonable conclusion. NSA shares a lot more than many people think they should[1], but it isn't like German or Australian local police, or (usually), even local US cops have access. To have reason to seriously consider them in your threat model[2], you need to do something that encroaches on the interests of particular power centers. Aside from what most people think of as actual national security-type things, drugs are a good way, as is, apparently, majorly pissing off the copyright cartel.

All that said, I do suspect that we will hear more about surveillance from the various spook agencies (not just the NSA) being laundered to more mundane criminal cases over time. We know this happens with the DEA and FBI; we know the DEA feeds local law enforcement carefully laundered intelligence; I'm really curious about DHS, ICE and major-metro police agencies like the NYPD's relationships, possibly through what amount to cutouts.

[1] Interestingly, different people hold irreconcilable motivations for thinking that.

[2] Assuming away movie-plots, etc.


>> To have reason to seriously consider them in your threat model, you need to do something that encroaches on the interests of particular power centers.

Like building wind turbines?

[0]: https://fas.org/irp/program/process/rapport_echelon_en.pdf


When a website is seized off the dark web by the government, you can bet that it is a treasure trove of information for new and existing investigations. This is probably just the first of many indictments that we will see connected to AlphaBay.


This does not make a lot of sense since he has been in the public eye for awhile now. But who knows. I wonder if he had a presentation to give at Defcon. So far his actions have been very whitehat.


Of course it does. He traveled to defcon repeatedly, last time they didn't have the indictment ready so they waited for the next.

The US most certainly doesn't want to have another ongoing extradition battle for a British hacker in the UK.


Weren't you detained in a similar way when you traveled to the US to attend Defcon (without the arrest part)? Are you able to discuss how that all went down?


Hotel rooms searched before con by the FBI, seized some tech and left me alone. Pretended to arrest a "friend" who was with me.

On my way back, switching planes at JFK there were a bunch of FBI agents waiting in the tube who served me a subpoena and suggested that I'd be arrested if I tried to continue my trip.

Ended up being dropped off at the courtyard Marriott in Newark by the FBI (after very little arguing they paid for it, rather strange). Stayed there overnight, got interviewed in the morning about things I knew little about.

After the interview I got driven to JFK (maybe EWR, not sure) in a FBI car, with the agent at the wheel demonstrating some impressive skills in the heavy traffic, mostly going around it by driving on the shoulder.

Never going to the US again I guess, not voluntarily nor involuntarily.


> suggested that I'd be arrested if I tried to continue my trip.

If they've got grounds to arrest you, they're simply going to do so.


You're right. I was 15 at the time, would deal with the situation very differently today.


So if I'm following right, the FBI tried to keep you away from a hacker conference and -- I'm inferring here -- because you were a foreigner, and possibly a kid (no offense meant)?


FBI grabbed me after the hacker conference. Before the con they just searched my room in Vegas and seized my throwaway netbook and phone.

They didn't harass me for being a foreigner or a kid, I suppose they might have let me off easy because of that though.


Why were you targeted in the first place? (Sorry I'm not familiar with you)


If you go up a bit in this thread you'll find other comments discussing this.


Forgive my ignorance, but who are you and why was the FBI interested in you?


Google "Julius Kivimaki" / zeekill. http://www.bbc.com/news/technology-33442419

Member/associate of HTP and Lizard Squad, hacked Linode (at least once), Lenovo, the Python wiki, some game companies; called in a bomb threat on a plane a Sony executive was flying (might've just been a friend of his who did that, can't remember), DDoSed video game services and 8chan for ages, possibly involved with the creation of the GayFgt and Mirai botnets, and much more. Got off scot free because he did it all before he turned 18.

I believe his use of ryan / ryanlol is a mocking reference to Ryan Cleary, whom he hated and considered incompetent. (Could be wrong.) It may have an (unintentional?) double meaning, since that's also the name of the aforementioned "friend" who secretly snitched on him and led to his detainment.

Nothing against the guy. He's intelligent and a good HN commenter. By sheer coincidence I sat in many disparate IRC channels under different aliases over the years that he would always seem to find his way into (probably not a coincidence in retrospect; he just loves IRC). He was very open about most things and generally appeared to be driven by e-cred, revenge/competition, and comedy over financial gain. But some people say he was involved with carding, too. No idea if that's true.

edit: Looks like he recently admitted to (light) carding as well: https://news.ycombinator.com/item?id=14884487


tfw HN stops allowing/supporting delete.

See also: Coinbase on this month's "Who's Hiring" (flagged)


Because of a bunch of silly shit I did as a kid. I've got more details in past comments but it was the typical things that happen when you grow up spending too much time on hacker IRCs.



He could tell you, but then he'd have to kill you!


And we don't really know if names from sealed indictments like this are cross checked with passenger manifests or if Hutchins's recent attention in the media helped to trigger this.

And I hate to go down a more "conspiracy theory" line of speculation, but if his history hasn't always been on the white-hat side of the line, then his Wanna Cry involvement looks more questionable as well.


"Hours after Hutchins was arrested by the FBI, more than $130,000 (£100,000) of the bitcoin ransom taken by the creators of WannaCry was moved within the bitcoin network for the first time since the outbreak."


Not that it affects your point, but Assange is an Australian citizen.


I think the other "UK hacker" being referenced is Gary McKinnon, and the ten-year legal wrangle* to try to get him extradited to the US on charges of breaking into US government/military computer systems.

Rather than fight the UK on a hacker extradition again, the US seems to've taken advantage of the convenient fact that their target voluntarily placed himself on US soil.

*The core of the McKinnon fight seems to have been the fact that he was offered a chance at a much-reduced sentence if he cooperated and provided information about what he'd done and how he broke in, but on the UK side that was spun as a form of extortion (in other words, rather than a "be helpful and you'll get a lighter sentence" they read it as "fight us and we'll try to lock you up forever").


I was actually referring to Lauri Love, a British hacker currently in a situation very similar to the one McKinnon was in. https://freelauri.com/

These extradition fights are largely played out in the media, it would probably have been unwise for the US to request the extradition of another sympathetic character with lots of community support behind them.


Previous related discussion: https://news.ycombinator.com/item?id=14921018.


It's an oddly uninformative document. It says that they believe he created the Kronos malware but gives absolutely no clue why they think that. All the other overt acts listed appear to have been carried out by his unnamed alleged co-conspirator alone. What makes this particularly bizarre is that he was begging on Twitter for a sample of the malware in question at around the same time: https://twitter.com/MalwareTechBlog/status/48837379416825446...


> It's an oddly uninformative document.

Indictments are lists of charges; expecting them to be informative for questions other than “what is the defendant being charged with” is irrational. (And “what is the evidence supporting the charges” is a separate question.)

> All the other overt acts listed appear to have been carried out by his unnamed alleged co-conspirator alone.

A conspiracy charge only requires any of the conspirators to have taken an overt act in furtherance of the conspiracy.


This is much less informative than other indictments have been. The NanoCore indictment, for instance, went into much more detail than this one did, and for an uncannily similar crime. Other "controversial" indictments, such as the one for Kim Schmitz, have practically been small books about the alleged criminal conspiracies.

I'm assuming at some point there will be a superseding indictment that goes into more detail.


I'm asking since I do not know the answer. Is the boilerplate nature of the language in this indictment typical?

The indictment seems to essentially recite the statutes named, even to the point of preserving the original text in the face of grammatical error.

I am particularly curious about instances where it is clear that the statute was violated by one set, in particular, of several alternate conditions.

Is it the role of the indictment to convey the nature of the alleged acts which broke the law, or to convey the nature of the laws that were broken, irrespective of the details of the acts?

The assertion by a grand jury that a person did one thing OR some other thing, especially, comes across as a little peculiar to a naive reader.


Not sure how this works in the US, but "fair trial" means (at least in German law) that the defendant has full access to all evidence brought against him before it is brought to court, right?


Yes and that will be made available to his defense team through the discovery process.


As "overt acts in furtherance of the conspiracy", the indictment alleges that Hutchins "created the Kronos malware".

The rest of the overt actions appear to involve marketing and selling it.


Marketing and selling can be considered more damning than the other thing.

For example, many times you will not be prosecuted for pirating content/counterfeiting merchandise/using drugs for your own personal interest, but if you try to advertise/sell such things you're much more likely to become a target.


[jumped to wrong conclusion]


It's a trojan whose purpose is to be installed on large numbers of compromised end-user machines, and to inject fake web pages into browsers to collect credentials and credit card numbers. The DOJ prosecutes people who do that; see, for instance, the recent NanoCore case.


I stand corrected, thanks for the clarification.


"Unnamed coconspirator"

This phrase piques my FBI informant radar, and for anyone paying attention often they are worse than the people they rat out, but now get magically protected as useful assets.

Surely they have something concrete to tie him to this, regardless, I could very easily see this being the making of a new Sabu. I could also very easily see the unnamed be inventing stuff to get out of the hot seat.



They aren't supposed to give their full investigative details; this is just a summary of the allegations they're making against him. We will likely see evidence and details in the coming months.


> What makes this particularly bizarre is that he was begging on Twitter for a sample of the malware in question at around the same time

Or he was advertising / making a ham-handed attempt at misdirection.


Implausible deniability, perhaps?


> but gives absolutely no clue why they think that

Well, first, it's an indictment, not a trial. The evidence was presented to a grand jury which found it sufficient to try before a criminal court. It will be presented again at trial, along with whatever else the DoJ has (or else he'll plead out and we'll never see it).

Second, it sounds kinda damning to me: they apparently have him actually selling this thing. If they can prove that, he's toast.


People said this about the Page deposition as well yesterday. I'm not sure what to say except that every document we can find does not necessarily exist for our edification.


> The operation included the arrest on 5 July of suspected AlphaBay founder Alexandre Cazes, a Canadian citizen detained on behalf of the US in Thailand. Cazes, 25, died a week later while in Thai custody.

What's this about? The US told Thailand to arrest a Canadian tourist, who they subsequently murdered? People don't die by accident in police custody.


He had been living there for several years and owned multiple houses. Not a tourist.

>The Bangkok Post reported Cazes was discovered in the bathroom of his cell hanging from a towel. The NSB’s Major General Soontorn Chalermkiat told the paper there are “no clues that suggest he didn’t hang himself.”

https://www.washingtonpost.com/news/morning-mix/wp/2017/07/1...


In 2012, 4,309 inmates died while in the custody of local jails or state prisons [in the US]. (...) The number of deaths in local jails increased, from 889 in 2011 to 958 in 2012 (...) More than a third (36%) of deaths in local jails occurred within 7 days of admission

https://www.bjs.gov/content/pub/pdf/mljsp0012st.pdf


According to this article, it was an apparent suicide: https://www.washingtonpost.com/news/morning-mix/wp/2017/07/1...


I imagine that, when you have been the mediator of a bunch of drug trade transactions, "getting caught" can be something of an indirect act of suicide.


From the pictures on Facebook there was no sign of a struggle, the woman in the cell next to him and the cop monitoring the cells both told the same story. It is unlikely that the Thai police would suicide someone for drug crimes that were committed outside the Kingdom. There is just no angle in it.

The Thai Police were looking at huge publicity for arresting him. They would want him alive. Clearly he didn't have the connections he needed to be a rich criminal in the Kingdom otherwise he'd have evaded arrest (they had him under surveillance for a while.)

I think it is likely that he chose suicide on his own terms over a lifetime sentence in a US jail. Given the lifestyle he was used to, facing a lifetime in US jail would be pretty depressing.


Maybe some people didn't want him to talk.


Why is DEFCON still held in the US? At this point it's basically the biggest IRL honeypot on the planet. It should probably be moved somewhere a bit safer, like Toronto, shouldn't it?


Even Toronto wouldn't necessarily be safe since a fair few people are going to have to transit the US to get there - a quick search on Hipmunk suggests at least 50-60% of the London to Toronto flights involve a US layover.


I expect most DEFCON people would gladly accept the inconvenience of a smaller choice of flights, if it removed the possibility of being detained while ensuring the conference is still well-attended. You can't realistically move DEFCON too far, and the other options (Mexico, Caribbeans...) are not exactly a step forward in terms of liberal rule of law.

I think the main problem will always be people who can't (or won't) cross the US border at all, no matter how easy it is. I expect this number is significant among the DEFCON crowd. Still, at some point, the organisers will have to consider whether keeping those types around is worth putting all their non-US guests at risk of draconian imprisonment.


Seriously.


Ironic that some sources suspect he authored Kronos too, haha.

That's the best joke I've heard all day. Keep in mind MT is the guy who made a blog article about HVNC and was like "yeah, sorry, can't release my own implementation because.. reasons.. (hehe winkface; tips black fedora)" and then links his GitHub, where a terrible example of CreateDesktop's usage can be found. This guy's profession is to open up IDA Pro and use the pseudo-C output plugin and then vaguely stay on-top of "threat intelligence". Here's my threat intelligence for these people: don't run with scissors.

MT is a dreadful programmer. There's logs of MT in his IRC telling people "you can't use the -> operator on references in C++!". He also said he's been writing formgrabbers since before other members of the IRC were born (seriously, nonchalantly). He's barely a programmer at all; never mind a programmer capable of completing malware projects.

MT's past is pretty shady. He's been mixed around with other skids for years with actual ill-intent and that's why this incident has happened.

The fact people take MT, and people in his league like MalwareUnicorn, seriously is completely beyond me. They're all literal skids. It seems anyone with a twitter handle and the ability to retweet real researchers' work is an "infosec researcher". The 'profession' has devolved into something worthy of a meme. And before you try defend these people, just remember that the "whitepapers" people so often love to reference when defending such Twitter skids are literally just 5 page pamphlets where they advertise their employer and talk about things that were discovered in 2004.

Next thing you know, LinkCabin will be giving his rundown of the events. Every moron likes to get involved when they know nothing of MT nor

Also, as far as the "TouchMyMalware" alias is concerned: that alias was taken by someone else (who has no vested interests in malware) long after MT abandoned it. So, any recent activity you see relevant to that alias isn't MT. If you want MT's old aliases, you're gonna have to beat the real ones out of him.

The state of information security is in total disarray. In 2017, security research is just unskilled skids on Twitter engaging in a giant circle-jerk. Shame, where did it all go wrong?


Interesting that the WannaCry bitcoin account was emptied at about the same time.

https://qz.com/1045270/wannacry-update-the-hackers-behind-ra...

Makes me wonder about this guy's real connection to that.


I don't think he would have pulled the plug so early if he was making money from it. Probably just a coincidence or someone got spooked by everything going on.


The big stories at the time were that hospitals in the UK were getting shut down by it. If whoever did it lived in the UK they may have had a change of heart.


Yeah, the thing about shutting down hospitals is that instead of looking at fraud and computer crimes that probably won't even be investigated, you are potentially looking at manslaughter.


The confusing part for me is I thought malware was an established (albeit evil) business in which the US govt and many others did a brisk business. For example Gamma Group [1].

So is this just someone without the right connections?

[1]: https://en.m.wikipedia.org/wiki/Gamma_Group


If you sold 2000 glocks to the police you'd be fine.

If you sold 2 glocks to MS-13, you'd have problems.

It is someone without the right customers.


The govt is not against malware, the govt is against people making money and not sharing.


Most likely the US confusing investigation with being involved with the criminal activity.

They probably didn't even know about his job or previous good deeds when they arrested him. It's probably a blanket arrest based on communication metadata and relationships between involved parties. They're probably trying to save face right now.



This account kinda reeks of ryanlol.

I'm supposed to believe that someone registered an account just to brag about ryanlol, their biggest fan?


Please don't accuse other users of astroturfing or shilling unless you have evidence. It degrades discussion, badly. In this case it even crosses into personal attack, which we ban people for, so please don't.

We detached this subthread from https://news.ycombinator.com/item?id=14925431 and marked it off-topic.


Yeah, I was out of line.


Not him. I made a throwaway because of the nature of the discussion and to eliminate the very small chance he or someone else could infer who I might be. No point giving them my main account's history to help them guess.

I'm not a fan of his at all. I do think he and his talents are interesting, and he's arguably one of the most notorious black hats of the past 5 years. I spoke nicely of him to counterbalance the listing of objectively very unethical crimes he committed against people and organizations. I did not mean "this guy stole credit cards" in an adulating way - I meant the opposite.


You're a moron.

If you really think so though, mailto:hn@ycombinator.com


Please don't respond to someone else breaking the HN guidelines by breaking them yourself? We all need to take care of this place or it will get way less interesting and eventually not be worth preserving.


Count 5 sounds a lot like Kite's Atom plug-in.

> knowingly and intentionally endeavored to intercept and procure certain electronic communications, namely computer keystrokes of others without the knowledge or consent of said others.


You could argue that by installing an open source plugin, you consent to whatever it does.

EDIT: Not that I like Kite, just bringing up plausible deniability


I think that would be a tough sell, and open too many undesirable side effects to pass legal muster. It would provide any bad actor legal cover via open sourcing.

With the validity of click-wrap license agreements, the water is muddied further: If users are responsible for complying with their terms, a case could be made that users are, for legal purposes, NOT responsible for being compliant or cognizant of anything not in those terms or other explicitly stated capabilities. For an open source package, that may only be a package digest or readme.md file. (and of course the distribution license e.g. GPL etc.)


Every keyboard app for Android



