The quote is fine, but the attribution to "people" rather than an individual is frankly odd. Multiple people said that exact same quote? I believe one person on Twitter originated it.
If it has been retweeted then maybe it does make sense? And one person saying that isn't newsworthy, but many people backing it up is (slightly) more relevant.
He's absolutely a hero, if only an accidental one. His actions thwarted a large scale cyber attack on some pretty crucial services, so he definitely deserves recognition for it.
Let us also not forget that these are allegations against him and until he is tried and found guilty, he is still an innocent person with only said good deeds to his name. If that changes, so be it, but let's not get ahead of ourselves until justice has ran its course.
Sadly, the justice system is so broken we're likely not to see a resolution any time soon, and if he's forced to plead guilty, it may not even be true.
I don't have to have the same standard of evidence as courts to judge someone though.
'Beyond a reasonable doubt' doesn't have an agreed upon numerical probability AFAIK, but let's say it's 95%.
I can say, sure, don't put people in jail until it's 95% certain they're a bad guy, but if I think it's 75% likely they're a bad guy, I'm still gonna think they're probably not the most lawful person ever.
(I have zero evidence either way w.r.t to this case specifically, I'm not saying he's guilty, but I just don't think it's as black and white as you make it sound. If someone is accused of murdering children, and there is some evidence pointing to that, but not enough to reach 'beyond a reasonable doubt' so he is found not guilty, it's quite sane to refuse to hire him as a babysitter.)
Whats the issue with that statement. It is early and I haven't had my coffee yet but I am a security researcher and while I have my questions about his past many of my counter parts in the UK have raised some very very valid questions about the legitimacy of the allegations against him. So unless I am missing a grammatical or syntactical error whats the issue with that statement?
There are companies providing tools to 'hack' other devices/systems -- and they sell those tools to the U.S. Government. Similar to what Mr. Hutchins is being accused of, only the U.S. Government wasn't a customer.
Are we going to start pretending the identity of the customer or employer doesn't matter? It's accepted practice for the government to have a monopoly on certain goods & services.
It boils down to what Mr. Hutchins thought the buyers were going to do with the malware. Were they going to use it for malicious purposes or was it for educational use?
If Mr. Hutchins was selling malware to the U.S. Government, then his thought would more likely be it was to be used for malicious purposes. i.e espionage. However, this is not illegal -- but the other is?
There are some things you can only sell to certain customers. All of those things could, in theory, be used for "educational" purposes. I can't legally manufacture & sell anthrax to my neighbor even if he swears on a bible that he only intends to study it.
What disturbs me is the idea he can be arrested and his place of incarceration is not known. Unless he is subject to harm I see no reason that this should be the case. Is this merely the BBC not asking?
> The arrest was initially confirmed by a screenshot that a friend of Hutchins captured of the facility website. When the friend visited the detention center on Thursday morning, he was told Hutchins was no longer there. The website mention of Hutchins was also gone. PJ Thomas, an administrator at the US Marshals office that the website referenced, said the agency has no record of Hutchins. The friend, citing privacy concerns, asked not to be identified by name in this article.
My nose suggests the arrest is using the tool of prosecutorial discretion in an attempt to create better alignment between Hutchins' work and Anglo American intelligence and security interests...one or the other or both. If pursuing justice regarding the criminal complaint was the primary goal and the case was strong, the US could have sought his extradition from the UK in the past.
Yes they did not know him before. He was only recently publicly identified as malwaretech having been doxxed by British media as a 'reward' for stopping the wannacry virus.
Some journos bought him dinner in Vegas - did they know something, were they really just there for BHDC?. He got all the way to airport and was moaning about the delay with his priority boarding but looking forward to getting back to a debugger.
The dude in question they really want is called TouchMe/TouchMyMalware. There are some old chat logs but no hard evidence in them even on TouchMe. If something as ephemeral as an IRC nick is then well then I'm bruceschneieier. They joke about putting Brian Krebs in it and I do recall this was a meme for a while. There is some stuff on hacker forum but kids stuff.
It is not illegal even in US/UK to write code.
He researches malware, maybe hung out with the creators in IRC. Actual evidence suggests that he did not create or distribute either Kronos or Wannacry.
Some people say he wrote and did a video for a RAT. So what - it is a RAT.
It is interesting to note the reaction of various hackers. Spot the fed. Used to be a game at BHDC now it is spot the hacker. I think that an alternate con - maybe in Estonia - would be a good idea? There must be many who won't travel to US now or even before.
Only last week some UK Police Squad were touting their hacker rehab for kids with some lulzsec dude. Recent UK legislation was brought in that means the government can force you to work for them. They want to make it easier for themselves to spy/hack and to lock up and/or press-gang everybody else. Do what we say not what we do.
What OPSEC lessons are we learning kids? Privacy? Getting involved? Helping out?
The confusing part for me is I thought malware was an establish (albeit evil) business i which the US govt and many others did a brisk business. For example Gamma Group [1].
Maybe he started it all, became the hero, withdrew his BitCoin balance and then tried to gamble it all to look like he won it legitimately at the casino in Vegas.
32 comments
[ 3.3 ms ] story [ 71.1 ms ] threadWho on earth let this article go out with that in it?
> It is thought to be named after a mythological creature.
This article has some interesting framing issues. Aside from being simply incorrect in this case.
I'd call him a Hero for that.
Let us also not forget that these are allegations against him and until he is tried and found guilty, he is still an innocent person with only said good deeds to his name. If that changes, so be it, but let's not get ahead of ourselves until justice has ran its course.
'Beyond a reasonable doubt' doesn't have an agreed upon numerical probability AFAIK, but let's say it's 95%.
I can say, sure, don't put people in jail until it's 95% certain they're a bad guy, but if I think it's 75% likely they're a bad guy, I'm still gonna think they're probably not the most lawful person ever.
(I have zero evidence either way w.r.t to this case specifically, I'm not saying he's guilty, but I just don't think it's as black and white as you make it sound. If someone is accused of murdering children, and there is some evidence pointing to that, but not enough to reach 'beyond a reasonable doubt' so he is found not guilty, it's quite sane to refuse to hire him as a babysitter.)
> It's just poor writing. Either you paraphrase what people are saying, or you cite someone specific.
- companies selling 0-day malware/spyware to U.S. Government
- companies offering software to 'root' a device to extract information (cell phone data extraction), used by law enforcement.
Are we going to start pretending the identity of the customer or employer doesn't matter? It's accepted practice for the government to have a monopoly on certain goods & services.
If Mr. Hutchins was selling malware to the U.S. Government, then his thought would more likely be it was to be used for malicious purposes. i.e espionage. However, this is not illegal -- but the other is?
Should we start selling tanks anyone just because they could be taken apart for educational purposes?
No.
https://arstechnica.com/tech-policy/2017/08/researcher-who-s...
Or maybe they found out (or at least suspected) that he planned to attend DefCon and figured it would be easier if he came to them.
Some journos bought him dinner in Vegas - did they know something, were they really just there for BHDC?. He got all the way to airport and was moaning about the delay with his priority boarding but looking forward to getting back to a debugger.
The dude in question they really want is called TouchMe/TouchMyMalware. There are some old chat logs but no hard evidence in them even on TouchMe. If something as ephemeral as an IRC nick is then well then I'm bruceschneieier. They joke about putting Brian Krebs in it and I do recall this was a meme for a while. There is some stuff on hacker forum but kids stuff.
It is not illegal even in US/UK to write code.
He researches malware, maybe hung out with the creators in IRC. Actual evidence suggests that he did not create or distribute either Kronos or Wannacry.
Some people say he wrote and did a video for a RAT. So what - it is a RAT.
It is interesting to note the reaction of various hackers. Spot the fed. Used to be a game at BHDC now it is spot the hacker. I think that an alternate con - maybe in Estonia - would be a good idea? There must be many who won't travel to US now or even before.
Only last week some UK Police Squad were touting their hacker rehab for kids with some lulzsec dude. Recent UK legislation was brought in that means the government can force you to work for them. They want to make it easier for themselves to spy/hack and to lock up and/or press-gang everybody else. Do what we say not what we do.
What OPSEC lessons are we learning kids? Privacy? Getting involved? Helping out?
Whoever they also lifted has a SSN, any ideas?
[1]: https://en.m.wikipedia.org/wiki/Gamma_Group
Can see a movie plot coming on...