35 comments

[ 6.2 ms ] story [ 95.0 ms ] thread
This is low quality writing. And the author seems ignorant of the subject matter. I expect better from the New York Times.
It's a very bizarre read. Not sure how any of their logic follows at all.
Please elaborate a little more as your criticism is unsubstantiated.
The article makes it seem like he's a hero who was intent on stopping WannaCry, so should be pardoned for crimes he commited when he was younger. The reality is that he had no idea what registering the hard coded domain name would do, and got lucky that it was an ineffective method of VM detection that was effectively a kill switch. For all he knew, registering the domain name could have made the malware self-destruct and delete all the encrypted data. People shouldn't be pardoned for accidentally doing something good.
> People shouldn't be pardoned for accidentally doing something good.

Following the same reasoning we should remove the nobel prize to Alexander Fleeming because trying it was "just good luck". In the end we would all live in a ungrateful and miserable society.

This sends a strong message that you must care just for your own problems and let the other people fall, or you have a fair probability of be punished by being a smartass

(comment deleted)
Sarah Jeong op-ed.
As much as I like Malwaretech, and followed him long before WannaCry was around, stopping malware isn't a reason for a pardon.

Arresting him by waiting until he came to the US rather than issuing when they knew they wanted him should be a reason, or the fact that when the crimes were commited he was a minor. But being famous for stopping malware is no reason to pardon someone.

All the best to him though, I still can't believe it's legal to detain people for so long without a trial.

Pardons can be issued for any reason, or no reason. They are entirely at the discretion of the executive
That the executive has this power does not make it a good/just thing. Lowpro is discussing the latter.
Parent was arguing whether or not a pardon should be made, not whether it could be made, which or more or less orthogonal.
> I still can't believe it's legal to detain people for so long without a trial.

At least if the article is to be believed, this is probably partially on the defense, in terms of filing a lot of motions and so on. Apparently there are "complex legal issues" that could have been appealed. Wrangling all that takes time.

That the crimes were committed when he was a minor, and that he grew up and channeled his interest into becoming a highly productive member of society (as demonstrated by his work including stopping WannaCry) would be a very good reason for a pardon I think. I'm not sure how much we actually disagree, but while we're talking semantics I'd say stopping malware in this context is a reason for a pardon.
Crimes committed when he was ages 17-20, according to the article. He was only a minor for the first year.
>or the fact that when the crimes were commited he was a minor

One of the charges he plead guilty to had him updating and still selling the banking malware in 2015, when he was 20, and was already acting publicly as a whitehat.

In many places you can be tried as a minor even after turning 18.

  I still can't believe it's legal to detain people for so long without a trial.
It isn't, unless the defense chooses to waive its right to a speedy trial for strategic reasons.
Keep in mind that Hutchins had no idea what registering the domain would do at the time of registration. It was pure dumb luck that it turned out for the best, it could very well have been a disaster. In fact he even admits that he went through a panic phase after domain registration where he thought he'd triggered the malware [1]. Which makes all the "He's a hero" articles bogus if not amusing to say the least.

"After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we’d encrypted everyone’s files (don’t worry, this was later proven to not be the case), but it still caused quite a bit of panic."

This nytimes article is just terrible. Absolutely terrible. Sarah Jeong should be ashamed. After this and the way she treated Naomi Wu [2], I don't think I'm going to be giving her any journalistic credence.

[1] https://www.malwaretech.com/2017/05/how-to-accidentally-stop...

[2] https://medium.com/@therealsexycyborg/shenzhen-tech-girl-nao...

> registering the domain

What if the malware had bound to www.google.com or www.fbi.gov? Would we hold these companies accountable for registering a domain?

> Hutchins had no idea what registering the domain would do

This doesn't seem like a good faith reading of the situation. The blog post you link to as a source for this claim describes how he was doing something he'd done thousands of times before in the service of tracking and disabling botnets, and that he considered it to be his job. But you make it sound like he was a total amateur who saw a domain name string and registered it on a whim with no intuition as to whether it would be more likely to do something helpful or harmful.

It sounds like he did in fact know a lot about what he was doing, such that he could make sensible inferences under uncertainty in the middle of a time-sensitive crisis. That's the best we ever get to expect from someone.

That's exactly what he did, registered the domain on a whim with no actual facts to back his decision. I think that much is obvious.

My reading of the situation is also based on additional data that's public if you care to look. His skill level and intuition can be extrapolated if you watch a few of his youtube videos. Or if you happened to talk with him on IRC. You'd realize he's little more than a script kiddie.

Hutchins is not what he has been portrayed as by the media.

It seems weird to simultaneously argue that he shouldn't get a pardon because he's a dangerous hacker, and also that when he was being a dangerous hacker he was just a skill-less script kiddie kid.
There are lot of script kiddies in the malware-for-profit business, it doesn't take a lot of skill really. He's not at the bottom of the barrel but he's definitely not very far from it.
>"After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we’d encrypted everyone’s files (don’t worry, this was later proven to not be the case), but it still caused quite a bit of panic."

this is insane, why not try localhost/local dns server first?

He's gotta get in line between Edward Snowden and Reality Winner
Snowden can't be pardoned since he hadn't been convicted.
I wasn't around then but, if I'm not mistaken, Nixon hadn't been convicted when Ford pardoned him shortly after assuming the Presidency.

ETA: According to Wikipedia [0]:

> The pardon may be granted before or after conviction for the crime, depending on the laws of the jurisdiction.

It seems that, in the U.S. at least, one can be preemptively pardoned.

[0]: https://en.m.wikipedia.org/wiki/Pardon

I normally really like what Sarah Jeong has to say but . . . I don't think typically criminals get pardons just because they do something nice later on in life? And I mean not that later on either? Would he deserve a pardon if he had gone and worked all day in a soup kitchen for two years? On some level, that would actually demonstrate a higher level of altruism, because stopping Wanna Cry was definitely in his own personal best interest -- his fame as a result has surely been good for business.

>But Mr. Hutchins, had no stomach for an interminable fight, and pleaded guilty last week to two counts under the Computer Fraud and Abuse Act and the Wiretap Act,

How do we know that it's not just because he thought he was most likely to be convicted and didn't want to roll the dice?

Also, I apologize for derailing my own comment, but what is up with the grammar in that paragraph and the one before. "amid complex legal questions that could have gone been appealed"? I've never seen an NYT piece with this many errors.

> How do we know that it's not just because he thought he was most likely to be convicted and didn't want to roll the dice?

It doesn't really matter. We want to incentivise guilty people pleading guilty mainly to lighten the load on the justice system. Being lenient to sincerely repenting people is a desirable side effect that nevertheless should not be pursued too hard.

You normally really like what a notorious racist has to say.. I guess that says a lot about who you are too.
> I don't think typically criminals get pardons just because they do something nice later on in life?

It is this very question that the article poses, and it goes so much deeper than merely tech. "Do the sins of your past define you as a person today?"

Abraham Lincoln was likely raised as a racist and likely believed in racism for at least the decade that his parents' beliefs dominated his. Clearly his actions redeemed not only himself, but humanity; and I therefore believe that the person today is the more important person.

I've seen countless examples of people who have said stupid shit in the 90's or the 00's, who have changed their ways, who have been slaughtered by the larger internet. If you are to be ridiculed by Earth, why change your ways at all? Lose if you do, lose if you don't. If change is the goal, why attack people who actually change?

I struggle with my biases daily, I learned them from the South African government, but by hell I will better them and forget them. I am not the same person today as I was yesterday, nor are you and nor is Hutchins.

Reform is only one of the four major reasons for incarceration. You've addressed that he's reformed, and I'll stipulate that he has for the purpose of this discussion. I don't think that alone is enough that we should give him a pass. Plenty of people reform before they are convicted of any crime. Most murderers would never reoffend and sincerely regret their actions. But nobody speaks of letting them skip jail solely on this basis.
I see many infosec individuals supporting Marcus out of the idea that many have dabble in black hat activities in the past, and that exploration and "playful" hacking shouldn't result in years of prison time. However I feel that carding and fraud should not be seen in the same light. Marcus has admitted to creating malware with the sole goal of immiserating many to enrich himself and his co-conspirators. You don't code webinjects for the thrill of surpassing security.
People that hacked and released NSA exploit: still free

People that weaponized NSA exploit and released Wannacry bitcoin ransom: still free (I think?)

People that weaponized NSA exploit for Monero mining: richer than Wannacry creator and still free

People that made silly exploit at NSA: still free

Moral of the story is dont get caught.