[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Hal Martin Sentencing Leaves All Questions Unanswered

/4 Comments/in , , /by

Hal Martin was sentenced Friday. He received the nine years agreed upon as part of his plea agreement. But — as the many reports of his sentencing emphasize — closure on this case still doesn’t offer closure on the Shadow Brokers case. Of course the sentencing hasn’t solved the Shadow Brokers case, which has been true since Martin was charged in 2018 but was recently reiterated by AP.

But it also hasn’t provided much clarity on some of the other issues about this case. For example, his lawyer Jim Wyda seems to have confirmed that the cryptic DMs sent to some Kaspersky researchers in advance of the original Shadow Brokers release were his, denying that Martin intended the “Shelf life, three weeks,” DM to be an offer to sell the NSA’s exploits that would be offered for sale less than an hour later. [Note: this sentencing was difficult to cover remotely because the filings weren’t released in PACER, so I’m particularly grateful for other’s coverage, especiall this excellent CyberScoop story on it.]

Jim Wyda, Martin’s public defender, said Friday there was no indication Martin intended for any transaction to take place by that tweet.

I had noted that, given the lack of 2FA at the time of the DMs, hacking Martin’s Twitter account to send the DMs would have been child’s play, something an account claiming to be Shadow Brokers responded to fairly aggressively.

The government, however, offered no comment on those DMs. In response to Judge Richard Bennett’s reminder that the Tweets had been the subject of a Martin challenge to the warrants searching his house, prosecutor Zachary Myers refused to comment, even though classification wouldn’t prevent comment.

Bennett reminded U.S. attorneys of the tweet and the timeline on Friday in court. Assistant U.S. Attorney Zachary Myers said the U.S. government would not be commenting further than noting that the timeline is, indeed, in the facts of the case.

Then there’s the question of whether Martin was a hoarder or a thief. His attorneys insisted his collection of documents was an expression of mental health issues. But the government pointed to how organized it all was (which is hard to square with the descriptions of the chaos of his house from the time of the arrest).

“This is not a case of hoarding, this is stealing,” Myers said Friday at a federal court house in Baltimore. The stolen information “was not in a disorganized manner,” he said, adding what the government found was “logical” and “repetitive.”

Bennett noted Friday he had concerns about the case regarding whether Martin’s alleged hoarding problem, noting that for someone who is a hoarder, he seemed well organized.

Martin’s wife described to CBS how he had recognized his illness before his arrest, but was afraid that if he sought treatment, he would lose clearance and his job.

Mental illness may explain why parts of Martin’s statement expressing remorse make no sense. WaPo:

Martin spoke for about 20 minutes, his voice calm, soft and sometimes difficult to hear as he read nearly verbatim from a letter he’d written earlier this month to the judge.

He made clear that what he’d done was wrong.

“The manner and method of my approach was unorthodox, unconventional, uncanny,” he wrote. “But also unauthorized, illegal and just plain wrong. One step beyond black. Please do not copy this. It is not the easy or correct path. I took shortcuts, went backwards, sideways and around things, crossing major borders and boundaries. It is not good, it’s very, very BAD.”

NYT:

He stood in a striped jersey labeled “Inmate” and read for nearly 30 minutes a rambling statement apologizing to family, friends and his former colleagues at the N.S.A.

“I have been called a walking encyclopedia,” he said, describing himself at another point as “an intellectually curious adventurer.” His words were often cryptic, at one point addressed to “that cool dude in a loose mood” and at another citing the N.S.A. motto, “They serve in silence.”

All that said, one of the most telling details from coverage of yesterday’s sentencing is in the the government’s press release on the sentencing. It emphasizes the resources diverted to investigating Martin’s activities, which sure makes it sound like they don’t think he’s the culprit behind the Shadow Brokers leak.

In court documents and at today’s sentencing hearing, the government noted that crimes such as Martin’s not only create a risk of unauthorized disclosure of, or access to, highly classified information, but often require the government to treat the stolen material as compromised, resulting in the government having to take remedial actions including changing or abandoning national security programs.  In addition, Martin’s criminal conduct caused the government to expend substantial investigative and analytical resources.  The diversion of those resources resulted in significant costs.

Bennett believes the nine year sentence will serve as deterrent for other intelligence personnel. But it’s not clear whether those are the people who need to be deterred.

Share this entry

Cloud Computing and the Single Server

/63 Comments/in , , , /by

[NB: Check the byline, thanks. /~Rayne]

I’ve been meaning to write about this for a while. Push came to shove with Marcy’s post this past week on Roger Stone and the Russian hack of the DNC’s emails as well as her post on Rick Gates’ status update which intersects with Roger Stone’s case.

First, an abbreviated primer about cloud computing. You’ve likely heard the term before even if you’re not an information technology professional because many of the services you use on the internet rely on cloud computing.

Blogging, for example, wouldn’t have taken off and become popular if it wasn’t for the concept of software and content storage hosted somewhere in a data center. The first blogging application I used required users to download the application and then transfer their blogpost using FTP (file transfer protocol) to a server. What a nuisance. Once platforms like Blogger provided a user application accessible by a browser as well as the blog application and hosting on a remote server, blogging exploded. This is just one example of cloud computing made commonplace.

Email is another example of cloud computing you probably don’t even think about, though some users still do use a local email client application like Microsoft’s proprietary application Outlook or Mozilla’s open source application Thunderbird. Even these client applications at a user’s fingertips rely on files received, sent, managed, and stored by software in a data center.

I won’t get into more technical terms like network attached storage or storage area network or other more challenging topics like virtualization. What the average American needs to know is that a lot of computing they come in contact every day isn’t done on desktop or laptop computers, or even servers located in a small business’s office.

A massive amount of computing and the related storage operates and resides in the cloud — a cutesy name for a remotely located data center.

This is a data center:

Located in Council Bluffs, Iowa, this is one of Google’s many data centers. In this photo you can see racks of servers and all the infrastructure supporting the servers, though some of it isn’t readily visible to the untrained eye.

This is another data center:

This is an Amazon data center, possibly one supporting Amazon Web Services (AWS), one of the biggest cloud service providers. Many of the sites you visit on the internet every day purchase their hosting and other services from AWS. Some companies ‘rent’ hosting space for their email service from AWS.

Here’s a snapshot of a technician working in a Google data center:

Beneath those white tiles making up the ‘floor’ are miles and miles of network cables and wiring for power as well as ventilation systems. More cables, wires, and ventilation run overhead.

Note the red bubble I’ve added to the photo — that’s a single blade-type server inserted into a rack. It’s hard to say how much computing power and storage that one blade might have had on it because that information would have been (and remains) proprietary — made to AWS specifications, which change with technology’s improvements.

These blades are swapped out on a regular maintenance cycle, too, their load shifted to other blades as they are taken down and replaced with a new blade.

Now ask yourself which of these servers in this or some other data center might have hosted John Podesta’s emails, or those of 300 other people linked to the Clinton campaign and the Democratic Party targeted by Russia in the same March 2016 bulk phishing attack?

Not a single one of them — probably many of them.

And the data and applications may not stay in one server, one rack, one site alone. It could be spread all over depending on what’s most efficient and available at any time, and the architecture of failover redundancy.

~ ~ ~
Some enterprises may not rely on software-as-a-service (SaaS), like email, hosted in a massive data center cloud. They might instead operate their own email server farm. Depending on the size of the organization, this can be a server that looks not unlike a desktop computer, or it can be a server farm in a small data center.

(The Fortune 100 company for which I once worked had multiple data centers located globally, as well as smaller server clusters located on site for specialized needs, ex. a cluster collecting real-time telemetry from customers. Their very specific needs as well as the realistic possibility that smaller businesses could be spun off required more flexibility than purchasing hosted services could provide at the time.)

And some enterprises may rely on a mix of cloud-based SaaS and self-maintained and -hosted applications.

In 2016 the DNC used Microsoft Exchange Server software for its email across different servers. Like the much larger Google-hosted Gmail service, users accessed their mail through browsers or client applications on their devices. The diagrams reflecting these two different email systems aren’t very different.

This is a representation of Google’s Gmail:

[source: MakeInJava(.)com]

This is a representation of Microsoft Exchange Server:

Users, through client/browser applications, access their email on a remote server via the internet. Same-same in general terms, except for scale and location.

If you’ve been following along with the Trump-Russia investigation, you know that there’s been considerable whining on the part of the pro-Trump faction about the DNC’s email server. They question why a victim of a hack would not have turned over their server to the FBI for forensic investigation and instead went to a well-known cybersecurity firm, Crowdstrike, to both stop the hack, remove whatever invasive tools had been used, and determine the entity/ies behind the hack.

A number of articles have been written explaining the hacking scenario and laying out a timeline. A couple pieces in particular noted that turning over the server to the FBI would have been disruptive — see Kevin Poulsen in The Daily Beast last July, quoting former FBI cybercrime agent James Harris:

“In most cases you don’t even ask, you just assume you’re going to make forensic copies…For example when the Google breach happened back in 2009, agents were sent out with express instructions that you image what they allow you to image, because they’re the victim, you don’t have a search warrant, and you don’t want to disrupt their business.”

Poulsen also quantified the affected computing equipment as “140 servers, most of them cloud-based” meaning some email and other communications services may have been hosted outside the DNC’s site. It would make sense to use contracted cloud computing based on the ability to serve widespread locations and scale up as the election season crunched on.

But what’s disturbing about the demands for the server — implying the DNC’s email was located on a single computer within DNC’s physical control — is not just ignorance about cloud computing and how it works.

It’s that demands for the DNC to turn over their single server went all the way to the top of the Republican Party when Trump himself complained — from Helsinki, under Putin’s watchful eye — about the DNC’s server:

“You have groups that are wondering why the FBI never took the server. Why didn’t they take the server? Where is the server, I want to know, and what is the server saying?”

And the rest of the right-wing Trumpist ecosphere picked up the refrain and maintains it to this day.

Except none of them are demanding Google turn over the original Gmail servers through which John Podesta was hacked and hundreds of contacts phished.

And none of the demands are expressly about AWS servers used to host some of DNC’s email, communications, and data.

The demands are focused on some indeterminate yet singular server belonging to or used by the DNC.

~ ~ ~
The DNC had to shut down their affected equipment and remove it from their network in order to clean out the intrusion; some of their equipment had to be stripped down to “bare metal,” meaning all software and data on affected systems were removed before they were rebuilt or replaced. 180 desktops and laptops had to be replaced — a measure which in enterprise settings is highly disruptive.

Imagine, too, how sensitive DNC staff were going forward about sharing materials freely within their organization, not knowing whether someone might slip and fall prey to spearphishing. There must have been communications and impromptu retraining about information security after the hack was discovered and the network remediated.

All of this done smack in the middle of the 2016 election season — the most important days of the entire four-year-long election cycle — leading into the Democratic Party’s convention.

(This remediation still wasn’t enough because the Russians remained in the machines into October 2016.)

If the right-wing monkey horde cares only about the DNC’s “the server” and not the Google Gmail servers accessed in March 2016 or the AWS servers accessed April through October 2016, this should tell you their true aim: It’s to disrupt and shut down the DNC again.

The interference with the 2016 election wasn’t just Russian-aided disinformation attacking Hillary Clinton and allies, or Russian hacks stealing emails and other files in order to leak them through Wikileaks.

The interference included forcing the DNC to shut down and/or reroute parts of its operation:

(excerpt, p. 22, DNC lawsuit against Russian Federation, GRU, et al)

And the attack continues unabated, going into the 2020 general election season as long as the right-wing Trumpists continue to demand the DNC turn over the server.

There is no one server. The DNC shouldn’t slow or halt its operations to accommodate opponents’ and suspects’ bad faith.

~ ~ ~
As for Trump’s complaint from Helsinki: he knows diddly-squat about technology. It’s not surprising his comments reflected this.

But he made these comments in Helsinki, after meeting with Putin. Was he repeating part of what he had been told, that Russia didn’t hack the server? Was he not only parroting Putin’s denial but attempting to obstruct justice by interfering in the investigation by insisting the server needed to be physically seized for forensic inspection?

~ ~ ~
With regard to Roger Stone’s claims about Crowdstrike, his complaints aren’t just a means to distract and redirect from his personal exposure. They provide another means to disrupt the DNC’s normal business going forward.

The demands are also a means to verify what exactly the Special Counsel’s Office and Crowdstrike found in order to determine what will be more effective next time.

The interference continues under our noses.

This is an open thread.

Share this entry

The Commander-in-Chief Keeps Instructing His National Security Officials Not to Protect the Country

/235 Comments/in , , , , /by

One of the most alarming passages in the Mueller Report describes how, in an effort to get Corey Lewandowski to convince Jeff Sessions to reverse his recusal in the Russian investigation, Trump suggested that Mueller could be limited to investigating future election hacks. (h/t to TC who has been emphasizing this passage)

During the June 19 meeting, Lewandowski recalled that, after some small talk, the President brought up Sessions and criticized his recusal from the Russia investigation.605 The President told Lewandowski that Sessions was weak and that if the President had known about the likelihood of recusal in advance, he would not have appointed Sessions.606 The President then asked Lewandowski to deliver a message to Sessions and said “write this down.” 607 This was the first time the President had asked Lewandowski to take dictation, and Lewandowski wrote as fast as possible to make sure he captured the content correctly.608 The President directed that Sessions should give a speech publicly announcing:

I know that I recused myself from certain things having to do with specific areas. But our POTUS . .. is being treated very unfairly. He shouldn’t have a Special Prosecutor/Counsel b/c he hasn’t done anything wrong. I was on the campaign w/ him for nine months, there were no Russians involved with him. I know it for a fact b/c I was there. He didn’t do anything wrong except he ran the greatest campaign in American history.609

The dictated message went on to state that Sessions would meet with the Special Counsel to limit his jurisdiction to future election interference:

Now a group of people want to subvert the Constitution of the United States. I am going to meet with the Special Prosecutor to explain this is very unfair and let the Special Prosecutor move forward with investigating election meddling for future elections so that nothing can happen in future elections.610

The President said that if Sessions delivered that statement he would be the “most popular guy in the country.”6 11 Lewandowski told the President he understood what the President wanted Sessions to do.612

In June 2017, the Commander-in-Chief of the United States suggested that the FBI should not investigate a historic cyberattack by an adversary on the United States. The investigation Trump was obstructing was not just of his own conduct, but also that of Russia.

That revelation puts two other events in dramatically different light.

First, recall that when Congress was considering bills to ensure election integrity last year, Trump pre-empted the effort with an Executive Order imposing a two step review, after the fact, to see if foreign adversaries had attempted to interfere in the election. First, ODNI does a report on the election, then he delivers it to other Executive Branch Officials. Then DHS Secretary and the Attorney General deliver a report based on that describing whether the effort to interfere had had a material effect. That report, too, just gets delivered to Executive Branch officials.

Section 1. (a) Not later than 45 days after the conclusion of a United States election, the Director of National Intelligence, in consultation with the heads of any other appropriate executive departments and agencies (agencies), shall conduct an assessment of any information indicating that a foreign government, or any person acting as an agent of or on behalf of a foreign government, has acted with the intent or purpose of interfering in that election. The assessment shall identify, to the maximum extent ascertainable, the nature of any foreign interference and any methods employed to execute it, the persons involved, and the foreign government or governments that authorized, directed, sponsored, or supported it. The Director of National Intelligence shall deliver this assessment and appropriate supporting information to the President, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, and the Secretary of Homeland Security.

(b) Within 45 days of receiving the assessment and information described in section 1(a) of this order, the Attorney General and the Secretary of Homeland Security, in consultation with the heads of any other appropriate agencies and, as appropriate, State and local officials, shall deliver to the President, the Secretary of State, the Secretary of the Treasury, and the Secretary of Defense a report evaluating, with respect to the United States election that is the subject of the assessment described in section 1(a):

(i) the extent to which any foreign interference that targeted election infrastructure materially affected the security or integrity of that infrastructure, the tabulation of votes, or the timely transmission of election results; and

(ii) if any foreign interference involved activities targeting the infrastructure of, or pertaining to, a political organization, campaign, or candidate, the extent to which such activities materially affected the security or integrity of that infrastructure, including by unauthorized access to, disclosure or threatened disclosure of, or alteration or falsification of, information or data.

The report shall identify any material issues of fact with respect to these matters that the Attorney General and the Secretary of Homeland Security are unable to evaluate or reach agreement on at the time the report is submitted. The report shall also include updates and recommendations, when appropriate, regarding remedial actions to be taken by the United States Government, other than the sanctions described in sections 2 and 3 of this order.

Predictably, when the deadlines for these reports came due after the mid-term elections last year, the Trump Administration balked at sharing all this reporting with the Senate Intelligence Committee.

Then there’s this NYT report revealing that the Mick Mulvaney told DHS Secretary Kirstjen Nielsen not to involve the Commander-in-Chief in any effort to keep this country’s elections safe, which (the report implicitly suggests) made it far more difficult for Nielsen to make protecting elections a priority.

Ms. Nielsen left the Department of Homeland Security early this month after a tumultuous 16-month tenure and tensions with the White House. Officials said she had become increasingly concerned about Russia’s continued activity in the United States during and after the 2018 midterm elections — ranging from its search for new techniques to divide Americans using social media, to experiments by hackers, to rerouting internet traffic and infiltrating power grids.

But in a meeting this year, Mick Mulvaney, the White House chief of staff, made it clear that Mr. Trump still equated any public discussion of malign Russian election activity with questions about the legitimacy of his victory. According to one senior administration official, Mr. Mulvaney said it “wasn’t a great subject and should be kept below his level.”

Even though the Department of Homeland Security has primary responsibility for civilian cyberdefense, Ms. Nielsen eventually gave up on her effort to organize a White House meeting of cabinet secretaries to coordinate a strategy to protect next year’s elections.

[snip]

Ms. Nielsen grew so frustrated with White House reluctance to convene top-level officials to come up with a governmentwide strategy that she twice pulled together her own meetings of cabinet secretaries and agency heads. They included top Justice Department, F.B.I. and intelligence officials to chart a path forward, many of whom later periodically issued public warnings about indicators that Russia was both looking for new ways to interfere and experimenting with techniques in Ukraine and Europe.

[snip]

A second senior administration official said Ms. Nielsen began pushing after the November midterms for the governmentwide efforts to protect the 2020 elections, but only after it became increasingly clear that she had fallen out of Mr. Trump’s favor for not taking a harder line against immigration.

That official said Ms. Nielsen wanted to make election security a top priority at meetings of Mr. Trump’s principal national security aides, who resisted making it a focus of the discussions given that the 2020 vote was, at the time, nearly two years away.

Trump’s refusal to protect elections accompanies a de-emphasis — one enforced by John Bolton — on cybersecurity generally.

This is, quite literally, a case where the Commander-in-Chief is refusing to take the action necessary to protect the country from being attacked in the same way were most recently were attacked.

Update: Earlier this week Politico reported on the effects of a reorganization in Office of Management and Budget’s cybersecurity office before Mulvaney left OMB to become Chief of Staff.

Few Americans may have heard of the Office of the Federal Chief Information Officer, but the unit inside the Office of Management and Budget coordinates tech improvements across the government, helping agencies boost cybersecurity and manage technology and cybersecurity budgets that totaled $105 billion in the past fiscal year.

But many OFCIO employees are overwhelmed by unclear and changing priorities, while others are simply checked out or feeling increasingly marginalized, according to an internal February staff survey that POLITICO obtained, along with data from an annual governmentwide report and interviews with a current OMB employee, five former OFCIO employees and three former senior federal officials familiar with the office.

The unit is grappling with “high turnover,” “a lot of infighting,” a “crushing workload” and “inaction from leadership,” said the current employee, who — like others interviewed for this story — requested anonymity to discuss sensitive personnel matters.

“Things do slip through the cracks,” the OMB employee said. OFCIO’s guidance “impacts the long-term implementation strategy out in the agencies,” and if that’s lacking, there will be “a debilitating effect on overall cybersecurity in the long run,” the person said, adding that there was “real concern at the staff level that if this continues, something bad will happen and we won’t be ready for it.”

[snip]

“This organization looks like it’s in free fall,” said a former senior federal IT official who worked closely with the office.

[snip]

[A] November reorganization appeared to cause significant confusion and discontent among employees. It replaced a structure built around three core units — agency oversight, cybersecurity and policy development — with one centered on “workstreams” for activities such as cybersecurity risk and data strategy.

But the reorganization was “built on the fly” and poorly explained, said a former staffer. More than 80 percent of survey respondents said it was unclear how the reorganization improved office communication.

Adding to these woes is significant frustration with OFCIO’s senior leaders, especially Kent, a former Ernst & Young consultant who took over the office in March 2018 after the team went more than a year without a leader.

Kent, who lacks a cybersecurity or IT background, has fostered “a closed-door culture,” the current OMB employee said.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

Share this entry

MalwareTech Pleads Guilty

/19 Comments/in /by

Marcus Hutchins signed a plea agreement that was entered today. He pleads guilty to two charges of conspiracy, and the other eight charges are dismissed. If I’m doing the math on the sentencing guidelines correctly, he may be facing 6-12 months, though the government has the option of making a significant upward departure.

I’m still buried in the Mueller Report, so won’t have more on this now. It’s a sad result. And testament that justice is a lot different for people like MalwareTech than for Don Jr.

Share this entry

Three Things: Boeing Boing

/76 Comments/in , , , /by

[NB: The byline – check it. /~Rayne]

That U.S. flights of Boeing’s model 737 Max aircraft were suspended is a good thing, I think we can agree though perhaps not all for the same reasons. I’ve had suspicions about Boeing for some time now and not because of the company’s products or its management. Three things have bothered me and the deadly crash on March 10 has only added to previous concerns.

~ 3 ~

I’ve noted before that Boeing has been a possible target for stock manipulation; in fact I wrote about my suspicions a year ago:

You can imagine my surprise on December 6, 2016, when then-president-elect tweeted about Boeing’s contract for the next Air Force One, complaining it was too expensive. Was it Boeing the spies were discussing? But the company didn’t fit what I could see in the indictment, though Boeing’s business is exposed to Russia, in terms of competition and in terms of components (titanium, in particular).

It didn’t help that Trump tweeted before the stock market opened and Boeing’s stock plummeted after the opening bell. There was plenty of time for dark pool operators to go in and take positions between Trump’s tweet and the market’s open. What an incredible bonanza for those who might be on their toes — or who knew in advance this was going to happen. …

And while Boeing 737 Max equipment safety was under public debate after Sunday March 10th crash, Trump tweeted this Luddite position on contemporary aircraft complexity on March 12:

How interesting that he avoided naming Boeing specifically, but at the same time he managed to post the first of these two tweets at exactly 10:00 a.m.; the second tweet didn’t publish for another 12 minutes, leaving those following his tweets closely to assume he was going to discuss Boeing specifically during the interim.

I can’t help think Trump has an ulterior motive with regard to Boeing considering how often he has stepped into their business one way or another since December 6, 2016.

It’d be nice to know who’s been shorting NYSE:BA before his tweets and in which stock exchanges.


[Graphic: NYSE:BA moving average and trading volume from midday Monday 11-MAR-2019 to midday Tuesday 12-MAR-2019 via Barron’s.]

~ 2 ~

Trump’s personal demands have also affected Boeing directly with regard to system updates. The government shutdown delayed for five weeks work by the Federal Aviation Administration toward certification of a software “fix” for the 737 Max flight control system.

In other words, eight more American citzens traveling on the doomed flight this past weekend may have paid the ultimate price for Trump’s gross incompetence and corruption, not to mention the other truly marvelous human beings lost to the world when that flight met the earth two weeks ago.

Boeing’s business model needs to be revisited, though, if the flight control system “fix” wasn’t treated with adequate urgency based on feedback from Boeing to the FAA. There’s a fundamental question of a product’s safety for its intended purpose if it must have a software update to fly safely but that update is an additional feature outside the product’s purchase agreement and must bought before it can be added. Smells like product liability with a whiff of extortion.

Would we tolerate this business model in other situations where so much is at stake? Imagine your computer’s operating system needs a patch before you can use it — and you must pay for the patch, it’s not included in the licensing agreement for the operating system. Oh, and the computer runs your insulin pump or your pacemaker wihout which you are likely to die.

~ 1 ~

The FAA as well as Boeing need to be reevaluated based on complaints the government agency is too closely linked to the aerospace company to provide appropriate oversight. The FAA has been relying on Boeing to self-monitor via component safety inspections because the FAA doesn’t have adequate personnel or resources.

Recall recent reports of supply chain vulnerabilities — is it at all possible Boeing components have been as compromised as other military suppliers have been? How would the public know if it has relied on the FAA’s self-inspection “designee program”?

This sounds eerily familiar, like the claims related to firmware updates needed on servers when it was possible the Supermicro motherboard hardware had been compromised.

~ 0 ~

Treat this as a open thread. We could use a break from what will continue to be a flood of news relate to the Special Counsel’s Office report, especially after the Golfer-in-Chief parks his cart for the weekend and begins shit posting on Twitter in earnest again.

Share this entry

The Future of Regulation in the Perma-Cyber-Infowar

/137 Comments/in , /by

[NB: Check the byline, thanks! /~Rayne]

Looks like we could use an open thread to discuss all the stuff not directly related to the Trump-Russia investigation.

I do want to toss out a topic we should visit given the transition of power in the House from one political party to another and the sea change over the last several years in public awareness about information security.

Most regular readers here have been aware of the dynamic tension between civil liberties and national security, individuals’ rights to privacy and autonomy too frequently falling victim to the state’s efforts to surveil and control.

This site has wrestled with the threats to privacy and security posed by hardware (like cell phones and servers) and software (like vulnerabilities, ransomware, cyberweapons).

But how do we address the threats social media and other information platforms pose? Can we really ignore that Facebook has been weaponized against its country of origin let alone other host nations from the U.K. to Myanmar? Does Sen. Elizabeth Warren’s proposal to break up the largest social media platforms and label them ‘platform utilities’ under a new regulatory structure adequately address users’ privacy rights, information security, and national security?

How far should we push for disclosure of proprietary intellectual property like the platforms’ algorithms? How do we regulate the operation of these without jeopardizing their viability?

Do we need a mandatory ethical standard to which startups must build and existing platforms must comply? Facebook’s iffy interpretation of user consent to use in academic research, for example, was key to its weaponization. What regulatory standard would have prevented the abuse of users’ trust and their data?

Does the likely permanence of cyber warfare as well as information warfare require more or less than Warren has proposed?

Hash it out here in comments. Bring all the stray dog-and-cat issues as well.

Share this entry

MalwareTech’s Judge Seems More Sympathetic to Hutchins about the Intent of Prosecution than the Law

/12 Comments/in /by

JP Stadtmueller, the judge who will preside over MalwareTech (Marcus Hutchins’) case, last week denied his pretrial motions to get his post-arrest interview and all the charges of his indictment thrown out. The order starts this way:

On March 30, 2018, Hutchins filed a motion to suppress the statement that he made to Federal Bureau of Investigation (“FBI”) agents immediately following his arrest, as well as any evidence the government may have obtained as a result. (Docket #55)

We are almost 11 months into the pre-trial process and we’re virtually the same place we started. Just two things have happened in that time: the FBI Agents who arrested Hutchins had badly damaged their credibility, and Stadtmueller has given a read of how he views the case.

Stadtmueller scolds the already discredited FBI Agents for violating Federal Rule of Criminal Procedure

As to the first issue, in ruling against Hutchins on his Miranda claim (which I’ve always suggested was a way to discredit Hutchins’ incriminating comments at trial), Stadtmueller makes it clear he finds the conduct of the FBI agents problematic. He sides with Hutchins on the dispute whether Agent Chartier showed him an arrest warrant in a stairwell exchange that appears to have been improperly referenced in his 302.

The Court notes that the agents’ testimony is somewhat contradictory on this point. Chartier stated that they showed Hutchins the warrant before the interrogation was recorded. By contrast, Butcher stated that they first showed Hutchins the warrant over an hour into the interrogation. The recording of the interrogation suggests that Butcher is correct. Specifically, over an hour into the recording, Chartier says: “Okay. Well, here’s the arrest warrant. And just to be honest—just to be honest, hey, now I’m going to tell you the truth…If I’m being honest with you, Marcus, this has absolutely nothing to do with WannaCry.” The balance of the evidence strongly suggests that Hutchins was not shown the arrest warrant until over an hour into the interrogation.

More importantly, he criticizes the Agents for what he calls an “abject failure of the agents to abide by the Federal Rules of Criminal Procedure.”

At one point in the interrogation, he made a comment that showed that he did not realize he had even been indicted. There is no reason why the government could not have told him exactly why he was arrested, as he requested, and as was required of them by Federal Rule of Criminal Procedure 4(c), unless they were concerned that he would not be cooperative with them. There is certainly an element of deception to this set of events that the Court does not endorse.

[snip]

The Court is concerned by the abject failure of the agents to abide by the Federal Rules of Criminal Procedure 4(c), but their obvious interest in Kronos—including providing Hutchins with a string of code related to Kronos—leads the Court to conclude that there is not clear and convincing evidence that they acted with intent to deceive.

[snip]

Hutchins does not argue the effect of the violation of Federal Rule of Criminal Procedure 4(c)(3)(A), which governs execution of a warrant:

Upon arrest, an officer possessing the original or a duplicate original warrant must show it to the defendant. If the officer does not possess the warrant, the officer must inform the defendant of the warrant’s existence and of the offense charged and, at the defendant’s request, must show the original or a duplicate original warrant to the defendant as soon as possible.

Few courts have had moment to consider whether a violation of this rule would warrant exclusion of evidence, though it certainly might, for deterrent purposes, if the violation compromised a substantive constitutional right and the officers acted bad faith. Bryson v. United States, 419 F.2d 695, 701–02 (D.C. Cir. 1969); Murray v. United States, 855 P.2d 350, 353–56 (Wyo. 1993); United States v. Hamilton, 2017 WL 9476881, at *5 (N.D. Ga. Jan. 3, 2017). However, Hutchins did not raise this issue, so the Court will not consider it. Additionally, even if his statements were excluded, it is likely that the physical evidence still would be admissible. See United States v. Patane, 542 U.S. 630, 637–38 (2004) (failure to give Miranda warnings requires suppression of voluntary statements, but does not require suppression of physical evidence acquired as a result of those voluntary statements).

Taking Stadtmueller’s hint, Hutchins’ lawyers have renewed their motion to suppress the statements on that ground, but it may be too late. Whatever happens, though, this adds to the list of the things the FBI agents whose credibility will be deployed to enter Hutchins’ statements fucked up during his arrest. And that’s before you get into their technical knowledge.

Stadtmueller shows sympathy for the stupidity of prosecuting the guy who killed WannaCry

Along the way, Stadtmueller seems to get how stupid prosecuting the guy who killed WannaCry is.

However, Hutchins’s recent triumph with WannaCry had vaulted him into the public eye as a “white hat” hacker. Thus, Hutchins could have been reasonably confused about the FBI’s interest in him. In assessing whether he voluntarily waived his rights, some consideration must be given to the fact that white hat hacking is a complex and relatively novel field that can toe an already blurry line vis-à-vis online criminal activity. The agents did not tell Hutchins why he was under arrest, and did nothing to explain the nature of the charges against him until the end of his interrogation. Hutchins, who had no cause for concern regarding his role in WannaCry, and who had distanced himself from nefarious internet activity, cooperated.

And, having reviewed the interrogation, he seems to regard Hutchins’ attempts to help the FBI Agents identify the real criminals they are pursuing as good faith.

Almost eighty minutes into the recorded interrogation, the agents finally provided him with the warrant, and told him that it had “nothing to do with WannaCry.” The interrogation continued for about twenty minutes after that. Throughout the remainder of the interrogation, Hutchins tried to be helpful but noted that he had been “out” of so-called “black hat” hacking for so long that he did not have any helpful connections.

In comments throwing out the statutory challenges, Stadtmueller generally favors the prosecution

That said, in his language rejecting Hutchins’ attempt to throw out his indictment charge by charge, Stadtmueller significantly sides with the prosecution, as follows:

Counts One and Seven: Whether the malware in question damaged computers

Stadtmueller argues the requisite details are there for the CFAA damage charges, but suggests the government may not be able to prove their case.

These terms are sufficient to allege intent to cause damage. The burden will be on the government to prove this at trial.

Counts One Through Six: Whether software counts as a device

Perhaps Stadtmueller’s most troubling ruling is that the wiretapping charges were sound (I say that because some very smart lawyers had suggested this was problematic from the start). He argues that the Seventh Circuit precedent doesn’t cite case law and a bunch of cases (from other circuits) do.

The majority of courts to consider this issue have entertained the notion that software may be considered a device for the purposes of the Wiretap Act. See Luis v. Zang, 833 F.3d 619, 630 (6th Cir. 2016) (accepting that a software could be a “device” for the purpose of the Wiretap Act); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1087 (N.D. Cal. 2015) (concluding that a software was an “electronic, mechanical or other device”); Klumb v. Goan, 884 F. Supp. 2d 644, 661–62 (E.D. Ten. 2012) (analyzing spyware software as a device under Wiretap Act); Rene v. G.F. Fishers, Inc., 817 F. Supp. 2d 1090, 1094 (S.D. Ind. 2011) (holding that keystrokes are not electronic communications for the purpose of the Wiretap Act, but accepting the notion that software could be a device); Shefts v. Petrakis, 2012 WL 4049484, at *8–9 (C.D. Ill. 2012) (analyzing software as a device under the Wiretap Act); see also United States v. Barrington, 648 F.3d 1178, 1203 (11th Cir. 2011) (accepting that a keylogger software could be considered a scanning receiver, or a device, under 18 U.S.C. § 1029(e)(8)).

The Court is in accord with the majority of courts to consider this issue. The Court also agrees with the government’s position that Section 2510(5)’s reference to “mechanism,” which is commonly defined as a “process, technique, or system for achieving a result” seems to encompass software. Mechanism, Merriam-Webster Dictionary, https://www.merriamwebster.com/dictionary/mechanism (accessed Jan. 22, 2019); see also United States v. Mitra, 405 F.3d 492, 495 (7th Cir. 2005) (acknowledging that general technology statute should be read broadly in order to accommodate new developments).

Counts One, Four Through Eight, and Ten: Whether malware researcher MalwareTech intended to hack and wiretap

There are a bunch of problems with the way prosecutors claim Hutchins intended to do something it’s not clear he did. To this complaint, Stadtmueller basically punts to trial, without hinting how he feels about the issue.

These are arguments that go to the merits of the case, i.e., whether Hutchins had the requisite intent to commit the crimes charged.

Counts Two and Three: Whether you can charge wiretapping left and right

In its superseding indictment, the government tried to cover itself by charging both of two advertising related wiretapping charges. Hutchins challenged this, arguing they were trying to do the same thing (they are, practically). Stadtmueller ruled they weren’t, legally.

Each count contains an element required to prove the offense that is not required in the other count, and the counts require proof of different facts. There is no multiplicity.

Count Seven: Whether aid and abet without intent counts

This challenge is another intent based one, arguing that you can’t aid and abet a crime that you didn’t intend to accomplish in the first place. Stadtmueller seems skeptical but finds it passes this level of muster.

Hutchins argues that he cannot be charged with attempt to aid and abet an attempt to violate the CFAA because Count Seven is pled “without reference to the intentional causing of damage,” as stated in the statute. (Docket #92 at 5). The superseding indictment alleges that Hutchins attempted to cause damage, which encompasses the intent element. Whether the government can actually prove this at trial is a question for another time.

Counts Two and Three: Whether Hutchins can be charged in the UK for a YouTube

Stadtmueller dismisses Hutchins’ extraterritoriality challenge by saying that the government has at least alleged facts that meet this bar. In some of these details he gets the facts wrong, such as when he says that Hutchins himself pushed Kronos on YouTube.

It also alleges that Hutchens used a YouTube video to promote the sale of Kronos, and referred interested purchasers of Kronos to Individual A.

This YouTube ploy by prosecutors was a key complaint by Hutchins’ lawyers. Nevertheless, Stadtmueller rules that the government has at least alleged activities in EDWI.

However, as stated, the charges sufficiently allege activity in the United States, specifically in the Eastern District of Wisconsin. There is no extraterritorial activity at issue.

That said, Stadtmueller lays this marker, disputing the government’s view of extraterritoriality.

However, because there is confusion about the proper standard to apply in the extraterritorial analysis, the Court takes this opportunity to clarify the issue in case it should arise in the future. There is a presumption against applying statutes extraterritorially because “Congress generally legislates with domestic concerns in mind.” Small v. United States, 544 U.S. 385, 388 (2005) (quotations and citations omitted). This broad presumption applies in all cases, “preserving a stable background against which Congress can legislate with predictable effects.” Morrison v. Nat’l Australian

Therefore, the proper rule to apply is that of RJR Nabisco: if Congress has not evinced an affirmative intent to apply the statute extraterritorially, the Court must assess the focus of the statute, and determine whether the conduct relevant to the focus occurred in the United States. Under RJR Nabisco, some conduct could occur outside of the United States as long as the conduct relevant to the focus of the statute occurred inside the United States. However, as stated above, the conduct that the superseding indictment alleges took place in the United States. Therefore, the Court need not evaluate Sections 2512, 1343, or 1001 for extraterritorial application.

For example, if, as it is alleged, Hutchins promoted his malware to individuals in the Eastern District of Wisconsin, then he could reasonably foresee being haled before this Court for trial on that issue.

Counts One Through Eight and Ten: Whether Hutchins can be charged in EDWI

Similarly, Stadtmueller dismisses another jurisdictional claim based on language that may get back to the intent issue.

For example, if, as it is alleged, Hutchins promoted his malware to individuals in the Eastern District of Wisconsin, then he could reasonably foresee being haled before this Court for trial on that issue.

Count Nine: He’s fucked on false statements until the other challenges work

This one, claiming that he can’t be charged with false statements if he shouldn’t be under FBI’s jurisdiction in the first place, unsurprisingly fails so long as those Stadtmueller other charges.

The Court finds that the FBI was properly within its jurisdiction to investigate these claims. Therefore, the charge that Hutchins lied to the FBI must also go forward.

It’s hard to read what to take from all this. Stadtmueller clearly views some of these charges as flimsy. His views on the wiretap charge are the most surprising to me, and probably the most legally problematic for Hutchins (because of the advertising charges).

That said, Stadtmueller seems to have read this appropriately for what it is, the government effort to use any means available to punish Hutchins for being unable or unwilling to become the FBI’s informant solely because he came to their attention for killing WannaCry.

Share this entry

FBI Finally Moves to Fix Its Text Retention Problem — and Mobile Phone Security

/10 Comments/in , /by

Back when DOJ IG released a report explaining its efforts to ensure it had reconstructed all of Peter Strzok and Lisa Page’s text messages, I pointed out that most people were missing the really important part of the story: FBI was making do with a vendor who — even after that scandal — still missed 10% of texts.

And in trying to invent an obstruction claim out of normal bureaucratic thriftiness, they are ignoring the really damning part of the IG Report. The government contractor whose “bug” was responsible for the text messages that weren’t originally archived (but which were later recovered) still can’t ensure more than 90% of FBI’s texts are recovered.

Among the other excuses FBI offers for implementing a fix to a 20% failure with one that still results in a 10% failure is to say, “complete collection of text messages is neither required nor necessary to meet the FBI’s legal preservation obligations” (which goes back to how they’re requiring retention via policy, but not technologically-assisted procedure). The FBI also says that it “is not aware of any solution that closes the collection gap entirely on its current mobile device platforms,” which makes me wonder why they keep buying new Samsungs if the Samsungs aren’t serving their needs? Aside from the question of why we’d ask FBI Agents to use less secure Korean phones rather than more secure American ones (note, Mueller’s team is using iPhones)?

This is a huge problem in discovery in criminal prosecutions. Just as an example, DOJ claims it didn’t have texts between the Agents who were officially staking MalwareTech out in Las Vegas before they arrested him in 2017 and … other Agents. But if FBI doesn’t actually competently archive those texts, how can they make that claim?

More troubling still, FBI didn’t have a handle on what privileges their unnamed and squirrely data retention vendor had onto FBI Agents’ phones.

As DOJ IG was trying to puzzle through why they couldn’t find all of Strzok and Page’s texts, the unnamed vendor got squirrelly when asked how the retention tool interacts with administrative privileges.

Upon OIG’s request, ESOC Information Technology Specialist [redacted] consulted with the FBl’s collection tool vendor, who informed the FBI that the collection application does not write to enterprise.db. [Redacted] further stated that ESOC’s mobile device team and the vendor believed enterprise.db is intended to track applications with administrative privileges and may have been collecting the logs from the collection tool or another source such as the Short Message Service (SMS) texting application. The collection tool vendor preferred not to share specific details regarding where it saves collected data, maintaining that such information was proprietary; however, [redacted] represented that he could revisit the issue with the vendor if deemed necessary.

Maybe it’s me, but I find it pretty sketchy that this unnamed collection tool vendor doesn’t want to tell the FBI precisely what they’re doing with all these FBI Agents’ texts. “Proprietary” doesn’t cut it, in my opinion.

DOJ IG has now done what I was hoping they would: use the Strzok-Page incident as an opportunity to identify recommendations to fix the problem more generally. Most alarmingly, it says that the Subject Matter Expert it consulted in this process identified security vulnerabilities in its collection process.

[D]uring the OIG’s forensic examination of FBI mobile devices that were used by the two employees, the OIG discovered a database on the mobile devices containing a plain text repository of a substantial number of text messages sent and received by those devices.

Neither ESOC nor the vendor of the application was aware of the existence, origin, or purpose of this database. OIG analysis of the text messages in the database compared to ESOC productions of text messages during the same time periods when the collection tool was functional identified a significant number of text messages found in the database that were missing from the ESOC production. Furthermore, the Subject Matter Expert with whom the OIG consulted in connection with its forensic analysis of the devices identified additional potential security vulnerabilities regarding the collection application. The OIG has provided these findings to the FBI.

Remember: these phones were used by people read into the most sensitive counterintelligence investigations. They weren’t texting a lot about those investigations on those phones, but they were texting unclassified information about the investigations.

So now, two years after these texts were identified, DOJ’s Inspector General is recommending that FBI fix what even I recognized was a security vulnerability — as well as the other, unnamed ones their SME identified.

Coordinate with the collection tool vendor to ensure that data collected by the tool and stored on the device is saved to a secure or encrypted location.

Verify and address the security vulnerabilities identified by the Subject Matter Expert with whom the OIG consulted, which have been provided to the FBI. Current and future mobile devices and data collection and preservation tools should be tested for security vulnerabilities in order to ensure the security of the devices and the safekeeping of the sensitive data therein.

Accused defendants should not have to guess whether or not the FBI Agents investigating them discussed their case via texts that have disappeared forever. And the country, generally, should not have to worry that the phone of its top counterintelligence Agent might be compromised because of a dodgy vendor FBI hired to collect (some of) his texts.

Sadly, DOJ IG doesn’t include another recommendation that seems like a no-brainer: that FBI switch to iPhones over the Samsungs they currently issue, both because iPhones have better security, but also because there is better visibility on the supply chain.

Share this entry

Twitter Only Had SMS 2FA When Hal Martin’s Twitter Account DMed Kaspersky

/11 Comments/in /by

In a post late last month, I suggested that the genesis of FBI’s interest in Hal Martin may have stemmed from a panicked misunderstanding of DMs Martin sent.

What appears to have happened is that the FBI totally misunderstood what it was looking at (assuming, as the context seems to suggest, that this is a DM, it would be an account they were already monitoring closely), and panicked, thinking they had to stop Martin before he dropped more NSA files.

Kim Zetter provides the back story — or at least part of one. The FBI didn’t find the DMs on their own. Amazingly, Kaspersky Lab, which the government has spent much of the last four years demonizing, alerted NSA to them.

As Zetter describes, the DMs were cryptic, seemingly breaking in mid-conversation. The second set of DMs referenced the closing scenes of both the 2016 version of Jason Bourne and Inception.

The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name “HAL999999999” to send five cryptic, private messages to two researchers at the Moscow-based security firm. The messages, which POLITICO has obtained, are brief, and the communication ended altogether as abruptly as it began. After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

The first message sent on Aug. 13, 2016, asked for him to arrange a conversation with “Yevgeny” — presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny Kaspersky. The message didn’t indicate the reason for the conversation or the topic, but a second message following right afterward said, “Shelf life, three weeks,” suggesting the request, or the reason for it, would be relevant for a limited time.

The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. Shadow Brokers, which is believed to be connected to Russian intelligence, said it had stolen the material from an NSA hacking unit that the cybersecurity community has dubbed the Equation Group.

[snip]

The sender’s Twitter handle was not familiar to the Kaspersky recipient, and the account had only 104 followers. But the profile picture showed a silhouette illustration of a man sitting in a chair, his back to the viewer, and a CD-ROM with the word TAO2 on it, using the acronym of the NSA’s Tailored Access Operations. The larger background picture on the profile page showed various guns and military vehicles in silhouette.

The Kaspersky researcher asked the sender, in a reply message, if he had an email address and PGP encryption key they could use to communicate. But instead of responding, the sender blocked the researcher’s account.

Two days later, the same account sent three private messages to a different Kaspersky researcher.

“Still considering it..,” the first message said. When the researcher asked, “What are you considering?” the sender replied: “Understanding of what we are all fighting for … and that goes beyond you and me. Same dilemma as last 10 min of latest Bourne.” Four minutes later he sent the final message: “Actually, this is probably more accurate” and included a link to a YouTube video showing the finale of the film “Inception.”

As it is, it’s an important story. As Zetter lays out, it makes it clear the NSA didn’t — couldn’t — find Martin on its own, and the government kept beating up Kaspersky even after they helped find Martin.

But, especially given the allusions to the two movies, I wonder whether these DMs actually came from Martin at all. There’s good reason to wonder whether they actually come from Shadow Brokers directly.

Certainly, that’d be technically doable, even though court filings suggest Martin had far better operational security than your average target. It would take another 16 months before Twitter offered Authenticator 2 factor authorization. For anyone with the profile of Shadow Brokers, it would be child’s play to break SMS 2FA, assuming Martin used it.

Moreover, the message of the two allusions fits solidly within both the practice of cultural allusions as well as the themes employed by Shadow Brokers made over the course of the operation, allusions that have gotten far too little notice.

Finally, that Kaspersky would get DMs from someone hijacking Martin’s account would be consistent with other parts of the operation. From start to finish, Shadow Brokers used Kaspersky as a foil, just like it used Jake Williams. With Kaspersky, Shadow Brokers repeatedly provided reason to think that the security company had a role in the leak. In both cases, the government clearly chased the chum Shadow Brokers threw out, hunting innocent people as suspects, rather than looking more closely at what the evidence really suggested. And (as Zetter lays out), Martin would be a second case where Kaspersky was implicated in the identification of such chum, the other being Nghia Pho (the example of whom might explain why the government responded to Kaspersky’s help in 2016 with such suspicion).

Mind you, there’s nothing in the public record — not Martin’s letter asking for fully rendered versions of his social media so he could prove the context, and not Richard Bennett’s opinion ruling the warrants based off Kaspersky’s tip were reasonable, even if the premise behind them proved wrong — that suggests Martin is contesting that he sent those DMs. That said, virtually the entire case is sealed, so we wouldn’t know (and the government really wouldn’t want us to know if it were the case).

As Zetter also lays out, Martin had a BDSM profile that might have elicited attention from hostile entities looking for such chum.

A Google search on the Twitter handle found someone using the same Hal999999999 username on a personal ad seeking female sex partners. The anonymous ad, on a site for people interested in bondage and sado-masochism, included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and “technical advisor and investigator on offensive cyber issues.” The LinkedIn profile didn’t mention the NSA, but said Martin worked as a consultant or contractor “for various cyber related initiatives” across the Defense Department and intelligence community.

And when Kaspersky’s researchers responded to Martin’s DM, he blocked their accounts, suggesting he treated the communications unfavorably (or, if someone had taken over the account, they wanted to limit any back-and-forth, though Martin would presumably have noted that).

After each researcher responded to the confusing messages, HAL999999999 blocked their Twitter accounts, preventing them from sending further communication, according to sources.

Martin’s attorneys claim he has a mental illness that leads him to horde things, which is the excuse they give for his theft of so many government files. That’s different than suggesting he’d send strangers out-of-context DMs that, at the very least, might make him lose his clearance.

So I’d like to suggest it’s possible that Martin didn’t send those DMs.

Share this entry

Prosecutors Cite Osiris in an Attempt to Resuscitate Dead Law against Marcus Hutchins

/12 Comments/in , /by

I’ve been meaning to do an update on a series of filings in the MalwareTech (Marcus Hutchins’) case in which his defense challenged the magistrate’s recommendations, the government responded, and MalwareTech replied. As I’ll get to, those filings reveal a bit more about what the government was really up to in their prosecution of Hutchins.

First, however, I want to look at something the government does in the first paragraph of their response. The paragraph starts with a succinct statement about the case that smooths over a lot of legally suspect moves they make in the case.

Marcus Hutchins is charged with developing and distributing malware capable accessing and damaging computers without the owners’ knowledge and stealing personal information. See Doc. #86. As set forth in the superseding indictment, he worked with others to sell this malware in online forums. Doc. #86. Hutchins did this to earn money for himself. He essentially admitted his crimes in online “chats” that were later obtained by law enforcement.

Effectively, this statement obscures all the problems with charging Hutchins for making malware that he never intended to use to damage computers as understood by the Computer Fraud and Abuse Act and which doesn’t equate to a device that might amount to wiretapping.

Immediately after having done that, the government points to an entirely different generation of malware than Hutchins wrote — which has since been dubbed Osiris — to suggest Hutchins’ own work has led to damage.

The malware developed and sold by Hutchins and his coconspirators, and variants of that malware, particularly Kronos, have been used to compromise computers around the world for years. See, e.g., “Kronos Reborn,” Proofpoint, July 24, 2018, available at https://www.proofpoint.com/us/threat-insight/post/kronos-reborn (last visited November 30, 2018) (discussing 2018 campaigns involving Kronos variants).

The link describes a much later version of the underlying malware used in campaigns in Germany, Poland, and Japan.

In April 2018, the first samples of a new variant of the banking Trojan appeared in the wild [2]. The most notable new feature is that the command and control (C&C) mechanism has been refactored to use the Tor anonymizing network. There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets. In this blog, we present information on the German, Japanese, and Polish campaigns as well as a fourth campaign that looks to be a work in progress and still being tested.

Even if Hutchins’ code formed a key part of this module (I’m sure if this ever gets to trial Hutchins’ team will be able to mock this as a possibility), attacks in three other countries do not justify a prosecution of a British citizen in Milwaukee.

Remember, early on in this case, the government admitted they don’t believe Hutchins continues to engage in criminal activity.

Effectively, Hutchins is on trial for code he wrote years ago, some of it while he was a minor. Because people associated with later generations of that code — with its literal rebirth as a new product — are causing havoc, the government is intent on holding him accountable.

Share this entry