Arrest of hacker Hutchins called ‘bizarre’

Computer law expert predicts conviction of British man will be ‘problematic’ for U.S.

The Hamilton Spectator - - CANADA & WORLD - DANICA KIRKA

A computer law expert on Friday described the evidence so far presented to justify the arrest of a British cybersecurity researcher as being problematic — an indictment so flimsy that it could create a climate of distrust between the U.S. government and the community of information-security experts.

News of Marcus Hutchins’ arrest in the United States for allegedly creating and selling malicious software able to collect bank account passwords has shocked the cybersecurity community. Many had rallied behind the British hacker, whose quick thinking helped control the spread of the WannaCry ransomware attack that crippled thousands of computers in May.

Lawyer Tor Ekeland told The Associated Press that the facts in the indictment fail to show intent.

“This is a very, very problematic prosecution to my mind, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack and potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware,” Ekeland said. “This is just bizarre, it creates a disincentive for anybody in the information security industry to co-operate with the government.”

Hutchins, who worked for Los Angeles security firm Kryptos Logic, was detained in Las Vegas as he was returning to his home in southwest Britain from an annual gathering of hackers and information security gurus. A grand jury indictment charged Hutchins with creating and distributing malware known as the Kronos banking Trojan.

Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location, enabling cybertheft.

The indictment, filed in a Wisconsin federal court last month, alleges that Hutchins and another defendant — whose name was redacted — conspired between July 2014 and July 2015 to advertise the availability of the Kronos malware on internet forums, sell the malware and profit from it. The indictment also accuses Hutchins of creating the malware.

The problem with software creation, however, is that often a program can include code written by multiple programmers.

Ekeland said that what is notable to him from the indictment is that it doesn’t allege any financial loss to any victims — or in any way identify them. Besides that, laws covering aspects of computer crime are unclear, often giving prosecutors broad discretion.

“The only money mentioned in this indictment is ... for the sale of the software,” he said. “Which again is problematic because in my opinion of this, if the legal theory behind this indictment is correct, well then half of the United States software industry is potentially a bunch of felons.”
