Naked Security

WannaCry hero Hutchins now officially a convicted cybercriminal

The youngster who spent his own money to protect people from the WannaCry virus has pleaded guilty to malware-related cybercrime charges.

The featured image comes from @MalwareTechBlog, the Twitter feed of Marcus Hutchins.

Remember the reluctant WannaCry hero?

WannaCry was ransomware that made big headlines in mid-2017 for two important reasons.

First, it was a true computer worm: self-spreading malware that automatically propagated itself from one vulnerable computer to the next, and the next…

…and so on, meaning that although it drew attention to itself very quickly, it was nevertheless able to spread far and fast.

SophosLabs estimated that it infected 200,000 computers in 150 countries within four days of showing up in the wild.

Second, WannaCry’s spreading mechanism used exploit code known as ETERNALBLUE, which attacked a bug in Windows file sharing (SMB) and was allegedly developed by the US National Security Agency for secret intelligence-gathering purposes.

That exploit, along with many others, was subsequently stolen in a data breach at the NSA, offered for sale for a while at an outrageous price, and finally dumped for anyone to use for free in April 2017.

Microsoft had already pushed out a patch in March 2017 (MS17-010) that effectively immunised everybody who applied it, but those who neglected or declined that update ended up at risk.

Enter our hero

Amongst the WannaCry panic, a youngster in the UK calmly analysed the malware and quickly spotted what turned out to be a “kill switch” in its programming.

He found a specific, weirdly named domain name hard-coded into the malware.

For reasons we shall probably never know, the crooks who wrote WannaCry hadn’t registered that domain, so the youngster quietly registered it himself.

It turned out that if the ransomware could connect to a web server at that domain, it would let you off and not scramble your files.

But if the call-home failed for any reason then the ransomware attack went ahead and you ended up facing a $300 extortion fee to get your files back.

In other words, when our soon-to-be-hero set up a web server using the name he’d just registered, he turned on WannaCry’s safety valve for every infected computer that could reach it.

Activating that “kill switch” almost certainly saved many innocent users from those pay-$300-in-Bitcoin-right-now demands and prevented plenty of global heartache.
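To make the inverted logic of that safety valve concrete, here is an added example that is not part of the original article and is not WannaCry’s own code: a small Python model of the kill-switch decision, with the network swapped out so it runs offline. The domain name, the IP address and the three “network environments” are constructed for illustration; the real malware made an HTTP request to its hard-coded domain and the decision followed the same shape.

```python
"""
Added example (not from the article, not WannaCry's code): a model of the
"kill switch" the article describes.

The ransomware tried to reach a hard-coded, unregistered domain. A successful
connection meant "stop"; any failure (NXDOMAIN, timeout, refused) meant
"go ahead and encrypt and spread". Registering the domain and answering on it
therefore flipped the outcome for every victim that could reach the server.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Placeholder name, an assumption for this example; not the real domain.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# A connector takes a hostname and returns True if an HTTP request succeeded.
Connector = Callable[[str], bool]


@dataclass
class Outcome:
    proceeded: bool  # True = payload (encryption + worm spreading) would run
    reason: str


def kill_switch_check(connect: Connector, domain: str = KILL_SWITCH_DOMAIN) -> Outcome:
    """Mirror of the decision: only a *successful* connection aborts the payload.

    This is the opposite of normal command-and-control logic. Reaching the
    server is what saves the victim, and every failure mode, including a
    network that simply cannot get there, lets the payload run.
    """
    try:
        reached = connect(domain)
    except Exception as exc:  # DNS failure, timeout, connection refused ...
        return Outcome(True, f"connection failed ({type(exc).__name__}); payload runs")
    if reached:
        return Outcome(False, "kill-switch domain reachable; payload aborted")
    return Outcome(True, "kill-switch domain unreachable; payload runs")


# --- three constructed network environments ---------------------------------

@dataclass
class Sinkhole:
    """The web server behind the registered domain.

    Every hit is a machine that is running the malware, which is why a
    sinkhole doubles as infection telemetry.
    """
    hits: List[Tuple[str, str]] = field(default_factory=list)

    def connector_for(self, src_ip: str) -> Connector:
        def connect(domain: str) -> bool:
            self.hits.append((src_ip, domain))
            return True
        return connect


def before_registration(domain: str) -> bool:
    # Before anyone registered the domain, name resolution failed outright.
    raise OSError("NXDOMAIN")


def no_direct_internet(domain: str) -> bool:
    # Domain registered, but this host cannot reach the internet directly
    # (e.g. only via a mandatory proxy), so the request still fails.
    raise TimeoutError("no route to host")


def run_scenarios() -> Dict[str, object]:
    """Run the three environments and report whether the payload would run."""
    sinkhole = Sinkhole()
    results: Dict[str, object] = {
        "unregistered": kill_switch_check(before_registration).proceeded,
        "registered_direct": kill_switch_check(sinkhole.connector_for("203.0.113.7")).proceeded,
        "registered_no_route": kill_switch_check(no_direct_internet).proceeded,
    }
    results["sinkhole_hits"] = len(sinkhole.hits)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:22} {value}")
```

The third scenario follows directly from the article’s own description: the check only protects machines whose call-home succeeds, so registering the domain was a safety valve, not a cure, for anything that could not reach the server. The `Sinkhole.hits` list is the other side of the same coin, and is why the comment below about sinkholes being used to track infections is not in conflict with the kill-switch effect.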

Reluctant stardom

At first, our hero kept a low profile, but he was soon identified by the UK media – to an understandably warm welcome – as Marcus Hutchins.

His disarming likeability made his initial reticence seem like little more than youthful shyness, but a more serious reason for him to have avoided the spotlight soon appeared.

Pitched suddenly into cybersecurity stardom, Hutchins was invited to attend the 2017 DEF CON hacker convention, so he jetted off to Las Vegas, Nevada, where the event is held.

Unfortunately for Hutchins, US law enforcement, in the form of the FBI, already had their eyes on him; indeed, it seems he’d been a “person of interest” to them for a while, despite his youth (he had just turned 23 at the time of his DEF CON trip).

The FBI had formed the opinion that Hutchins had not only written malware as a youngster but also sold it on, knowing that the purchasers wanted it for criminal purposes.

Writing viruses might not itself be a crime, in the US at least, but using malware to attack computers, steal data and make money is another matter.

Anyway, in the week or so that Hutchins was in Nevada, the Feds got their paperwork together, and at the last moment – apparently while he was waiting for his flight home at McCarran airport in Las Vegas – they showed up to arrest Hutchins and take him into custody.

Presumption of innocence

The initial reaction from many in the cybersecurity community was an outpouring of scorn and hatred against American law enforcement.

Even amongst those who knew him only in passing or via his online presence, Hutchins was a hero who’d spent his own money on helping other people, so he was very widely assumed to be innocent, and the charges to be a pile of rot.

Investigative journalist Brian Krebs admits that he too wanted to believe in Hutchins’s innocence, but figured that he’d better dig into Hutchins’s background a bit before forming an opinion.

After three weeks of “joining the dots”, Krebs published a piece in which he said:

At first, I did not believe the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge.

Admission of guilt

Hutchins pleaded not guilty at the outset of his case and managed to get bail, but had to hand over his passport and stay in the US.

And so things stood until last week, when Hutchins himself tweeted:

https://twitter.com/MalwareTechBlog/status/1119322882578866176

The article linked to by the tweet is short and simple:

As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.

This isn’t the excuse-laden sort of mea culpa we’ve seen in the past from cybercriminals.

Hutchins isn’t trying to blame his victims for not patching, for example; or to blame the operating system vendors for writing buggy code; or to blame the world in general for not paying attention to bug reports in the first place; or claiming that cyberattacks don’t really count because they don’t hurt anyone the way violent crime does.

We’re aware, of course, that the words and structure of this terse and carefully formed statement were probably devised by Hutchins’s lawyers as a formal requirement of his plea arrangement…

…but in this case, we’re inclined to believe him.

He hasn’t been sentenced yet, so we can’t tell you what effect, if any, this statement will have.

Apparently the maximum jail time allowed for his offences is five years, but a lot of people in the cybersecurity community seem to be rooting for Hutchins to be treated leniently, even though he’s now officially a convicted cybercriminal.

What next?

We’re not expecting Hutchins to get away with a suspended jail term or a fine followed immediately by deportation to the UK, however effective such a sentence might sound.

After all, the US courts may want to establish a clear disincentive for other youngsters who are toying with the idea of a “career” that involves attacking the online lives of innocent victims with malware.

So we’re guessing that he’ll go to prison to serve some sort of custodial sentence, although we can’t see him getting a full five-year stretch, and given his guilty plea and his public admission of wrongdoing, we hope he doesn’t.

Hutchins does seem genuinely remorseful, and has even taken to Twitter with some wise advice for those following in his footsteps:

https://twitter.com/MalwareTechBlog/status/1119694262440882176

Have your say

What do you think he’ll get?

And what do you think he deserves, given that he’s now convicted of making and selling malware for criminal purposes?

Tell us in the comments below.


17 Comments

You’re saying Krebs did not jump to his first emotional reaction and instead waited for more information and facts before stating a conclusion? What is this strange policy you speak of?

Reply

Krebs is one of the few journalists that puts emotions and politics aside and just digs for the evidence…

Reply

“Amongst the WannaCry panic, a youngster in the UK calmly analysed the behaviour of the virus and quickly spotted what’s known as a “kill switch” in its programming.” is not accurate. Hutchins looked at the ASCII strings within the WannaCry code, recognized a domain name, and registered it. He did this because he works to track malware infections through sinkholes that are monetized via Kryptos Logic (his employer) through their Telltale subscription service. Registering the domain he found within the WannaCry code and setting up the sinkhole of course had the useful side-effect of stopping the malware, but it was accidental. Please realize that he is financially motivated, and the work he undertakes is ultimately for personal gain and profit — whether writing code that was used within the Kronos banking Trojan (and being compensated) or sinkholing domains to track infected hosts and sell that data via Kryptos Logic.

Reply

Well, I’m going to stick with giving him credit for “analysing the malware” (I carefully didn’t say he disassembled it in detail or anything like that). Even if all he did was to run strings across the file and register everything that looked like a domain name, let’s not take away from him that no one else had got that far. Thus he emerged as an unexpected hero. I think we can let him have that.

As for being “financially motivated… for personal gain and profit”, well, if the personal gain was legally acquired and he paid tax on it, I think that’s just “he had a job”. Most of us do – it’s tough to get by without one. (Even the US courts admitted that, AFAIK, by allowing him to support himself on bail by working for his employer in the US.)

The moral of this story is pretty simple: just because everyone thinks you’re a cybersecurity hero doesn’t automatically obliterate any criminality in your past. And it is an important reminder to kids – as Hutchins now admits – that you don’t need to be a crook first to become a first class cybersecurity expert.

PS. I get your point about causality so I am rewording the bit about the “kill switch” so that it doesn’t invite you to infer that he registered the domain with the specific intention of stopping the malware.

Reply

In title: “now officially a convicted cybercriminal”
Last few lines: “He hasn’t been sentenced yet”

Thanks for wasting my time with a clickbait title.

Reply

In law you are a convicted criminal the moment you are found guilty by the court. That seems self-evident to me. There is no more “presumption of innocence” once the court officially pronounces you guilty. You are no longer “the accused” or “the defendant” because the accusation is considered proved and your defence has failed.

In many jurisdictions, sentence is not passed immediately – both the court and the guilty party typically get time to prepare arguments about what sentence ought to be imposed. During this period the guilty person may be allowed to remain out on bail.

Remember that in many countries an accused person does not have to declare any previous convictions while on trial. Defendants are entitled to be judged as if from a clean slate, to avoid possible prejudice against them. But previous convictions are very definitely taken into account in sentencing, thus the two processes are handled separately.

Reply

Sadly many people who lost their life savings due to software he wrote and helped write will die in poverty after working a life time to build financial security. You reap what you sow, and he has made a lifetime of bad karma to come back to himself.

Reply

Surely you realise that for karma to be playing a part in this the people who “lost their life savings” and “will die in poverty” must have done something to deserve it in the first place?

Reply

So, I disagree with his stance on, “There’s misconception that to be a security expert you must dabble in the dark side. It’s not true. You can learn e… twitter.com/i/web/status/1… MalwareTech (@MalwareTechBlog) April 20, 2019”

There is a major difference between knowing security and practicing security. It’s the same with military combat training: training only takes you so far, but until the bullets are actually flying past you and it’s not training, you do not know how you will act. Same with cybersecurity: if you’re training then there isn’t much at risk; it’s when that element of risk is added that things get real. If the US Courts and FBI are smart, they would give him a good paying job with them in return for his skills. Just my opinion, as cybersecurity is already short staffed as it is; at least they could keep an eye on him then, and one less bad guy to deal with.

Reply

Suddenly, just being a malware writer makes you a brilliant cybersecurity expert?

By that sort of argument, if I steal enough bicycles, ride them into the ground and then dump them in the canal, I ought to start getting podium finishes in competitive cycling events. Heck, that would make anyone with access to a decent pair of bolt cutters into a potential Grand Tour competitor.

Unsurprisingly, however, that’s not how it works.

Reply

McArran–>McCarran

And Duck continued “This isn’t the typical mea culpa admission we’ve seen in the past from cybercriminals.

Hutchins isn’t trying to blame his victims for not patching, for example; or to blame the operating system vendors for writing buggy code; or to blame the world in general for not paying attention to bug reports in the first place; or claiming that cyberattacks don’t really count because they don’t hurt anyone like violent crime does.”

Ahh, perhaps you meant to say “This mea culpa is not the typical approach we’ve seen from cybercriminals in the past.”

Mea culpa is Latin for “I am culpable (guilty)” which is exactly what he did indeed write.

Reply

I meant that his mea culpa was untypical because he didn’t trot out excuses. So you are right that I was tautological given that a mea culpa is already an admission. So I will reword that.

And correct the airport typo – thanks for spotting.

Reply

“we’re inclined to believe him”

Why is that? Because he has been so honest in the past? Like when he continually denied writing the bank trojan until it wasn’t possible to deny it any further and then he cut a deal?

Please stop glorifying what he did and treating him as a hero. He is a criminal and deserves jail time.

Reply

I am not glorifying anyone – indeed, the headline expressly states that he is now “officially a cybercriminal” – just as you said in your comment – and I expressed the opinion that he almost certainly would get a custodial sentence rather than a suspended sentence or a fine.

I happen to think that justice could be done without banging him up for the maximum term, and I am satisfied that I can hold that opinion without downplaying the seriousness of cybercrime, without praising Hutchins, and without glorifying anyone.

Do I think he’s a gifted and excellent cybersecurity researcher? No. He doesn’t yet have the knowledge or experience. (If you look at his recent posts about learning to code I think he agrees with that.) Do I think he’s a prolific and unreconstructed cybercrook who will inevitably be a recidivist? No. I don’t have any science for that and I can’t prove it – but on the balance of probabilities I think he was a small-time player drawn into the malware scene as a kid and that he’d be nuts to try to get back into that game when he gets out.

Reply
