So Marcus Hutchins, of #WannaCry fame and who had been arrested in the US, has pleaded guilty to writing banking #trojan software. Over on the birdsite there's lots of strong opinions. I blogged my opinion that it's a big world out there and trying to dismiss him as a criminal or pardon him because he's a hero are fundamentally misguided. https://blog.paco.to/2019/marcus-hutchins-infosec-soul-searching/
@paco I like your rounding metaphor. I tend to agree here. I’ve been following along, but am still fuzzy on a detail. Was writing the software his only crime, or did he perform other actions which contributed to his crime?
In a way, writing malware, if you don’t use it, is like writing a plan to rob a bank but not participating in a heist. But I suppose under the law that’s still conspiracy to commit the crime.
I guess even the non-zero crime could come from arbitrary rounding.
@paco I generally lean toward the “he committed a crime” side of the fence, but I understand why the issue is so polarizing.
@nbering me too. But I also think it is possible to change and to prove one has changed. So while he has to pay some consequences, at some point we must allow for the possibility of rehabilitation and restoration. One can argue he’s already rehabilitated. He’s kinda proven that point. So when he has served his time, we should consider that.
@paco Yes, I think it falls to the justice system to decide during sentencing what is fair given the circumstances.
There is precedent in the US for criminals having committed this sort of intellectual crime to secure an early release for co-operating with authorities in catching other criminals (i.e. Frank Abagnale Jr.).
@nbering I think there’s 2 things. Writing it isn’t a crime in the US. Selling and/or distributing can be. I think that’s what he pleaded on. Second: #infosec folks push the boundaries a lot on what is strictly legal. Some either go too far or get unlucky and face consequences. The connection between actions and consequences is far from even, equitable, or fair. So it’s also hard to make judgements until you dive deep and get the details.
@paco Certainly, the legal environment around vulnerability research is in itself charged with controversy.
I’m not sure we’ll ever settle into a position where all parties will be satisfied with that situation. It’s such a tangled web of opposing points of view.
@nbering @paco a significant element of the charges against Marcus was not only that he wrote Kronos, but sold it with the knowledge of how it would be used. I don’t think there is a good metaphor in the physical world - for example creating and selling lock picks (or a gun) could result in someone using them to rob a bank. But that is not how those items are intended to be used. A banking Trojan, by contrast, has basically one purpose: committing bank fraud.
@jerry @nbering I don’t disagree. I think as a society it is important that we don’t make these lifelong scarlet-letter judgements on people. He has the benefit of years of positive contributions before the criminal bit came out. It helps us support the case that he has changed. He will pay his debt and then return to the workforce. How many similar people never get the chance to make their case after serving their punishment because our judgment is stubborn and we ostracise them?
@paco hard agree there. Thank you for writing this.
Particularly this paragraph is important, I feel:
"Infosec is just one of many big places. The world is a big place. Our communities are big. Humanity is an infinitely large space. Dichotomous reasoning does not work well here. Tribalism is tearing the online English-speaking world apart."
The online English-speaking world is not the only one affected, obviously. All the more reason why your message here is important.