I generally think it's crazy to hold someone responsible for the software they wrote, even if it has no theoretical "good use". The person using the software should be responsible. That being said, it's even crazier if there is a legitimate use (network monitor etc.), which seems to be the case here. Where exactly do you draw the line? If an attacker uses Windows or Linux... is that evil software? If they phish with some mail-tool, is that evil software? Etc., etc.
Totally agree. It's a freedom of speech issue. Just like you can't hold the Beatles responsible for the Manson murders, you can't hold someone expressing themselves in code responsible for malicious use. See: NRA lobby white papers.
It isn't a freedom of speech issue. Free speech doesn't cover using words to commit a crime. Saying "hand over the cash or I'll slit your throat" is still robbery.
The law handles this fairly well in theory. You are only responsible for aiding a crime if you acted to assist the crime with the required mental state. The required mental state for most crimes is recklessness.
So you can sell someone a gun but you can't sell someone a gun if they say "I'm going to murder my wife."
Doing something totally legal to assist a crime is a crime if you were acting intentionally to assist the crime. You can be charged for giving the Gettysburg Address if the point was to get people in one place to bomb it.
Here the FBI is wrong. As of now, there is no evidence he intended to assist in these crimes.
But if you created some software designed to hack a company you hated and then released it widely hoping that someone would use it? That is a crime.
The standard for when words are criminal is much more narrow than that in the US. It isn't just words implicated in crimes. Off the top of my head, there are quite narrow interpretations of libel, slander, and incitement to imminent lawless action. Even in cases such as insider trading, it's the acting that makes the crime, not the fact someone said something.
Absolutely agree. I hope he has attempted to contact the EFF over this for counsel.
As I understand it, under similar policies, they could arrest a mapping product programmer for some nefarious third parties who plan terrorist attacks.
> they could arrest a mapping product programmer for some nefarious third parties who plan terrorist attacks.
What if the programmer distributed and supported the product on a terrorism planning site, and worked to ban anyone who mentioned using the mapping product for terrorism? And who knew of a plugin for his software designed to calculate bomb shrapnel distribution?
The guy sells his software through a hacking site, provides a plugin API, but states that it shouldn't be used for hacking. The situation seems similar to ROM sites that say "only download if you own the original game", smoking stores that sell bongs "for use with tobacco products only", etc. He'd have a better defense if he sold the software through a forum for Windows enthusiasts, or something.
Let's hope they don't throw 50 years of prison or plea deal at him, as they tend to do, and that he doesn't take the plea deal. Since software has already been defined as free speech, I think there's a very good chance he should win this.
At the very least, if we're holding people responsible for their software, we should be holding car manufacturers responsible for crashes and firearms makers responsible for murders. "Oh, you were drunk and crashed your Prius? Put the engineering team in jail!"
I know, I know. I'm in the uncomfortable position of being both pro gun, and pro gun-control, so I get the worst of both worlds. On one side people think you should be free to transfer a gun without a scrap of record keeping, and the other thinks that if you beat someone to death with a cell phone, you should sue Samsung.
It seems like the Feds' case depends pretty heavily on the fact that he initially advertised the software on a forum that was devoted to malicious computer hacking.
"I am able to crash a RHEL7'ish system with the above PoC quickly."
So, someone takes down some critical system running RHEL7 with this (even if it is just a crash) - and the author is on the hook because the only use for the code was educational and "crashing a system"?
The issue is that this person wrote the software and then profited and advertised it specifically for malicious uses. That implies intent, and intent matters.
I mean, there is such a thing as ethics. A programmer writing software with malicious intent or with the explicit purpose to defraud, undermine, or otherwise harm another person and/or their property should absolutely be held responsible for the code they write.
> A programmer writing software with malicious intent or with the explicit purpose to defraud, undermine, or otherwise harm another person and/or their property should absolutely be held responsible for the code they write.
Then I think Cisco, Microsoft, and all the other NSL, backdoor inserting, government roll-over companies count in this category too. Do you not see how slippery the slope is you are arguing for?
I don't know if it's that simple -- if I print out fake dollar bills it'll probably be treated differently if I sell them as movie props than if I sell them as counterfeit money you could pass off as real.
> Owning prop money in itself is not a crime. But it's a crime if people try to pass the prop bills off as real money, said Capt. Jim Duering of the Grand Island Police Department.
Seems like the same principle would apply if you were selling it for the purpose of enabling fraud.
From the article: "Essentially what this law says is that bills must be either 75% smaller than or 150% larger than the size of a real bill and one color, one side."
So printing fake money could be a crime even if you don't attempt to pass it as real.
The action makes it wrong, not the code itself. Writing code cannot be evil; it's the user's decision to exploit the code for their own selfish gain.
E.g., see people using cars or knives or guns as weapons to commit crimes; we don't throw Toyota or H&K executives in jail. Just because an item was used by someone, the inanimate object by itself does not display intent; intent is something that can only be held in the mind of a person.
Intent is what matters. Writing code can most definitely be evil when written with evil intentions, or with the expectation of having the code used in malicious ways.
It's a very different thing to write code with good intentions, only to have it repurposed by others for nefarious intent.
It's obviously not a black and white matter, or we wouldn't be having this discussion. The important thing to remember, though, is intent. What was that code or feature originally intended to do? If it was intended to be malicious, then why write the code?
I actually do not believe this is really a legal issue, and is instead a moral and ethical issue on a personal level. It is only becoming a legal issue because we have no other way to deal with it, since not every person operates on the same moral code. If more software developers went out of their way to hold themselves to a higher ethical standard, maybe fraud wouldn't be as prevalent as it is today, and we wouldn't need to have this discussion in the first place.
Code itself cannot show intent. The code is executed when the person chooses to run it to fulfill their intent, which can be judged to be bad in hindsight if it caused harm to others.
A gun by itself doesn't show intent to commit assassinations. Only when it's taken by a revolutionary and aimed at the heart of capitalist pigs will the intent be realized.
The gun maker cannot be held responsible for creating a device that intended to kill someone important.
I guess you are trying to tie this back to HackForums as a way to suggest intent, this is a pretty weak argument. Unless there's private messages like "oh hell yeah my nanocore is going to be loved by criminals, I'm going to code the best keylogger ever.", there's no intent whatsoever to pin here.
> I mean, there is such a thing as ethics. A programmer writing software with malicious intent or with the explicit purpose to defraud, undermine, or otherwise harm another person and/or their property should absolutely be held responsible for the code they write.
Congratulations. You've just publicly stated you should remove your game from Steam and anyone else who distributes DRM rootkits. Rootkits are re-purposable into malware too.
I'm confident there is an extremely large gap between a game developer with an open-source video game on Steam (which does not use Steam's DRM feature or any 3rd party DRM) and a developer who writes a malware rootkit.
Borderline industries such as drug and gun production are heavily licensed and controlled by the state. I believe this case should fall into a similar category.
> Where exactly do you draw the line?
You can kill with a hammer too, but no one will hold the hammer maker complicit.
How could that possibly work? Gun manufacture requires machinery and resources, and drug production requires specific knowledge that's not widely disseminated. Anyone can learn how to write software.
"As shipped, Ghost Gunner manufactures mil-spec AR-15 and AR-308 lower receivers to completion. With simple tools and point and click software, the machine automatically finds and aligns to your 80% lower to get to work. No prior CNC knowledge or experience is required to manufacture from design files. Legally manufacture unserialized AR rifles in the comfort and privacy of your home."
"I'm not selling guns, I'm selling machines that automatically make guns."
"I'm not selling malware. I'm selling random bitstrings. Here's the email of someone who sells a different kind of random bitstrings, and here's a URL where you can download an AES implementation."
You still need someone with the technical know-how to make that machinery, and the commercialization of such machinery is very easy to regulate because pretty much only industries use CNC machines.
Gun manufacturing equipment is not prohibitive. Zip guns and 3-d printers facilitate it.
Drug production for cocaine, heroin, cannabis and others is as simple as a garden.
Not that I agree the kid should be arrested. I simply perceive the feasibility of software prohibition via government license to be as effective as it is for guns and drugs.
> I simply perceive the feasibility of software prohibition via government license to be as effective as it is for guns and drugs.
In other words, not effective at all against the people you're attempting to target (criminals) and only negatively affecting the people who don't deserve or need to be targeted (law abiding citizens)?
Do you mean sales of the software itself? There's no way that could work. Secretly transferring a bitstring is one of the easiest things to do. At best you could catch the money laundering.
> Drug production for cocaine, heroin, cannabis and others is as simple as a garden.
I was thinking of drugs in general. Including for example antibiotics and cancer drugs. AFAIK, practically no one knows how to make stuff like that.
> Do you mean sales of the software itself? There's no way that could work.
Loaning a gun is even easier, but it seems regulated too. I've seen a friend verbally say in front of others that he was transferring full ownership of a gun when a friend asked to borrow one for the range, because that's what the laws of his state required (WA). He then informed his friend that he would certainly appreciate the gun being transferred back in a week, but he had no recourse if not.