This was used to exploit people, plain and simple. While I don't think blanket arresting people who downloaded it is reasonable (someone may have fallen for the marketing and used it for legit reasons), shutting down the C&C servers to disable it from working and aiding in exploitation & blackmail is a net good.
From a deontological perspective, it's not clear that this is good if one of your values is clearly and consistently enforced law.
I naively always assumed that a webcam indicator light was hard wired to turn on when the camera was in use. If it isn't, why on earth not?
> If it isn't, why on earth not?
The same reason for nearly every other design defect in retail-grade hardware: cost vs. margins.
Because it's simpler to do it in software and the users won't notice anyway.
See https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-d... for more details and screenshots/quotes of posts by the creator of the tool.
This is _not_ for server administration.
This is _not_ like PuTTY or Remote Desktop. This is like Blackshades or Orcus. It is malicious, only sold for malicious usage.
I don't think I've ever seen people gone after for the former, even when it's been abused by miscreants.
At least in the US, people already "go after" security researchers all the time (at least the companies not smart enough to realise just how much a well meaning email can save them).
Do you mind picking a non-trollish username and letting us rename it for you?
If someone explicitly asks you to hack their systems (and they have permission themselves), or if you want to do pentesting and hardening of your own systems, you should be fine.
The grey area here is how likely it is that someone would buy this tool for legitimate security analysis.
Most people wouldn't, which puts it on a slippery slope. A good defending lawyer should be able to make a good case for genuine legitimate use, but of course that's still going to leave some risk, not to mention a lot of stress and inconvenience before a case even gets to trial.
> Robbins v. Lower Merion School District is a federal class action lawsuit, brought in February 2010 on behalf of students of two high schools in Lower Merion Township, a suburb of Philadelphia. In October 2010, the school district agreed to pay $610,000 to settle the Robbins and parallel Hasan lawsuits against it.
> The suit alleged that, in what was dubbed the "WebcamGate" scandal, the schools secretly spied on the students while they were in the privacy of their homes. School authorities surreptitiously and remotely activated webcams embedded in school-issued laptops the students were using at home. After the suit was brought, the school district, of which the two high schools are part, revealed that it had secretly taken more than 66,000 images. The suit charged that in doing so the district infringed on its students' privacy rights. A federal judge issued a preliminary injunction, ordering the school district to stop its secret webcam monitoring, and ordered the district to pay the plaintiffs' attorney fees.
> The lawsuit was filed after 15-year-old high school sophomore (second year student) Blake Robbins was disciplined at school for his behavior in his home.
Acknowledging that the school was found to have been in the wrong and that the courts came down on the side of privacy, is the company which sold the school district the software they used to violate privacy guilty of anything? Should it be?
The company involved:
... said its software was intended to be used for theft recovery. Easier to recover stolen goods if the laptop can surreptitiously take pictures of its surroundings and send them home, see? Is that software inherently bad, like the software you're talking about is? It could certainly be used for the same thing.
Back to the matter at hand, I think the installation process can serve as a litmus test. If the software requires effective ownership of the device for initial installation, it would be of limited use as malware. Typical DRM software has characteristics of malware.
When did the law pass making owning software illegal, as opposed to using it for nefarious means? (Last time I looked CMA required use.)
Anyone have details of the exact charge?
No idea what law it breaks, but apparently the developer of a similar Trojan got 30 months in prison in a similar case:
I’m sure glad that wasn’t a thing when I was a teenager and Cult of the Dead Cow was cool.
I really don't mean to flame-bait, but I've noticed HN has a mild pro-EU/anti-Brexit bias, so I would be remiss if I didn't draw attention to the fact that this is part of what Brexiteers are against.
Here we (apparently) have a case in which the law of the land is at odds with EU regulation. I leave it as an exercise to the reader to research how EU regulations are drafted and ratified.
Disclaimer: I'm a remoaner, but I'm also trying to understand just WTF is going on.
Also AFAIK Europol is a co-operation facility, not a front line policing organisation. It is a means by which the member states co-operate and share intelligence, but not (yet) a source of rules and regulations.
Also the UK's relation to Europol is a bit freestanding, and we opted out of the Justice and Home Affairs stuff, then asked to opt back in to making use of Europol.
Obviously, the prosecution would need to prove intent but it's possible the mere presence of the software could suffice for mens rea — people don't typically buy this software accidentally.
Presumably most people who bought the software will have used it, making a prosecution under S1 CMA more likely.
It's probable that the CPS will only charge people they are likely to get an S1 conviction from and discard any S3A charges as S3A charges will be difficult to prove.
I guess that it's OK if you're a "government" user.
Edit: To unpack that a little, I've read that repressive/authoritarian governments have used these sorts of malware to harass, arrest, and kill people.
And furthermore, I wouldn't be surprised if the UK government itself is using these sorts of malware.
The Security Services of the UK Government have statutory exemptions allowing them to use these tools. These statutory exemptions are contained within the Intelligence Services Act 1994 Section 5 and the Investigatory Powers Act 2016 Section 99.
Hacking tools aren't illegal by default, that I know of anyway.
Also it seems like taking down the website stopped the software working. If it was centralised then there is a link between the theft of bank logins and the associated fraud directly to the website. Of course it might just be dialing in and checking the license as opposed to the website facilitating functionality.
Edit. Just seen an archived page for the tool, looks like a legitimate network access and monitoring tool. If that's the case then arresting the dev seems excessive. I did note that the page provided support, so I wonder if there was some entrapment along the lines of "how do I monitor for bank logins?" Perhaps with enough info to make it clear the tool was being used to perform illegal activity, and that support is what fucked the dev?
A large portion of common law revolves around intent - I think the technical term is "mens rea" (mentioned by another poster).
If a site sold knives as "neighbor killers", with the comment "use this and you can definitely kill your neighbor, $19.95", then all the same considerations would come into play. And knives aren't illegal, at least to cook with.
It's a crime to own the software intending to use it even if you don't actually use it. Arguably, the purchaser intended to use it at the point they made the purchase; people don't typically purchase software like this accidentally (of course there are obvious exceptions like perhaps security researchers wanting to decompile it to understand how to block it in the future, etc.)
AFAIR that's different to how the act was prior to SCA2015. Indeed this section including "material kind" strongly suggests that the original intent was that the Act would punish material damage, rather than a trumped up suggestion by the CPS (on whomever's behalf) that an act might be reckless as to whether it creates an increased risk of serious damage.
This legislation seems to work like "well you went on a road near some property, which is exactly what a criminal who was going to destroy that property would do, so you're clearly guilty". It seems somewhat over-reaching to me.
However, they do have to actually take action and material damage is defined by s3ZA(2) with "damage to human welfare" (s3ZA(2)(a)) constrained by s3ZA(3).
It is unlikely that the threshold for a charge under S3ZA would be met. The more likely charge is S1 (unauthorised access) or S3A(3) which makes it an offence to obtain any article intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA — you don't even have to actually use the software to be criminalised, merely possessing it is enough provided the prosecution can prove your intent beyond reasonable doubt.
You can read the Explanatory Notes for the SCA 2015 amendments that altered the CMA 1990 at http://www.legislation.gov.uk/ukpga/2015/9/notes/division/3/... for background on why these changes were made.
Presumably there would have to be some allegation of UK law-breaking in order to get a search warrant for properties in the UK.
From what I gleaned from that article, IM-RAT was publicly marketed as a remote management tool.
The article further states: "With the amount of reports of this tool being used for malware and the discussion on illegal forums, it would be very hard for the developer to argue that he did not know how the software was being used."
This seems pretty thin. Would the authors of say nmap be liable because people can/do use it for illegal purposes?
Assuming judges signed off on the raids and domain seizure, I sure hope there was evidence of actual criminal activity beyond what is mentioned in the media.
Don't give them any ideas.
- Zerodium - https://zerodium.com
- Exodus Intelligence - https://www.exodusintel.com
- Hacking Team - https://en.wikipedia.org/wiki/Hacking_Team (now dead due to the actions of a very skilled gray hat)
What it looks like now: https://imminentmethods.net/
Their YouTube channel is still up: https://www.youtube.com/channel/UCRgeFHip2Iz97P25_qGkPfw/fee...
As is their Twitter account: https://twitter.com/imminentmethods
From what I can tell, this is just server administration software, but I haven't taken a close look.
Edit: Yeah, apparently it was just disguised as that.
This is "administration software" in the same way the cannabis-leaf-engraved glass smoking pipes sold in your local weed shop are "for tobacco use only"
I can't imagine how people are so clueless.
I mean, is it like "Sure, we're doing iffy stuff, but it's all in good fun, so why would anyone ever bother us?"
Unless they have a history of specifically targeting stalkers with their marketing and/or aiding stalkers or something else I hope the case gets thrown out.
Even then I hope the courts take a good look at this case.
Note: I'm not very happy about stalkers, but we should stick to the laws and not go after people without a good reason.
I'll add however I've seen more than one sketchy dev hide behind the "It's just server admin software" angle. I'm not familiar with the software from TFA so I can't comment where that one stands.
Does ssh not qualify as one? If that's the answer you could have just said so.
For what it's worth: "methods to disable the camera LED" was not a feature, that functionality was provided by an external plugin.
How about if your customers request a function that encrypts the root C:\ and puts up a message with a linked bitcoin address? We still on plausible deniability?
Of course, that doesn't apply to all circumstances and all tools that might be possibly used to commit crime, and it's a valid discussion topic on where exactly the line should be drawn; but that line between crime and not-a-crime definitely has some "I'm just producing tools" people on the crime side of it, not only morally but also legally, and not in some indeterminate future, but for as long as some of these "tool producers" have been alive.
Here's the old scrap of the site: https://web.archive.org/web/20191012003358/https://imminentm...
Bung some code wherever but make profit and market it and you've crossed a line.
Same with guns.
Handguns aren't entirely illegal in the UK. If I'm not mistaken then, roughly speaking, what the law prohibits is rifles below a certain size. In the UK it is possible, for example, to legally own long-barrelled pistols and old flintlock pistols. Another caveat is that the ban doesn't apply in Northern Ireland.
I don't think this really detracts from your point at all.
The law mostly concerns itself with the length of the barrel, the firing mechanism, and the ammo cartridge size, as well as the ability to discharge noxious substances.