The Hacker Who Saved the Internet
May 13, 2020 12:45 AM   Subscribe

From WIRED: "The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet" A level headed account of the man who stopped the WannaCry ransomware, and his subsequent arrest.
posted by benoliver999 (34 comments total) 34 users marked this as a favorite
 
I'm very happy for Marcus Hutchins, but the me of 20-something years ago is wondering what the fuck happened? Mitnick and Zimmermann must be so pissed right about now. Why is it the one mercurial, slightly miraculous judge that's the bright spot rather than the prosecutor who should've known better? Oh wait I know. Everything remains awful.
posted by axiom at 1:55 AM on May 13, 2020 [5 favorites]


I remain annoyed that US prosecutors have this habit of prosecuting people for crimes committed in other jurisdictions when said jurisdictions have reasonably functional justice systems of their own. We shouldn't get to substitute our judgement for that of a person's home society just because Internet.

Absent extenuating circumstances like state sponsorship or an ineffective or nonexistent justice system where the crime was actually committed, absent an explicit request from said jurisdiction.
posted by wierdo at 4:34 AM on May 13, 2020 [8 favorites]


God, this was gripping. Thanks for posting.
posted by ominous_paws at 4:48 AM on May 13, 2020


I remain annoyed that US prosecutors have this habit of prosecuting people for crimes committed in other jurisdictions when said jurisdictions have reasonably functional justice systems of their own. We shouldn't get to substitute our judgement for that of a person's home society just because Internet.

Except that they didn't - they prosecuted him for crimes committed in the US, where they have jurisdiction. The internet doesn't stop being transnational because it becomes inconvenient.
posted by NoxAeternum at 7:08 AM on May 13, 2020 [5 favorites]


So Wannacry almost shut down the entire internet by evildoers who mistakenly employed an internet kill switch before registering the domain, which would have eliminated modern healthcare, travel and industry in a matter of days. This was shown to be the work of North Korean agents, a nation who avoids and suppresses the internet internally. So the lesson here is that most of humanity is doomed to fail if we fix the internet to the point where criminals and despots no longer make their living on it.
posted by Brian B. at 8:18 AM on May 13, 2020


Except that they didn't - they prosecuted him for crimes committed in the US, where they have jurisdiction. The internet doesn't stop being transnational because it becomes inconvenient.

When did Devon become part of the US? When did the UK become unable to prosecute crimes committed within its borders?
posted by wierdo at 8:25 AM on May 13, 2020 [2 favorites]


When did Devon become part of the US? When did the UK become unable to prosecute crimes committed within its borders?

This is where you're missing the point - the principle you're articulating would wind up screwing all of us over, because it wouldn't just apply to one white hat hacker in the middle of the UK. No, it would also apply to large businesses who would make themselves even more functionally immune to regulation and punishment by headquartering in the friendliest locales they could find, then argue that if someone wants to pursue them, they have to do so in those jurisdictions.

Again, the Internet doesn't stop being transnational just because it suddenly becomes inconvenient for you - if you commit crimes transnationally, then you are opened to transnational jurisdiction.
posted by NoxAeternum at 8:57 AM on May 13, 2020 [6 favorites]


At least with regard to the crime in question, the person convicted wasn't the one that spread the malware into the US. That person was sitting in a bedroom in Devon. It's clear no good will come of this conversation, so I'll leave it now.
posted by wierdo at 9:20 AM on May 13, 2020


A bunch of people where sitting in bedrooms in Moscow and St Petersburg, yet we seem to not be happy with Russia interfering with the 2016 US election.
posted by sideshow at 9:40 AM on May 13, 2020


Maybe read the entire comment before being dismissive of a person's point of view. It's not like I wrote a three page screed.

I explicitly mentioned state sponsorship of the crime and jurisdictions with non-functional or ineffective criminal justice systems as reasonable exceptions to the rule.
posted by wierdo at 10:24 AM on May 13, 2020


I'm dismissive of your point of view because I read it all, and how it ignores why courts have rejected the argument you make for cases both criminal and civil when dealing with acts conducted over distances. Principles like the doctrine of minimum contacts came about because the legal system realized that asking those hurt by an individual or an entity to have to seek justice by going to a location far away to petition the courts there for redress is a good way to close the door to the courts.

The argument of "the crime happened in Devon" is trying to have your cake and eat it too - to have transnational, global impact without acknowledging the repercussions of that impact as well. And to his credit, Hutchins seems to have rejected it as well, most likely because of his work showing him the scale of harm that malware does.
posted by NoxAeternum at 10:55 AM on May 13, 2020 [2 favorites]


I explicitly mentioned state sponsorship of the crime and jurisdictions with non-functional or ineffective criminal justice systems as reasonable exceptions to the rule.

If I stand on one side of a border and fire a gun across the border, killing someone, should I be allowed to claim that I committed the crime in a different jurisdiction and should not be extradited?
posted by parliboy at 11:02 AM on May 13, 2020


If you sell a gun to someone who crosses a border and shoots someone else, should you be extraditable? That's the difference here.

We aren't talking about civil cases where you personally have to go to some foreign jurisdiction to bring charges, we're talking about governments. Don't confuse the issue.
posted by wierdo at 11:11 AM on May 13, 2020


I have a feeling you have strong (and hypocritical) opinions on the UK holding Julian Assange, and it really isn't the "crime is in jurisdiction A, but criminal is in jurisdiction B!" part off this you have an issue with.
posted by sideshow at 11:20 AM on May 13, 2020


If you sell a gun to someone who crosses a border and shoots someone else, should you be extraditable? That's the difference here.

If you do so with full knowledge that the gun will be used to commit a crime? Yes, that makes you an accessory and you should be extradited. Hutchins knew that his rootkit (especially the later revision tuned for bank fraud) was being sold for criminal purposes - he couldn't even plead ignorance (not that ignorance should be a defense, either.)

We aren't talking about civil cases where you personally have to go to some foreign jurisdiction to bring charges, we're talking about governments. Don't confuse the issue.

I'm not - the principle is mostly similar between criminal and civil law. Whether we're talking a crime or a tort, the courts have held that the locality where the victim was harmed has jurisdiction. Hutchins knowingly created a tool to commit crimes which was then used to do so in the US - the US government was well within their rights to go after him.
posted by NoxAeternum at 11:39 AM on May 13, 2020 [4 favorites]


This is not the idiosyncratic derail I expected in this thread.
posted by biogeo at 12:26 PM on May 13, 2020 [14 favorites]


The article was an enjoyable read, at least.
posted by ominous_paws at 1:37 PM on May 13, 2020


I dunno, I have this thing where the Black-hats come into the good graces of the world and make bank on White-hat activities. Perhaps, don't do that Black-hat shiz and there'd be less _waves arms around_
posted by 922257033c4a0f3cecdbd819a46d626999d1af4a at 3:09 PM on May 13, 2020 [1 favorite]


I have a feeling you have strong (and hypocritical) opinions on the UK holding Julian Assange

You'd be wrong. People who flee from a jurisdiction in which they committed a crime should be extradited to that jurisdiction to face trial, absent some extenuating circumstance that requires an exception in the interest of justice. Thanks for playing, though!
posted by wierdo at 3:16 PM on May 13, 2020


Perhaps, don't do that Black-hat shiz and there'd be less _waves arms around_

That seems to be more or less the way Hutchins feels about it now, too.
posted by atoxyl at 3:21 PM on May 13, 2020 [1 favorite]


That seems to be more or less the way Hutchins feels about it now, too.

I mean Mitnick's profiteering off his 'hacker' image these days too.
posted by 922257033c4a0f3cecdbd819a46d626999d1af4a at 3:40 PM on May 13, 2020 [1 favorite]


This is not the idiosyncratic derail I expected in this thread.

There's always been a longstanding trend to valorize hackers in the tech community and ignore the actual damage that they do. Yes, Hutchins wound up doing a lot of good as a white hat - but it doesn't change the fact that for a time, he was a malware writer who was knowingly creating code that would be used for criminal ends that had real victims. It's to his credit that he accepted the reality of his past instead of ignoring it (and I have a feeling that his demonstrating true contrition did a lot to sway the judge.)

I would have thought the whole weev fiasco would have woken people up, but sadly it hasn't.
posted by NoxAeternum at 3:50 PM on May 13, 2020 [5 favorites]


Literally nobody commenting on this post has valorized anyone. Maybe you could stop with the repeated strawmanning.
posted by wierdo at 5:42 PM on May 13, 2020 [1 favorite]


I mean Mitnick's profiteering off his 'hacker' image these days too.

My work uses his videos for our security training. It's weird, some of the lessons felt like inside out callbacks to that one conman memoir book of his I read way back when.
posted by EatTheWeek at 7:13 PM on May 13, 2020 [1 favorite]


I don't know enough about the details of this case, but the problem I see with jurisdiction in this type of hacking case is there are victims of the malware worldwide and most western countries do not share the US perspective on appropriate consequences for computer crimes. When a person is prosecuted by a country that does not share the same sense of justice for the offense, and that act is an offense in the country in which that person resides, there is a sense (to me, at least) that justice is not served.

The US treats computer crimes far more severely than most other western nations. However, I think there is another factor in play now too. Outside the US, it is apparent that prosecutions in the US have become overtly political. The rich, the powerful and those (mostly white people) in positions of authority are treated far more leniently than others. While this is no doubt true in other countries too, it appears to have become explicit, if not accepted, in the US.
posted by bigZLiLk at 7:22 AM on May 14, 2020 [2 favorites]


> I don't know enough about the details of this case, but the problem I see with jurisdiction in this type of hacking case is there are victims of the malware worldwide and most western countries do not share the US perspective on appropriate consequences for computer crimes. When a person is prosecuted by a country that does not share the same sense of justice for the offense, and that act is an offense in the country in which that person resides, there is a sense (to me, at least) that justice is not served.

This is not a morally consistent principle due to the simple fact that TCP/IP datagrams don't stop at borders, nor do the financial transactions and illegal products that the hackers are buying and selling. Turn your logic around from the victim's standpoint: is justice done if a hacker resides in a country that doesn't punish computer crimes at all and victimizes people who reside in countries that do? "Sorry, we tried to go after the guy who stole your life savings, but their country says they can't be prosecuted." It's just not a workable principle once you consider that victims deserve rights along with the accused.
posted by tonycpsu at 7:39 AM on May 14, 2020 [3 favorites]


tonycpsu, people in different countries have different perceptions of justice. Someone who lives in a country that cuts off the arm of the one who stole may feel agrieved that another country only sends them to prison. People (or their communities) are not morally consistent, so the justice systems aren't going to be either. I think there is room for countries to acknowledge different expectations of justice outcomes when there is in principle agreement on the offense.
posted by bigZLiLk at 8:00 AM on May 14, 2020


Let's be honest - a good part of the reason that computer crimes aren't taken seriously in many places (including large parts of the US) is because there's been a push by the tech community to downplay them and the damage that they do. Furthermore, the US never demanded any other country arrest or extradite Hutchins - they just went after him when he decided to travel to the US for DefCon, and thus entered into the US' jurisdiction of his own volition.

And let's be honest about another thing - if Hutchins was a US citizen, there'd be some other argument brought up as to why it was a horrible travesty of the law for the FBI to arrest him. I've seen this dance happen several times, and there's always a reason that the law is in the wrong. As I said previously, I would have thought that the community's defense of weev blowing up in their face might have gotten people to start rethinking things, but it really hasn't.
posted by NoxAeternum at 8:13 AM on May 14, 2020 [1 favorite]


> I think there is room for countries to acknowledge different expectations of justice outcomes when there is in principle agreement on the offense.

We have international law to resolve these contradictions when countries must share resources like the Internet. The state of international law with respect to computer crimes allows for Hutchins to be prosecuted for crimes he committed against victims in the U.S. Countries that don't like that are under no obligation to connect their computers to the Internet, or to extradite their citizens to the US.

You will get no argument from me on the racial / class / power dynamics of which you speak, but the idea of nation states getting to set their own parameters for prosecuting cybercrime that supersede those of the countries that operate the Internet backbones seems pretty far-fetched.
posted by tonycpsu at 8:16 AM on May 14, 2020


I'm confused, since last I checked England has no trouble whatsoever prosecuting computer crimes. Also, it seems a pretty shitty thing to do to lie in wait so that the accused has to defend themselves in an unfamiliar legal system far from home and the support networks they may have. Sometimes that's unavoidable for the reasons I outlined in my first comment and probably some others besides, but it should be a last resort, not the first choice.

Waiting until the absolute last moment before making an arrest you know you're going to make anyway seems kinda shitty (and a bit stupid), too. Why delay if it's so crucial that he be prosecuted in the US? Had he been slightly more paranoid, he could have easily skipped town.

Also, it would be really nice if you'd stop being a jackass with your repeated insinuations and strawmen, NoxAeternum. At no point has anyone here said he should have escaped any consequences for his crime. We are all careless with our writing from time to time, but continuing after you've been asked to knock it off is rude at best.
posted by wierdo at 9:32 AM on May 14, 2020


To be clear, it would be perfectly reasonable to prosecute someone in Nevada who flew there, got drunk, and battered someone on the strip. Not only would there there be geographic proximity in that case, but also temporal proximity.

Justice would have been done a lot sooner (and he may well have been penalized more harshly, as it turned out) had Hutchins been prosecuted in England.
posted by wierdo at 9:40 AM on May 14, 2020


The UK is free to prosecute Hutchins (or not) for any of his crimes that harmed UK citizens as they see fit. They could have also reached out through the proper channels to talk to their good friends in the US if they felt one of their citizens was being treated unfairly.

I happen to think the FBI was just doing their job and did it well, but that the case shouldn't have been prosecuted. Prosecutorial discretion exists for a reason, and if it's not for cases like Hutchins', I don't know what it's for other than letting the powerful off the hook.
posted by tonycpsu at 9:42 AM on May 14, 2020


Wait, there was a chance we could destroy the internet and someone stopped it?? The mind boggles.
posted by slogger at 10:05 AM on May 14, 2020 [1 favorite]


Mod note: One comment removed, and I'm going to ask folks going in circles with each other to step away in general. I'm also going to underscore the idea that "here's how I feel about this" is an okay tack for commenting and "here's you I've decided you feel about this" is a crappy one that folks need to avoid. Speak for yourself, don't tell people what opinion you've decided they have.
posted by cortex (staff) at 10:31 AM on May 14, 2020


« Older Doctor Who and Maybe You   |   Robert Pattinson: A Dispatch from Isolation Newer »


This thread has been archived and is closed to new comments