Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com)
An anonymous reader quotes Motherboard:
A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.
Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames' LinkedIn page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.
The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.
Illegal product? (Score:5, Insightful)
Re: (Score:1)
Heavy-handed over-reaction. 10 years?!
It has great propaganda value.
The FBI/DEA/DHS/etc would love to hire him, but he wasn't smart enough to evade capture
Re: (Score:1)
Re: (Score:2)
That would make a great movie. Fucking Hollywood, they'd rather do a 19th remake of The Great Gatsby.
Re:Illegal product? (Score:5, Interesting)
Congratulations, the marketing speak of the headline worked 100% on you, you must be proud of the fact that you fall into the headline writer's perfect audience demographic of suggestibility.
He won't get anything like 10 years, that's the maximum possible. The headline is designed to whip you into an outraged state, nothing more.
Re: (Score:2)
Popehat has addressed this issue [popehat.com] several times [popehat.com] about how the reported maximum penalty for such a case means little.
Re: (Score:2)
This is completely inexcusable on part of the Slashdot editors. I'd like to hear how they justify something like this for their allegedly intended audience.
Re: Illegal product? (Score:2)
The answer is simple: the editors aren't as smart as the nerds that previously frequented this site.
I've never met them, but my guess would be that the current owners just found people who "like computers" and hired them, rather than searching for the more intellectual types who sometimes were involved in the past (not always, though: remember Jon Katz?).
Re: (Score:2)
Who wants to risk 10 years in prison?
Evidently this kid did.
Re:Illegal product? (Score:5, Insightful)
Perhaps he shouldn't have been engaged in criminal activity and his life would be just fine.
Contrariwise, perhaps selling software shouldn't be criminal activity.
Re: (Score:2)
fail.
Re: (Score:1)
It could also be used by an employer to monitor employee actions. Most employers use this same exact technology branded as "data loss prevention software" to record all employee actions. It's designed to hide in the OS so an employee can't disable it, it uploads all of its details to the servers for analysis, and it monitors everything an employee does, sometimes including keystrokes.
Like anything, in the wrong hands it can be used for nefarious purposes.. cars can be used to run people down, fertilizer and
Re: (Score:1)
Selling guns to criminals and terrorists should also be legal since you aren't actually pulling the trigger.
Oh, wait. It is legal.
Selling guns to law abiding citizens who use them to protect themselves and others is as well and happens far more often than sales to future criminals/terrorists.
So is selling terrorists/criminals a truck they use to mow down a crowd of people. It too is used far more often for legitimate purposes.
You, on the other hand, probably shouldn't be trusted with a spork without supervision.
Re: (Score:2)
So is selling guns to individuals with mental health problems (been in the whowho house) and a myriad of other reasons
Guns are not specifically designed for illegal activity, as this software was.
Re: (Score:2)
And all those laws are unconstitutional. The 2nd amendment is pretty simple, as long as you're a person, your right to have a gun is not to be infringed. Unluckily when the government does illegal stuff, it's hard to do anything about it besides ignore them if possible.
Re: (Score:3)
The 2nd amendment is pretty simple, as long as you're a person, your right to have a gun is not to be infringed.
Your right to have a gun in order to form a well regulated militia shall not be infringed. Show me what well regulated militia you are joining, and I'll sell you the gun.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'll bet he signed something to get that job which stated he was not a crook...
And God help him if that software is found on anything that related to his work or any other government system, because that takes it to a whole new level.
Re: (Score:2)
c) Committed felonies while employed by a defense contractor.
I'll bet he signed something to get that job which stated he was not a crook...
Legally he wasn't a "crook", since he hadn't been convicted of anything at that time.
Re: (Score:2)
Legally he wasn't a "crook", since he hadn't been convicted of anything at that time.
It would seem that he was a crook who just hadn't been caught or convicted yet.
Under your view, if you murder a person but aren't convicted of doing it, you're somehow not a murderer?
And for the record, I don't even buy the "legally" qualifier. You are what you are, whether a court confirms it or not.
If I murder someone but I'm not convicted of it, I'm still a murderer. A legal ruling (or lack of one) in the eyes of the law doesn't change the reality of what I did.
Re: (Score:2)
Your whole post is irrelevant to the point...
Have you ever applied for a job? They ask "have you ever been convicted of a felony?" not "will you ever be convicted of a felony?"
Re: (Score:2)
Have you ever applied for a job? They ask "have you ever been convicted of a felony?" not "will you ever be convicted of a felony?"
Yes, and for some jobs they ask things like, "Have you ever committed a crime for which you haven't been caught?"
The point is to find out if you engage in criminal activity, not just if you've been convicted.
Re: (Score:2)
Yes, and for some jobs they ask things like, "Have you ever committed a crime for which you haven't been caught?"
And because you say so makes it true? No major company (read: one who had any lawyers review the application forms) would ask that on a written application (at least today) because it's not even legally enforceable. Pretty much everyone has broken the law at some point and not been caught - most people have broken the law at least once and never known it. In fact, in this very case it's entirely possible that the defendant didn't think he was breaking the law - many /. users here are arguing (probably in
Re: (Score:2)
No major company (read: one who had any lawyers review the application forms) would ask that on a written application (at least today) because it's not even legally enforceable.
Really? Apply to the FBI, CIA, NSA, or other three-letter security agencies and you'll be asked this question. Apply to the DOE Security Forces and they'll ask this.
You've also never had a Secret or Top-Secret clearance, because they usually ask you this question for those as well. At least they did when I was applying for mine. Granted it's been a while but I'd be surprised if that question (or one with the same intent) isn't still asked.
In fact, in this very case it's entirely possible that the defendant didn't think he was breaking the law - many /. users here are arguing (probably incorrectly) that he in fact did not.
Sure, but that's not the point of the question; the point is to ask i
Re: (Score:2)
Apply to the FBI, CIA, NSA
We are not talking about government agencies with security clearance. Did you where I said COMPANY?
Fifteen years later you're applying for a TSC or above, and they ask you the question, usually while hooked to a polygraph.
See above, plus, did you see where I said WRITTEN APPLICATION?
Sure, but that's not the point of the question; the point is to ask if you have knowingly broken the law, and most people know whether they have or not. That's what the question is designed to get at.
And hence, the WHOLE ORIGINAL POINT - you called him a crook who hadn't been caught, but you have no idea whether HE thought what he did was illegal, and neither does anyone else. Since what he thinks is entirely up to him, it would be totally unenforceable in a job application in his case.
Re: (Score:2)
Did you where I said COMPANY?
did you see where I said WRITTEN APPLICATION?
Your CAPITAL LETTERS are very IMPRESSIVE.
Re: (Score:2)
Well, you missed those key words from my previous post, so I had to try something more drastic if I was going to repeat them, and unfortunately the blink tag is no longer supported...
Plus, it seemed like you expected me to be impressed with the specific caps you used in your comment, so I figured you'd find them impressive! ;)
Re: (Score:2)
Re: (Score:2)
Unlikely, because, once again, IT'S NOT A CRIME IN THE EYES OF THE LAW UNTIL YOU ARE CONVICTED.
And if you are convicted of a felony AFTER you start working for a company, they will have a right to fire you, anyway.
Re: (Score:2)
Under your view, if you murder a person but aren't convicted of doing it, you're somehow not a murderer?
Have we abandoned the idea of "presumed innocent"?
Re: (Score:2)
Have we abandoned the idea of "presumed innocent"?
I'm not talking whether or not you've been convicted, I'm talking about the reality of one's actions.
If you murder someone then you are, in fact, a murderer whether or not you're taken to court and found guilty.
Re: (Score:1)
May as well murder someone. You get less jail time.
Re: (Score:2)
Heavy-handed over-reaction. 10 years?!
If I was King, he'd be getting burnt at the stake. Keep in mind that there are a wide variety of views on the appropriate punishment, and even on the type of crime committed. If he was part of an organized crime operation and distributed burglary tools to 3000 accomplices who burgled 16000 people, I would want to see a life sentence just to keep him off the street. That's a huge amount of crime to be responsible for! Anything less than a life sentence is a slap on the wrist IMO.
This wasn't some sort of nann
Re: (Score:3)
> " 16000 people had their property invaded for nefarious purposes!
Did he do it or did he make the tool?
Or are we going to start going after Smith & Wesson now too?
Re:Illegal product? (Score:4, Insightful)
The problem is, it's not illegal to manufacture or sell guns that are used in a crime. It's illegal to sell malware that is used to commit a crime.
Maybe we should go after Smith & Wesson. But not until it's made illegal. I think you are conflating legality with morality here.
Re: (Score:2)
Re: (Score:2)
No, I never said or even implied it was ok, if anything I implied that the law should be changed. But until it is, *laws* are what define criminal vs immoral.
Re: (Score:2)
Re:Illegal product? (Score:5, Insightful)
Smith & Wesson does not advertise their product as a tool to use for robbery. If they started putting posters up in rough neighborhoods telling people where to buy it without a background check, and then one of those weapons purchased that way was used in a murder, then they would be responsible.
That is the difference. Smith & Wesson makes a product and only advertises legal uses of their product, and there are many legal uses. So no problem!
This guy made a tool and advertised it as being useful in committing crimes. That is part of what he was accused of in the first place. If he had advertised it as a debugging tool for programmers, and advertised it in normal places, then no problem! Keyloggers are legal. But malware intended to be installed without permission is not. And if he only advertised it in normal places, he might not get any sales, because programmers wouldn't pay for that; they would just download and compile one, or use the one that came with one of their pen testing tools.
If you make security tools available to ignorant criminals who couldn't do it on their own, that will turn out to be provable and you will be punished.
Just like, if you opened a martial arts dojo and advertised it as a way to be better at assaulting people, and one of your students then assaulted somebody, you'd have problems! Whereas if you keep your mouth shut and don't try to capitalize on the illegal uses of fighting arts, then no problem! Then if your student assaults somebody it is only bad PR.
It isn't enough that there is some theoretical legal use for something. You have to also NOT be claiming that it is really for an illegal use. ;)
Re: (Score:2)
16000 people had their property invaded for nefarious purposes!
I know for a fact that it's mostly just people who want to snoop on their bf/gf. It's not nefarious.
Re: (Score:2)
Re: (Score:2)
He made and sold a tool to commit crimes. Willingly and knowingly. I love how people so desperately want to ignore intent.
Re: Illegal product? (Score:1)
It must suck to not have the capacity to understand that it is not in any way illegal to sell software that can be used for auditing a system. What is illegal is to use it on a system that is not your own. After all, commercial keyloggers have existed and been sold for decades.
Re: (Score:1, Informative)
Same AC as the GP. Please educate yourself on what the keylogger actually does: link to research paper [trendmicro.com].
Among other things, Limitless was designed to steal saved passwords in a number of applications, deny browser access to certain websites, and force logins to Steam. The behavior seems like malware to me.
Re: Illegal product? (Score:1)
So what, it's just software for a computer. Nothing that should be taken seriously, similar to the Internet - just for playing with.
Re: (Score:2)
Keyloggers are legal software. Often it is marketed for keeping track of what your kids are up to so you don't have to stand over them when they use computers. Saying that a keylogger by default is illegal is short sighted at the least, and incredibly far reaching of the FBI. There is nothing inherently illegal about the ability to track keystrokes, and many companies use keyloggers to monitor their employees, which has been deemed entirely legal. It is the use it is put to which can be legal or illegal
Re: (Score:3, Insightful)
If he had been consistent to market it as an auditing system, he might have been ok. But instead he marketed it on sites like "Hack Forums" specifically for the purpose of... hacking. And that was illegal. Intent matters (and in fact was probably what the case hinged on).
Re: (Score:2)
What case? He pled guilty, which means that he couldn't afford a lawyer and was afraid of getting the maximum sentence if he fought it.
Re: Illegal product? (Score:5, Insightful)
Someone should try to bring justice back to the justice system.
Re: Illegal product? (Score:4, Funny)
Someone should try to bring justice back to the justice system.
Sorry, I think that's been made illegal. How's a third-rate alcoholic prosecutor to make a name for himself that way?
Strat
Re: (Score:2)
Re: (Score:2)
href [wikipedia.org]
Re: (Score:2)
What is malware? Define it in a way that no legal software is included.
Re: (Score:2, Insightful)
Never write a keylogger. (Score:5, Insightful)
Write an input debugger with logging instead.
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
You know that isn't a keylogger?
I'm sure you could use it as such, but its footprint is relatively huge. Also it's already in all the virus definitions.
Re: (Score:2)
Re: (Score:2)
Remote desktop, it's a keylogger like a car is a portable air conditioner.
Microsoft (Score:1)
Is also selling a keylogger in Windows 10 and nothing happens to them?
Illegal? (Score:5, Insightful)
I'm curious what aspect of this was illegal. The keylogging itself isn't illegal. If someone buys and installs keylogger software on devices they own, that's not illegal. If someone installs software of that kind on someone else's device, without the owner's permission, then the person who did the installation broke the law. Not the author of the software.
Both articles are vague in that regard, but one states, "intentionally cause damage without authorization", which may mean the software had the capability to erase files or do something harmful besides capturing data.
Unless the software actively multiplied and installed itself without permission somehow, it would seem to me that the customers are (in some specific cases) the guilty parties.
Re: (Score:3)
And that's why you aren't a lawyer.
Re: (Score:2)
So are you saying cell phones manufacturers are guilty of manufacturing spy devices, because a cell phone can be hidden in a room and used to capture audio and video without the express permission of other people in that room? Or is the person who did the recording guilty?
Re: (Score:2)
This has already been stated by a bunch of people, but the difference is INTENT. This guy made a keylogger and sold it on hacking forums for the purpose of spying on people.
Your analogy only makes sense if the cell phone manufacturers marketed them as spy devices, which obviously they don't. If they did, they would be criminally liable for selling hacking/spying devices as well.
Re: (Score:1)
You sell where the buyers are or you're not a very successful businessman unless you're lucky enough to break into a new demographic and corner the market.
Re: (Score:2)
Nice theory. Now call your local locksmiths and ask them to sell you lockpicks.
There are restricted classes of buyers everywhere. From police (certain weapons and body armor) to geotechnical and demolitions experts (detonating caps and industrial explosives) to the everyday people known as patients (antibiotics and narcotic prescriptions).
You're free to
Re: (Score:2)
Mere possession of tools should not constitute illegality. Intent to use such tools, at a minimum, should be required. Most countries agree with regards to lock picking laws--computer programs should be no different. https://en.wikipedia.org/wiki/... [wikipedia.org]
Liabil
Re: (Score:2)
TL;DR
Designing keyloggers and selling them to people is, apparently (we'll see) illegal.
The legal system will sort it out.
You and I will not.
Re: (Score:2)
Lock picks aren't illegal either, but carrying burglary tools often is.
The Court doesn't care about, "Can the defendant show that the tool/weapon/whatever has a legit other use than he is accused of?" That would be silly. The Court instead tries to figure out what was actually going on in a particular instance. So nobody cares if it would be legal in another situation. In this situation we have victims whose devices were invaded in a way that is a crime. The government accused the defendant of having made t
Re: (Score:2)
> He was an idiot to become a defense contractor, ... If you've got an existing criminal enterprise, don't go there.
The only proof we've been given that there was a criminal enterprise is that the kid plead guilty.
Plenty of innocent people plead. Sometimes even at their lawyer's recommendation.
If you've evidence about this case not available in the DOJ press release, please share it with us.
Re: (Score:2)
If you're saying he might be a liar, that isn't making me think it is more likely that he is also innocent.
Re: (Score:3)
A liar for pleading guilty while innocent? You're really asking that.
What would your choice be?
- 2 years of probation, and a $6,000 lawyer bill that you can hope to pay off, or...
- 2 years in jail [techdirt.com] after losing a one year court fight, with an attorney fee of ~$150,000 that you have no hope of paying off in under 30 years.
Please, tell me whether you'd lie and plead guilty, or mortgage your future and go to jail anyway?
Re:Illegal? (Score:4, Insightful)
Re: (Score:2)
I think what's really interesting here is that the keylogger is described as an "illegal product" in a United States Attorney's Office press release. Those guys are lawyers, and they know the product itself is NOT illegal.
Well....not to put too fine a point on it, but lawyers have been known to lie and/or misstate the truth, especially when it furthers their case.
Shocking, I know, but there ya have it.
Re: (Score:2)
And yet .... (Score:2)
Re:And yet .... (Score:4, Insightful)
How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?
Presumably because they can't monitor your mouse movements and key strokes when you're on another site that isn't theirs.
Yahoo is welcome to monitor your mouse movements and key strokes when you're on Yahoo, but If Yahoo could monitor your mouse movements and key strokes when you were on CNN or Google, then there would be a problem, no?
Re: (Score:1)
How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?
Presumably because they can't monitor your mouse movements and key strokes when you're on another site that isn't theirs.
How naive. Of course they can. When I worked for the Russians, that was one of the tasks we were given. Did a proof of concept, but also managed to convince them that it was illegal as all hell (because it is) so it was never deployed. Leave it to the cocksuckers of Silly Valley to think that they're so far above the law that they can do anything because $$$+Internet.
Re: (Score:2)
Re: (Score:2)
I'll go ahead and be that guy (Score:2)
10 years for bad-evil-scary hacking, that is alleged to have affected 16,000 people, but nothing for the CEOs who burned down the economy and that were putting nearly 135,000 families per quarter out of their homes [wsws.org] in 2002.
Re: (Score:2)
firstly just because someone else got away with something doesn't mean you shouldn't punish someone who INTENTIONALLY broke the law for profit.
Straw man. You could just as easily read what I said to mean the bankers should have been punished. Which is what I meant.
secondly many of the people that lost their homes did so because of their own greed and stupidity
And many lost them because banks fraudulently filed paperwork that the homeowner wasn't aware of.
if you overleverage yourself without doing some basic research then you are at least partly responsible for the rod you created for your back.
And if the research you do is to ask the bank questions, and what they tell you is false, whose responsibility is that?
Many of those CEO's were definitely incompetent and should be sacked, being incompetent is not a criminal offense though.
Fraud is a criminal offense.
Damn... (Score:4, Insightful)
Re: (Score:1)
He didn't do anything other than sell a tool
He made, sold and advertised the tool with the exclusive purpose of having it used for crime. Coincidentally he is charged with helping criminals "aiding and abetting computer intrusions". Knowingly selling tools/services for a crime is illegal, had he advertised it for a legal purpose and cut contact with every potential buyer expressing interest in illegal activities he may have gotten away with it.
Exact wording. (Score:5, Interesting)
(All in violation of Title 18,United States Code, Section 1030(a)(5)(A) and 2)
https://regmedia.co.uk/2017/01... [regmedia.co.uk]
So what he plead guilty to was developing the software and then knowingly selling it to people who would be breaking the law. If he had marketed it toward the general public instead of marketing to crackers it would have not been a problem. For example I can sell and train people in lock picking all I want, however if someone comes up to me and says they want to break into a house with type X lock and want training and tools and I sell it to them then I am in trouble.
Re: (Score:2)
Better start jailing .. (Score:1)
the sentence is much too light... (Score:1)
Personally, I'd like him to be sentenced to:
- 2 years jail.
- probation, where he must spend the remaining 70080 hours (8 years * 365 days * 24 hours) doing community service.
He can use his skills teaching basic computer usage to senior citizens, preschoolers, etc.
- no "personal access" to computers outside his community service work, until every last hour is worked off.
Re: (Score:2)
They are going to use existing laws to apply due process, so your post is a waste.
Re: (Score:2)
Re: (Score:2)
Damage done by guns can be tremendous, it's the manufacturers that really do deserve severe penalties.
Since in the US guns are used far more often by law abiding citizens to protect themselves and others than they are used by criminals, do we then give gun makers rewards? Fair is fair, right?
Example: http://www.dailymail.co.uk/new... [dailymail.co.uk]
Example: http://www.khou.com/news/local... [khou.com]
And those were just the examples that hit the news (most never do) in the last couple weeks that popped up at the top of Google results. There were many more.
We need a national program to treat the mass-hoplophobia that seems to be sprea
Re: (Score:2)
Re: (Score:2)
Yep. You think if a gun manufacturer marketed their product as "perfect for bank robberies and drive-bys", they wouldn't be held liable? Context - and intent - are absolutely key...
Re: (Score:2)
Legally it sure is... why else would politicians and lawyers be so good at it?
Re: (Score:2)
What's on MY computer is not the business of any private person unless I have given them permission. This little shithead abetted invading the privacy of thousands of people.
If you find out someone recorded video of you undressing in your bedroom, are you going to go after the camera manufacturer?
Ad: "she'll never see this camera in her bedroom" (Score:2)
> If you find out someone recorded video of you undressing in your bedroom, are you going to go after the camera manufacturer?
If the manufacturer of "smoke alarm hidden camera" advertises on voyeur porn sites, with ads that say "She'll never notice this camera hidden in her bedroom!", then yes that would be a legitimate suit.
Re: (Score:2)
If you find out someone recorded video of you undressing in your bedroom, are you going to go after the camera manufacturer?
If the camera manufacturer advertised the cameras as "perfect for secretly recording people undressing" I sure would. And I'd win a bunch of money from it.
Re: (Score:2)
What's on MY computer is not the business of any private person unless I have given them permission. This little shithead abetted invading the privacy of thousands of people.
If you find out someone recorded video of you undressing in your bedroom, are you going to go after the camera manufacturer?
If the camera manufacturer was creating, marketing and selling the camera for the express purpose of secretly recording people undressing in their bedroom then you bet your fucking arse I would be going after the manufacturer in addition to the person that did it.