Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Crime Privacy The Courts

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers (vice.com) 181

An anonymous reader quotes Motherboard: A 21-year-old from Virginia plead guilty on Friday to writing and selling custom spyware designed to monitor a victim's keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice.

Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, "and continued to modify and market the illegal product from his college dorm room," according to the feds... While the feds only vaguely referred to it as "some malicious keylogger software," it appears the spyware was actually called "Limitless Keylogger Pro," according to evidence found by a security researcher who asked to remain anonymous... According to what appears to be Shames Linkedin page, he was an intern for the defense contractor Northrop Grumman from May 2015 until August 2016.

The Department of Justice announced that he'll be sentenced on June 16, and faces a maximum of 10 years in prison.
This discussion has been archived. No new comments can be posted.

Student Hacker Faces 10 Years in Prison For Spyware That Hit 16,000 Computers

Comments Filter:
  • Illegal product? (Score:5, Insightful)

    by sinij ( 911942 ) on Saturday January 14, 2017 @02:52PM (#53668123)
    Heavy-handed over-reaction. 10 years?! Unless this was self-spreading malware, the issue here is that kid a) talked to feds b) couldn't afford decent lawyer.
    • Heavy-handed over-reaction. 10 years?!

      It has great propaganda value.

      The FBI/DEA/DHS/etc would love to hire him, but he wasn't smart enough to evade capture

      • Why would they want to hire some kids who wrote a basic keylogger that was likely easily detectable? No real skills to that. Just some kid writing a piece of malicious code for a small profit, should've stuck to mowing lawns or flipping burgers Now he'll spend the next 10 years tossing salads
      • That would make a great movie. Fucking Hollywood, they'd rather do a 19th remake of The Great Gatsby.

    • Re:Illegal product? (Score:5, Interesting)

      by Richard_at_work ( 517087 ) <.richardprice. .at. .gmail.com.> on Saturday January 14, 2017 @03:02PM (#53668191)

      Congratulations, the marketing speak of the headline worked 100% on you, you must be proud of the fact that you fall into the headline writers perfect audience demographic of suggestibility.

      He won't get anything like 10 years, that's the maximum possible. The headline is designed to whip you into an outraged state, nothing more.

      • by cdrudge ( 68377 )

        Popehat has addressed this issue [popehat.com] several times [popehat.com] about how the reported maximum penalty for such a case means little.

      • by g01d4 ( 888748 )

        the marketing speak of the headline

        This is completely inexcusable on part of the Slashdot editors. I'd like to hear how they justify something like this for their allegedly intended audience.

        • The answer is simple: the editors aren't as smart as the nerds that previously frequented this site.

          I've never met them, but my guess would be thst the current owners just found people who "like computers" and hired them, rather than searching for the more intellectual types who sometimes were involved in the past (not always, though: remember Jon Katz?).

    • c) Committed felonies while employed by a defense contractor.
      I'll bet he signed something to get that job which stated he was not a crook...
      And God help him if that software is found on anything that related to his work or any other government system, because that takes it to a whole new level.
      • by Dahamma ( 304068 )

        c) Committed felonies while employed by a defense contractor.
        I'll bet he signed something to get that job which stated he was not a crook...

        Legally he wasn't a "crook", since he hadn't been convicted of anything at that time.

        • Legally he wasn't a "crook", since he hadn't been convicted of anything at that time.

          It would seem that he was a crook who just hadn't been caught or convicted yet.

          Under your view, if you murder a person but but aren't convicted of doing it, you're somehow not a murderer?

          And for the record, I don't even buy the "legally" qualifier. You are what you are, whether a court confirms it or not.

          If I murder someone but I'm not convicted of it, I'm still a murderer. A legal ruling (or lack of one) in the eyes of the law doesn't change the reality of what I did.

          • by Dahamma ( 304068 )

            Your whole post is irrelevant to the point...

            Have you ever applied for a job? They ask "have you ever been convicted of a felony?" not "will you ever be convicted of a felony?"

            • Have you ever applied for a job? They ask "have you ever been convicted of a felony?" not "will you ever be convicted of a felony?"

              Yes, and for some jobs they ask things like, "Have you ever committed a crime for which you haven't been caught?"

              The point is to find out if you engage in criminal activity, not just if you've been convicted.

              • by Dahamma ( 304068 )

                Yes, and for some jobs they ask things like, "Have you ever committed a crime for which you haven't been caught?"

                And because you say so makes it true? No major company (read: one who had any lawyers review the application forms) would ask that on a written application (at least today) because it's not even legally enforceable. Pretty much everyone has broken the law at some point and not been caught - most people have broken the law at least once and never known it. In fact, in this very case it's entirely possible that the defendant didn't think he was breaking the law - many /. users here are arguing (probably in

                • No major company (read: one who had any lawyers review the application forms) would ask that on a written application (at least today) because it's not even legally enforceable.

                  Really? Apply to the FBI, CIA, NSA, or other three-letter security agencies and you'll be asked this question. Apply to the DOE Security Forces and they'll ask this.

                  You've also never had a Secret or Top-Secret clearance, because they usually ask you this question for those as well. At least they did when I was applying for mine. Granted it's been a while but I'd be surprised if that question (or one with the same intent) isn't still asked.

                  In fact, in this very case it's entirely possible that the defendant didn't think he was breaking the law - many /. users here are arguing (probably incorrectly) that he in fact did not.

                  Sure, but that's not the point of the question; the point is to ask i

                  • by Dahamma ( 304068 )

                    Apply to the FBI, CIA, NSA

                    We are not talking about government agencies with security clearance. Did you where I said COMPANY?

                    Fifteen years later you're applying for a TSC or above, and they ask you the question, usually while hooked to a polygraph.

                    See above, plus, did you see where I said WRITTEN APPLICATION?

                    Sure, but that's not the point of the question; the point is to ask if you have knowingly broken the law, and most people know whether they have or not. That's what the question is designed to get at.

                    And hence, the WHOLE ORIGINAL POINT - you called him a crook who hadn't been caught, but you have no idea whether HE thought what he did was illegal, and neither does anyone else. Since what he thinks is entirely up to him, it would be totally unenforceable in a job application in his case.

                    • Did you where I said COMPANY?
                      did you see where I said WRITTEN APPLICATION?

                      Your CAPITAL LETTERS are very IMPRESSIVE.

                    • by Dahamma ( 304068 )

                      Well, you missed those key words from my previous post, so I had to try something more drastic if I was going to repeat them, and unfortunately the blink tag is no longer supported...

                      Plus, it seemed like you expected me to be impressed with the specific caps you used in your comment, so I figured you'd find them impressive! ;)

                • by nomadic ( 141991 )
                  There's nothing unlawful about asking the question, and if you lie on it and they find out, they can absolutely use that against you in a breach of contract action.
                  • by Dahamma ( 304068 )

                    Unlikely, because, once again, IT'S NOT A CRIME IN THE EYES OF THE LAW UNTIL YOU ARE CONVICTED.

                    And if you are convicted of a felony AFTER you start working for a company, they will have a right to fire you, anyway.

          • by AK Marc ( 707885 )

            Under your view, if you murder a person but but aren't convicted of doing it, you're somehow not a murderer?

            Have we abandoned the idea of "presumed innocent"?

            • Have we abandoned the idea of "presumed innocent"?

              I'm not talking whether or not you've been convicted, I'm talking about the reality of one's actions.

              If you murder someone then you are, in fact, a murderer whether or not you're taken to court and found guilty.

          • May as well murder someone. You get less jail time.

    • Heavy-handed over-reaction. 10 years?!

      If I was King, he'd be getting burnt at the stake. Keep in mind that there are a wide variety of views on the appropriate punishment, and even on the type of crime committed. If he was part of an organized crime operation and distributed burglary tools to 3000 accomplices who burgled 16000 people, I would want to see a life sentence just to keep him off the street. That's a huge amount of crime to be responsible for! Anything less than a life sentence is a slap on the wrist IMO.

      This wasn't some sort of nann

      • > " 16000 people had their property invaded for nefarious purposes!

        Did he do it or did he make the tool?

        Or are we going to start going after Smith & Wesson now too?

        • by Dahamma ( 304068 ) on Saturday January 14, 2017 @03:43PM (#53668359)

          The problem is, it's not illegal to manufacture or sell guns that are used in a crime. It's illegal to sell malware that is used to commit a crime.

          Maybe we should go after Smith & Wesson. But not until it's made illegal. I think you are conflating legality with morality here.

        • by Aighearach ( 97333 ) on Saturday January 14, 2017 @08:45PM (#53669685) Homepage

          Smith & Wesson does not advertise their product as a tool to use for robbery. If they started putting posters up in rough neighborhoods telling people where to buy it without a background check, and then one of those weapons purchased that way was used in a murder, then they would be responsible.

          That is the difference. Smith & Wesson makes a product and only advertises legal uses of their product, and there are many legal uses. So no problem!

          This guy made a tool and advertised it as being useful in committing crimes. That is part of that he was accused of in the first place. If he had advertised it as a debugging tool for programmers, and advertised it in normal places, then no problem! Keyloggers are legal. But malware intended to be installed without permission is not. And if only advertised it in normal places, he might not get any sales, because programmers wouldn't pay for that they would just download and compile one, or use the one that came with one of their pen testing tools.

          If you make security tools available to ignorant criminals who couldn't do it on their own, that will turn out to be provable and you will be punished.

          Just like, if you opened a martial arts dojo and advertised it as a way to be better at assaulting people, and one of your students then assaulted somebody, you'd have problems! Whereas if you keep your mouth shut and don't try to capitalize on the illegal uses of fighting arts, then no problem! Then if your student assaults somebody it is only bad PR.

          It isn't enough that there is some theoretical legal use for something. You have to also NOT be claiming that it is really for an illegal use. ;)

        • 16000 people had their property invaded for nefarious purposes!

          I know for a fact that it's mostly just people who want to snoop on their bf/gf. It's not nefarious.

    • The issue is that the kid sold the software to the wrong people. If he had sold it to the FBI instead, he'd be a 100,000$ richer now.
    • by SirSlud ( 67381 )

      He made and sold a tool to commit crimes. Willingly and knowingly. I love how people so desperately want to ignore intent.

  • by HornWumpus ( 783565 ) on Saturday January 14, 2017 @02:52PM (#53668125)

    Write an input debugger with logging instead.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      Or just upgrade to Windows 10.
    • by AK Marc ( 707885 )
      https://en.wikipedia.org/wiki/... [wikipedia.org] It's been around for years. Why write your own, when you could have just extended someone else's work and claim innocence?
      • You know that isn't a keylogger?

        I'm sure you could use it as such, but it's footprint is relatively huge. Also it's already in all the virus definitions.

        • by AK Marc ( 707885 )
          It isn't a keylogger? I only ever used it as such, and it made a great one, configured to send every keystroke to a central server in real time, or saving a local log with every keystroke. Used it to catch a person who clocked in for overtime, then went on Yahoo Chat and did things that would have gotten him fired without the outright theft of company time.
  • by Anonymous Coward

    Is also selling a keylogger in Windows 10 and nothing happens to them?

  • Illegal? (Score:5, Insightful)

    by Dan East ( 318230 ) on Saturday January 14, 2017 @02:57PM (#53668165) Homepage Journal

    I'm curious what aspect of this was illegal. The keylogging itself isn't illegal. If someone buys and installs keylogger software on devices they own, that's not illegal. If someone installs software of that kind on someone else's device, without the owner's permission, then the person who did the installation broke the law. Not the author of the software.

    Both articles are vague in that regard, but one states,

    intentionally cause damage without authorization

    ,
    Which may mean the software had the capability to erase files or do something harmful besides capturing data.

    Unless the software actively multiplied and installed itself without permission somehow, it would seem to me that the customers are (in some specific cases) the guilty parties.

    • And that's why you aren't a lawyer.

      • So are you saying cell phones manufacturers are guilty of manufacturing spy devices, because a cell phone can be hidden in a room and used to capture audio and video without the express permission of other people in that room? Or is the person who did the recording guilty?

        • by Dahamma ( 304068 )

          This has already been stated by a bunch of people, but the difference is INTENT. This guy made a keylogger and sold it on hacking forums for the purpose of spying on people.

          Your analogy only makes sense if the cell phone manufacturers marketed them as spy devices, which obviously they don't. If they did, they would be criminally liable for selling hacking/spying devices as well.

          • You sell where the buyers are or you're not a very successful businessman unless you're lucky enough to break into a new demographic and corner the market.

            • by DRJlaw ( 946416 )

              You sell where the buyers are or you're not a very successful businessman unless you're lucky enough to break into a new demographic and corner the market.

              Nice theory. Now call your local locksmiths and ask them to sell you lockpicks.

              There are restricted classes of buyers everywhere. From police (certain weapons and body armor) to geotechnical and demolitions experts (detonating caps and industrial explosives) to the everyday people known as patients (antibiotics and narcotic prescriptions).

              You're free to

      • Does that make Prey https://www.preyproject.com/ [preyproject.com] illegal? It has the ability to take pictures with the camera, upload files, take screenshots, and geolocate. Wireshark, similarly, can be used for significant malicious intent. As can lock picks.

        Mere possession of tools should not constitute illegality. Intent to use such tools, at a minimum, should be required. Most countries agree with regards to lock picking laws--computer programs should be no different. https://en.wikipedia.org/wiki/... [wikipedia.org]

        Liabil
        • TL;DR

          Designing keyloggers and selling them to people is, apparently (we'll see) illegal.

          The legal system will sort it out.

          You and I will not.

    • Lock picks aren't illegal either, but carrying burglary tools often is.

      The Court doesn't care about, "Can the defendant show that the tool/weapon/whatever has a legit other use than he is accused of?" That would be silly. The Court instead tries to figure out what was actually going on in a particular instance. So nobody cares if it would be legal in another situation. In this situation we have victims whose devices were invaded in a way that is a crime. The government accused the defendant of having made t

      • > He was an idiot to become a defense contractor, ... If you've got an existing criminal enterprise, don't go there.

        The only proof we've been given that there was a criminal enterprise is that the kid plead guilty.

        Plenty of innocent people plead. Sometimes even at their lawyer's recommendation.

        If you've evidence about this case not available in the DOJ press release, please share it with us.

        • If you're saying he might be a liar, that isn't making me think it is more likely that he is also innocent.

          • A liar for pleading guilty while innocent? You're really asking that.

            What would your choice be?

            - 2 years of probation, and a $6,000 lawyer bill that you can hope to pay off, or...

            - 2 years in jail [techdirt.com] after losing a one year court fight, with an attorney fee of ~$150,000 that you have no hope of paying off in under 30 years.

            Please, tell me whether you'd lie and plead guilty, or mortgage your future and go to jail anyway?

    • Re:Illegal? (Score:4, Insightful)

      by NoNonAlphaCharsHere ( 2201864 ) on Saturday January 14, 2017 @03:38PM (#53668347)
      I think what's really interesting here is that the keylogger is described as an "illegal product" in a United States Attorney's Office press release. Those guys are lawyers, and they know the product itself is NOT illegal.
      • I think what's really interesting here is that the keylogger is described as an "illegal product" in a United States Attorney's Office press release. Those guys are lawyers, and they know the product itself is NOT illegal.

        Well....not to put too fine a point on it, but lawyers have been known to lie and/or misstate the truth, especially when it furthers their case.

        Shocking, I know, but there ya have it.

        • Oh, I'm well aware of that: the only time a lawyer isn't being disingenuous is when his lips aren't moving - even when he's talking about his fee, he's undoubtedly lying. I'm just pointing out the legal notion they're advancing of an "illegal product".
  • How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?
    • Re:And yet .... (Score:4, Insightful)

      by JustAnotherOldGuy ( 4145623 ) on Saturday January 14, 2017 @03:56PM (#53668419)

      How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?

      Presumably because they can't monitor your mouse movements and key strokes when you're on another site that isn't theirs.

      Yahoo is welcome to monitor your mouse movements and key strokes when you're on Yahoo, but If Yahoo could monitor your mouse movements and key strokes when you were on CNN or Google, then there would be a problem, no?

      • How is that all that different from web sites that monitor every mouse movement, key stroke, and web site that you visit?

        Presumably because they can't monitor your mouse movements and key strokes when you're on another site that isn't theirs.

        How naive. Of course they can. When I worked for the Russians, that was one of the tasks we were given. Did a proof of concept, but also managed to convince them that it was illegal as all hell (because it is) so it was never deployed. Leave it to the cocksuckers of Silly Valley to think that they're so far above the law that they can do anything because $$$+Internet.

    • It's different because one is about spying on people(which is apparently illegal), and the other is about spying on consumers(which is legal).
  • 10 years for bad-evil-scary hacking, that is alleged to have affected 16,000 people, but nothing for the CEOs who burned down the economy and that were putting nearly 135,000 families per quarter out of their homes [wsws.org] in 2002.

  • Damn... (Score:4, Insightful)

    by EmeraldBot ( 3513925 ) on Saturday January 14, 2017 @04:14PM (#53668493)
    Surely a stern talk and a 100 hours of community service would be a saner approach? He didn't do anything other than sell a tool, and while it's dubious where and who he sold it, he hasn't actually committed a crime yet, and it's not like a keylogger doesn't have legitimate purposes, nor is it illegal to possess one. Fucking over some kid for the rest of his life, in an environment where he's almost certain to repeat an offence, and turning him into a perpetual lifelong drain on the public, is not the answer - for either us or him. Yet another demonstration of my country's collective idocacy...
    • by Anonymous Coward

      He didn't do anything other than sell a tool

      He made, sold and advertised the tool with the exclusive purpose of having it used for crime. Coincidentally he is charged with helping criminals "aiding and abetting computer intrusions". Knowingly selling tools/services for a crime is illegal, had he advertised it for a legal purpose and cut contact with every potential buyer expressing interest in illegal activities he may have gotten away with it.

  • Exact wording. (Score:5, Interesting)

    by will_die ( 586523 ) on Saturday January 14, 2017 @05:30PM (#53668751) Homepage
    From on or about August 2013 through on or about March 17,2015, in the Eastern District of Virginia and elsewhere, the defendant, ZACHARY LEE SHAMES, knowingly and intentionally aided and abetted the commission of computer intrusions, in violation of 18U.S.C. ÂÂ 1030(a)(5)(A) and 2. In particular, attimes listed above, in the Eastern District of Virginia andelsewhere, SHAMES designed, marketed and sold certain malicious keylogger software, knowing that the software was going tobeused to knowingly cause the transmission ofa program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization to 10 or more protected computers during any one year period.
    (All in violation of Title 18,United States Code, Section 1030(a)(5)(A) and 2)

    https://regmedia.co.uk/2017/01... [regmedia.co.uk]
    So what he plead guilty to was developing the software and then knowingly selling it people who would be breaking the law. If he had marketed it toward the general public instead of marketing to crackers it would of not been a problem. For example I can sell and train people in lock picking all I want, however if someone comes up to me and says they want to break into a house with type X lock and want training and tools and I sell it to them then I am in trouble.
  • .. better start jailing ... gun manufacturers for any murders commited with guns they sold and crowbar makers for any burglary commited ... Fucking idiotic ....
  • he's only being sentenced to 5.4 hours/victim.. which isn't fair to the victims.

    Personally, I'd like him to be sentenced to:
    - 2 years jail.
    - probation, where he must spend the remaining 70080hours (8years*365days*24hours) doing community service.
    He can use his skills teaching basic computer usage to senior citizens, preschoolers, etc.
    - no "personal access" to computers outside his community service work, until every last hour is worked off.

A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe

Working...