MalwareTech's Arrest: A view on the Security Community and its reaction.

Pete
Published in SecurityBytes
Aug 7, 2017

Jerk or knee jerk?

I'd like to talk about the recent arrest of @Malwaretech / Marcus Hutchins, and more specifically the security community's reaction to it. For the easily 'spun up' out there: at all stages I am assuming innocent until proven guilty, as is only correct and proper.

There has been a chorus of dismay about his being picked up for 'reasons'. I'll start by saying some of the 'details' of his actual physical arrest and detention seem not entirely kosher: the lack of access to him, moving him minutes prior to visitation, not arresting him on entry into the US, and the like. These definitely warrant further investigation and scrutiny to ensure the law is being followed, and if it isn't, that's an argument for a different day.

However, in the rather small world of 'Information Security' there are some prolific and high-profile researchers who have immediately jumped to the defence of MWT, even prior to the case or charges being made public. Clearly some of these will be affiliates, friends and colleagues; some are also certainly part of the small conclave of researchers who do 'extra-curricular' work for a certain branch of the UK government. I only mention this as it becomes pertinent to the community's reaction.

Various parties have been extolling all the good work he has done in recent years, notably the WannaCry kill-switch (which arguably had an element of luck in his being the first to discover it, as many equally skilled people were also reversing it at the time; that's not to detract from the achievement), and generally pushing the court of public opinion before anything concrete came out of the situation. The thing here is, guilty or not, doing a good deed does not eradicate previous criminal activity. Again, I assume innocent until proven guilty, but regardless of person or charge, a crime is a crime. The community firing into action about all the good work he has done seems to be pushing exactly this way of thinking: he's done good things, so it's inconceivable he's done bad! I can't understand this mentality. Although I genuinely appreciate the sentiment behind jumping to his defence, I think it is a somewhat naive viewpoint. Once the charges actually came out into the cold harsh light of day, namely that he created a banking trojan and tried to monetise the sale of it, the same group that leapt to his defence in some instances leapt to claim they had never heard of the Kronos trojan. This tries to undermine the charge in the court of public opinion once again, basically implying: I'm well respected, and if I didn't know about it, it cannot be that much of an issue!

These are respected researchers in the field with many more years of experience than I have, yet I'd personally heard of it, and I think I know the reason why they hadn't: it was boring. I was working a SOC role when that thing was doing the rounds, and it was part of our daily and weekly stand-up sessions, because it was essentially a mutation of the Zeus banking trojan. We had it classed as run-of-the-mill, aimed at the general population as opposed to our corporate customer base, but we kept an eye on it in case of any further mutations of interest. Now, that's not to say I disbelieve that certain parties hadn't heard of this trojan; quite the opposite, it's much more likely that it was 'not interesting enough' to land on their radar, hence it popping up in my day-to-day grind as a SOC monkey. My issue with this is that searching for the Kronos banking trojan throws up loads of information. The people who claimed they needed to Google the thing don't seem to comment on the fact that it was a reasonably well-documented trojan, just that they were unaware of its existence.

(Screenshot: a search for the Kronos banking trojan, with a date range applied, returning 21k results.)

Not being aware of a thing does not make it untrue, and security is such a wide ranging topic, that regardless of your standing and capability, you will not know all the things, all the time.

Next came the claims that, if true, he would only have benefited to the tune of roughly $2,000. Whilst the AlphaBay takedown does seem to indicate this, I don't think that's the point. There are a great many trojans out there trying to earn their authors some bank; whether or not one gains traction doesn't make it any less of an offence. What if it had gone wide? Would that make it worse? The intention is still there regardless of how effective it ultimately became.

So, back to certain researchers and their affiliations with government. They do fantastic work, of which I have no doubt, falling clearly into the 'white hat' bracket. However, a large number of them have effectively 'downed tools' unless the UK government gets involved in the case. Reading between the lines, their implied demand is 'get our mate out of this or find someone else to help you'. Now, I do believe the UK government has a duty of care to its citizens to ensure that he is treated fairly in this matter and that the law is followed, but to withhold previously offered assistance seems a somewhat draconian approach. It's obvious that governments need researchers much more than researchers need the government, but I don't think that need means you throw your toys out of the pram when something you don't like occurs, especially at such an early stage. I am making the assumption that those who do this work are not doing so for the money (let's be fair, that's why most people work in the private sector anyway) but for the pride they take in their work and a general love of 'all things security'; there's probably an element of nationalism in there too.

This, to me, feels like a knee-jerk reaction, and although the government needs you more, as much as we don't like it, with people like Amber 'Bleeding Idiot' Rudd representing our country, any influence and sway we can maintain in these areas is something we should not look at forsaking. Especially for what could transpire to be a legitimate arrest for legitimate reasons.

All that being said, I hope this is both a swift and painless process for Marcus and that it's proven he was not involved in this activity. He's a pillar of the information security community and it would be highly disappointing if this transpired to be true.

*Minor edit for spelling/grammar.


InfoSec architect, analyst and researcher. Suffering from full time imposter syndrome.