Marcus Hutchins spared US jail sentence over malware charges (bbc.co.uk)
140 points by timthorn on July 26, 2019 | 65 comments



Hutchins' contributions to information security have definitely benefited many. While it was "good" that he faced responsibility for his actions (well, not really -- a forced extended stay in the U.S. away from his family and dealing with X months of court bullshit is horrendous and should not happen), I'm glad he was spared from a decade in the U.S. prison system.


> extended stay in the U.S. away from his family and dealing with X months of court bullshit is horrendous and should not happen

Curious, how do you think we should deal with crimes of this type, if not (at minimum) restraining suspects from leaving the country and having a judge preside over the legal proceedings?


That's a great question that I don't have a solid answer to. But one change that I think could be beneficial is at least an expedited judicial process for foreigners like Hutchins, visitors that only intended to stay in the United States for a short period of time before being arrested on suspicion of a crime.

Hutchins was fortunate that he had some money and a sort of safety net in the form of donations, a network of people who knew him, etc. For most people without that type of support, I would imagine being prevented from leaving the States for an extended amount of time would be nothing less than devastating.


You’re literally advocating for a two tiered justice system.


As a consequence of a two-tiered citizen / resident vs not-citizen system.


You’re gonna have to explain what on earth you could possibly mean by that. Citizens and non-citizens have equal rights under the US justice system. Awaiting trial sucks for anybody, there’s no reason to give any class of people special entitlements.


> 'Awaiting trial sucks for anybody'

There is quite a stark difference between waiting in your home, with your family, while being able to continue your day to day life (if you are a resident/citizen) and not being able to go back to your life, losing your job in your home country, while not being allowed to find a job either in the US, all the while you have to pay for accommodation and food for months or a year out of thin air (in the case of most non-residents).

How can you think both those situations equally suck?


Losing your job and not being able to get another one is a pretty common outcome of being on bail for serious charges. If you turn out to be guilty (like Marcus is), then it’s really no big deal. If you’re innocent, then the entire pre-trial experience is usually going to completely turn your life upside down. There is no reasonable justification for creating a two-tiered justice system where a certain class of people either have expedited trials, or completely outrageous bail conditions.


> If you turn out to be guilty (like Marcus is), then it’s really no big deal.

I put it to you that the person so affected, and sentenced to time served, would in fact find it to be a "big deal".


It’s entirely appropriate for a person guilty of a crime to be punished for it.


nevertheless, they would find it to be a "big deal".


Ah yes, "The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread."

I think that actual equality would have him awaiting trial on bail back home in the UK, not Los Angeles.


And what does that have to do with citizenship? It doesn’t really sound like you’re putting forward a coherent argument for anything at all.


> It doesn’t really sound like you’re putting forward a coherent argument for anything at all

Please check your language. Why does this wind you up so much?

I refer you to this that goes into it in more detail: https://news.ycombinator.com/item?id=20541499

Other people get it, if you don't; you don't and can stop bothering me with aggressive questions. People on the internet don't, in general, "gonna have to explain". It's optional.


You said that a two tiered justice system was a justified response to a two tiered system based on citizenship. When I asked you to explain yourself, you started talking about income inequality. I’m not being wound up, I just can’t follow anything you’re saying, because it seems you can’t stick to one topic for more than one comment at a time.


> When I asked you to explain yourself, you started talking about income inequality.

I can't tell if you're missing the point deliberately or not. Either way, I'm not interested.


He's saying "US bad for acting like a sovereign nation with rule of law"


Have a framework of handing over cases like that and the person back to their country of residence. Unless the case can be handled in less than a week.

Otherwise it's basically: Have you got access to lots of money, or are you going to spend years in prison? He was really lucky that he knew people who could offer him a place to stay, contact lawyers, help with bail. The majority of people would be completely screwed in that situation.


Yea, this seems quite reasonable. I can't (immediately) see why this wouldn't work between Canada, USA, Australia, NZ, UK, etc.


I doubt handing over would always work. England has a decent court system, but what about, say, a Chinese spy? Maybe you could then elect to hand over an Englishman but detain a chinaman? It works in some cases, but not necessarily as a general framework.


This sort of thing, at least in theory, is why we have human judges who can consider circumstances and context.

A "framework", here, would probably include factors like "are we friendly with the country in question and can we get their law enforcement to monitor the defendant", the nature and severity of the crime, "does the defendant have the resources to 'disappear' in their home country", etc, etc. Besides the first question, it's pretty much already what's considered when deciding whether to grant bail.

(Note- I'm not sure the idea of releasing a defendant to another country is a good one, but it's not like the courts wouldn't be able to tell the difference between an agent of a foreign country working in an espionage capacity and Marcus Hutchins.)


I think your example (international spy) is on a very different level than someone stealing private money. Spies are normally working with the approval of their country, so the prosecution there does not make sense.


'Chinaman' is generally considered quite offensive and dated. I'd switch up the noun there.


The chinaman is not the issue!


How? I used Englishman too. I've never heard it used that way.



In other circumstances countries are very keen to deport people who are suspected of being foreign criminals as soon as possible.


Clearly he didn't think this is horrendous himself. He was out on bail, living in an apartment in LA, a place with better weather and a better infosec community than his native Britain. He clearly enjoyed his time here.

Source: his own twitter.


He made the most out of his situation, and was lucky that he was even afforded the chance to. But there clearly was a lot going on behind the scenes.

Additionally, he was quite open about his depressive episodes and legal frustrations on Twitter.


In spite of the district court's merciful sentence, he has committed an aggravated felony in the eyes of immigration law and so is barred from ever entering the US again. For life.


> he has committed an aggravated felony in the eyes of immigration law and so is barred from ever entering the US again. For life.

IANAL but it sounds like he may be able to appeal based on a recent SCOTUS ruling[0].

> The result is that people convicted of certain crimes -- such as the California crime of burglary -- that are not by definition necessarily violent, may not be deportable.

[0] - https://www.shouselaw.com/immigration/aggravated-felonies


> IANAL but it sounds like he may be able to appeal based on a recent SCOTUS ruling[0].

For entry into the US on visa-waiver (ESTA) or visas (without a green card), you generally can't appeal to the courts, and court rulings about deportation aren't really relevant.

It is up to the discretion of CBP (and also the State Department for visa issuance). They can decide to disregard a criminal conviction - they are more likely to do that if it is relatively minor, if there are some unusual/special circumstances, if it is from many years ago, if a person shows evidence of being of good character since then. But it is totally up to their discretion.

If they rule against you, there is no formal right of appeal. You can talk to your own country's government, ask them to make diplomatic representations. If your own government decides to do so (they are under no obligation to do so), there is some chance they might change the US government's mind, but no guarantee.


I have no idea how exactly those kinds of decisions are made, but I feel like the "evidence of good character since then" clause has a decent chance to work here. The whole domain redirection thing he did definitely saved quite a lot of pain for people and businesses worldwide.


He said on Twitter earlier that a big part of the judge's decision to sentence him to time served was the character letters that a ton of people from the infosec industry that know him sent.

That kind of thing could definitely be relevant for showing good character since his bygone days as a malware creator rather than researcher.


Good character letters sometimes backfire. The judge in the Ross Ulbricht case said that she sentenced him so harshly partly because she got many letters attesting to his good character, so she decided she needed to set a very public example.


I think the difference is probably that in the eyes of the American government, everything Ulbricht did was bad. Whereas Hutchins did some good at some point that could be weighed against the crimes he committed. Character letters don't mean anything if the acts that gave that person their standing in the community are seen as wrong by the court.


You can probably sue in Federal court. You’d have to have an attorney though.. people on no fly lists outside the US have to do that.


Anyone can file a lawsuit at any time. The question is, what are the odds of success? Non-greencard holders who are refused visas for the US, or refused entry to the US, have a very low likelihood of success, given which most immigration attorneys will advise that (absent some special circumstances) filing such lawsuits is a waste of time.

(If you can make the case that the visa/entry refusal was due to some improper reason, such as racial or religious discrimination, political vendetta, government corruption, etc., then you might have some chance, but even then the odds are not that great. But if your case is simply "they won't let me in due to my prior felony conviction in a US federal court but I don't think that's fair", then your odds of success are almost exactly zero.)

(Disclaimer: IANAL.)


Are you saying the article I’ve linked, published by immigration attorneys, is wrong? They’ve quite clearly stated the opposite of your claims, that there is legal recourse available.


I don't see a disagreement about whether your article is correct. Your article talks about which crimes are deportable, not which crimes may result in a later visa application to the US being denied.


Exactly. Deportation proceedings are a separate issue from visa issuance and entry. Courts show far greater deference to the executive on visa issuance and entry decisions to non-residents (and temporary residents) than they do in deportation.


Most people in the world will never be able to visit the United States but they seem somehow to survive.


Is that really unusual for countries to ban travel to foreigners with criminal records? I was under the impression most countries had similar laws.


I've looked into this and the USA is uniquely strict in their standards amongst western nations. Most countries give people a second chance in cases except for very serious crimes.


Canada is seemingly uniquely strict about people with a DUI, which is generally not a felony in the states, I know several people who are basically barred from Canada because of this.


I didn't realise the US court gave out rewards.


He's already here, and sentenced to a year of supervised release. ISTM he can file whatever papers he needs to while he's physically present?


[flagged]



Please don't post flamebait to HN. We ban accounts that do that. If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and posting in the spirit of the site from now on, we'd appreciate it.


I'm having a hard time finding out why they actually arrested him - for a long time it seemed that they were kangaroo-accusing him of somehow being responsible for wannacry because he registered the domain it pointed to. This article is saying it's because of malware he created in 2014?


It was definitely for the banking trojan he created and sold, that would later become Kronos. That said, he also became sort of a public figure in the field due to stopping the initial strain of Wannacry, so news articles were popping up talking about how he was at least tangentially related to Wannacry, and was recently arrested for malware charges. People saw that and started drawing the false conclusion that he created Wannacry.


AFAIK, they arrested him because of the creation and sale/distribution of the Kronos and "UPAS Kit" malware [1].

[1]: https://www.justice.gov/usao-edwi/pr/marcus-hutchins-pleads-...


> for a long time it seemed that they were kangaroo-accusing him of somehow being responsible for wannacry because he registered the domain it pointed to.

That certainly wasn't a long time. As far as I remember it was very shortly after his arrest (maybe a day or so) when it became public that it was for the Kronos malware and unrelated to the wannacry incident.


It seems that sensible judgements in cases like this are few and far between. Hopefully we will see a trend in this direction instead of the hysteria usually surrounding hacking where the perpetrator is viewed in the same category as a mass murderer.


He helped with the building of a banking trojan, that's not mass murder, but it is a big crime...


to sum it up, the US jails teenagers who deface websites (and foreigner journalists because why not). But if you created hacking tools specifically to steal money and provided support for those tools, you are in the clear?


TLDR/Background:

* Hutchins (MalwareTech on social media) used to be a black hat, and developed/sold a banking trojan that would become Kronos.

* Since then, he's given up black hat activity and began reverse-engineering malware and providing educational material along the same lines.

* He came into the spotlight when he realized that the Wannacry ransomware was attempting to contact a particular web domain that was unregistered. He registered it to see what they were trying to send and why, and found out that it was a global killswitch, fully shutting down the initial strain of the malware.

* After Def Con 2017, he was arrested at the airport when attempting to leave the US. He was being charged with developing Kronos, and prosecutors were effectively adding new charges in retaliation every time he refused to plead guilty.

* He eventually caved and plead guilty, and today was sentenced to a year of supervised release, with no jail time (Though he likely won't be able to enter the US again). The judge strongly indicated that the lenient sentence was due to the fact that he stopped breaking the law of his own volition, and started using his skills to better the world.

* This article doesn't mention it, but the judge also suggested that he and his legal counsel seek a pardon, which could potentially allow him to enter the US again. They are planning to go forward with that path.


That wasn’t quite how it went.

He initially told everyone that he was peripherally involved in writing some code as a teenager that, unbeknownst to him, ended up in some malware.

The feds unraveled his lies and showed beyond a doubt that not only did he work on that into his 20s, but he and his partner were actively involved in the business of selling a purpose-built banking trojan. They had logs of a “business dispute” between him and his partner from only 2 years prior to his arrest.

He had bad opsec, and many folks online exposed a lot of this. The feds had chat logs showing he was directly involved. It’s all in the court documents. He had no choice but to plead guilty.

https://www.courtlistener.com/recap/gov.uscourts.wied.77855/...


In my mind, it does count for something that he seems to have turned everything around from being a black hat towards doing proper security research and generally trying to work towards the common good.


Maybe. I don’t know if I think he should be punished further or not and don’t have strong feelings on this outcome one way or another. I generally think hacking crimes are treated disproportionately harsh.

All that aside, I do not appreciate that he rallied support from the security community and raised legal defense money by convincing sympathetic folks that it was all untrue and he was being set up, when he was actually guilty the whole time.

Manipulate the legal system all you want for all I care, but manipulating good natured people in the community who put their own reputation and money on the line is not exactly a class act. I didn’t give him money, but I did fall for his original story.


Finally!


What's the thought process for writing/selling malware to be illegal? What if the buyers wanted to test their own systems? What if they simply bought it to study it? Hutchins didn't necessarily know that it was going to be used illegally. Should nmap, aircrack-ng et al be illegal too?


It is, in general, not illegal to write/sell something that can be used to commit a crime. What’s illegal is creating or selling tools to knowingly facilitate crimes. (Selling guns isn’t illegal, and indeed is constitutionally protected. Selling a gun to known mobsters under circumstances where one can reasonably conclude you knew they were going to use it to commit crimes, that’s illegal.)

In this case, Hutchins created Malware capable of stealing banking information and worked with a friend to market it to people who would use it to steal banking information: https://arstechnica.com/tech-policy/2019/07/wannacry-slayer-....


Maybe the cases of the secret car compartment makers are a good example as well - the 'tool' there is thoroughly harmless in itself.


We might consider where tools like nmap are advertised. The language used.



