Some thoughts on U.S. v. Huddleston, the CFAA case that Kevin Poulsen wrote about yesterday: The charges here are unusual.

Huddleston sold two programs: a software license management tool and a remote access tool (RAT). He licensed the former to someone who sold a widely-used keylogger program. He sold the RAT himself, with the license manager embedded to shut down pirated copies.

There are no allegations in the indictment that Huddleston himself hacked anyone using these tools. Instead, the government charges that he (in reverse order of the indictment):

1) aided and abetted unauthorized damage to protected computers by building the RAT and distributing to people he "knew intended to use, and were using, this malicious software for illegal and unauthorized computer intrusions," which he apparently knew because he marketed the RAT on;

2) aided and abetted unlawful computer intrusions perpetrated via a third-party's keylogger, by virtue of the fact that Huddleston supplied the license key-management software used by the keylogger's developer (who appears to have flipped) and validated license keys held by purchasers of the keylogger; and

3) *conspired* to aid and abet computer intrusions by selling the license-management software to the developer of the keylogger, allegedly knowing that his customer's users intended to use the keylogger to commit unauthorized intrusions.

I find a few things odd about these charges. The first is that they are all inchoate "damage without authorization" charges under 1030(a)(5)(A) and (B). This requires the Government to prove that the installation of the keylogger or RAT, standing alone, "damaged" victims' systems within the meaning of 1030(e)(3). Courts have bought this (e.g. the SDNY in US v. Yucel), but it's not a slam dunk. Why not charge (a)(2)(C), unauthorized access to obtain information? Seems like the easier path.

Second, the two keylogger-related counts charge Huddleston with aiding and abetting the keylogger's users by selling the license-management tool that the developer used to cut off unlicensed users. His activity helped the developer prevent unauthorized use, and perhaps sell more licenses, but how does it help the users accomplish their intrusions? The link here seems tenuous at best.

Poulsen's article says that Huddleston actively terminated the licenses of users he found to be using his tools unlawfully ("I had a very strict zero tolerance policy") and pared down the tool's more nefarious capabilities over time. These are good facts for Huddleston. But the indictment also says Huddleston, the keylogger's author, and several other HackForums users communicated regularly via Skype about their work. Expect some unhelpful logs to show up at trial, if there is one.

@copiesofcopies reminds me of the CFAA charge in the Silk Road case (the weirdness of which was eclipsed by the other charges, for good reason)

@copiesofcopies conspiracy charge, for running the website that sold keyloggers and other such tools. During trial they didn't provide evidence that anyone in the jurisdiction had bought the tools or been affected by that activity (unlike the drug charges) but didn't seem to matter

@sarahjeong oh, yeah, that rings a bell. Juries don't like getting hung up on procedural requirements when they're sure you're guilty.

@copiesofcopies true, and in the end I'm not entirely sure that prosecutors kept that charge? They had to collapse a bunch of them after the verdict anyways because predicate offenses etc

@copiesofcopies but if I remember correctly they did keep the charge and the judge upheld that part of the verdict on the basis that there was jurisdiction because the website was directed "towards" the jurisdiction-- a really strange ruling that would have garnered more notice if it hadn't been for *waves hands* you know

@sarahjeong oh, and I guess that if it was a conspiracy charge the jury didn't have to find any actual conduct in the district, huh?


@sarahjeong I'm wrong about this. There has to be an overt act in the district. You don't recall evidence of any? (You should have written that book!)

@copiesofcopies upon further reflection I think the overt act was an undercover stationed in the local field office buying a license for a keylogger. But I could have sworn the judicial opinion in post trial motions focused on the site being directed towards SDNY.

@sarahjeong yeah, I don't think it's a conspiracy if the only other conspirator is an undercover agent.

@copiesofcopies well I think there's an implied third conspirator (the dude who sold the warez, who no one knows and did not testify and could not be identified)

@copiesofcopies very awkward in my eyes when the criminal activity is the sale of software

@sarahjeong yeah, but it's not too surprising for prosecutors to treat a criminal indictment like a Highlights word search.
