Some thoughts on U.S. v. Huddleston, the CFAA case that Kevin Poulsen wrote about yesterday: thedailybeast.com/articles/201. The charges here are unusual.

Huddleston sold two programs: a software license management tool and a remote access tool (RAT). He licensed the former to someone who sold a widely-used keylogger program. He sold the RAT himself, with the license manager embedded to shut down pirated copies.

There are no allegations in the indictment that Huddleston himself hacked anyone using these tools. Instead, the government charges that he (in reverse order of the indictment):

1) aided and abetted unauthorized damage to protected computers by building the RAT and distributing to people he "knew intended to use, and were using, this malicious software for illegal and unauthorized computer intrusions," which he apparently knew because he marketed the RAT on HackForums.net;

2) aided and abetted unlawful computer intrusions perpetrated via a third-party's keylogger, by virtue of the fact that Huddleston supplied the license key-management software used by the keylogger's developer (who appears to have flipped) and validated license keys held by purchasers of the keylogger; and

3) *conspired* to aid and abet computer intrusions by selling the license-management software to the developer of the keylogger, allegedly knowing that his customer's users intended to use the keylogger to commit unauthorized intrusions.

I find a few things odd about these charges. The first is that they are all inchoate "damage without authorization" charges under 1030(a)(5)(A) and (B). This requires the Government to prove that the installation of the keylogger or RAT, standing alone, "damaged" victims' systems within the meaning of 1030(e)(3). Courts have bought this (e.g. the SDNY in US v. Yucel), but it's not a slam dunk. Why not charge (a)(2)(C), unauthorized access to obtain information? Seems like the easier path.

Second, the two keylogger-related counts charge Huddleston with aiding and abetting the keylogger's users by selling the license-management tool that the developer used to cut off unlicensed users. His activity helped the developer prevent unauthorized use, and perhaps sell more licenses, but how does it help the users accomplish their intrusions? The link here seems tenuous at best.

Poulsen's article says that Huddleston actively terminated the licenses of users he found to be using his tools unlawfully ("I had a very strict zero tolerance policy") and pared down the tool's more nefarious capabilities over time. These are good facts for Huddleston. But the indictment also says Huddleston, the keylogger's author, and several other HackForums users communicated regularly via Skype about their work. Expect some unhelpful logs to show up at trial, if there is one.

@copiesofcopies reminds me of the CFAA charge in the Silk Road case (the weirdness of which was eclipsed by the other charges, for good reason)

@copiesofcopies conspiracy charge, for running the website that sold keyloggers and other such tools. During trial they didn't provide evidence that anyone in the jurisdiction had bought the tools or been affected by that activity (unlike the drug charges) but didn't seem to matter

@sarahjeong oh, yeah, that rings a bell. Juries don't like getting hung up on procedural requirements when they're sure you're guilty.

@copiesofcopies true, and in the end I'm not entirely sure that prosecutors kept that charge? They had to collapse a bunch of them after the verdict anyways because predicate offenses etc

@copiesofcopies but if I remember correctly they did keep the charge and the judge upheld that part of the verdict on the basis that there was jurisdiction because the website was directed "towards" the jurisdiction-- a really strange ruling that would have garnered more notice if it hadn't been for *waves hands* you know

@sarahjeong oh, and I guess that if it was a conspiracy charge the jury didn't have to find any actual conduct in the district, huh?

@copiesofcopies mostly I thought it was weird because conspiracy? Really? Lots of discussion of drugs (even cyanide) in the logs and diaries, none of the hacking tools as far as I can recall. True that DPR was not a neutral platform operator but the CFAA charge always seemed bizarre.
