“He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes.”
The above snippet is the subhead of a story published last month by the The Daily Beast titled, “FBI Arrests Hacker Who Hacked No One.” The subject of that piece — a 26-year-old American named Taylor Huddleston — faces felony hacking charges connected to two computer programs he authored and sold: An anti-piracy product called Net Seal, and a Remote Administration Tool (RAT) called NanoCore that he says was a benign program designed to help users remotely administer their computers.
The author of the Daily Beast story, former black hat hacker and Wired.com editor Kevin Poulsen, argues that Huddleston’s case raises a novel question: When is a programmer criminally responsible for the actions of his users?
“Some experts say [the case] could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways,” Poulsen wrote.
But a closer look at the government’s side of the story — as well as public postings left behind by the accused and his alleged accomplices — paints a more complex and nuanced picture that suggests this may not be the case to raise that specific legal question in any meaningful way.
Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), said cases like these are not so cut-and-dry because they hinge on intent, and determining who knew what and when.
“I don’t read the government’s complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this,” Rumold said. “Whether or not [the government’s] claims are valid is going to be extraordinarily fact-specific, but unfortunately there is not a precise set of facts that would push this case from being about the valid reselling of a tool that no one questions can be done legally to crossing that threshold of engaging in a criminal conspiracy.”
Citing group chat logs and other evidence that hasn’t yet been made public, U.S. prosecutors say Huddleston intended NanoCore to function more like a Remote Access Trojan used to remotely control compromised PCs, and they’ve indicted Huddleston on criminal charges of conspiracy as well as aiding and abetting computer intrusions.
Poulsen depicts Huddleston as an ambitious — if extremely naive — programmer struggling to make an honest living selling what is essentially a dual-use software product. Using the nickname “Aeonhack,” Huddleston marketed his NanoCore RAT on Hackforums[dot]net, an English-language hacking forum that is overrun with young, impressionable but otherwise low-skilled hackers who are constantly looking for point-and-click tools and services that can help them demonstrate their supposed hacking prowess.
Yet we’re told that Huddleston was positively shocked to discover that many buyers on the forum were using his tools in a less-than-legal manner, and that in response he chastised and even penalized customers who did so. By way of example, Poulsen writes that Huddleston routinely used his Net Seal program to revoke the software licenses for customers who boasted online about using his NanoCore RAT illegally.
We later learn that — despite Net Seal’s copy protection abilities — denizens of Hackforums were able to pirate copies of NanoCore and spread it far and wide in malware and phishing campaigns. Eventually, Huddleston said he grew weary of all the drama and sold both programs to another Hackforums member, using the $60,000 or so in proceeds to move out of the rusty trailer he and his girlfriend shared and buy a house in a low-income corner of Hot Springs, Arkansas.
From the story: