On Marcus Hutchins

Long and nuanced story about Marcus Hutchins, the British hacker who wrote most of the Kronos malware and also stopped WannaCry in real time. Well worth reading.

Posted on May 15, 2020 at 6:43 AM • 15 Comments

Comments

Etienne • May 15, 2020 9:20 AM

A friend of mine in college asked me if he could use my computer for a couple of hours. This was back in the Windows 95 era. He said he had work to do, but needed to get away from his wife so he could concentrate.

I had known him to be a prankster on computers, so I accepted his request, just to see what he had as a surprise for me. I trusted him, like I trusted the malfunctioning safety on my rifle.

"Sure, come on over!" While he worked I washed dishes and folded my laundry.

Speed forward he had installed some software that was essentially used to steal my password, which would mail it to him.

What he didn't know, is that I normally used a Linux machine for all my work. I had the image of my Windows hard drive stored on it, and just like that - could re-image it. But I did something a bit different, and stored both images so I could compare them.

Long story short, I found out he was a damned criminal. He had deleted a bunch of files I was using as references to my Thesis. I would have had to go and find these again, and some I had even paid people to scan.

The only computer I trust now, is my manual typewriter, and it has a locking case.

Carl Byor • May 15, 2020 9:58 AM

"The Man Who Saved the Internet"

Really, the whole Internet.

That doesn't seem to jibe with the facts of the story. This calls into question the credibility of the author. Makes you wonder what other distortions, half-truths, and lies by omission are there in this click-bait.

Doesn't matter. All the editors care about is that you click the links, and then watch the pretty ads. Never let the truth get in the way of a good story.

Right Andy?

MikeA • May 15, 2020 10:55 AM

I was guessing that @Mr Verhart was referring to the Soviet Selectric attack, but not to. To save the rest of you some time, the relevant info appears to be in the last paragraph of Page 7 of the document (Pg 8 of the 18-page PDF)

Who? • May 15, 2020 2:50 PM

After reading the story about Marcus Hutchins it is clear to me an ethics-based Newton's third law applies: for every decision, there is a consequence.

Hutchins has not been very lucky on his choices, at least until now.

Jaime • May 15, 2020 3:07 PM

@Etienne: Why would a criminal delete important files after installing spyware? The files he deleted were sure to be missed and he was sure to be suspected - and it didn't provide him any gain. I understand that criminals aren't generally geniuses, but this is even worse than a guy that steals from his neighbor and leaves tracks in the snow back to his house.

metaschima • May 15, 2020 4:51 PM

For the article, I'd have to say "cool story bro".

@Carl Byor
I totally agree. I'd like more facts on the subject, but from the article it seems like this guy is an intelligent young man who has taken a dark road. He somehow got saved at the last minute by an incredible stroke of luck, accidentally slowing down a massive malware campaign and gaining much popularity in the process. If it hadn't been for this I suspect he would be doing hard time no doubt.

Anders • May 16, 2020 9:32 AM

I think the most important thing is already said in the "Stealing the network" series:


"It’s strange how hackers’ minds work. You might think that white hat hackers would be on one end of the spectrum and black hat hackers on the other. On the contrary, they are both at the same end of the spectrum, with the rest of the world on the other end. There really is no difference between responsible hacking and evil hacking. Either way, it’s hacking. The only difference is the content. Perhaps that’s why it’s so natural for a black hat to go white, and why it’s so easy for a white hat to go black. The line between the two is fine, mostly defined by ethics and law. To the hacker, ethics and laws have holes, just like anything else.

Many security companies like to hire reformed hackers. The truth is that there is no such thing as a reformed hacker. These hackers may have their focus redirected and their rewards changed, but they are never reformed. Getting paid to hack doesn’t make them any less of a hacker."

Etienne • May 16, 2020 10:19 AM

@Jaime my theory was that he would make me beg for them back. Simple power trip. I'm sure he copied them before deleting. I'll never know though. I avoided him after that. He wasn't very good at what he did. Mostly a social disorder.

Cognitive Apathy • May 17, 2020 1:34 AM

"Hackers" invented all your security software (though occasionally said software is purchased by some businessmen), your hardware, and the infrastructure that it all now depends on. Hackers hacked together a device known as an atomic bomb, and another device, the thermonuclear bomb.

You may know some of these hackers by other names such as scientists & medical researchers to name a few. They make crazy stuff like MRI scanners, and some even injected diseases into themselves to create vaccines like the rabies vaccine, putting themselves, and occasionally others at risk, but in the end pulling off a discovery that has since saved millions of lives.

Though if one of those thermonuclear bombs should accidentally drop, it won't be a hacker with their finger on the button, it will likely be a president or a military commander. So don't worry too much about that.

name.withheld.for.obvious.reasons • May 17, 2020 2:23 AM

It bothers me a bit to see the word hacker misused. As an original hobbyist, an electronics hacker, there used to be a nom de plume for those with the skills and the wherewithal to make what doesn't seem possible, possible. Cracker is the term that is used to identify one of those individuals that uses their skills with intent that is outside the bounds of ethics and morals. Hacker used to be a platitude that one wore with pride. I could go to a black hat conference and be greeted with welcoming prose. Today, hacker can be a word that can get you on a list...

From the U.S. Army Field Manual (FM 3 and JP-3 circa 2013) section 46 of chapter 3;
"A cyberspace threat can be characterized based on intent, sponsorship, training, education, skills, motivation and tools. Two examples include advanced cyberspace threats and hackers."

Also, "hackers" is a term that is defined in the manual and the Joint Publication (JP-DOD) as synonymous with "Enemy Combatant". That is not good, a hacker can be treated to a drone strike if deemed appropriate irrespective of the nature of the acquired title "hacker".

The word hacker needs to be reclaimed...and the government has to step off the whole "a hacker is the enemy" BS.

Random Comment • May 19, 2020 8:55 AM

Only got to the fourth paragraph so far and the storytelling is leaving out detail which changes the story and perception.

It presents that he found the kill switch and activated it, leaving you to assume on purpose.

Hutchins himself said he just found the domain name in the code while reverse engineering it and registered the domain because no one owned it and he thought he could capture zombie traffic talking to it as the next stop. He had no idea that the domain coming online would be the kill switch.

If you are going to give an in depth story, be in depth and don't leave out detail.

I am with the other posters re clickbait.

Random Comment • May 19, 2020 9:56 AM

Oh, near the very end they explain how the kill switch activation was accidental.

So many articles had the wrong details before but at least this one has it right. After sensationalising and leaving the details out at the start, despite going as deep as what a hospital worker had for lunch in another part of the story that had no bearing whatsoever.

Still clickbait storytelling and leaving out details until the end. I'm surprised they didn't start with 'and you will never guess what happened next...' :P

Getting cynical and picky in my old age!

myliit • May 19, 2020 1:53 PM

I enjoyed the above as much or more than the article. And I enjoyed reading the article. Perhaps others know if this is an uncommon outcome. From the OP:

“... [ Before sentencing in Milwaukee, Hutchins ] walked through the halls to calm his nerves before the hearing was called to order.

When Judge Stadtmueller entered the court and sat, the 77-year-old seemed shaky, Hutchins remembers, and he spoke in a gravelly, quavering voice. Hutchins still saw Stadtmueller as a wild card: He knew that the judge had presided over only one previous cybercrime sentencing in his career, 20 years earlier. How would he decipher a case as complicated as this one?

But Hutchins remembers feeling his unease evaporate as Stadtmueller began a long soliloquy. It was replaced by a sense of awe.

Stadtmueller began, almost as if reminiscing to himself, by reminding Hutchins that he had been a judge for more than three decades. In that time, he said, he had sentenced 2,200 people. But none were quite like Hutchins. “We see all sides of the human existence, both young, old, career criminals, those like yourself,” Stadtmueller began. “And I appreciate the fact that one might view the ignoble conduct that underlies this case as against the backdrop of what some have described as the work of a hero, a true hero. And that is, at the end of the day, what gives this case in particular its incredible uniqueness.”

The judge quickly made clear that he saw Hutchins as not just a convicted criminal but as a cybersecurity expert who had “turned the corner” long before he faced justice. Stadtmueller seemed to be weighing the deterrent value of imprisoning Hutchins against the young hacker's genius at fending off malevolent code like WannaCry. “If we don't take the appropriate steps to protect the security of these wonderful technologies that we rely upon each and every day, it has all the potential, as your parents know from your mom's work, to raise incredible havoc,” Stadtmueller said, referring obliquely to Janet Hutchins' job with the NHS. “It's going to take individuals like yourself, who have the skill set, even at the tender age of 24 or 25, to come up with solutions.” The judge even argued that Hutchins might deserve a full pardon, though the court had no power to grant one.

Then Stadtmueller delivered his conclusion: “There are just too many positives on the other side of the ledger,” he said. “The final call in the case of Marcus Hutchins today is a sentence of time served, with a one-year period of supervised release.” ...”

emptywheel.net had numerous blog posts on Hutchins’s trial.

Martin • June 15, 2020 10:48 AM

The "omg i feel so guilty" garnish on the story is irritating. He got up to some naughty stuff but the way he clanks his chains is too much. There's no need for such drama.
