MalwareTech Prosecution Appears To Be Falling Apart As Gov't Plays Keep Away With Documents Requested By Defense

from the piling-up-fatal-errors? dept

Marcus Hutchins, a.k.a. MalwareTech, went from internet hero (following his inadvertent shutdown of the WannaCry ransomware) to federal government detainee in a surprisingly short amount of time. Three months after saving the world from rampaging malware built on NSA exploits, Hutchins was arrested at the Las Vegas airport as he waited for his flight home to the UK.

When the indictment was published, many people noted the charges didn't seem to be backed by much evidence. The government accused Hutchins of creating and selling the Kronos malware, but offered very little to support this claim. While it's true much of the evidence against Hutchins will be produced in court, the indictment appeared to be stretching legal definitions of certain computer crimes to their limits.

The government's case appears to be weak and reliant on dubious legal theories. It's not even 100% clear that creating and selling malware is an illegal act in and of itself. The charges the government brought rely heavily on proving Hutchins constructed malware with the intent to cause damage to computers. This isn't so easily proven, especially when the government itself is buying malware to deploy for its own purposes and has yet to bring charges against any of the vendors it buys from. Anyone selling exploits to governments could be said to be creating malware with intent to cause harm. That it's a government, rather than an individual, causing the harm shouldn't make any difference -- at least not if the government wants to claim the sale of malware alone is a federal offense.

The case appears to be even weaker now that more paperwork has been filed by both parties. If the government has a lot of evidence to use against Hutchins, it has yet to present it to Hutchins' lawyers. What's detailed in the motion to compel recently filed by Hutchins' defense team shows the government is either playing keep-away with crucial information or simply does not have much evidence on hand.

Marcy Wheeler digs into the motion to compel [PDF] and notes it appears to show the government's case is incredibly weak. And if sketchy, minimal evidence doesn't undo the government's case, the actions of the FBI agents involved might.

First, there are some questions about the circumstances surrounding Hutchins' detainment at the Las Vegas airport. As the motion points out, there's a good chance Hutchins was in no condition to consent to an interrogation, having been up late the night before drinking and celebrating the wrap-up of the conferences he had attended.

The defense needs all communications and materials related to the surveillance and arrest of Mr. Hutchins to help establish that his post-arrest statements were involuntary and in violation of Miranda. The defense intends to argue that the government coerced Mr. Hutchins, who was sleep-deprived and intoxicated, to talk. As such, his decision to speak with the agents was not knowing, intelligent, and made in full awareness of the nature of the right given up and the consequences of giving up that right, as the law requires. Coleman v. Hardy, 690 F.3d 811, 815 (7th Cir. 2012).

The Seventh Circuit recognizes that intoxication is relevant to the voluntariness—legally, in terms of a statement’s admissibility, and factually, in terms of the weight to be given to an admissible statement—of post-arrest statements. See, e.g., United States v. Carson, 582 F.3d 827, 833 (7th Cir. 2009). The defense believes the requested discovery will show the government was aware of Mr. Hutchins’ activities while he was in Las Vegas, including the fact that he had been up very late the night before his arrest, and the high likelihood that the government knew he was exhausted and intoxicated at the time of his arrest.

Note the mention of the Miranda warning. This poses its own problems for a couple of reasons. As the motion points out, it's unclear how (or when) [or if] Hutchins was Mirandized. The FBI could have given Hutchins the actual Miranda warning, which makes it clear arrestees have both the right to remain silent and the right to an attorney. Or the agents could have decided the UK version was more applicable for the British citizen. That version says nothing about the right to an attorney and warns that remaining silent may later be held against you in court.

Given the fact Hutchins is being prosecuted in the US, it's likely agents would have given him the American version. But there's no way to tell which version Hutchins received because the FBI's recording of the interrogation doesn't contain any recording of a Miranda warning being delivered.

After Mr. Hutchins was taken into custody, two law enforcement agents interviewed him at the airport. The memorandum of that interview generically states: “After being advised of the identity of the interviewing Agents, the nature of the interview and being advised of his rights, HUTCHINS provided the following information . . .” A lengthy portion of Mr. Hutchins’ interview with the agents was audio recorded. Importantly, however, the agents did not record the part of the interview in which they purportedly advised him of his Miranda rights, answered any questions he might have had, and had him sign a Miranda waiver form.

If the government plans to introduce the interrogation recording as evidence, the absence of any recording of the Miranda warning or of the signing of the waiver form should weigh against the admissibility of any incriminating statements Hutchins might have made. Combine that with Hutchins' alleged mental state (exhausted, intoxicated) at the time of the questioning and the FBI may have undercut the admissibility of a substantial amount of its own first-hand evidence.

The motion to compel goes on to point out there's plenty of information the government has yet to turn over to the defense. Hutchins' defense still hasn't seen anything related to his alleged co-conspirator (who remains at large) -- not even the information the government apparently received as the result of an MLAT (Mutual Legal Assistance Treaty) request sent to the co-conspirator's home country.

The defense also wants more info on the FBI's witness known only as "Randy." The government is trying to have it both ways here. "Randy" appears to be a witness, but the government has downgraded "Randy" to a mere "tipster" to avoid turning any info over on "Randy" to the defense. Informant confidentiality can be maintained under some circumstances, but not if the government is hoping to use this informant as a witness.

Here, the government’s refusal to disclose even the identity of “Randy’s” attorney is apparently the result of miscategorizing an important witness as a mere tipster. “Randy” is a cooperating witness, one whose provision of information to law enforcement was facilitated by consideration—proffer immunity, at the least—from the government. This circumstance alone weighs against continuing confidentiality because “Randy” surely knows his cooperation will be revealed…

The defense expects “Randy” to testify at trial because he is alleged to have had extensive online chats with Mr. Hutchins around the time of the purported crimes in which Mr. Hutchins discussed his purported criminal activity. Any communications and materials relating to “Randy” are therefore material to defense preparations.

Wheeler speculates the hide-and-seek nature of the government's handling of "Randy"-related material has something to do with "Randy's" possible lack of usefulness. Hence the last-minute downgrade of "Randy's" stature and the ongoing refusal to produce documents.

I’m guessing if the government were required to put “Randy” on the stand they’d contemplate dismissing the charges against Hutchins immediately. I’m guessing the government now realizes “Randy” took them for a ride — perhaps an enormous one. And given how easy it is to reconstitute chat logs — but here, it’s not even clear “Randy” has the chat logs, but just claimed to have been a part of them, in an effort to incriminate him — I’m guessing this part of the case against Hutchins won’t hold up.

The defense is also seeking discovery of the grand jury instructions. As noted earlier in this post, the government set a high bar for itself, offering up charges that require it to prove intent to harm, rather than simply the creation and distribution of malware. As the government appears to have only limited evidence related to proof of intent, it may have secured the indictment by glossing over the "intent" part of the charges. If the instructions were insufficiently clear, the indictment itself might be in trouble.

Wheeler suggests now might be the time for the government to cut its losses and give Hutchins back his freedom. But, as she notes, the government prefers to double down on hole-digging in these situations. If the government is realizing its case against Hutchins is bullshit, it may dig in and impede discovery efforts just to make the accused pay for daring to fight back.


Reader Comments



  • Anonymous Coward, 8 Jan 2018 @ 1:43pm

    And this is why...

    ...security researchers like me stay far, far away from any kind of public involvement. If I have anything to disclose, it'll be anonymous with no warning to the affected entities.

    Why? Because trying to be nice doesn't work. At best, the report will be denied, the followup will be stonewalled, the company/country will make groundless accusations, and then eventually, maybe, the problem will be quietly addressed and someone else will take credit for it.

    At worst, the door will be kicked down at 5 AM and all my stuff will be confiscated, I'll be arrested and charged with anything/everything, and my ability to make a living will be destroyed. If I ever manage to get out from under the legal problems, I'll be bankrupt and then homeless.

    So while I could do some modest good here and there, I'm going to lift a finger. I've learned the lesson.


    • Anonymous Coward, 8 Jan 2018 @ 2:14pm

      Re: And this is why...

      Thank you for your white hat work. Not all heroes are obvious.


    • Anonymous Coward, 8 Jan 2018 @ 3:06pm

      Re: And this is why...

      And this is why......security researchers like me stay far, far away from any kind of public involvement. If I have anything to disclose, it'll be anonymous with no warning to the affected entities.

      Sadly, I agree with this. Every time I have been nice, I've been threatened with lawsuits and my employers have been contacted and told to fire me. Luckily, my employers have basically told them to pound sand and ask them when they are going to fix their shit. With that, and this, it ain't worth my time or energy to do it the right way.


    • alternatives(), 9 Jan 2018 @ 5:17am

      Mad Dogs and Englishmen WAS Re: And this is why...

      Another take away is Don't come to America. I believe old John Mad Dog Hall has the position of not traveling to the nation to avoid being subjected to its laws and enforcement.

      A fine "protest" would be to make some open source code on more open hardware like a Raspberry Pi to allow people who'd like to be at, say, DEF CON to have remote telepresence. Futurama Hall of Presidents style. Perhaps call it Rsides?


  • Jordan Chandler, 8 Jan 2018 @ 1:52pm

    So

    So once again, are all prosecutors corrupt and do whatever their bosses tell them?


  • Anonymous Coward, 8 Jan 2018 @ 2:12pm

    One of the following is fake news

    1. Per the FBI, Marcus Hutchins is the perpetrator
    2. Per the Trump administration, North Korea is the perpetrator

    Perhaps Trump should sue the FBI for defamation. Then we can get to the bottom of this.


  • Anonymous Coward, 8 Jan 2018 @ 2:21pm

    Now, now, kids: relying on technicalities likely means DOOMED.

    Trying to take back what admitted is going to be tough.

    This isn't blurting once "I did it!", which might be misunderstanding or confusion, but apparently long series of statements by a highly intelligent indiv, among which are admitting writing the malware.

    For perverse cause that always intrigues me, Techdirt, knowing no more than me, just automatically sides with likely criminals. Here, a confessed author of malware makes for likely regardless of all else, yet Techdirt tries to 'splain that away as having all sorts of possible good reasons.

    Never change, Techdirt! You are the patron site of lost causes.


    • Anonymous Coward, 8 Jan 2018 @ 2:24pm

      Re: Now, now, kids: relying on technicalities likely means DOOMED.

      Your mind must work like a funhouse mirror. You twist everything you read and find alternate reasons for the obvious. You are either deluded or trying to delude others and doing a poor job of whichever it really is.


    • An Onymous Coward (profile), 8 Jan 2018 @ 2:34pm

      Re: Now, now, kids: relying on technicalities likely means DOOMED.

      Criminal or not, simply writing malware or even selling it is not (currently) illegal. If your entire argument rests on that then you have no argument. Malware is a crappy thing to release into the wild but it's going to happen and in the US, at least, it's not a crime. Unless the FBI decides it doesn't like you.

      If he had planted it himself and caused destruction of property in some form then that's illegal and he should suffer the consequences. If you can manage a few minutes of critical thinking and reading comprehension you'll see that's not what this article describes.

      TD defends rights, not "feels".


    • Anonymous Coward, 8 Jan 2018 @ 2:44pm

      Re: Now, now, kids: relying on technicalities likely means DOOMED.

      Even if he is a guilty, malicious criminal, it's important for the freedom and justice of the innocent that we do not allow people to be jailed based upon insufficient evidence or for merely writing software.

      But if he is so malicious and guilty (as you seem to believe), then why did he shut down the WannaCry ransomware?


    • tin-foil-hat, 8 Jan 2018 @ 4:39pm

      Re: Now, now, kids: relying on technicalities likely means DOOMED.

      Technicalities. Like evidence?


      • Killercool (profile), 8 Jan 2018 @ 9:37pm

        Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.

        No, technicalities generally fall into the realm of "this evidence was seized unconstitutionally, therefore it is inadmissible."

        You know, minor quibbles like that.


        • tin-foil-hat, 9 Jan 2018 @ 11:15am

          Re: Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.

          The government might like to vindicate itself by calling it a technicality but a constitutional violation is a violation of the law, aka a crime.


        • JMT (profile), 10 Jan 2018 @ 12:39am

          Re: Re: Re: Now, now, kids: relying on technicalities likely means DOOMED.

          That's NOT a technicality, it's an extremely important part of the justice system. Protections like this were put in place because of rampant historical abuse by the authorities. You absolutely should not be belittling them, since you obviously don't know where they came from.


    • Anonymous Coward, 8 Jan 2018 @ 6:32pm

      Re: Now, now, kids: relying on technicalities likely means DOOMED.

      Relying on technicalities is precisely the bread and butter of how your idols in the prosecution make their cases.

      I'm just going to take pleasure in the fact that you automatically side with the likes of Verizon and John Steele.


    • XcOM987 (profile), 9 Jan 2018 @ 4:19am

      Re: Now, now, kids: relying on technicalities likely means DOOMED.

      just automatically sides with likely criminals.

      Accused, Techdirt sides with the accused, just remember this next time you yourself are accused and wish people to side with you rather than call you criminal.


  • discordian_eris (profile), 8 Jan 2018 @ 2:30pm

    Feds Have a Serious Credibility Problem

    I'm reminded of this quote almost every time the FBI is involved in a case.

    He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truth without the world’s believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions.

    Thomas Jefferson

    The FBI lies so habitually I fail to see how any judge can treat them as credible.


    • Uriel-238 (profile), 8 Jan 2018 @ 11:11pm

      How can any judge treat the FBI as credible?

      When both have the common cause of putting warm bodies into prison, FBI witnesses can say they saw the accused starting the Chicago Fire, and the judge will believe them.


  • ECA (profile), 8 Jan 2018 @ 4:04pm

    Wonder??

    Meetings?
    Convention??

    WOW, how about an ADVANCED SWAT??
    Lets pick on the guy who helped the government..
    Who needs a hack when you just call the FBI/CIA about terrorism.


  • alternatives(), 8 Jan 2018 @ 5:14pm

    Milwaukee County and Wisconsin have plenty of crooked timbers when it comes to lawyers.

    Lawyers being stupid in Milwaukee doesn't shock me.

    At least California was willing to throw out a lawyer who was accused of wife strangulation and plead out to battery.

    In Wisconsin you can act as the lawyers for a company, claim the general manager doesn't know who the owners are of the company THEN do 40+ hours of billable work against the company while NOT being the attorneys of record. Why does the state bar do nothing? Your CEO is the treasurer for an appellate court judge may be a factor.

    Meanwhile the chief judge of Milw County is secreting court records as they would show the court worked to prevent charges being pressed against a public official who 'recanted' his sworn statements.

    As the one judge said to me "We do things loose here".


  • Anonymous Coward, 8 Jan 2018 @ 5:19pm

    "Gov't Plays Keep Away With Documents Requested By Defense"

    I thought that was illegal, could get one disbarred, held in contempt and possible jail time.


  • Anonymous Coward, 8 Jan 2018 @ 5:28pm

    The government witness is obviously Randy in Boise. Next, the judge is going to say to the government: citation needed.
    https://en.wikipedia.org/wiki/Wikipedia:Randy_in_Boise


    • TrickyRickDreamsOfScreams (profile), 9 Jan 2018 @ 3:11am

      Re:

      This could also be an Asshole John, but that would be depending upon the nuanced specifics, but like wikipedia, the law (as well as these comments) is *SUPPOSED* to not be about "winning." Seriously, are all of these judges and prosecutors Charlie Sheen? Because they only care about winning, as opposed to actually carrying justice, and I swear, they've all gotta be on drugs, legit coked out, because they make NO SENSE. I'm having pop culture flashbacks to 2010, here. What's next, screaming about having tiger blood?


  • That Anonymous Coward (profile), 8 Jan 2018 @ 9:43pm

    This is all an orchestrated effort to scare white hats.

    They represent a huge liability to companies who prefer security by obscurity, to pocket the savings.
    They represent a huge threat to the government, they might discover vulnerabilities, that they paid out handsomely for, and patch them. (Ignoring their habit of letting them lay around on any old server).

    How dare these regular people invest their own time into trying to secure everyone, and make the governments job of hacking & stealing harder.
    We squeezed this little fish into a ramp to a bigger target & amazingly our case lacks reality. We loved the story of this whitehat turning to the dark side, and working against the interests of the US. It was thrilling & we were sure we'd get bonuses & that sweet sweet cyber money added to our budget. We didn't need to check anything, he talks computer he must be evil.


  • @b, 9 Jan 2018 @ 1:26pm

    On that which has not yet been evidenced....

    How will the prosecution argue that they did not need to hand-over the evidence they will later admit to have received?

    What are their options? For example, maybe they can easily claim a "withheld" document is not yet discovered, and then later reveal "oh look, this just in". Is that possible? Easy to get away with? Undesirable for some strategic reason?

    A lot hinges on how these cases tend to play out. Otherwise we all just guess.


    • alternatives(), 9 Jan 2018 @ 2:24pm

      Re: On that which has not yet been evidenced....

      For example, maybe they can easily claim a "withheld" document is not yet discovered, and then later reveal "oh look, this just in". Is that possible?

      There are 3 "sets" of "rules" at play here. Rules of evidence, the bar rules and the rules for the prosecutor. The Discovery rules state things can be turned in later 'as found'. Bar rules talk about honesty to the tribunal. And the rules for the prosecutor - I've not used but when I've looked at 'em they appear to be more strict than the bar rules.

      ENFORCEMENT of the rules, well, that is another matter. My guess is it is lip service and as this case is Judge Statmuller and he's a DOJer from the 1970's I'm guessing that unless people are lined up deeper in that courtroom than the Aug hearing "seeking answers" as to why the prosecutor isn't answering Discovery he'll be favorable to the DOJer.


    • Anonymous Coward, 9 Jan 2018 @ 2:43pm

      Re: On that which has not yet been evidenced....

      See Cliven Bundy and why he was sprung.


