Student Hacker Faces 10 Years In Prison For Spyware That Hit 16,000 Computers

Megalith

Is 10 years excessive for writing and selling a keylogger? We’ll have to see what the judge thinks. The hacker, an ex-Northrop Grumman intern, sold his work for $35 to 3,000 buyers, who infected 16,000 people with it.

A 21-year-old from Virginia pleaded guilty on Friday to writing and selling custom spyware designed to monitor a victim’s keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice. Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, “and continued to modify and market the illegal product from his college dorm room,” according to the feds.
 
That old phrase "With great power, comes great responsibility"...

Zachary Shames would be Venom in this situation. Depending on who he sold it to... And if it explained the legal and illegal uses of the software. 10 years could be about right.

If it could be shown that he sold it to anyone, even knowing its likely ability to be misused.... Then it would depend on the damages caused to those 16,000 people. And in that case 10 years might not be anywhere near enough.

Software like this is like making an invisibility suit, where there may be a few who use it legally... But the majority of use is totally illicit.
 
never mind, just needed to read the pdf.

“certain malicious keylogger software, knowing that the software was going to [...] intentionally cause damage without authorization.”


All he had to do is market it differently.
 
He isn't going to get ten years unless he already has a lengthy criminal record.

Ten years is the maximum punishment allowed for that specific crime by that crime's statute but his sentence is also subject to the federal sentencing guidelines which can lower the maximum amount he can get. This is a common mistake that people make because they simply read whatever statute a person was accused of violating and see the maximum punishment in the statute without taking into account that a sentence is also subject to the guidelines.
 
never mind, just needed to read the pdf.

“certain malicious keylogger software, knowing that the software was going to [...] intentionally cause damage without authorization.”


All he had to do is market it differently.

Maybe for people to put on their own computers in case they're stolen?
 
Microsoft. Anyone? Anyone.
If you load up Windows 10 without going custom install MS allegedly loads a lot more spyware than just a keylogger. That's just the obvious ones you can shut off in custom. When you consider what MS claims they're protecting you from, MS truly believes in the nanny state. Other than that, MS needs to go back to the drawing board and start creating an OS from the ground up that isn't so full of holes that it needs to think it has to protect me from myself and have all my privacy collected so it can do that. I guess it's tough though when a company allegedly is offered cash from third parties for some of that info.
 
He isn't going to get ten years unless he already has a lengthy criminal record.

Ten years is the maximum punishment allowed for that specific crime by that crime's statute but his sentence is also subject to the federal sentencing guidelines which can lower the maximum amount he can get. This is a common mistake that people make because they simply read whatever statute a person was accused of violating and see the maximum punishment in the statute without taking into account that a sentence is also subject to the guidelines.

But we don't know if he is also being held culpable for the damages to some or all of the ~16,000 computers affected. That can take this from a less than 10 year sentence to much, much more. If people's identities were "stolen" by this he could be held accountable both criminally and in civil court.
 
What a great way to throw away your life over a little greed. Sometimes being intelligent doesn't make you smart.
 
Ten years for a keylogger? Wow, no wonder U.S. prisons are overflowing. I think a year in prison and a nice fine would be deterrent enough for this guy doing it again and for other people to learn from his sentence. Just my 2 cents anyhow...
 
Is 10 years excessive for writing and selling a keylogger? We’ll have to see what the judge thinks. The hacker, an ex-Northrop Grumman intern, sold his work for $35 to 3,000 buyers, who infected 16,000 people with it.

A 21-year-old from Virginia pleaded guilty on Friday to writing and selling custom spyware designed to monitor a victim’s keystrokes. Zachary Shames, from Great Falls, Virginia, wrote a keylogger, malware designed to record every keystroke on a computer, and sold it to more than 3,000 people who infected more than 16,000 victims with it, according to a press release from the U.S. Department of Justice. Shames, who appears to be a student at James Madison University, developed the first version of the spyware while he was still a high school student in 2013, “and continued to modify and market the illegal product from his college dorm room,” according to the feds.

No. They should make it 20.

He was a smart MF that went rogue. He had no need to. He was very employable. He had no third-USA issues to worry about. He did it out of greed, and he's an asshole.

Make it 30.
 
But we don't know if he is also being held culpable for the damages to some or all of the ~16,000 computers affected. That can take this from a less than 10 year sentence to much, much more. If people's identities were "stolen" by this he could be held accountable both criminally and in civil court.
Imagine the penalties if they used **AA lawyers on him.
Still no "Shames on him" comments? You guys are really slipping.
 
This guy was a former Northrop Grumman intern? Screwed up a sweet intern position at a military contracted company for some malicious software... What a waste of a good talent.
 
I don't see why they would prosecute the guy who sells a gun when the customers are shooting people. Doesn't make any sense.
 
So, do they also prosecute weapon manufacturers and resellers if someone does a crime with one of their guns in the USA? A keylogger in itself isn't a bad thing - what you end up doing with it is what matters. The guy's a dick, for selling keyloggers for malicious use, but then again - it's the buyer who chose to use it maliciously.
 
Yeah, I don't get that. A keylogger can also be used for personal use, why is it his responsibility what the buyers used it for? They probably used Windows or Linux to run it and their ISP to access the targeted computer. Should those also be held liable?
 
The term in prison is less important than making him pay restitution to anyone harmed by his keylogger. For those claiming that the end user is the one responsible, valid argument but in the US, certain types of software are illegal to sell or install on other people's systems.

Without the ability to see his marketing approach, can't tell if he was selling an innocent piece of software that criminal minds repurposed or if he was marketing the software as useful for malicious uses. And he can't use the "Stupid, spur of the moment brain fart" defense since he was working on this since high school.

Hopefully, the case will be unsealed and we can see what really was going on.
 
Buy this $1 killing tool, sharpened to perfection, and use it to kill or severely injure those who stepped on your toes! Order now and enter promo code "KILLERTOOL2000" for a special discount.
pencil.png


First 100 purchases will include a special manual to easily identify your target's weak spots:
arteries.gif


Warning:
Buying or selling this product may be illegal in some states and carry a punishment of up to 10 years in prison.
 
I don't see why they would prosecute the guy who sells a gun when the customers are shooting people. Doesn't make any sense.

Yeah, I don't get that. A keylogger can also be used for personal use, why is it his responsibility what the buyers used it for? They probably used Windows or Linux to run it and their ISP to access the targeted computer. Should those also be held liable?

It looks like they believe they can prove he knowingly wrote customized software for criminal use.

You can be held liable for knowingly providing weapons to be used in a crime, too.
 
never mind, just needed to read the pdf.

“certain malicious keylogger software, knowing that the software was going to [...] intentionally cause damage without authorization.”


All he had to do is market it differently.
I'm not a lawyer, but I think you would have a hard time arguing a legitimate use for this type of software regardless of how it was marketed. If there is a law that says selling this type of software is illegal, then yeah lock his ass up. I could see the argument that selling the software isn't the crime, but using it is - but I don't agree with it.
 
Is 10 years excessive for writing and selling a keylogger? We’ll have to see what the judge thinks. The hacker, an ex-Northrop Grumman intern, sold his work for $35 to 3,000 buyers, who infected 16,000 people with it.

Joke?

Fuck yea, he's a criminal. He clearly knew what he was doing.

"Northrop Grumman is a leading global security company providing innovative systems, products and solutions"
 
His biggest mistake was selling it. In no universe is a key-logger ever used for anything other than ill-intent. Lots of college age kids build bad stuff to see if they can... very few sell them to make a couple of bucks.
 
That's a fine line. Is it illegal to sell a key logger? Is it illegal to sell a gun? Can a gun or key logger be used for bad or good? Doesn't law enforcement deploy key loggers? LE must have bought a key logger from someone that wrote one that didn't go to jail? Can only companies but not people sell key loggers? Do companies have more rights than people?
 
Creating malware? No. Selling malware or in any way directly profiting from it? Yes.
 
I don't see why they would prosecute the guy who sells a gun when the customers are shooting people. Doesn't make any sense.

I think the difference is that this was marketed as a tool to perform illegal activity. If someone marketed the guns in their gun store as the best way to murder and they knew that their customers were planning on murdering people when they were purchasing the weapons, they might also be prosecuted.

You have to face palm at the OpSec of this guy. He posts a chat with his full name in a hacker forum!
 
Creating malware? No. Selling malware or in any way directly profiting from it? Yes.

What about people that sell computers that wind up getting used for hacking. What about people that write compilers. It's a slippery slope. Where in the tool chain do you make the cut-off. What about coders that provided a buggy OS and buggy browser that allow remote privilege escalation.
 
What about people that sell computers that wind up getting used for hacking. What about people that write compilers. It's a slippery slope.
You have to ask, is the equipment sold something that can incidentally be used for criminality, or has no other purpose than criminal enterprise.

Selling a computer is like selling a car used in a getaway, it could be used for anything. Selling malware designed for a specific illegal purpose and turning that into a business model is different though. To me, that's pretty cut and dry distinction.
 
He interned for a defense contractor so the kid clearly knew what he was doing. And he improved his code over the years, whilst selling it. That's not by accident.
 
You have to ask, is the equipment sold something that can incidentally be used for criminality, or has no other purpose than criminal enterprise.

Selling a computer is like selling a car used in a getaway, it could be used for anything. Selling malware designed for a specific illegal purpose and turning that into a business model is different though. To me, that's pretty cut and dry distinction.
A keylogger can be used as a security tool to monitor and record an unauthorized use of someone's own personal computer.

Remote control software with screen capture features is also dangerously close to malware use (heck, it basically is a trojan), but its creators also shouldn't be guilty by default.

I'm not saying this guy does or doesn't deserve to be punished at all, but not for creating and selling a tool that has potential for illegal use. That is not on him.
 
A keylogger can be used as a security tool to monitor and record an unauthorized use of someone's own personal computer.
That's true, but from what I understand this was bundled with malware intended to infect machines without the owners' knowledge. That clearly demonstrates ill-intent, and was sold for profit, making it criminal enterprise.

The devil is in the details.
 
Ok...how the F can anyone with a brain argue this guy deserves even a day of prison? He wrote and sold a keylogger. Writing a piece of software and selling it shouldn't be a criminal offense unless the software was a self proliferating virus or ransomware. This is the same stupid logic as arguing that manufacturers of guns and weapons should be thrown in prison because some people use them to harm others. Seriously people, stop and use your damn brains a minute and stop wanting to auto crucify everyone. Want to know how we end up in a society stripped of our freedoms and under constant police surveillance? Using that kind of logic is how we get there. Jesus Christ I am absolutely astounded at some of the statements here. Since when did [H] forum become a retirement home?
 
This is why we are losing the cyber war. Russia or China would see potential and recruit this guy. Here we lock this guy up.
Who says the Russians don't already have him? I mean they're everywhere.

And why do you think we're losing the cyberwar? Oh, makes you sleep easier at night?
 
Ok...how the F can anyone with a brain argue this guy deserves even a day of prison? He wrote and sold a keylogger. Writing a piece of software and selling it shouldn't be a criminal offense unless the software was a self proliferating virus or ransomware. This is the same stupid logic as arguing that manufacturers of guns and weapons should be thrown in prison because some people use them to harm others. Seriously people, stop and use your damn brains a minute and stop wanting to auto crucify everyone. Want to know how we end up in a society stripped of our freedoms and under constant police surveillance? Using that kind of logic is how we get there. Jesus Christ I am absolutely astounded at some of the statements here. Since when did [H] forum become a retirement home?
They used to sell them to monitor your kids or employees. Not sure they are completely illegal to make now.
 