
Cyber Saturday—Marcus Hutchins’ Guilty Plea, Google Nest Camera Security, ‘768k Day’ Is the New ‘Y2K’

Marcus Hutchins (R), the British security expert who helped stop the global 'WannaCry' cyberattack, has pleaded guilty to malware misdeeds. Photo: Joshua Lott—AFP via Getty Images

What justice should be served to Marcus Hutchins?

The twenty-something British security researcher, better known by his online alias “MalwareTech,” gained international acclaim when he stopped a globe-circling, business-crippling, North Korean-sprung cyberattack in 2017. Later that year, the United States arrested Hutchins at a Las Vegas airport and charged him with having conspired, years earlier, to create and sell login credential-stealing malware, dubbed Kronos, aimed at draining people’s bank accounts. Suddenly, the white hat hacker’s sterling reputation turned a shade of grey.

This week Hutchins pleaded guilty to two counts under the Computer Fraud and Abuse Act and the Wiretap Act, both of which carry maximum penalties of five years in prison and $250,000 in fines. (The government said it would dismiss other counts against Hutchins in exchange for his guilty plea.) In a statement posted to his blog, Hutchins wrote that he regretted his actions and accepted full responsibility for his mistakes. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes,” he said. “I will continue to devote my time to keeping people safe from malware attacks.”

Now, as Hutchins faces sentencing, some commentators argue that he should be let off the hook. The New York Times’ Sarah Jeong contends that Hutchins should be granted a pardon, given his apparently newfound moral sense and his role (temporarily) halting the so-called WannaCry cyberattack. “His conviction sends the wrong message about whether or not it pays to mend your ways and, when the moment comes, to do the right thing,” she writes.

I agree with this sentiment, but not with the conclusion. Hutchins’ good deed was, by his own admission, accidental. While investigating WannaCry’s code, he registered a web domain that, by a stroke of luck, sinkholed the attack. (Of course, had he not done so, it’s possible he would have continued to fly under the radar of law enforcement.)

While it’s true that Hutchins appeared to have turned over a new leaf by the time he inadvertently helped combat WannaCry, he should not get off scot-free. Hutchins’ transgressions caused real harm to innocent people. As my colleague Jeff John Roberts wrote in this newsletter two years ago, “just because he stopped WannaCry doesn’t give him a free pass to commit bank fraud (if that’s what he did) any more than a heroic deed will excuse a gunman from robbing a convenience store.”

What’s fair, then? The judge should, in my view, deliver a lenient sentence that offers ample opportunity to earn reduced time through public service. There is a troubling shortage of cybersecurity expertise in the global workforce, and this researcher’s skills could be put to good use fighting crime. Hutchins, a smart person with unusual talents, did some exceedingly stupid things in his youth; if he has indeed changed his ways, let him prove his sincerity.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Stop callin’, stop callin’, I don’t wanna talk anymore. The National Security Agency has recommended that the White House abandon a controversial surveillance program that collected U.S. phone and text metadata, arguing that the costs—and associated public relations headaches—outweigh the benefits, reports the Wall Street Journal. This is a 180-degree-turn for the agency, which previously argued the once-secret program was essential to fighting terrorism. Legal authority for the program, which got its start following the attacks on September 11th, 2001, will expire at the end of this year unless Congress renews it.

Throw the (Face)book at them. Facebook said it is expecting to be slapped with a (big, but small) fine from the Federal Trade Commission totaling between $3 billion and $5 billion for data privacy violations. Other countries’ regulators are circling too. Meanwhile, the company hired a new general counsel, Jennifer Newstead, a Trump-appointed State Department official who, earlier in her career, helped write the Patriot Act, a piece of legislation that greatly expanded the government’s authority to conduct electronic surveillance.

Apple vs. FBI. At a Time magazine event, Apple CEO Tim Cook said the Federal Bureau of Investigation acted in a “very dishonest manner” when it tried to force the company to unlock a terrorist’s iPhone in 2016. He described the legal case the bureau brought against Apple as “very rigged.” Speaking of the FBI, some furor has erupted over the agency’s decision not to reveal which cybersecurity experts have informed its often-criticized view of encryption.

Show me the Huawei. The Chinese telecom giant sought to tamp down concerns over its opaque ownership structure—which some people believe may conceal government ties—in a press conference this week. The Central Intelligence Agency counts itself a skeptic, warning other nations’ spy chiefs that Huawei does indeed bear close ties to the Chinese government, reports Britain’s The Times. Meanwhile, a group of cybersecurity experts is warning the public that if U.S. and allied nations allow Huawei to provide gear for next generation 5G networks, “the risks are incalculable” and “mitigation is impossible.”

See? Aye, eh.


ACCESS GRANTED

The calls are coming from inside the house. Hackers are subverting home security cameras, a technology designed to keep intruders out, for the purposes of virtual breaking and entering. The Washington Post’s Reed Albergotti highlights the repercussions of so-called credential stuffing, a technique hackers use to hijack accounts and devices by testing out passwords leaked in online data dumps. The article raises a prickling question: Are Internet-connected hardware-makers, such as Google’s Nest division, sacrificing security for the sake of user experience?

Tara Thomas thought her daughter was just having nightmares. “There’s a monster in my room,” the almost-3-year-old would say, sometimes pointing to the green light on the Nest Cam installed on the wall above her bed.

Then Thomas realized her daughter’s nightmares were real. In August, she walked into the room and heard pornography playing through the Nest Cam, which she had used for years as a baby monitor in their Novato, Calif., home. Hackers, whose voices could be heard faintly in the background, were playing the recording, using the intercom feature in the software. “I’m really sad I doubted my daughter,” she said.

FORTUNE RECON

Why You Should Use a Password Manager by Lance Whitney

Kamala Harris: Cyber Attacks Will Become a ‘War Without Blood’ by Renae Reints

Bitcoin Accounts for 95% of Cryptocurrency Crime by Jen Wieczner

The U.S. Is Losing Its Crusade Against Huawei by David Meyer

Trump’s Requests for Clinton Emails Led to Dark Web and Hackers by Erik Larson

Law Enforcement Shouldn’t Rely Entirely on A.I. to Decide Whether to Detain Suspects, Report Says by Jonathan Vanian

ONE MORE THING

The new Y2K bug. Some recent news reports have raised an alarm about an upcoming event, expected to transpire within a month, called “768k day.” The name derives from the limited memory that outdated networking gear has available for storing Internet routing directions. If the limit is exceeded on many machines, the event could cause Internet outages—as happened across the Internet on August 12, 2014, or “512k day.”

But before you get too concerned, experts are pushing back, calling the threat overhyped. Remember the Y2K bug, anyone?