The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)

I pose the question above at a high level of generality to include in this discussion not just the writer of DarkComet RAT, but writers of other RATs, and more importantly, writers of similar software, for-profit or otherwise. Because I do believe there is one line to be drawn when the person who created the software intended to, or does profit from it. It is clear from my previous post that law enforcement surely does believe that writing software for these motives may be criminal - the Mariposa botnet creator and the Blackshades RAT creator were both taken into custody - however, I would argue that those situations are distinguishable.

But what should the collective "we" think about DarkComet and its creator? And more importantly, how does an enforcement scheme fit within the framework of existing "hacker" software, such as Metasploit (for profit), Backtrack (totally free - but... paid training - Offensive Security) , Samurai WTF (free), Katana (free, and even more underground) -- yes, I could go on. And, is there a "paid-for" vs. "free" dichotomy?

I want to approach this question normatively, first, because I believe this to be somewhat of a novel issue, wrapped inside an already contemplated dilemma; however I am (secretly, but not so much anymore) really hoping to hear at least one person propose an outcome similar to MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), based not necessarily on statutory law (contributory infringement is not in the Lanham Act), but through judicial interpretation. Remember, forget the law - we're proposing what the law should be, here.

I would like to reiterate that the purpose of this series is to strike a lively debate. First, the easiest analogue to this debate is the "guns kill people" argument. Namely, we don't outlaw guns, even though we know they can kill people but are also used lawfully (the majority of the time); therefore, the argument goes, we can't punish makers of guns because of the potential harm they may cause - we leave the criminal consequences at the doorstep of the individual, instead - they are boxed in by the confines of the law as their state has legislated (most often) and absent just cause (e.g., the Castle Doctrine), murder is murder. But can we dispose of this argument that simply? I (personally) don't think so.

You can't just say DarkCoderSc made a program that is used nefariously and should have known that it would be used in unethical, criminal, and fundamentally immoral ways - and thus he should be punished. Because can't the same argument be used for makers of guns (as the simplified argument above asserts), or maybe the makers of Metasploit (HD Moore), Backtrack, the list goes on.  And, you can't walk away arguing the converse; see below. At the center of the issue is the question - who is more culpable - the tool creators, or the tool users? Or, to put it a couple of other ways - who is more responsible - (a) the gun maker or the shooter; or (b) the scientist who described the process to enrich uranium or the nation-state who launched the nuclear bomb.

So, let's dig in to the heart of the issue. Not surprisingly, it reverberates on a variety of fronts - ethical, legal, and even moral. To name a few: personal responsibility v. governmental intervention; notions of negligence, duty of care, and the reasonable person; foreseeability; national security (the budding argument); material or conspiratorial assistance; and if you want to delve into morality, the argument against such assistance based on natural law (a la righteousness) -- (for example, see Romans 1:18-32). 


I do not propose to have the right answer to this question (in all honesty I am troubled by it), but - I also do not agree with the blanket assertion that because we have already implicitly condoned tools such as Metasploit and Backtrack, that we cannot walk that back. Conversely, I think that would be an inspiring debate. And remember the parallel (yet disparate) personal responsibility argument that turns this issue on its head - it goes like this: we cannot control the end result of every societal interaction, but, we can control the predicate for those interactions. For the lawyers out there, I analogize this (maybe in an over-simplistic way), to the stream of commerce argument. Do you provide a framework to punish the original maker of the faulty product (see Asahi) or do you rein that in and inject (not my words) "objective rationality" (see Dunlop) to shield makers from unintended and unforeseeable outcomes?

Back to the monetary debate - because I like the theme of this argument - that the Blackshades RAT creator and the Mariposa botnet creator went down because they were a part of the criminal enterprise that was taken down. And furthermore, that we look down on individuals who attempt to profit from the (insert belief word here (moral, ethical, religious)) wrong that they have caused. Clear example - we do not allow murders to profit from the story of their offense. Is that analogous to the DarkComet RAT? Should a profit motive be involved?

In the last (third) part of this series, I will discuss whether or not DarkCoderSc (or other RAT creators) could be prosecuted or held legally liable for his RAT.

Just as a little poke - my first post should make it clear that use of DarkComet RAT as a hacking tool is transcendently clear. If you attempt to use lack of foreseeability as the basis of your argument, you automatically lose. Let the debate begin.