
Monday, July 23, 2012

The End of DarkComet RAT - Part 3: Could the creators of RATs (or similar software analogues) be prosecuted (law)

And now, on to the finale - could DarkCoderSc be prosecuted for creating, supporting, and distributing the DarkComet RAT?

NO (in the United States)

First, DarkComet RAT can be easily distinguished from Mariposa and Blackshades, on the following grounds:

1. DarkCoderSc never sold what he made - there was no profit motive, and thus one could argue, no intent to defraud.

2. As far as I know, DarkCoderSc was never affiliated with any illicit group as the Blackshades RAT creator was - which would make that person liable for numerous charges, not the least of which would be conspiracy under the CFAA.

3. At least with respect to Mariposa, DarkComet RAT had legitimate uses. You could use it for remote administration, to monitor your kids, and for legitimate purposes not otherwise specified. On the other hand, it is hard to argue legitimate uses for a botnet such as Mariposa.

Second, as many readers have pointed out, there is the "what about Metasploit and Backtrack" argument. Namely, those two tools, combined, have probably pwned more computers than DarkComet RAT, yet the creators of those tools (who do have a profit motive) are not prosecuted for such activity. Circumventing these types of arguments would be a prosecutor's nightmare; I would love anyone's possible argument around those, or a different way to distinguish DarkComet/DarkCoderSc.

As I mentioned in the previous post, an interesting argument could be made along the lines of MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005) - specifically, that a tool that had no legitimate legal uses could be a violation of XXX law. I say XXX law, because the Grokster case was based on the Lanham Act (and a judicially created standard of contributory infringement). However, as stated above, this sort of law might be used to prosecute other software creators - but because DarkComet has legitimate uses (see above), even this law would be ineffective. But is law XXX, making it illegal to create illicit hacking tools, off the table? I don't think it should be.

In fact, it is the law in other countries - Germany's "Anti-Hacking Law" Section 202c of the StGB states "[w]hosoever prepares the commission of an offence under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible… (2) software for the purpose of the commission of such an offence" is subject to prison time up to a year. See this document describing the law a little further with recommendations for security professionals. As the article states, the regular use of penetration testing tools does not fall within the ambit of the law, as long as the purpose is legal, and everything is above board. The law is aimed at those tools that are developed or aimed at perpetrating cybercrime.

Such a law for the United States, to return to a normative argument for a second, should be considered. It would immunize Metasploit, Backtrack, etc., but go after those who create the software solely for criminal intentions.

To see the earlier parts of this series follow the links below:

The End of DarkComet RAT - Part 1: The Introduction
The End of DarkComet RAT - Part 1: The Introduction - Update
The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)
The End of DarkComet RAT - More Technical Details

Thursday, July 12, 2012

The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)

I pose the question above at a high level of generality to include in this discussion not just the writer of DarkComet RAT, but writers of other RATs, and more importantly, writers of similar software, for-profit or otherwise. Because I do believe there is one line to be drawn when the person who created the software intended to, or does, profit from it. It is clear from my previous post that law enforcement surely does believe that writing software for these motives may be criminal - the Mariposa botnet creator and the Blackshades RAT creator were both taken into custody - however, I would argue that those situations are distinguishable.

But what should the collective "we" think about DarkComet and its creator? And more importantly, how does an enforcement scheme fit within the framework of existing "hacker" software, such as Metasploit (for profit), Backtrack (totally free - but... paid training - Offensive Security), Samurai WTF (free), Katana (free, and even more underground) -- yes, I could go on. And, is there a "paid-for" vs. "free" dichotomy?

I want to approach this question normatively, first, because I believe this to be somewhat of a novel issue, wrapped inside an already contemplated dilemma; however I am (secretly, but not so much anymore) really hoping to hear at least one person propose an outcome similar to MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), based not necessarily on statutory law (contributory infringement is not in the Lanham Act), but through judicial interpretation. Remember, forget the law - we're proposing what the law should be, here.

I would like to reiterate that the purpose of this series is to strike a lively debate. First, the easiest analogue to this debate is the "guns kill people" argument. Namely, we don't outlaw guns, even though we know they can kill people but are also used lawfully (the majority of the time); therefore, the argument goes, we can't punish makers of guns because of the potential harm they may cause - we leave the criminal consequences at the doorstep of the individual, instead - they are boxed in by the confines of the law as their state has legislated (most often) and absent just cause (e.g., the Castle Doctrine), murder is murder. But can we dispose of this argument that simply? I (personally) don't think so.

You can't just say DarkCoderSc made a program that is used nefariously and should have known that it would be used in unethical, criminal, and fundamentally immoral ways - and thus he should be punished. Because can't the same argument be used for makers of guns (as the simplified argument above asserts), or maybe the makers of Metasploit (HD Moore), Backtrack, the list goes on? And, you can't walk away arguing the converse; see below. At the center of the issue is the question - who is more culpable - the tool creators, or the tool users? Or, to put it a couple of other ways - who is more responsible - (a) the gun maker or the shooter; or (b) the scientist who described the process to enrich uranium or the nation-state who launched the nuclear bomb.

So, let's dig in to the heart of the issue. Not surprisingly, it reverberates on a variety of fronts - ethical, legal, and even moral. To name a few: personal responsibility v. governmental intervention; notions of negligence, duty of care, and the reasonable person; foreseeability; national security (the budding argument); material or conspiratorial assistance; and if you want to delve into morality, the argument against such assistance based on natural law (a la righteousness) -- (for example, see Romans 1:18-32).


I do not propose to have the right answer to this question (in all honesty I am troubled by it), but - I also do not agree with the blanket assertion that because we have already implicitly condoned tools such as Metasploit and Backtrack, that we cannot walk that back. Conversely, I think that would be an inspiring debate. And remember the parallel (yet disparate) personal responsibility argument that turns this issue on its head - it goes like this: we cannot control the end result of every societal interaction, but, we can control the predicate for those interactions. For the lawyers out there, I analogize this (maybe in an over-simplistic way), to the stream of commerce argument. Do you provide a framework to punish the original maker of the faulty product (see Asahi) or do you rein that in and inject (not my words) "objective rationality" (see Dunlop) to shield makers from unintended and unforeseeable outcomes?

Back to the monetary debate - because I like the theme of this argument - that the Blackshades RAT creator and the Mariposa botnet creator went down because they were a part of the criminal enterprise that was taken down. And furthermore, that we look down on individuals who attempt to profit from the (insert belief word here (moral, ethical, religious)) wrong that they have caused. Clear example - we do not allow murderers to profit from the story of their offense. Is that analogous to the DarkComet RAT? Should a profit motive be involved?

In the last (third) part of this series, I will discuss whether or not DarkCoderSc (or other RAT creators) could be prosecuted or held legally liable for his RAT.

Just as a little poke - my first post should make it clear that use of DarkComet RAT as a hacking tool is transcendently clear. If you attempt to use lack of foreseeability as the basis of your argument, you automatically lose. Let the debate begin.