back to article Promising compsci student sold key-logger, infects 16,000 machines, pleads guilty, faces jail

A 21-year-old computer science student, who won a Programmer of the Year Award in high school, has admitted selling key-logging malware out of his college dorm room. On Friday, Zachary Shames, an undergraduate at James Madison University in Virginia, US, pleaded guilty in a federal district court to one count of aiding and …

  1. Anonymous Coward
    Big Brother

    Programmer prosecuted for selling key-logger

    I'm confused, since when was selling key-logger software declared illegal? I mean there are a ton of remote monitoring silutions out there watching what you do in order to sell you stuff. Why aren't they in court?

    "Shames went onto hacker forums to tout his $25 keystroke-logging spyware, which once installed on a victim's computer recorded passwords and other sensitive information."

    Well - DOH!

    1. Anonymous Coward
      Anonymous Coward

      Re: Programmer prosecuted for selling key-logger

      Is that why they gave away Windows 10 + bundled Telemetry for free ?

      1. Anonymous Coward
        Anonymous Coward

        Re: Programmer prosecuted for selling key-logger

        Is that why they gave away Windows 10 + bundled Telemetry for free ?

        Yes, it's Netscape versus Internet Explorer all over again :)

      2. WatAWorld

        Re: Programmer prosecuted for selling key-logger

        Why pick on MS when Apple and Google do it too?

        https://www.schneier.com/blog/archives/2016/06/apples_differen.html

        http://www.networkworld.com/article/2987479/security/your-privacy-and-apple-microsoft-and-google.html

        1. gnasher729 Silver badge

          Re: Programmer prosecuted for selling key-logger

          I can't quite see that Schneier's article about Apple (which is rather content-free by the way) mentions key loggers. It's about Apple trying to develop some technology that is supposed to be able to gather information without any possibility of finding out anything about individual users, and Schneier saying it's hard to do and claiming Apple won't get it to work properly.

          1. Anonymous Coward
            Anonymous Coward

            Re: Programmer prosecuted for selling key-logger

            Yeah, that content free thing ..

            Schneier is someone who has chosen the marketing route, and that requires constant pings in the press to keep alive, even when you have nothing to really contribute (because you have to actually get some work done too in between). Such is the life of the self promoter - not that he's not skilled, but tooting your own horn strikes me as very American.

            Compare to that Cambridge's academic Ross Anderson who has a Northerner's fairly gruff and direct approach to the truth, and nothing but the truth and no bullshit, thank you, so God help you if you try. Call me mad, but if I need facts *that's* the guy I'd pick.

            That said, Schneier's marketing focused approach does deliver benefits too - he's written a few books you could actually hand to a C level executive to establish *some* clue about security at that level - the academic approach is for non-specialists usually a bit too dry and jargony to make an impact. So for beginners I'd get Bruce.

    2. WatAWorld

      Re: Programmer prosecuted for selling key-logger

      That is why "legitimate" sellers pretend to be selling their products for "testing purposes" for us on one's own and one's clients machines.

      If you actually admit you're selling the keylogger for illegal intrusion purposes then you're committing a crime.

    3. martinusher Silver badge

      Re: Programmer prosecuted for selling key-logger

      This is where you need a bit of instruction on the noble art of "talking to authorities". In the TV detective show there's usually a point at the end of the show where our hero gets everyone together in the library and expounds on their theory of the crime, eventually fingering someone other than the butler. The person then blurts out "OK, it was me, but (insert name of victim here) had it coming to him". Tantamount to helping Mr. Pierrepoint adjust the noose around their neck.

      Keyloggers do have legitimate uses. I think I might have made one years ago, although it wasn't covert and it didn't report the information to an external device, it was actually intended to go the other way and imitate a keyboard. If some random cop had turned up and tried to allege that I had criminal intent then I would have initially issued a curt denial and then told them to talk to my lawyer (....anything more -- and I mean *anything* -- is asking for trouble; cops are not your friends and they're not interested in how civic minded you are, if you're in their sights then anything will be used against you for any reason).

      I feel sorry for this guy who's really guilty of being terminally stupid (after all, he made a device driver -- hardly Rocket Science -- but then did something extremely sill with it). A word to the wise would have been as effective as a prosecution and far less damaging.

  2. bobajob12

    Another lost opportunity

    This sort of thing drives me crazy. Department A of the Federal Government is desperate for computing talent to fight off the bad guys. Department B of the Federal Government is locking them up. Cmon now, would a plea deal have been so hard? Or 10,000 hours community service working for a three-letter agency?

    Instead, some young man's life is going to be scribbled on, hard, by the crims in the penitentiary. Sad.

    1. Mark 85 Silver badge

      Re: Another lost opportunity

      He might have been bright and intelligent but he wasn't smart. He got caught using his real name, etc. I can see why Department A wouldn't want him. But yeah.. there could have been a plea bargain deal and he could make something worthwhile of his life.

      OTOH, the Marines are looking for a few good men with his skills.. maybe a tradeoff...?

      1. Version 1.0 Silver badge

        Re: Another lost opportunity

        If he had licensed the code to the FBI he'd probably done much better - but I guess the FBI has the code anyway now.

    2. Anonymous Coward
      Anonymous Coward

      Re: Another lost opportunity

      Writing a keylogger hardly indicates a proficiency for "cyber warfare". Getting caught in such a stupid manner indicates he may be book smart, but probably spent way too much time behind a keyboard and lacks basic social skills. And breaking the law is always going to be a strike against hiring a guy, he has to offer enough upside to make it worth the risk that he turns his talents against them from the inside.

      I don't think they are losing anything by not hiring this guy, though putting him behind bars would be kind of pointless since it was a victimless crime and he isn't a threat to society. They should make him do IT for schools, old folks homes, community centers, etc. With some occasional monitoring at random times, of course, to insure he doesn't turn to the dark side again.

      1. Commswonk Silver badge

        Re: Another lost opportunity

        putting him behind bars would be kind of pointless since it was a victimless crime and he isn't a threat to society.

        I don't doubt that I will attract a few downvotes by asking this, but by what logical process did you make the above statement? Admittedly others have suggested more or less the same.

        The original article included this passge:

        According to prosecutors, Shames developed malicious software, known as a keylogger, that allowed users to steal sensitive information, such a passwords and banking credentials, from a victim’s computer.

        Shames sold his keylogger to over 3,000 users who, in turn, used it to infect over 16,000 victim computers.

        How can it you argue that it was a "victimless crime" and that "he isn't a threat to society"? I'll concede that he didn't constitute a threat like being a suicide bomber or releasing nerve gas in the underground but wilfully embarking on a course of action that resulted in over 16,000 computers being infected can hardly be reduced to the level of stealing a few apples from someone's back garden.

        What honourable purpose did he think he was serving by developing and selling such a product, particularly as he reportedly engineered it so that antivirus software would not spot it?

        1. Anonymous Coward
          Anonymous Coward

          Re: Another lost opportunity

          What honourable purpose did he think he was serving by developing and selling such a product, particularly as he reportedly engineered it so that antivirus software would not spot it?

          I can only think "not being up to his nostrils in debt when graduating" which is still not very honourable but a possible motivator. On the plus side for him, he will have plenty of time in jail to network with people who may become his next employer for his l33t skillz..

        2. oldcoder

          Re: Another lost opportunity

          It is pointless due to the fact that Microsoft does that with every Windows update. More spying, and you can't tell what is being stolen.

          1. Anonymous Coward
            Anonymous Coward

            Why IT schools need ethics badly courses

            "It is pointless due to the fact that Microsoft does that with every Windows update. More spying, and you can't tell what is being stolen."

            Be careful where you say things like that. IF, as presumably some kind of an IT professional whom people might trust, you said it on the record to a journalist or if you published it in a serious section of a website (in the real articles) or in a newspaper's formal letters to the editor section, as opposed to the "pub talk" of comments section, you'd be open to being sued for libel by MS in most countries.

            Why? Because you just stated MS puts key loggers in every Windows Update, and it is provable that MS does not. Plus you worded it as a fact, not as a personal opinion.

            Saying it in the comments section or in a pseudonymous forum is pretty safe. In the UK the courts have already ruled talk in such places is akin to "pub talk", cheap talk and opinions no reasonable person would rely on. ( http://www.theregister.co.uk/2011/02/28/newspaper_anonymous_commenters/ )

            Yes MS puts telemetry in their software, but they do it with the computer owner's permission. Same with Apple, same with Adobe, same with your AV company -- right? But is is telemetry, not a keylogger.

            And they're selling it for computer owners and their appointees to install on their own computers, not for criminals to install on other people's computers.

            Huge difference.

            The IT industries lack of ethics is so extreme it is worse than that of personal injury lawyers.

            Personal injury lawyers might chase ambulances seeking cases, but they don't publish tips for kids on how to remove stop signs from roadways or pour oil on stairways for LOLZ.

            1. Dan 55 Silver badge
              Devil

              Re: Why IT schools need ethics badly courses

              Why? Because you just stated MS puts key loggers in every Windows Update, and it is provable that MS does not. Plus you worded it as a fact, not as a personal opinion.

              Windows 10's default privacy options are none whatsoever (AKA full), and that includes "Send Microsoft info about how I write to help us improve typing and writing in the future" - i.e. a keylogger. It'll be buried in the famous 45 page privacy policy. I'd include the text I could actually be bothered I'd search it, but you can do that too.

              Windows 7 and 8 also got telemetry updates pushed out to them.

              So yes, MS do run keyloggers.

            2. Anonymous Coward
              Anonymous Coward

              Re: Why IT schools need ethics badly courses

              Why? Because you just stated MS puts key loggers in every Windows Update, and it is provable that MS does not. Plus you worded it as a fact, not as a personal opinion.

              I would like Microsoft to offer its full code for public review to prove a negative, plus I suspect that such statement can be deemed representative of all telemetry options in Win 10. On top of that, keylogger requires more accurate definition - even a remote control facility (which exists in Windows) needs keystroke intercept.

              In short, I don't think that there is a need to worry that MS would want to score an own goal by doing what you suggest. It would open a kingsize Pandora's box and establish a precedent that would remove their ability to ever close said box again. They may not code worth cr*p, but their lawyers have far too much sense to try that one.

        3. Anonymous Coward
          Anonymous Coward

          Re: Another lost opportunity

          He developed something that enabled others to commit a crime, but had he not, many other similar options existed (at $25/ea, he was probably undercutting the competition and stealing their profit)

          I view it as similar to selling a lockpick set, which like a keylogger has legitimate uses but can also be used to commit a crime.

      2. WatAWorld

        Re: Another lost opportunity

        Despite what it seems reading the news, the US military is not actually looking to upgrade the skills of serious criminals so they can be better serious criminals.

        They don't hire known murderers for Seal Team 6, as an example.

        They want people who will commit crimes, but only when following official orders.

    3. GrapeBunch
      Childcatcher

      Re: Another lost opportunity

      If they put him away for 10 years, they will know where to find him when the Cyberwar begins in earnest. If he got 100 hours of Community Service, he might already have slipped off the radar and be a pansy pizza leftist in a grotty cellar stealing wi-fi. Now he'll be a hardened criminal, willing to Do What It Takes. I'm sure that the various alphabet agencies see this as a recruiter-friendly move.

      His errors seem to have included using his real name, and supporting his product. This is America, where any kid can grow up to become President, but you need to keep your eye on the prize from a young age.

    4. John Tserkezis

      Re: Another lost opportunity

      "Instead, some young man's life is going to be scribbled on, hard, by the crims in the penitentiary. Sad."

      You'd be singing a different tune if you were one of the many who were scammed. In fact, I'm guessing you'd be screaming blue bloody murder instead of being concerned about his being scribbled on.

    5. JLV
      Facepalm

      Re: Another lost opportunity

      Normally I am unimpressed by the tough-on-crime crowd. Crime needs minimizing but emotional pleas to throw people in jail for long durations for low-impact crimes is stoopid. A well-run country, to me, imprisons a low proportion of their citizens while keeping the others safe.

      However, 16000 computers hacked and a substantial propertion of their owners likely having to spend time untanglingling identity theft is NOT victimless. High-reward white collar crime needs deterrence past what their lack of violence would suggest.

      Hack _criminally_ for profit? But, wait, if you get caught, all is forgiven and you get hired to be a government hacker? Not much downside, izzit? That sounds pretty effin stupid to me. We also have enough ethics problems already with government spying. Without adding this kind of lowlife to the mix.

      10 actual years? Too much. But 2-3 served, with a proper reinsertion program to have his legal skills benefit society and himself again? Sounds about right.

    6. Anonymous Coward
      Anonymous Coward

      Re: Another lost opportunity

      I get what you say, however - in the interests of balanced views I'll play Devil's Advocate.

      Those agencies would almost certainly view his presence as an infiltration and the training of a future adversary if he is viewed as a temp worker with a criminal record. That would be the reality.

  3. Anonymous Coward
    Anonymous Coward

    You're assuming he had talent

    And not just access to everyone elses coursework...via the keylogger.

  4. frank ly

    We want information

    "An ice hockey fan and one-time country club waiter, ..."

    I can understand why this is interesting, important and relevant. Wait .... no, I can't.

    1. Anonymous Coward
      Anonymous Coward

      Re: We want information

      Hey there! An ice-hockey fan is by definition our kinda chap, so all this is just a ghastly mistake an could you please let my client off with a warning, yer'onor?

    2. Anonymous Coward
      Anonymous Coward

      Re: We want information

      "An ice hockey fan and one-time country club waiter, ..."

      I can understand why this is interesting, important and relevant. Wait .... no, I can't.

      It's the beginning of a joke?

      :)

    3. John Tserkezis

      Re: We want information

      "An ice hockey fan and one-time country club waiter, ..."

      "I can understand why this is interesting, important and relevant. Wait .... no, I can't."

      It is important, because without those two things, the only other two things to his name, would be a malware author, and, well, how can I put this nicely, stupid.

  5. chivo243 Silver badge

    This kid has a bright future

    ...graduated from Langley High, in Fairfax, Virginia, worked as an intern at Northrup Grummond...

    He got busted for being naive and inexperienced. I'm sure that has all changed by now. His Uncle will have made sure of that. It will be interesting to see how long he stays incarcerated.

  6. Norman Nescio

    Ignorant Brit here

    Could someone explain what a '3.7 GPA' means? Please?

    When writing for a multinational audience, it's worth making sure that you are not using parochial cultural references. It's also worth understanding generational change too: if I said I left grammar school with 4 Grade 'A' A-levels and two S-levels at Grade 1 and Grade 2, few British people would understand me either. (And before anyone thinks I'm boasting, I didn't).

    1. heyrick Silver badge

      Re: Ignorant Brit here

      From what I remember from Buffy and such, a "standardised" Grade Point Average is a calculation from all of your test scores averaged. A 4.0 means you're made of awesome. 3.0 is pretty normal as regular smart people are good at something and suck at something else. And so on.

      1. Phil O'Sophical Silver badge

        Re: Ignorant Brit here

        3.0 is pretty normal as regular smart people are good at something and suck at something else.

        So really it's as useless as a TripAdvisor star rating, then.

        1. James O'Shea

          Re: Ignorant Brit here

          "3.0 is pretty normal as regular smart people are good at something and suck at something else.

          So really it's as useless as a TripAdvisor star rating, then."

          It's an indicator. In this case it means that he's pretty good at taking tests and doing projects in a fairly difficult technical subject at a upper-level university. Not a top-level; James Madison is good, but it's not Carnagie-Mellon or Case Western or MIT or CalTech.

      2. GrapeBunch
        Headmaster

        Re: Ignorant Brit here

        "Grade Point Average is a calculation from all of your test scores averaged"

        GPA was explained in detail in a later comment, but it's actually an average of your marks or grades which include course work such as term essays and even subjective factors (as exploits the plot line of many a movie). Test scores are a wholly different mystery, the most notorious being LSAT, for which the keener may buy textbooks or hire coaches.

        Education in Canada is a Provincial responsibility, and I believe that in the USA it belongs to the States. So in North America you have at least 60 educational jurisdictions. And yet, there is a surprising level of consistency. "School" consists of 12 levels called Grades (not to be confused with grades, which are course marks). The simplest division of "school" is "Elementary" (grades 1 to say 8) and "High School" (9 to 12), though there can be variations, for example "Middle School" (5 to 8 maybe), "Junior High School" (8 to 10), "Senior High School" (11-12). "Secondary School" is a synonym for "High School". In USA, High School students are Freshman (Grade 9), Sophomore (10), Junior (11) and Senior (12). Then if they go on to Post-Secondary Education = College = University, the whole nomenclature is repeated: Freshman = 1st year and so on. So persons A and B may be "Sophomores", but differ in age by 4 or more years, you need to know the context. Just as you need to know the context in Britain for say 2nd year at various levels.

        In Canada the system is similar. When I was growing up, and it may still be true, we did not use GPA. We also did not use the Freshman ... Senior nomenclature, ever. In some places, schooling was 11 or 13 years, but that's pretty much disappeared except perhaps in Quebec, where after 11, there were two years of CEGEP and only then do students go on to College = University. 40 years ago, old people would talk about "Junior Matriculation" (or "junior matric") and "Senior Matriculation" although perhaps mostly in Ontario, and it had to do with the fact that you could leave school with your head held up high after 11, 12 or 13 years. But later in Ontario, you would take 13 years. Then a further 3 years at College = University would give you an ordinary (Bachelor's) degree, whereas 4 years at University might result in an Honours degree. But where I went, it was 12 + 4 for everybody, and the "Honours" could result only from taking more courses including certain specific ones. So if you wanted an Honours Math (not Maths in Canada) degree, in 3rd and 4th year you'd be learning a lot about Analysis, but if you wanted a vanilla Math degree, you could slack off with Geometry or Number Theory or Modern Algebra. In addition, if you averaged marks (grades) of 80% or more, the degree on your transcript (but not on the diploma) would be marked Class I, whereas 70?-79.99% would be Class II, etc. I bet they've at least tried to make things more standardized in the ensuing decades. In the Real World, a Math degree and a driver's license would go a long way towards qualifying you to be a taxi driver. Hardly anybody gave a flying puck about whether you had an Honours (except grad schools) degree, and nobody at all cared about Class I. On graduating, I purchased a Sealed Transcript of my marks, mindful of future employment opportunities. I still have it, still sealed, over 40 years later!

        In USA, a College tends to be a 4-year institution that grants only Bachelor degrees. University would be a College + Masters and PhD's. In Canada, there is a tendency for a College to not even grant degrees. You go to a local College for two years and then possibly to a University to complete the Bachelor's.

        Cross-pond Educational confusion extends also to occupations. In one genealogical Family Tree, some of my relatives' occupations were labelled as "Lecturer". To which I joked, I've got you beat, I'm a Haranguer. Deep down I probably knew what they were, but the England-based compiler of the tree relented with "University Lecturer". Here in Canada, that might be called "Assistant Professor" or "Associate Professor". By contrast, there was no confusion about what a "Wine Merchant" was, though we did remain with a mild disagreement about the person who was "Theologian" from one point of view, but "Missionary" from another. Even there, cross-pond differences in norms and expectations played a role.

        Please excuse the verbosity.

    2. heyrick Silver badge

      Re: Ignorant Brit here

      When I was at school there was Infants (several years, don't remember). Then four years of Junior. Then finally five years of Senior (including in itself 2 years Junior, 2 years Intermediate, and 1 year Senior, plus optional Sixth and Upper Sixth). I don’t understand the Year X style.

      1. VinceH

        Re: Ignorant Brit here

        I've got somewhere in the region of a million nephews and nieces, so I hear the Year X references a lot - and while I understand the concept, I still can't equate any given year to what stage that puts them in school in the context of infant/junior/senior school.

        (It would be easier to approximate by their age, but I have so many I don't have a clue of their ages - I can only guestimate on that, so I'd be approximating based on an guestimation.)

      2. John Brown (no body) Silver badge

        Re: Ignorant Brit here

        "I don’t understand the Year X style."

        Me neither. And don't forget those weird places which had "middle" schools too.

        1. Def Silver badge

          Re: Ignorant Brit here

          And don't forget those weird places which had "middle" schools too.

          heh, I went to primary, middle, and secondary school. Four years apiece.

          Don't worry, I kept a low profile and made sure I didn't inadvertently teach the teachers anything. ;)

    3. James O'Shea

      Re: Ignorant Brit here

      "Could someone explain what a '3.7 GPA' means? Please?"

      If the school was using the normal 4-point scale (some use a 5-point scale) and it looks as though it was, then...

      An 'A' is 90 or more, and counts as a 4. A 'B' is 80-89.99, and counts as a 3. A 'C' is 70-79.99, and counts as a 2. A 'D' is 60-69.99, and counts as a 1. Anything below 60 id a 'F', and counts as 0. Some places have A-, A+, etc, to complicate things a little. Each class is worth x 'credit hours'; 'Lit111: Minor English Poets of the 19th Century' might be 2 hours, 'CIS411: Advanced Website Scripting with Lab' might be 5 hours. If someone got an 'A' in Lit111, that would be 4 x 2 or 8 points. If he got a 'C' in CIS411 that would be 2 x 5 or 10 points. Add all the points together, divide by the number of total credit hours, you have the GPA. In this case, that's 18 points divided by 7, or 2.57.

      M'man had a 3.7 GPA. That means that he had mostly 'A's, with a few 'B's.

      In most places in the US system, 'freshmen' are first year, 'sophomore' are second year, 'juniors' are third year, and 'seniors' are fourth or higher; the three military academies (West Point for the Army, Annapolis for the Navy and Marines, and Colorado Springs for the Air Force) are notable exceptions to this convention. And you really don't want to know what a 'redshirt' means. (nothing to do with Star Trek.)

      If he's a junior, that means that he's in his third year and his GPA would reflect grades for the first two years plus anything done up until then for the third. A 3.7 from a school like James Madison is pretty good. A 3.7 from a notorious party school (can you say 'Florida State'? Knew you could) would not be nearly as impressive.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ignorant Brit here

        If the school was using the normal 4-point scale (some use a 5-point scale) and it looks as though it was, then... (etc)

        This is the exact purpose for which tables were invented ..

        :)

      2. Wensleydale Cheese

        Re: Ignorant Brit here

        "In most places in the US system, 'freshmen' are first year, 'sophomore' are second year, 'juniors' are third year, and 'seniors' are fourth or higher;"

        Thanks for the detailed explanation, but what age is the typical 'freshman'?

        Still a bit confused.

        1. Shooter

          @ Wensleydale Cheese

          In the US, most high school students are graduated at age 17 or 18, with a few stragglers from the extremely smart/dumb ends of the curve. So most high school freshmen are 13/14 years old, if that particular high school has four grades/levels/classes. When I was in school we had elementary school (grades 1 - 6), junior high school (grades 7 - 9), and high school (grades 10 - 12). I honestly don't recall how 10th graders were designated at my high school (freshmen or sophomore); all I recall is juniors were grade 11 and seniors were grade 12. I believe that under the system most commonly used these days, junior high has been replaced by middle school, which runs from grade 6 to grade 8, which results in four years of high school.

          Once paroled from high school, most of the college/university bound students would be enrolled in classes the following fall, and therefore roughly 2/3rds of those freshmen would be 18, about 1/3rd would be 17, etc.

          1. werdsmith Silver badge

            Re: @ Wensleydale Cheese

            I had one of those password recovery security questions come up the other day:

            "What is the name of your best friend when you were in 8th grade"

            I wrote "WTF is 8th grade?"

            Which is probably what I will write if I ever have to use the recovery process. I have no idea what an 8th grade is.

    4. Anonymous Coward
      Anonymous Coward

      Re: Ignorant Brit here

      If he was a really excellent student they'd have given his average as a percentile. If that info wasn't automatically on his transcript they could get it from the school.

      Just like F-to-A and 0-to-100 grades, 0-to-4 GPAs depend a lot on which school they are from.

      In the old days the 50th percentile at most schools was 2.5 to 3. But since grade inflation the 50th percentile can be as high as 3.75.

      Your easy schools can have 1/4 of the students being 4.0 straight-A students.

      Grade Points are like percent grades, but don't pretend to be so precise. They're A to F letter grades, but translated to numbers so you can find averages, specifically the GPA.

      Typically F=0, D=1.0, C=2.0, C+=2.5, B=3, B+=3.5.

      A and A+ are usually both 4.0 on a GPA, but on an augmented GPA (AGPA) used for scholarships and awards, A=4.0 and A+=4.5.

      GPA= Sum (each course's grade points and that courses number of credit hours) divided by the total number of credit hours for all courses.

      An example calculation: http://www.uvic.ca/registrar/students/policies/calc/

      Tables A to F here show varations at different universities:

      http://umanitoba.ca/faculties/graduate_studies/admin/570.html

    5. Jaybus

      Re: Ignorant Brit here

      Five grades, (ie. marks), possible for an individual course, A, B, C, D, and F, from good to bad, where F = 0, D = 1, C = 2, B = 3, and A = 4. GPA (grade point average) is the mean of the grades from all of one's courses at a particular school.

  7. Cameron Colley

    How is a keylogger illegal?

    As another commentard asks, why is it illegal to produce a keylogger? It's particularly stupid that somebody is prosecuted for producing one in a country where being convicted due to evidence from a keylogger allows a person to walk away because law enforcement don't want anybody to know what their keylogger does.

    If the guy lived in a free country he'd be fine.

    1. Anonymous Coward
      Anonymous Coward

      Re: How is a keylogger illegal?

      As another commentard asks, why is it illegal to produce a keylogger? It's particularly stupid that somebody is prosecuted for producing one in a country where being convicted due to evidence from a keylogger allows a person to walk away because law enforcement don't want anybody to know what their keylogger does.

      I think it's not the act of coding one itself, it's selling it to people of which you can have a reasonable suspicion they'll use it for illegal purposes. That makes you at a minimum an accessory, and I suspect that's what they used to get him to plea guilty.

      1. Aitor 1

        Re: How is a keylogger illegal?

        He sells a keylogger that sends data to a server under his control. He is DUMB.

    2. Robert Carnegie Silver badge

      Re: How is a keylogger illegal?

      It's legal to install a key logger on a computer you own - with probably some qualifications. This software gets installed on someone else's computer and is built for that - hiding from virus scans is a clue to that.

      As for making him work for the government, um, allegedly that's how justice happens in Russia.

      1. smalldot

        Re: How is a keylogger illegal?

        I think all keyloggers need to hide from virus scanners. The AV companies cannot know whether a program is used legally or not, they will trigger an alarm for every keylogger they find. Not all users are clever enough to know how to set an exception (white-list) in their AV scanner tool.

    3. Anonymous Coward
      Anonymous Coward

      Re: How is a keylogger illegal?

      Probably isn't to develop a keylogger, probably is illegal to sell something that you expect will be used for crime. If his site was all shinny and only selling to enterprise he'd probably be fine.

    4. James O'Shea

      Re: How is a keylogger illegal?

      "why is it illegal to produce a keylogger?"

      It's not illegal to produce a keylogger. It is, however, not the best idea to:

      1 produce a keylogger which deliberately hides from anti-malware systems

      2 do your marketing on 'dark web' (whatever that is) sites

      3 aim your marketing at people who are not likely to be placing the keylogger on machines they have legit access to

      4 (most important point here) get caught doing it.

      Producing software which tries to hide is a red flag. Selling it to people who are likely to be criminals or FBI agents, as if there was a difference, is another. Getting caught at it is... not very bright.

    5. Jaybus

      Re: How is a keylogger illegal?

      "If the guy lived in a free country he'd be fine."

      And what free country would that be? Where, exactly, is it legal to aid and abet thieves?

      1. Commswonk Silver badge

        Re: How is a keylogger illegal?

        "If the guy lived in a free country he'd be fine."

        And what free country would that be?

        The person who made the rather silly original statement appears not to have realised that in this mythical "free country" the 16,000 victims would be at liberty to turn up on sentencing day with some nice warm tar and some bin liners full of feathers, or perhaps cricket / baseball bats.

        Thinking about it, we could dispense with all the legal niceties and tar and feather anyone who seriously pisses us off with no fear of the law taking us to task.

        Bliss.

  8. King Jack
    WTF?

    Don't get it

    Why is it bad for this guy to sell a keylogger when M$ has one built in and running on Windows 10 and compromised W7 and W8 machines? Where are the criminal charges for M$?

    1. John Tserkezis

      Re: Don't get it

      "Why is it bad for this guy to sell a keylogger when M$ has one built in and running on Windows 10 and compromised W7 and W8 machines?"

      Microsoft has thousands of lawyers to make what they do look legal. You don't think their terms and conditions write themselves do you?

  9. Doctor Syntax Silver badge

    I suppose it depends on how the product is marketed. If I sold sodium hypochlorite solution as household bleach I wouldn't expect trouble. If I sold it as something suitable for finishing off someone you didn't like in an unpleasant manner I might reasonably expect a knock on the door PDQ. Same product, different purposes.

    In this case we're not told how he marketed it. However, there's no mention of this little sideline on his CV page and he registered a different domain for the job so that might be indicative, as is the fact that he took steps to conceal it from anti-virus S/W. He just didn't do a good job at covering his tracks.

  10. Anonymous Coward
    Anonymous Coward

    Why did he plead guilty?

    This kid made a program that other people chose to use for illegal purposes. He faces 10 years for that? Nice justice system, I have to say. Only North Korea does it better.

    Maybe his keylogger was superior to the ones cops are using. So they'll put the kid in jail to avoid paying the $35 license fee.

  11. four tuna

    He was selling stuff to aid others in theft. It wasn't as if he were selling crowbars that could have been intended to jemmy doors open. He knew what this sw was going to be used for.

  12. Anonymous Coward
    Anonymous Coward

    Well...

    I cant help but think that this is yet another example of how the IT industry is shit to work in.

    As long as the money available on the black market is higher than holding a legit position somewhere this kind of thing will keep happening.

    I know the dude was studying but still, a well paid part time job shouldt be out of reach.

    When I started out at his age in the IT industry (some 15 years ish ago). I was basically poverty stricken. My starting salary was £11,000 a year and I didnt get a raise for 3 years. £11k back then in London was nothing effectively. I barely had enough to eat.

    Even now with 15 years experience under my belt, I occasionally struggle to get what Im worth. Especially if there are "investors" involved.

    1. FlamingDeath Silver badge

      Re: Well...

      You need to take a leaf out of our leaders / politicians book.

      Lie cheat and steal your way to success

  13. Gene Cash Silver badge

    Black market

    Guess who'll be a star computer expert for the Mob when he gets out...

  14. Florida1920
  15. This post has been deleted by its author

    1. Diginerd
      Coat

      Re: Reverse nominative determinism

      Shurley that should be SEMANTIC...

      ...Coat, I'll get it. :-)

  16. Haku

    The headline seems to imply that he personally infected 16,000 machines.

    Almost like saying car manufacturers are the cause of countless accidents and deaths on the roads.

    1. Commswonk Silver badge

      Re: The headline seems to imply that he personally infected 16,000 machines.

      The headline includes the words sold keylogger.

      Perhaps you missed this bit in the article: Shames sold his keylogger to over 3,000 users who, in turn, used it to infect over 16,000 victim computers.

      Your "car" analogy would be more convincing if you could supply some legitimate reason why Joe Public should have access to keylogging software with the ability to slip past antivirus software unnoticed.

  17. Anonymous Coward
    Anonymous Coward

    Why you always consult a lawyer before setting up a business in a grey area

    He is a US citizen, so he'll be able to bargain the sentence way down. Whatever the sentence sayd, if he serves any actual time behind bars it will be measured in months (less than 24), followed by some years of probation. And it will be at a "club fed" minimum security prison or a jail.

    That 10 year maximum sentence, that is reserved for foreign hackers. And foreigners are not eligible for minimum security prisons.

    I can see why he used his real name though. There *seem to be* so many 'blackhats' successfully disguised as 'whitehats' openly doing business across the world, why would he think he'd have any problems? Everyone is doing it, why did they nab me?

    He should have read the news articles a bit more closely and paid more attention to the marketing words used to stay out of jail.

    1. Your hacking tool is for "testing purposes" for use on your customers' own computers and those of your customers' clients.

    2. Or your hacking tool is a (detailed fully functioning) proof of concept, something along those lines, so that people can test their own systems to see if they are vulnerable.

    3. Your hacking tool in never adjusting school grades or stealing passwords or industrial secrets.

    4. Your hacking tools is never for increasing billing hours by deliberately reducing security on the internet.

    If he's consulted a good lawyer in advance of advertising he'd be giving presentations at conferences.

    And really do consult a good lawyer first, don't go with advise from web forums. You want up-to-date advise that will work, and you want to paid for it and you want it in writing. You want exact wordings that will work. You want to have a lawyer you can sue if he goofs and you get successfully prosecuted. (It is much harder to sue for free advise.)

    TL;DR Formally consult a lawyer and get written advise before setting up business in a grey area. Get the lawyer's okay (1) on your concept, (2) on your marketing and support material, and then you almost definitely will be fine as far as the courts go.

    Otherwise you can try the Bitcoin total anonymity thing, but that will only work so long as the authorities want it to work. (I can't see why anyone thinks there is real anonymity in a world where the NSA is capturing all the digital traffic across national borders. I suppose Bitcoin makes CIA and MI6 operations so much easier they agree to let it exist.)

    Disclaimer: I'm neither a lawyer nor an IT security professional. I'm just a businessman.

  18. John Brown (no body) Silver badge
    Coat

    For Shame(s)!

    Really? Nobody said that yet?

  19. Anonymous Coward
    Anonymous Coward

    Pretty sure 21 is a fully grown adult even in the modern era of safe spaces and snowflakes.

    1. Anonymous Coward
      Anonymous Coward

      "The berk will be sentenced on June 16. ®"

      Fixed it for you.

  20. Anonymous Coward
    Anonymous Coward

    Selling a computer program that can be used for illegal purposes is illegal.

    Yet buying and selling firearms is perfectly fine.

    Gotta love America.

  21. Terry 6 Silver badge

    Disingenuous

    He wasn't flogging this stuff for any legitimate use. If you sell burglary tools to burglars you, at the very least, need to think of a way to pretend it is being sold for a legit purpose ( with plausible deniability of the type of customer buying it.).

  22. BillDarblay

    Begs the question

    Why the hell weren't Google execs in court facing ten years for their illegal wifi snooping?

    Oh - I forgot! One law for plebs and another for elites in 'The Land of the Free'.

  23. Blofeld's Cat Silver badge
    Coat

    Hmm...

    "... selling more than 3,000 copies of a key-logger program ... that was used to infect at least 16,000 machines ..."

    This chap appears to be in need of a good lawyer - There are nearly 13,000 pirated copies of his software out there.

    Er, no, hang on a minute ...

  24. mediabeing

    So computer science students can be dumb as dirty too, eh?

    Nice to know.

  25. tiggity Silver badge

    Surprised

    There's a market willing to pay money for anything as trivially simple to write as a key logger

    1. Anonymous Coward
      Anonymous Coward

      Re: Surprised

      Thays why Windows 10 isnt free any more.

  26. Anonymous Coward
    Anonymous Coward

    "Shames had registered that domain under his real name and home address, too."

    ID10T!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020