Thousands of usernames and email addresses were exposed in a Sunday data breach at the forum of popular web comic XKCD. The user forum for popular web comic XKCD was shut down this weekend after administrators were alerted to a security breach that quietly exposed members' data.
A message from forum administrators confirmed nearly , usernames, email addresses, hashed passwords and some IP addresses were stolen.

At a performance by one of Hutchins' favorite bands, the Chainsmokers, he stripped down to his underwear and jumped into a pool in front of the stage.
Someone stole his wallet out of the pants he'd left behind. He was too elated to care. Three years had passed since Hutchins' work on Kronos, and life was good.
He felt like a different person. And as his star rose, he finally allowed himself—almost—to let go of the low-lying dread, the constant fear that his crimes would catch up with him.
Then, on his last morning in Vegas, Hutchins stepped barefoot onto the driveway of his rented mansion and saw a black SUV parked across the street.

Almost immediately, Hutchins gave his FBI interrogators a kind of half-confession. Minutes after the two agents brought up Kronos in the McCarran Airport interrogation room, he admitted to having created parts of the malware, though he falsely claimed to have stopped working on it before he turned Some part of him, he says, still hoped that the agents might just be trying to assess his credibility as a witness in their WannaCry investigation or to strong-arm him into giving them control of the WannaCry sinkhole domain.
He nervously answered their questions—without a lawyer present. Finally, the red-headed agent who had first handcuffed him, Lee Chartier, made the agents' purpose clear. The agents pulled out a warrant for his arrest on conspiracy to commit computer fraud and abuse.
He was allowed one phone call, which he used to contact his boss, Salim Neino. Then he was handcuffed to a chair in a room full of prisoners and left to wait for the rest of the day and the entire night that followed. Only when he asked to use the bathroom was he let into a cell where he could lie down on a concrete bed until someone else asked to use the cell's toilet.
Then he'd be moved out of the cell and chained to the chair again. Instead of sleep, he mostly spent those long hours tumbling down the bottomless mental hole of his imagined future: months of pretrial detention followed by years in prison.
He was 5, miles from home. It was the loneliest night of his year-old life. Unbeknownst to Hutchins, however, a kind of immune response was already mounting within the hacker community. After receiving the call from jail, Neino had alerted Andrew Mabbitt, one of Hutchins' hacker friends in Las Vegas; Mabbitt leaked the news to a reporter at Vice and raised the alarm on Twitter. Immediately, high-profile accounts began to take up Hutchins' cause, rallying around the martyred hacker hero.
Not everyone was supportive of Hutchins: Ex-NSA hacker Dave Aitel went so far as to write in a blog post that he suspected Hutchins had created WannaCry himself and triggered his own kill switch only after the worm got out of control. That theory would be deflated eight months later, when the Justice Department indicted a North Korean hacker as an alleged member of a state-sponsored hacking team responsible for WannaCry.
But the overwhelming response to Hutchins' arrest was sympathetic. Stripped of his computers and phones, Hutchins couldn't get access to his bank accounts to cover that cost. So Tor Ekeland, a renowned hacker defense attorney, agreed to manage a legal fund in Hutchins' name to help cover the bond.
Money poured in. Almost immediately, stolen credit cards began to show up among the sources of donations, hardly a good look for a computer fraud defendant. Ekeland responded by pulling the plug, returning all the donations and closing the fund. But the hacker community's goodwill toward Hutchins hadn't run out. On the day he was arrested, a pair of well-known cybersecurity professionals named Tarah Wheeler and Deviant Ollam had flown back to Seattle from Las Vegas. By that Sunday evening, the recently married couple were talking to Hutchins' friend Mabbitt and learning about the troubles with Hutchins' legal fund.
Wheeler and Ollam had never met Hutchins and had barely even interacted with him on Twitter. But they had watched the Justice Department railroad idealistic young hackers for years, from Aaron Swartz to Chelsea Manning, often with tragic consequences.
They imagined Hutchins, alone in the federal justice system, facing a similar fate. And no one was there to help him. Wheeler had just received a five-figure severance package from the security giant Symantec because her division had been shuttered. She and Ollam had been planning to use the money as a down payment on a home.
Instead, on a whim, they decided to spend it bailing out Marcus Hutchins. Within 24 hours of leaving Las Vegas, they got on a flight back to the city. They landed on Monday afternoon, less than 90 minutes before the courthouse's 4 pm deadline for bail payments. If they didn't make it in time, Hutchins would be sent back to jail for another night. But when they arrived at the courthouse, a court official told them the check had to be notarized.
Now they had only 20 minutes left until the court's office closed. Wheeler was wearing Gucci loafers. She took them off and, barefoot in a black sweater and pencil skirt, sprinted down the street in the middle of a scorching Las Vegas summer afternoon, arriving at the notary less than 10 minutes before 4 pm. Soaked in sweat, she got the check notarized, flagged down a stranger's car, and convinced the driver to ferry her back to the courthouse.
Wheeler burst through the door at pm, just before the clerk closed up for the day, and handed him the check that would spring Marcus Hutchins from jail. From there, Hutchins was bailed to a crowded halfway house, while even more forces in the hacker community were gathering to come to his aid.
Two well-known veteran lawyers, Brian Klein and hacker defense attorney Marcia Hofmann, took his case pro bono. At his arraignment he pleaded not guilty, and a judge agreed that he could be put under house arrest in Los Angeles, where Klein had an office. Over the next two months, his lawyers chipped away at his pretrial detainment conditions, allowing him to travel beyond his Marina del Rey apartment and to use computers and the internet—though the court forbade him access to the WannaCry sinkhole domain he had created.
Eventually, even his curfew and GPS monitoring ankle bracelet were removed. Hutchins got the news that those last pretrial restrictions were being lifted while attending a bonfire party on the beach with friendly hackers from the LA cybersecurity conference Shellcon. Somehow, getting indicted for years-old cybercrimes on a two-week trip to the US had delivered him to the city where he'd always dreamed of living, with relatively few limits on his freedom of movement. Kryptos Logic had put him on unpaid leave, so he spent his days surfing and cycling down the long seaside path that ran from his apartment to Malibu.
And yet he was deeply depressed. He had no income, his savings were dwindling, and he had charges hanging over him that promised years in prison. Beyond all of that, he was tormented by the truth: Despite all the talk of his heroics, he knew that he had, in fact, done exactly what he was accused of. A feeling of overwhelming guilt had set in the moment he first regained access to the internet and checked his Twitter mentions a month after his arrest. Many supporters had interpreted his not-guilty plea as a statement of innocence rather than a negotiating tactic, and they donated tens of thousands of dollars more to a new legal fund.
Tarah Wheeler and Deviant Ollam had become almost foster parents, flying with him to Milwaukee for his arraignment and helping him get his life set up in LA.
He felt he deserved none of this—that everyone had come to his aid only under the mistaken assumption of his innocence. In fact, much of the support for Hutchins was more nuanced.
Just a month after his arrest, cybersecurity blogger Brian Krebs delved into Hutchins' past and found the chain of clues that led to his old posts on HackForums, revealing that he had run an illegal hosting service, maintained a botnet, and authored malware—though not necessarily Kronos.
Even as the truth started to come into focus, though, many of Hutchins' fans and friends seemed undeterred in their support for him. But Hutchins remained tortured by a kind of moral impostor syndrome. He turned to alcohol and drugs, effacing his emotions with large doses of Adderall during the day and vodka at night. At times, he felt suicidal. In the spring of , nearly nine months after his arrest, prosecutors offered Hutchins a deal.
If he agreed to reveal everything he knew about the identities of other criminal hackers and malware authors from his time in the underworld, they would recommend a sentence of no prison time. Hutchins hesitated. He says he didn't actually know anything about the identity of Vinny, the prosecutors' real target. But he also says that, on principle, he opposed snitching on the petty crimes of his fellow hackers to dodge the consequences of his own actions.
Moreover, the deal would still result in a felony record that might prevent him from ever returning to the US. And he knew that the judge in his case, Joseph Stadtmueller, had a history of unpredictable sentencing, sometimes going well below or above the recommendations of prosecutors. So Hutchins refused the deal and set his sights on a trial. Soon afterward, prosecutors hit back with a superseding indictment, a new set of charges that brought the total to 10, including making false statements to the FBI in his initial interrogation.
Hutchins and his lawyers saw the response as a strong-arm tactic, punishing Hutchins for refusing to accept their offer of a deal. After losing a series of motions—including one to dismiss his Las Vegas airport confession as evidence—Hutchins finally accepted a plea bargain in April This new deal was arguably riskier than the one he'd been offered earlier: After nearly a year and a half of wrangling with prosecutors, they now agreed only to make no recommendation for sentencing.
Hutchins would plead guilty to two of the 10 charges, and would face as much as 10 years in prison and a half-million-dollar fine, entirely up to the judge's discretion. Along with his plea, Hutchins finally offered a public confession on his website—not the full, guts-spilling one he wanted, but a brief, lawyerly statement his attorneys had approved.
Then he followed up with a more earnest tweet, intended to dispel an easy story to tell about his past immorality: that the sort of whitehat work he'd done was only possible because of his blackhat education—that a hacker's bad actions should be seen as instrumental to his or her later good deeds. You can learn everything you need to know legally. Stick to the good side. On a warm day in July, Hutchins arrived at a Milwaukee courthouse for his sentencing.
Wearing a gray suit, he slipped in two hours early to avoid any press. As he waited with his lawyers in a briefing room, his vision tunneled; he felt that familiar sensation of impending doom begin to creep over him, the one that had loomed periodically at the back of his mind since he first went through amphetamine withdrawal five years earlier. This time, his anxiety wasn't irrational: The rest of his life was, in fact, hanging in the balance. He took a small dose of Xanax and walked through the halls to calm his nerves before the hearing was called to order.
When Judge Stadtmueller entered the court and sat, the year-old seemed shaky, Hutchins remembers, and he spoke in a gravelly, quavering voice. Hutchins still saw Stadtmueller as a wild card: He knew that the judge had presided over only one previous cybercrime sentencing in his career, 20 years earlier. How would he decipher a case as complicated as this one?
But Hutchins remembers feeling his unease evaporate as Stadtmueller began a long soliloquy. It was replaced by a sense of awe. Stadtmueller began, almost as if reminiscing to himself, by reminding Hutchins that he had been a judge for more than three decades.
In that time, he said, he had sentenced 2, people. But none were quite like Hutchins. And that is, at the end of the day, what gives this case in particular its incredible uniqueness. Stadtmueller seemed to be weighing the deterrent value of imprisoning Hutchins against the young hacker's genius at fending off malevolent code like WannaCry.
Hutchins could hardly believe what he'd just heard: The judge had weighed his good deeds against his bad ones and decided that his moral debt was canceled. After a few more formalities, the gavel dropped. Hutchins hugged his lawyers and his mother, who had flown in for the hearing. And then he walked out onto the street, almost two years since he had first been arrested, a free man. After five months of long phone calls, I arranged to meet Marcus Hutchins in person for the first time at a Starbucks in Venice Beach.
I spot his towering mushroom cloud of curls while he's still on the crowded sidewalk. He walks through the door with a broad smile. But I can see that he's still battling an undercurrent of anxiety. He declines a coffee, complaining that he hasn't been sleeping more than a few hours a night. We walk for the next hours along the beach and the sunny backstreets of Venice, as Hutchins fills in some of the last remaining gaps in his life story.
On the boardwalk, he stops periodically to admire the skaters and street performers. This is Hutchins' favorite part of Los Angeles, and he seems to be savoring a last look at it. Despite his sentence of time served, his legal case forced him to overstay his visa, and he's soon likely to be deported back to England. As we walk into Santa Monica, past rows of expensive beach homes, he says his goal is to eventually get back here to LA, which now feels more like home than Devon.
Despite his case's relatively happy ending, Hutchins says he still hasn't been able to shake the lingering feelings of guilt and impending punishment that have hung over his life for years. It still pains him to think of his debt to all the unwitting people who helped him, who donated to his legal fund and defended him, when all he wanted to do was confess.
I point out that perhaps this, now, is that confession. That he's cataloged his deeds and misdeeds over more than 12 hours of interviews; when the results are published—and people reach the end of this article—that account will finally be out in the open. Hutchins' fans and critics alike will see his life laid bare and, like Stadtmueller in his courtroom, they will come to a verdict. Maybe they too will judge him worthy of redemption. And maybe it will give him some closure.
He seems to consider this. He's come to believe, he explains, that the only way to earn redemption would be to go back and stop all those people from helping him—making sacrifices for him—under false pretenses. His motives for confessing are different now, he says. He's told his story less to seek forgiveness than simply to have it told. To put the weight of all those feats and secrets, on both sides of the moral scale, behind him.
And to get back to work.

In addition, the story's description of Hutchins' attorneys' legal advice has been clarified. A small section of this story is adapted from that book.
The hacking group Guardians of Peace has mostly used the website Pastebin to post links to the hacked documents, but other people have copied and pasted those links on Reddit, making it a popular repository for people looking to pore through the hacked materials. Reddit said it shut down the SonyGOP subreddit in response to requests from Sony to take down the links. The Digital Millennium Copyright Act allows media companies to ask websites to take down copyrighted material, but the websites are not obligated to take down links themselves -- let alone shut down an entire page or site.
Yet Reddit took the unusual measure of banning the entire subreddit.

Hackers used special tools and apps that took usernames and passwords leaked via data breaches at other sites and tested their validity against Ring's account system. The username-password combos that matched, they published online. In some cases, hackers also published the tools they used, to let other hackers have a go themselves.
TechCrunch reported on another list of 1, Ring accounts. ZDNet also received the list that TechCrunch received. The person who tipped ZDNet said he notified Ring of the issue earlier this week, and the company began resetting passwords and notifying customers. ZDNet also received links to three other instances where hackers had compiled lists of credentials for Ring accounts, which they dumped online to boost their reputation among their peers.
Two of those lists were taken down by the service provider where they were uploaded. The last was a list claiming to hold credentials for , Ring accounts.
ZDNet shared the list with Ring's security team. The company said that of the , credentials only 4, entries were for valid Ring accounts. The company wasn't aware of this particular list but said it had already reset passwords for these accounts and notified their owners, suggesting that other hackers had identified the same accounts earlier.
The data also, without a doubt, originated from credential stuffing: every email ZDNet tested had been included in breaches at other services.
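The Ring incident above is the textbook shape of credential stuffing: leaked username/password pairs from other breaches replayed against a login endpoint, with the matching pairs then published. From the defender's side, that traffic has a recognisable signature in authentication logs, which is what lets a provider reset and notify affected accounts, as Ring did. The following is an added example, not code from the articles or from Ring, showing one way to flag that pattern: one source trying many distinct accounts in a short window, with very few attempts per account, as opposed to a brute-force attack that hammers a single account. The log format, the IP addresses, the usernames and the thresholds are all constructed for this demonstration.

```python
# Added example (not from the article, not Ring's code): flag credential-stuffing
# patterns in login logs. Stuffing replays leaked pairs from other breaches, so it
# looks like many *different* accounts tried from one source, mostly failing, with
# few attempts per account. The log format and thresholds are assumptions made
# for this demonstration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2019-12-18T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-12-18T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-12-18T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2019-12-18T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-12-18T10:00:04Z 203.0.113.7 erin@example.com FAIL
2019-12-18T10:00:05Z 203.0.113.7 frank@example.com FAIL
2019-12-18T10:00:06Z 203.0.113.7 grace@example.com SUCCESS
2019-12-18T10:00:07Z 203.0.113.7 heidi@example.com FAIL
2019-12-18T10:03:00Z 198.51.100.4 ivan@example.com FAIL
2019-12-18T10:03:05Z 198.51.100.4 ivan@example.com FAIL
2019-12-18T10:03:10Z 198.51.100.4 ivan@example.com SUCCESS
2019-12-18T11:30:00Z 192.0.2.9 judy@example.com SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=5, max_per_account=2.0):
    """Return {ip: summary} for sources whose attempts fit the stuffing pattern:
    within `window`, at least `min_accounts` distinct usernames and no more than
    `max_per_account` attempts per username on average. A single account being
    retried many times (brute force) is deliberately not matched here."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp so windows are contiguous
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        for start in range(len(evs)):
            # Extend the window as far as it reaches from this starting event.
            end = start
            while end + 1 < len(evs) and evs[end + 1][0] - evs[start][0] <= window:
                end += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if len(users) >= min_accounts and len(chunk) / len(users) <= max_per_account:
                if best is None or len(users) > best["distinct_accounts"]:
                    # Successful logins inside a flagged window are the accounts
                    # whose reused password matched: reset and notify those.
                    compromised = sorted({e[2] for e in chunk if e[3] == "SUCCESS"})
                    best = {
                        "window_start": chunk[0][0],
                        "attempts": len(chunk),
                        "distinct_accounts": len(users),
                        "compromised": compromised,
                    }
        if best is not None:
            findings[ip] = best
    return findings


def accounts_to_reset(findings):
    """Union of compromised accounts across all flagged sources."""
    accounts = set()
    for summary in findings.values():
        accounts.update(summary["compromised"])
    return sorted(accounts)


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in hits.items():
        print(f"{ip}: {summary['attempts']} attempts across "
              f"{summary['distinct_accounts']} accounts; "
              f"reset: {', '.join(summary['compromised'])}")
    print("accounts to reset:", accounts_to_reset(hits))
```

On the constructed sample, only 203.0.113.7 is flagged (eight accounts in six seconds, one attempt each), and its two successes are the accounts to reset; the repeated attempts against ivan@example.com from 198.51.100.4 are a different pattern (a single account, several tries) and are left for a separate brute-force rule. In a real deployment the per-source key would usually be widened beyond a bare IP, since stuffing tools commonly rotate through proxies, and the thresholds would be tuned against the service's normal login rates.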