Programmer faces federal charges for creating software used by hackers
Updated: An Arkansas programmer who created software that is popular with hackers is facing federal charges of conspiracy, and aiding and abetting computer intrusions.
Taylor Huddleston created a remote administration tool called NanoCore that has been linked to computer hacks in at least 10 countries, the Daily Beast reports. The case raises a novel question, according to the article: When is a programmer criminally responsible for the actions of their users?
Huddleston, a high school dropout, developed the program in hopes that it could lift him out of poverty and get him out of a run-down trailer where he lived on his mother’s property. His hope, he said, was that his $25 program could be used by IT administrators, parents keeping track of their children’s online activity, and others who didn’t have a lot of money to spend on remote-access capability. He eventually bought a $60,000 home with proceeds from NanoCore and an anti-piracy program he created called Net Seal.
Prosecutors pointed out that Huddleston announced and supported NanoCore on HackForums.net. They raided his home in December, arrested him in February, and are seeking forfeiture of his home in Hot Springs, Arkansas.
“It would soon become clear,” the Daily Beast reports, that HackForums “was a terrible place to launch a legitimate remote administration tool. There aren’t a lot of corporate procurement officers on HackForums. Instead, many of Huddleston’s new customers had purely illicit uses for a slick remote-access tool. In short order, Huddleston found himself routinely admonishing people not to use his software for crime.”
Huddleston eventually removed his product’s capability to steal passwords and log keystrokes, and he would log in and disable the software when he discovered a buyer was using it for hacking. Unhappy hackers eventually distributed pirated versions of Huddleston’s software online. He eventually sold the NanoCore business to a HackForum member.
Huddleston sees a double standard. Hackers also have used remote-access software created by large corporations, he said. “NanoCore is abused in the same way that those are,” he told the Daily Beast. “The difference is I … go after these people and build security into the software to catch these people.”
Cornell law professor James Grimmelmann told the Daily Beast that the case could have a chilling effect on software developers whose technology could be adapted by criminals. He said the prosecution of Huddleston comports with a trend in online law enforcement in which prosecutors target defendants who can be identified in place of criminals who can’t be found.
“It’s kind of unusual to target a software developer, but I definitely feel that’s the way the winds are blowing,” Grimmelmann told the Daily Beast.
Krebs on Security took a look at the indictment (PDF) and concluded the case is more nuanced than suggested by the Daily Beast article. According to the government, Huddleston’s Net Seal program was intended to help developers of malware prevent customers from copying their programs without paying, and NanoCore was intended to be used for illegal computer intrusions.
The indictment focuses on allegations that Huddleston conspired with college student Zachary Shames, who developed a keystroke logging program called Limitless and used Net Seal to protect it. Shames pleaded guilty in January to aiding and abetting computer intrusions, according to a government press release.
Shames made at least a thousand payments via PayPal to Huddleston for his Net Seal licensing software, which was used to assist in the distribution of Limitless, according to the indictment. Shames’ program was used to access over 16,000 computers without authorization, prosecutors say.
Krebs on Security interviewed Allison Nixon, director of security research for cybersecurity firm Flashpoint, for her take on the indictment. The indictment portrays Huddleston as the money man for Limitless, raising questions “about how sincere his anti-cybercrime stance really is,” she said.
The case will hinge on intent, said Mark Rumold, senior staff attorney at the Electronic Frontier Foundation. “Whether or not [the government’s] claims are valid is going to be extraordinarily fact-specific,” he told Krebs on Security.
Huddleston’s lawyer, Travis Morrissey of Hot Springs, Arkansas, did not immediately respond to an ABA Journal email seeking comment.
Hat tip to the Marshall Project.
Updated on April 5 to include information from Krebs on Security.