News & Politics

FBI Arrests Programmer After Hackers Abused His Legal Product

Can someone be punished for what someone else does with their product? Especially if the product was legally produced for a legal purpose?

Anti-Second Amendment activists have somehow gotten to “Yes” on this issue, as they have routinely sued firearm manufacturers for the misuse of guns by criminals. Now, it’s surfaced elsewhere: a computer programmer is facing legal trouble because software he developed for legitimate purposes has been pirated and used by hackers:

The visitors were from the FBI, and after a 90-minute search of his house, they left with his computers, only to return two months later with handcuffs. Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions.

[Taylor] Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as major oil and gas company. As Huddleston sees it, he’s a victim himself — hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies.

Depending on whose view prevails, Huddleston could face prison time and lose his home, in a case that raises a novel question: when is a programmer criminally responsible for the actions of his users? “Everybody seems to acknowledge that this software product had a legitimate purpose,” says Travis Morrissey, a lawyer in Hot Springs who represented Huddleston at his bail hearing. “It’s like saying that if someone buys a handgun and uses it to rob a liquor store, that the handgun manufacturer is complicit.”

More specifically, it’s like someone stealing a gun and robbing a liquor store, followed by prosecutors going after the manufacturer. Huddleston alleges his software was pirated, not sold.

Yet even if it was purchased, Huddleston developed it as a product with a lawful use. It is exactly what he claims it to be: a remote administration tool.

Prosecutors claim Huddleston intended for his software to be used by hackers, but initial filings don’t give any indication of how they’re so sure. Apparently Huddleston was involved in some sites popular with hackers, yet those same sites are also popular with general coding enthusiasts.

Further, Huddleston has developed another piece of software with the sole purpose of remotely stopping his RAT software when he was able to determine it was being used illegally. He even notes that he made updates so he could find people using his software in tutorials and shut them down as well.

All of this indicates a pattern of behavior very different than what prosecutors claim.

This is a case worth watching, since it would have a stifling effect on all software developers, who would have the burden of figuring out if their work could ever be used for criminal purposes.