Category Archives: COURTS CRIME LAW

FBI charges Chinese national with distributing malware used in OPM hack attack

The malware has been linked to both the data breach of the US Office of Personnel Management and the Anthem breach.

The FBI has filed charges against a Chinese malware broker named Yu Pingan, alleging that he provided hackers with malware, including the Sakula trojan, to breach multiple computer networks belonging to companies in the US.

The FBI alleges that Yu, also known as “GoldSun,” conspired with two unnamed hackers from around April 2011 through around January 2014 to maliciously target a group of US companies’ computer networks.

The complaint filed does not name which companies were targeted but notes that the different companies were headquartered in San Diego, California; Massachusetts; Los Angeles, California; and Arizona.

The rarely used Sakula malware has been linked to both the 2014 breach of the US Office of Personnel Management and the 2015 breach of the health insurance firm Anthem.

The Anthem breach impacted 78.8 million current and former customers of the company, while the OPM hack affected more than 22 million records of Americans who had applied for security clearance to work for the government.

WannaCry researcher denies in court creating banking malware

The security researcher rose to fame for curbing the spread of the WannaCry ransomware recently.

A security researcher who helped curb a global outbreak of the WannaCry ransomware earlier this year has told a court he is not guilty of charges of allegedly creating a notorious banking malware.

Marcus Hutchins, 22, said he was not guilty during a hearing at a Las Vegas court after he was arrested and detained earlier this week.

The news was confirmed by his attorney Adrian Lobo, speaking on Facebook Live to local reporter Christy Wilcox, at the court house.

Hutchins was granted bail on a bond of $30,000 during a hearing at a Las Vegas court.

But he will “not be released today lawyers says could not get bail in time,” according to Wilcox in a tweet.

He will not be allowed access to devices with an internet connection, said Wilcox, and he will be tagged to be monitored at all times.

Hutchins, also known as @MalwareTechBlog, stormed to fame earlier this year after he found a kill switch in the malware, known as WannaCry, amid a global epidemic of ransomware in May.

By registering a domain found in the code, he stopped the spread of the malware.

The Justice Department announced Thursday that it was charging Hutchins with malicious activity, unrelated to the WannaCry cyberattack.

The security researcher, a British native, was arrested shortly before boarding a flight home. He had been attending the Def Con security conference late last month. He was briefly detained in a federal detention facility in Nevada, then later questioned by the FBI at its field office in Las Vegas.

Hutchins was later indicted, along with an unnamed defendant, on six charges relating to allegations that he created the Kronos malware, a trojan that can steal banking usernames and passwords from victims’ computers.

He was also charged with five other counts, including wiretapping — thought to relate to the interception of passwords — and violating the controversial Computer Fraud and Abuse Act, which serves as the basis of US hacking laws.

Hutchins will appear at a court in Wisconsin, where the case was filed, on August 8.

Developing… more soon.

Henry Sapiecha

With just one wiretap order, US authorities listened in on 3.3 million phone calls

The order was carried out in 2016 as part of a federal narcotics investigation.

NEW YORK, NY — US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation.

The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015.

The order was signed to help authorities track 26 individuals suspected of involvement with illegal drug and narcotic-related activities in Pennsylvania.

The wiretap cost the authorities $335,000 to conduct and led to a dozen arrests.

But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted.

The revelation was buried in the US Courts’ annual wiretap report, published earlier this week but largely overlooked.

“The federal wiretap with the most intercepts occurred during a narcotics investigation in the Middle District of Pennsylvania and resulted in the interception of 3,292,385 cell phone conversations or messages over 60 days,” said the report.

Details of the case remain largely unknown, likely in part because the wiretap order and several motions that have been filed in relation to the case are thought to be under seal.

It’s understood to be one of the largest numbers of calls intercepted by a single wiretap in years, though the exact number of Americans whose communications were caught up by the order is not known.

We contacted the US Attorney’s Office for the Middle District of Pennsylvania, where the wiretap application was filed, but did not hear back.

Albert Gidari, a former privacy lawyer who now serves as director of privacy at Stanford Law School’s Center for Internet and Society, criticized the investigation.

“They spent a fortune tracking 26 people and recording three million conversations and apparently got nothing,” said Gidari. “I’d love to see the probable cause affidavit for that one and wonder what the court thought on its 10 day reviews when zip came in.”

“I’m not surprised by the results because on average, a very very low percentage of conversations are incriminating, and a very very low percent results in conviction,” he added.

When reached, a spokesperson for the Justice Department did not comment.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Henry Sapiecha

Federal Court rejects application for Telstra to supply ‘personal’ metadata

A long-running battle over whether or not telcos should have to provide stored metadata to customers on request — which evolved over numerous appeals into a battle over which data should be considered personal — appears to have come to an unsatisfying end this week in Australia’s Federal Court.

The case between the Privacy Commissioner and Telstra was sparked two years ago when the former ordered the telco to supply metadata on request, on the grounds that it was the personal data of the customer. With this latest decision, Telstra will not be obliged to obey that order.

As the government was preparing to introduce new rules in 2013 that would oblige telcos to store the data generated when customers used their services (for example not your voice or articles you read online, but information on your calls, location and IP addresses of sites you visit), Ben Grubb, then a journalist at Fairfax Media, asked his telco Telstra for a copy of the data.

Telstra provided some information, but not the complete set it would be required to give to law enforcement if asked under the retention laws.

In 2015 the Privacy Commissioner ruled against Telstra, ordering it to provide the missing data, but the decision was overturned when Telstra appealed to the Administrative Appeals Tribunal (AAT).

A counter appeal from the Privacy Commissioner saw the issue taken to the Federal Court, where it was ultimately dismissed this week.

“It’s obviously a disappointing outcome,” Grubb says, “but I’m really grateful that the Privacy Commissioner followed this through by going to the Federal Court to appeal it”.

Grubb says he believes the protracted, public legal stoush may have influenced the system to change for the better, even if Telstra was ultimately vindicated.

“The point of this case was to get my telco to hand over what they were already providing to law-enforcement agencies on a case-by-case basis. In effect, the case achieved most of this, with Telstra eventually allowing consumers to access a lot of what they had on file about their users,” Grubb says, referring to a change the telco made in 2015.

Still, this week’s decision means his original request for metadata will ultimately not be fulfilled.

“At first, Telstra refused me access to information beyond my billing information. They then provided further information, but not all of what I was requesting. Wednesday’s decision means that I won’t be provided with that further information, which included, among other information, IP addresses, URLs, and specific cell tower location information,” Grubb says.

“I still worry about scope creep with regards to data retention. The recent discussion paper put out just before Christmas by the government to enable even more entities to access our highly personal information is worrying, and something many privacy advocates warned would likely end up happening once the data retention laws were passed.”

Anna Johnston, director of Salinger Privacy and former deputy privacy commissioner for NSW, says people shouldn’t interpret this week’s decision as the court “gutting” the definition of what “personal information” is. Rather, the court has just declined to resolve questions still up in the air.

In a detailed blog post explaining the case, Johnston argues that the AAT’s interpretations in its decision in favour of Telstra were “ridiculous”, and “completely undermined our privacy laws”. The AAT’s view that some metadata was not personal information, and so need not be provided to customers, hinged on the fact that the data was about connections between mobile devices, rather than about a person.

But, Johnston writes, surely the data can be both things at once.

“Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner”, like their address, phone number and car make, Johnston writes.

In this case, though, the Privacy Commissioner failed to make this distinction in its appeal to the Federal Court.

“Instead of arguing that information could be ‘about’ more than one thing, i.e. that metadata could be ‘about’ both the delivery of a network service and the customer receiving that service,” Johnston wrote, “the Privacy Commissioner’s legal team argued that the phrase ‘about an individual’ was redundant, and should simply be ignored,” and the argument was ultimately rejected by the court.

Speaking to Fairfax Media, Johnston said the situation is complicated by the fact that definitions in the Telecommunications (Interception And Access) Act have changed in the time since Grubb first lodged his complaint.

Johnston believes Telstra was in the wrong in refusing to supply the information, but the privacy commissioner went the wrong way about setting things right (although she says the door is not closed for a fix to come in future with another complaint).

With the rules as they currently are, Johnston believes the case could be made for information to be provided if the complainant could show why the data was personal.

“I would argue that the Federal Court left open the possibility that the data Ben Grubb and Telstra were arguing about would be ‘personal information’, because they said that the individual needs to be a subject matter, not the subject, as the AAT said,” Johnston says.

“The judges stressed the need to consider ‘the totality of the information’. In other words, linkability to an identifiable individual might still make something ‘personal information’, and thus within the scope of our privacy laws.”


Henry Sapiecha


FROM the comfort of his bedroom, computer whiz Shane Stephen Duffy made more than $32,000 from computer gamers who paid him to access other people’s gaming accounts.

The 23-year-old hacker also attacked the computers of his online opponents, using knowledge of their IP addresses to slow their internet connections, allowing him to advance in the online game.

The IP address is the computer’s address on the internet and identifies that computer for that session or permanently.

At Brisbane District Court on Thursday, Duffy was sentenced for his crimes, including fraud, computer hacking and unauthorised impairment of electronic communication that occurred while he was living at Poona – near Hervey Bay – and Kingaroy.

Duffy, who now lives in Brisbane, pleaded guilty to the offences that occurred between May 2013 and March 2014 and was sentenced to jail with immediate parole.

League of Legends is an online computer game where players create an account and join a team that bands together to destroy an opposing team’s base.

In 2011, someone hacked into the database of the game’s LA-based publisher Riot Games and got hold of more than five million usernames and passwords for League of Legends.

It was not suggested Duffy was responsible for this hacking, but the court heard a copy of this database was found on his computer in 2013 and was also available on the internet.

The court heard Duffy made $32,000 from selling the usernames and passwords of online gaming accounts to other gamers.

In July 2013, Duffy and an associate he met online hacked into Riot Games and removed data from the server.

Judge Tony Moynihan said Riot Games spent hundreds of thousands of dollars to secure their systems.

Duffy also set up a website where players could launch attacks on their opponents’ computers using their IP address information.

Duffy’s defence barrister Patrick Wilson said doctors’ reports showed his client had a lack of understanding of how his actions impacted others.

He also said the offending happened at a low point in Duffy’s life, where he was restricted to his bedroom for a number of years and was traumatised by the death of his father.

Duffy was now socialising more and living a healthier life, the court heard.

Judge Moynihan said Duffy had no criminal history and he had taken constructive steps towards rehabilitation and reducing his risk of re-offending.

Duffy was sentenced to two and a half years in jail and was granted immediate parole.

He must also be of good behaviour for two and a half years. – ARM NEWSDESK

Henry Sapiecha

Intelligence Chief: Little Penalty for Cyberattacks

Director of National Intelligence James Clapper testifies on Capitol Hill in Washington, Thursday, Sept. 10, 2015, before the House Intelligence Committee hearing on cyber threats. (AP Photo/Pablo Martinez Monsivais)

Cyberattacks against American interests are likely to continue and grow more damaging, in part because hackers face a low risk of consequences, the director of national intelligence told Congress Thursday.

James Clapper, the nation’s top intelligence official, told the House intelligence committee that a muted response to most cyberattacks has created a permissive environment in which hacking can be used as a tool short of war to benefit adversaries and inflict damage on the United States.

“Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue,” Clapper said, speaking specifically about the recently revealed hack of federal personnel information linked to China in which personal data on some 22 million current and former U.S. government employees, contractors, job applicants and relatives was stolen. “We will continue to see this until we create both the substance and the psychology of deterrence.”

The administration has yet to act in response to the OPM hack.

Last May, the Justice Department issued criminal indictments against five Chinese military hackers it accused of cyberespionage against U.S. corporations for economic advantage. FBI director James Comey said at the time the spying was to benefit Chinese companies, but he neither named the companies nor took formal action against them.

Clapper said Thursday he is deeply worried that the data will be used to expose or blackmail American intelligence operatives, but he said the U.S. has yet to see any evidence of the data being used in that way.

Clapper discussed cyber threats alongside CIA director John Brennan, Comey, National Security Agency director Admiral Mike Rogers, and Defense Intelligence Agency chief Lt. Gen. Vincent Stewart.

Russia, China, Iran and North Korea pose the top cyber threats, the officials said. Foreign intelligence services are increasingly gaining access to critical US infrastructure that would allow them to inflict damage, Clapper added.

Source: Associated Press


Henry Sapiecha

Schrems: the law student who brought down a transatlantic data pact

Austrian data activist Max Schrems stands in the courthouse after his trial against Facebook in Vienna April 9, 2015. REUTERS/Leonhard Foeger

From Vienna cafes to the European Union’s highest court, an Austrian law student’s two-year battle against Facebook and mass U.S. surveillance culminated on Tuesday in a landmark ruling that has rippled across the business world.

Max Schrems, a 28-year-old Facebook user finishing his Ph.D in law at Vienna University, took an interest in the subject of privacy while studying for a semester abroad at Santa Clara University in California.

The legal battle against mass U.S. surveillance that he subsequently pursued resulted in what lawyers called a “bombshell” ruling knocking down a data transfer framework between the European Union and the United States used by over 4,000 companies such as Google, Facebook and IBM.


“Max Schrems and Edward Snowden. What a combination. Two young men who have made indelible impacts on the world of data protection,” wrote Stewart Room, a partner at PwC.

Like many Vienna residents, Schrems has a cafe – the traditional Cafe Ritter in the Austrian capital’s fashionable Mariahilf shopping district – that is like a second home where he likes to spend much of his time and receive visitors.

In 2013, ex-National Security Agency (NSA) contractor Edward Snowden leaked details about the U.S. government’s Prism program that allowed it to harvest private information directly from big tech companies such as Facebook.

Facebook has repeatedly denied being a “back door” for U.S. spies.

Schrems took up the privacy battle and filed 22 complaints against Facebook in Ireland, where the company has its European headquarters. He set up a website, called, with the aim of ensuring that Europeans’ privacy rights are enforced against “tech giants like Facebook.”

He then lodged a complaint with the Irish Data Protection Commissioner, asking it to stop Facebook’s transfers of European users’ data to its U.S. servers because of the risk of U.S. government snooping.

That complaint was thrown out as “frivolous and vexatious.”

But Schrems appealed. His case eventually wound its way to the Luxembourg-based European Court of Justice, which on Tuesday struck down the framework underpinning the data transfers of thousands of companies.

“Individuals now have far greater ability to exert a disruptive influence and shape law,” said Paula Barrett, partner at law firm Eversheds.

Snowden, without whom Schrems said Tuesday’s victory would have been impossible, congratulated the Austrian privacy activist via Twitter.

“Congratulations Max Schrems. You’ve changed the world for the better,” Snowden tweeted.


Henry Sapiecha


Skype summoned to Belgian court over failure to share call data

A page from the Skype website is seen in Lausanne May 10, 2011. REUTERS/Denis Balibouse

Online communication service Skype (MSFT.O) has been summoned to appear in court in Belgium after refusing to pass on customer data to aid a criminal investigation, a court spokesman said.

A court in Mechelen, just north of Brussels, had asked for data from messages and calls exchanged on Microsoft-owned Skype, arguing that telecom operators in the country were required to do so.

“The judicial question is whether Skype is also a telecoms operator,” the court spokesman said, adding that Skype would have to pass on the data if this was established to be the case. It could also face a fine.

Skype was not immediately available for comment.


Henry Sapiecha

Crime Commission to give evidence on disrupting illegal online activity

The ability of government agencies to disrupt the operation of illegal online services has proven to be a useful tool for Australian law enforcement to prevent harm to the Australian community caused by serious and organised crime, according to the Australian Crime Commission (ACC).

On Wednesday morning, the House Standing Committee on Communications will hear evidence from the ACC at its third public hearing for its inquiry into the use of the Telecommunications Act 1997.

The ACC is a strong advocate of maintaining section 313 of the Act, which gives powers to some agencies to disrupt illegal online activity, and also supports improvements in transparency and accountability in the use of the section.

In its submission, the ACC said that balancing transparency, accountability and law enforcement effectiveness can be achieved by creating a regime that is proportional to the threat posed by serious and organised crime.

Committee Chairman Jane Prentice said, “Striking a balance between freedom and protection is the essence of democratic government. The scale and nature of criminal activity online demanded a response from governments and law enforcement agencies. Nonetheless, agencies must be accountable for the use of the powers they are granted, and those powers must be proportional to the threat.”

Mrs Prentice noted that the Committee would be examining those issues to ensure that the use of the powers conferred under section 313 was appropriate, proportionate and subject to effective accountability.

Details of the hearing are as follows:
Date:  Wednesday, 25 February 2015
Time:  8:00 am
Venue:  Committee Room 1R3, Parliament House, Canberra

Further information on the Inquiry, including the full terms of reference and how to prepare a submission can be obtained from the Committee’s website at or from the Secretariat on (02) 6277 2352.


Henry Sapiecha

Investigations warrant that Amin Mohamed stands trial for allegedly trying to join Syrian conflict

A 24-year-old Sydney man has been committed to stand trial for allegedly trying to join the fighting in Syria.

Amin Mohamed is accused of obtaining a phone number in a false name, applying for a New Zealand passport, booking flights to Turkey and obtaining the contact details of a Turkish resident to facilitate travel from Turkey to Syria.

Prosecutors in the Melbourne Magistrates Court alleged his sole intent was to join the fighting to overthrow the Syrian government.

He has pleaded not guilty to the charges.

Terrorism expert Dr Rodger Shanahan gave evidence to the court about a report he wrote for counter-terrorism agencies.

He said the two main organisations that accepted foreign fighters in Syria were Islamic State and Jabhat al-Nusra.

Dr Shanahan told the court anyone travelling overseas to the Syrian border would know about the area they were heading to.

“You don’t just randomly choose,” he said.

However, under cross examination, Dr Shanahan said there was an overwhelming need for humanitarian assistance in Syria and some organisations ran support operations that provided food and fuel.

“Some of these organisations operate bakeries,” he said.

Magistrate Jan McLean said the evidence against Mohamed was of sufficient weight to support a conviction at a jury trial.

Prosecutor Mark Gibson had earlier told the court police intercepted phone conversations where Mohamed was encouraged to travel to Syria to obtain “martyrdom for the sake of Allah”.

Henry Sapiecha