If American judicial authorities are going after British security researcher Marcus Hutchins for allegedly writing malware, then they will also have to indict people at the NSA who were responsible for creating Windows exploits that then leaked and led to massive ransomware attacks.

Those attacks have left some companies incapable of returning to full production even now, with a case in point being the pharmaceutical giant Merck.

Hutchins has pleaded not guilty to all six counts on his indictment. He has been charged with creating a banking trojan known as Kronos and also selling it, among other charges.

In Hutchins' case, the malware he is charged with creating Kronos barely raised a blip on the screen when it was being used.

Nobody in the US has ever said that someone in the NSA needs to be held responsible for their slip-ups. In other words, if you leave a slab of meat lying in the open and dogs attack it, then the dogs are to blame.

Another category that should come under scrutiny is businesses like Immunity, led by former NSA man Dave Aitel, which pay for vulnerabilities that are not publicly known and then protect only their own clients against them. There is no disclosure for the greater good.

But then in the US, there is one kind of justice meted out to government organisations that screw up and leave a mess that others drown in, and an entirely different kind of justice served to the average man/woman in the street.

One would expect much lauded mainstream media outlets like The New York Times and the Washington Post to come out screaming about things like this. But there has not been a peep from either of these brave defenders of democracy.

Every security researcher creates proof of concept code to understand how a particular vulnerability works and how it can endanger the average computer user. Only then can patches be devised.

Else, there is no way of testing anything. We will all have to live with thousands of vulnerabilities that remain unpatched if authorities get red under the collar every time someone creates PoC code.

Anti-virus researchers do it every day. So too do researchers at bigger security companies.

In the NSA, they do it to create exploits that can be used to target other countries. The NSA often does not inform companies that their products have vulnerabilities - else how would they exploit the same vulnerabilities when they want to?

Exploits like ETERNALBLUE leaked out of the NSA because the security agency was unable to look after its own creations.

The move against Hutchins looks very much like the US wants to make an example of someone to scare the bejesus out of all and sundry. Meanwhile, the professionals who live off the proceeds of malware and ransomware are laughing all the way to the bank.

Follow this link:

If Hutchins is at fault, then the NSA needs to be pulled up too - iTWire