
Former Reuters Journalist Matthew Keys Sentenced to Two Years for Hacking - citizensixteen
https://motherboard.vice.com/read/former-reuters-journalist-matthew-keys-sentenced-to-two-years-for-hacking
======
baldfat
Such a BAD use of tax payer money. So now we have to pay for 2 years of jail
time (Probably 1 year for good behavior) for giving a key (That was actually
not proven but was believed by the juror. The crime was the defacing of ONE
page. This key also should have been revoked after he left the company.

The recommendation of 7 years is just crazy and even the lowered 5 years is
just nuts. If you just look at the cost to the newspaper it was at one point
almost a million dollars when the fix for the page was one editor reverting
the page.

> In order to be convicted of felony under the particular provisions of the
> Computer Fraud and Abuse Act which prosecutors used to charge Keys, the
> conduct must exceed a threshold of $5,000.

That someone is responsible for paying a company to sure up their security is
an issue. Or the inflation of cost to so Federal Prosecutors can get another
win under their belt. That over reach is pretty high in this case.

~~~
tptacek
In this case, the problem wasn't so much that Trib Corp had poor security
(they probably do though), but rather that an insider exfiltrated credentials
to one of their servers to an IRC channel. There are a few companies in our
industry where that attack wouldn't be devastating, because of very carefully
designed security programs. But there are not many of those companies. Most
companies you've heard of are just as vulnerable as Trib Corp was.

~~~
matt_wulfeck
But charging them with hacking? And putting them in prison for 2 years?

~~~
tptacek
There's no such charge as "hacking".

~~~
matt_wulfeck
Of course. We're able to make the distinction of being hacked versus someone
crawling through an open window. If only jurors could be expected to do the
same.

~~~
tptacek
What distinction is it that you're trying to make? Crawling into a building
through an open window is no less of a crime than picking the locks. In fact:
it's exactly the same crime.

~~~
possibility
Picking the locks is breaking and entering, going through an open window is
illegal trespass, assuming you don't have to move any parts of the window. At
least where I live. It depends on whether or not you have to use even the
slightest amount of force to gain access. It also depends on your intent to
commit a crime inside. If I'm looking for you because I've found your toddler
wandering around outside and I open an unlocked door to call out your name, it
isn't a crime. I'm not sure what happens if I pick a locked door in that
situation, getting pretty contrived now. But let's say I heard your kid crying
inside that you'd abandoned, it wouldn't be a crime to pick the lock and
rescue him/her.

~~~
tptacek
No, I don't think this is at all correct. Going through a window is breaking
and entering.

~~~
possibility
Well, I didn't know, so I looked it up before posting.
[https://en.wikipedia.org/wiki/Burglary](https://en.wikipedia.org/wiki/Burglary)

> Although rarely listed as an element, the common law required that "entry
> occur as a consequence of the breaking".[7] For example, if a wrongdoer
> partially opens a window with a pry bar—but then notices an open door, which
> he uses to enter the dwelling, there is no burglary under common law.

There are more results if you search for "breaking and entering", it was all
pretty consistent.

~~~
tptacek
See for instance Massachusetts model jury instructions, which are explicit
that opening an unlocked door constitutes "breaking".

~~~
possibility
Yes, but that's using force to open the door, which was in my original claim
about no force on an open window.

Reading that WP article again, turns out I was just considering the common law
part. It later says:

> The common law definition has been expanded in most jurisdictions, such that
> the building need not be a dwelling or even a building in the conventional
> sense, physical breaking is not necessary, the entry does not need to occur
> at night, and the intent may be to commit any felony or theft.

So I'll give it to you for "physical breaking is not necessary", even though I
don't actually know about the jurisdiction in question. (I didn't rtfa.)

~~~
tptacek
What's your point, though? If opening an unlocked door is B&E, what does the
lockpicking analogy teach us?

~~~
possibility
Oh, I was literally just arguing the other side about going through an open
window because I didn't know for sure if it was burglary. (Common law says no,
but that's probably updated, but maybe not in some places, but I didn't check
them all.)

I don't see how you could access a computer without using "force", any input
from a human constitutes force in my opinion. So no disagreement as far as the
actual crime is concerned, I'm just nitpicking for fun...

~~~
possibility
On reflection, perhaps this pointless diversion yields the following maxim:

    
    
      You can walk into a house through an open door,
      but you can't walk into a computer.

~~~
tptacek
You can totally walk into a computer. I've done it. Hurts.

~~~
possibility
The only machine around here that I could totally walk into is an S/390, but
oddly enough I don't have the key to its bedroom.

------
matt_wulfeck
If someone broke into the tribune's printing office (which perhaps didn't
collect the key or change the lock when they fired someone) and that person
changed the headline and a byline for an article in the paper that went out to
thousands of people, I still have a hard time believing a court would put that
person in prison for 2 years because of it.

At some point we have to acknowledge these tough cyber laws do nothing but
pass down intentionally harsh sentences to the unlucky few Americans that get
the book thrown at them.

I predict we'll look back at them with the same embarrassment and shame we do
mandatory minimum drug sentencing laws now.

~~~
tptacek
I don't know about that. What's the value of an entire print run of the Los
Angeles Times? It's probably quite a bit more than the damages the court
imputed to Keys.

~~~
matt_wulfeck
I guess the fundamental difference driving my thinking is I believe it's
futile to hand out _prison_ sentences for crimes such as these. I'm dubious
that it acts as any real deterrent to "hacking", and it waste tax-payer money.

It's also becoming clear that the plaintiffs in these cases are completely
washing their hands of their own responsibility for the crime. I understand
that this is common in case law such as this, but if we want to actually
secure this country against real cyber criminals then we need companies to
step up and take responsibility for what's happening within their networks.

------
sparkzilla
For those catching up, I made a timeline of the case:
[http://newslines.org/matthew-keys/](http://newslines.org/matthew-keys/)

~~~
Magi604
This is a great timeline. Thank you. It puts a lot of things into context.

------
snake_plissken
I've read like 20 stories and I still can't figure out what Keys did that is
actually illegal. He (or someone else) posted the login credentials to the
Tribune's CMS, and then someone used those credentials to login and deface the
site? Or am I missing something?

That's like saying you can get in trouble for giving someone a key to your old
apartment, and then they go use it to unlock the door and do whatever they
feel like inside. Or can you get in trouble for this, as maybe, an accessory?

~~~
williamscales
What you describe in both cases is illegal.

