
‘Beyond disgusting,’ says journalist Matthew Keys of his hacking conviction - ourmandave
http://www.washingtonpost.com/news/morning-mix/wp/2015/10/08/edward-snowden-miffed-journalist-facing-years-in-prison-for-conspiring-to-deface-an-online-newspaper-article/
======
tptacek
Keys won't be sentenced to anything resembling 25 years. Even his prosecutors
have said so.

He's also far more responsible for his actions than Andrew Aurenheimer was.
Keys, while working as a social media editor at Reuters, used his access from
a previous job at a Tribune subsidiary to let anonymous Internet hackers break
into the LA Times, one of the largest newspapers in the world; the attackers
used it to modify stories. His "hack" was a straightforward abuse of the trust
misplaced with him.

Keys defense fixates on the rapidity with which those stories were taken down.
But of course, that's not the whole story. The Tribune Corporation, like every
major corporation, usually must follow a complex process after a breach. The
cost far exceeds that of simply taking a story down.

Keys has, by all accounts, fantastic attorneys. The sentencing phase of this
trial is just now starting, right? How can they possibly be letting a freshly
convicted felon talk like this? Isn't he harming his case here?

 _Edit: my comment originally claimed, incorrectly, that Keys had used Reuters
access to compromise the Tribune Company; he did not; rather: he used his
access from a previous job at a Tribune subsidiary to do it._

~~~
baldfat
To be fair the Tribune subsidiary should have revoked that access a LONG TIME
AGO. The million dollars spent after the attack was to fix their security I
bet.

Don't think what he did was right and he did have someone illegally attack the
LA Times but it does seem strange that this case is so big and the charges
against him so large.

~~~
jccc
_it does seem strange that this case is so big and the charges against him so
large._

Because he was caught up in the Feds surveillance of Anonymous.

It is at least worth noting that Keys says it wasn't him. FTA:

\-----

“Let’s be clear: I never passed a username or password to Anonymous,” he said.

Keys, who went on to serve as deputy social media editor for Reuters before
his indictment in 2013, said he was investigating Anonymous in chatrooms when
his username was used without his permission by parties unknown. Five years
ago, Anonymous was in the news for its attacks on Visa and PayPal — and,
according to Keys, he was just doing his job.

“It occurred to me that no one had looked into these guys,” he said. “They
were talking at a level above my head. … Anybody could co-opt [the username]
and it looks like in this case somebody did.”

Keys said the Tribune company — by then his former employer to whom he
nonetheless pitched his story about Anonymous — should have supported him.
This was about freedom of the press, not passwords.

“Tribune Media – what are they thinking?” he said. “Do they care about
journalism at all? Do they care about the government prosecuting a journalist
who decided to keep his sources undisclosed? That is beyond disgusting.”

~~~
tptacek
He says it wasn't him, but if it was someone else, they were much more
thorough than just his username, since there's network evidence tying Keys to
this as well (see again the search warrant).

~~~
sarciszewski
Are you aware of this evidence? Was the court, for that matter?

It's also entirely possible that they managed to convince a technology-
illiterate magistrate to sign off on the warrant.

------
sageabilly
Wow, this guy sounds like a tool- zero remorse whatsoever for what he did,
zero indication that he feels anything but completely entitled to a hand wave
and a fine. No indication that he learned from his mistake, and no indication
that he wouldn't do it again if he got fired from another job.

25 years is ridiculous, for sure. Honestly, prison time at all seems like
crazy overkill. However Matthew Keys comes across like the definition of whiny
entitled millennial.

Any law-types able to weigh in on precedent in this sort of case? That might
help to explain why they're pushing for such a ridiculous prison sentence.

~~~
tptacek
He's not actually facing 25 years.

~~~
sageabilly
"But for journalist Matthew Keys, who prosecutors said illegally leaked the
username and password needed to make the changes to the hacking group
Anonymous, _the end result may mean 25 years in prison._ " Probably not going
to, but there's apparently a possibility or a precedent somewhere for that
number to pop up.

~~~
tptacek
Yes, the story is wrong. It also contradicts itself on this point within a few
grafs.

[https://popehat.com/2013/02/05/crime-whale-sushi-sentence-
el...](https://popehat.com/2013/02/05/crime-whale-sushi-sentence-eleventy-
million-years/)

------
tptacek
[https://twitter.com/Popehat/status/651895735105929216](https://twitter.com/Popehat/status/651895735105929216)

~~~
moey
Keys responded directly to that tweet, saying for people to keep saying he is
facing 25 years, because it's true.

~~~
tptacek
Keys is a dimwit. Ken White is a defense attorney and former federal
prosecutor. I'ma go with Ken White on this.

~~~
matthewkeys
To be clear, people are not upset at the _actual_ or _likely_ sentence, they
are upset at the _potential_ sentence.

When reporters say "Keys faces," they are talking about the potential sentence
I face (as put forth by the Department of Justice in its own press releases),
and when people are critical of it, they are taking the position that the
potential sentence is absurd.

Aside from the fact that I didn't do it (despite what prosecutors were able to
convince a jury), this case has opened my eyes to the antiquated and draconian
computer laws of which we are all governed under in the United States. Any
reasonable person would agree that the punishments simply don't fit the
alleged offenses, and the law is in desperate need of reform. Any offside
discussion about potential versus actual sentences takes away from the very
serious, very important discussion about reform.

~~~
tptacek
There was no potential for a 25 year sentence in this case. The statute caps
any possible CFAA sentence, but that cap captures a wealth of factors not at
play in this case: no intent to make money or commercialize the attack, no
priors, &c.

The 25 year maximum describes a case where someone caused damage to critical
infrastructure, helped stole a zillion credit cards, and potentially caused
loss of life, but due to the idiosyncracies of the case, was only able to be
charged under CFAA and wire fraud law. That's not this case.

Ken White has pointed out the discrepancy between DOJ press releases and
actual sentencing procedures at length. See [popehat whale sushi]. White is,
again, a former white-collar crime prosecutor, and is himself no friend of the
DOJ.

 _On the very, very remote chance that the person who signed up as
"matthewkeys" on HN is actually "matthewkeys", and acknowledging that I am not
a lawyer: it is probably a fantastically bad idea to be commenting on this
case on HN prior to sentencing._

~~~
matthewkeys
> I am not a lawyer

You don't say?

------
forgetsusername
It's been posted a couple times by danso here, but it's worth posting again.
Read the search warrant chat transcripts. They provide some insight into the
case as well as his personality, and are good for a few laughs. They start on
or about page 45:

[http://www.laweekly.com/news/matthew-keys-helped-
anonymous-h...](http://www.laweekly.com/news/matthew-keys-helped-anonymous-
hack-los-angeles-times-website-feds-allege-4175127)

~~~
matthewkeys
To be clear, federal authorities have already admitted altering chat log
information in this case.

------
scelerat
What would the charges be against Keys if he had knowingly given a set of keys
to some vandals who came in and did several thousand dollars of damage?

Whatever it is, it shouldn't be 25 years in prison, either.

~~~
socalnate1
I don't know why this is getting downvoted, you are exactly right. Treating a
crime committed "with a computer" with a totally different scale is idiotic.

------
lowprestigetech
Laws such as the CFAA that impose draconian penalties for what amount to
harmless (or nearly so) infractions with computers are just another symptom of
the low prestige of technology professionals. Yes, I know the offender in this
case is a non-technical journalist and not a technology professional, but he
is mere collateral damage and doesn't represent the people the CFAA was meant
to keep in line, namely us.

Contrast the legislative treatment we receive with that of doctors, who
according to that same publication can apparently get away with literal murder
and maiming for years before finally being punished:
[http://www.washingtonpost.com/news/morning-
mix/wp/2015/08/25...](http://www.washingtonpost.com/news/morning-
mix/wp/2015/08/25/sociopath-neurosurgeon-accused-of-intentionally-botching-
operations/)

------
emidln
I'm not actually clear what crime was committed. Divulging trade secrets or
proprietary information is not a violation of the CFAA is it? Even so, how is
divulging a (presumably expired) username and password any different than a
security researcher releasing a PoC exploit? We don't (yet) prosecute
researchers, even though they reasonably should know that their code could be
used to exploit actual systems.

~~~
wpietri
It's different in the same way that you giving your work keys to thieves is
different than you writing a paper about potential flaws in a particular model
of lock.

~~~
matthewkeys
Whether you believe in my innocence or not, the CFAA actually does have a line
about "password trafficking," which was alleged by the government -- but not
charged.

------
Simulacra
What concerns me about this is that people of the media seem to think that
they are above reproach. A belief that their actions are always protected, and
as a journalist, they should be given the benefit of the doubt. I know he has
not made this claim directly, but I think this story would be vastly different
had he not been a "journalist".

------
danso
I sincerely hope Keys gets nothing more than probation. Mostly because this is
the government's chance to make up for their colossal fuck up over Aaron
Swartz. And because incarcerating Keys has so little value; he seems to have
learned his lesson and in the time since his indictment has continued to do
good journalism work, even landing new jobs.

But if you believe the government's narrative isn't totally hocus pocus, that
the IRC logs truly depict what they seem to, that Keys maintained the identity
of "AESCracked" throughout the period of his alleged hacking...then to portray
his actions as just helping to change a story's headline for the lulz is plain
dishonest.

Read the search warrant yourself [1], starting with page 39.

He not only gives his credentials over; in the conversation, he talks about
creating new accounts for hackers to use (yes, apparently an average web
producer -- even after being fired -- has superuser privileges on the Tribune
CMS). He then walks the other IRC users through how to navigate the CMS. He
doesn't _just_ encourage them to "go fuck some shit up!" on the LA Times, he
then proceeds to enumerate every news site owned by Tribune, with particular
instruction on which places should be hit for being "tribune's bread and
butter assets".

What really irks me is that hackers, page 47, then talk about rooting the
Tribune server to gain access to to emails and everything else. And
"AESCracked" is just sitting there, goading them along, giving them more
information completely unprompted. It's hard for me to believe that any
reporter who knows what "root access" means can say with a straight face that
Keys is only guilty of a prank, that the possibility of an entire news
organization's data -- including every reporter's email -- being captured and
dumped like HBGary or Ashley Madison or Sony, is just no big deal.

So why didn't that happen? Who knows -- but the fact that a company who
granted superuser access to all web producers to their non-https publicly-
exposed CMS, and had no process for revoking credentials, and did nothing even
after noticing said superuser account was creating new unauthorized accounts
-- managed to _not_ get rooted after said credentials were given over is a
bonafide Christmas miracle. One of the other IRC users (sharpie) decided on
his/her own to fuck around with the LA Times in a way that was immediately
obvious to the Tribune sysops, who then removed user privileges.

Giving out superuser credentials to a hacker's group causes $0 worth of
damage. Creating new user accounts (including another super user account)
causes $0 of damage. Giving out every URL to the different CMSes, including
the user manual about how to navigate their interfaces causes $0 of damage.
Sure, it adds up to less than $5,000 of damage if you believe bits are just
nothing but electronic blips. But let's not be dishonest and say that this was
just a good ol' fun prank like the time when Woz programmed the campus
computer system to bulk print "FUCK NIXON" [2]

But yeah, the truth is that no real damage was caused despite the potential --
the $900K+ of damages cited was the money spent by Tribune to overhaul their
system, including making CMS login URLs https. And hopefully, a better access-
control system...and frankly, I'm OK with that kind of technicality allowing
Keys to just get probation. Worser criminals have gotten acquitted for lesser
reasons. But I don't feel it's right to gloss over his crime. IMO, what he did
was not just less admirable than what Snowden and Aaron Swartz did, but more
sociopathic than what weev was imprisoned for. According to the IRC
transcript, Keys had no problem abetting a chatroom full of hackers with
completely fucking his colleagues -- and any and all confidential sources for
any ongoing journalism investigations.

On a lighter note, page 46 of the search warrant is fun reading and I think
sheds light on why the Tribune company didn't get completely owned. The
hackers invite Keys to paste all the user credentials to their private
hackerpad, and after doing so, Keys asks, "what's the govt passwords for? what
lulz will be unleashed soon? or is that for me to not know? :p"...the
responses in the IRC from the hackers after they realize what they've just let
slip to a total stranger are just pure comedy.

[1] [http://www.laweekly.com/news/matthew-keys-helped-
anonymous-h...](http://www.laweekly.com/news/matthew-keys-helped-anonymous-
hack-los-angeles-times-website-feds-allege-4175127)

[2]
[https://books.google.com/books?id=Yd2Hm8BlzZUC&pg=PA162&lpg=...](https://books.google.com/books?id=Yd2Hm8BlzZUC&pg=PA162&lpg=PA162&dq=wozniak+fuck+nixon&source=bl&ots=KZdktxAOzS&sig=n5dM8cTZTNo9v_OM3Kg4XbIpXd4&hl=en&sa=X&ved=0CB4Q6AEwAGoVChMIlPPp8e6yyAIVkS2ICh3riARC#v=onepage&q=wozniak%20fuck%20nixon&f=false)

~~~
notahacker
> he seems to have learned his lesson

This is the big problem with Keys though: he apparently hasn't. He's issuing
statements defending himself with the massively hypocritical stance that he's
"protecting his sources" when, as you point out, he actually gave potential
access to all the correspondence with all his newspaper's sources to a group
which enjoys distributing similar material across the internet, especially if
they can find something embarrassing. He's not only protesting his innocence
(which he has a right to do, even if it's not a credible protest) but also
insisting that such actions shouldn't be prosecuted in the first place. I
don't think that it can be said that a person arguing that as a journalist
they had a fundamental right to invite third parties to damage their former
employer's property and potentially embarrass uninvolved third parties (out of
spite rather than activism) can be said to have learned their lesson just
because they've apparently performed competently at their day jobs since then.

------
eru
jug5, you have been banned..

------
cubano
The 25-year "offer" from the prosecution is nothing but a scare tactic to make
a defendant have to sit and think about all that time for awhile while they
work on the other cases they have in the pipeline.

It's a very standard practice and in no way indicates what the prosecution
really wants to give him.

In my recent experience, it works very well as it is no fun sitting around for
months thinking about the possibility of doing all that time.

~~~
tptacek
What "offer"? 25 years is the statutory maximum. Nobody "offered" it.

------
CaiGengYang
25 years jail for defacing a non-governmental website ? That seems like an
incredibly harsh punishment ... I remember a previous case where Aaron Swartz
was given 30 years for hacking into MIT website, after which he committed
suicide by hanging himself ..

