‘Beyond disgusting,’ says journalist Matthew Keys of his hacking conviction (washingtonpost.com)
89 points by ourmandave on Oct 8, 2015 | 138 comments


Keys won't be sentenced to anything resembling 25 years. Even his prosecutors have said so.

He's also far more responsible for his actions than Andrew Auernheimer was. Keys, while working as a social media editor at Reuters, used his access from a previous job at a Tribune subsidiary to let anonymous Internet hackers break into the LA Times, one of the largest newspapers in the world; the attackers used it to modify stories. His "hack" was a straightforward abuse of the trust misplaced with him.

Keys' defense fixates on the rapidity with which those stories were taken down. But of course, that's not the whole story. The Tribune Corporation, like every major corporation, usually must follow a complex process after a breach. The cost far exceeds that of simply taking a story down.

Keys has, by all accounts, fantastic attorneys. The sentencing phase of this trial is just now starting, right? How can they possibly be letting a freshly convicted felon talk like this? Isn't he harming his case here?

Edit: my comment originally claimed, incorrectly, that Keys had used Reuters access to compromise the Tribune Company; he did not; rather: he used his access from a previous job at a Tribune subsidiary to do it.


The worst thing is that, according to the report, he's both claiming that giving a login to strangers to "fuck it up" is "an act of journalism" and simultaneously protesting that he's completely innocent and it must have been someone else using his login to pass another of his logins to hackers whilst masquerading as a person with a grudge against his ex-employer. It's basically the reductio ad absurdum version of all the more sensible arguments people have made about computer crime legislation not upholding free speech and giving insufficient attention to burden of proof.

I agree that this is the sort of low level vandalism whose sentencing time should be measured in days rather than years, but it doesn't really help the case of civil liberties when the usual supporters of the cause rush to make someone so undeserving a martyr.


I wouldn't focus too much on what is said in proximity to court proceedings. When you're facing jail time you don't really have the luxury of doing anything other than trying to argue the best defense possible, often by embellishing or excusing your side of the story. Especially with the aggressive prosecution in the US.


Keys has been arguing this line for a while though. He's been unusually vocal in his own defense in the months leading up to the trial (compare that to how relatively quiet Aaron Swartz [0] was) -- and I think it's a calculated tactic. Not necessarily a wrong one, but Keys' reputation as being savvy about online and social media is very well deserved.

But I think that it is likely to severely backfire on him. A lot about the justice system is public relations -- check out the press releases feed at the Dept of Justice [1]...and he's doubling down in such a way that the prosecutors and judge can only lose face if they go lenient with him. The best defense for him is to be contrite and ask for leniency -- that's the whole point of his defense lawyers arguing that it was just a simple webpage defacement. Instead, he's arguing federal-level type coverup and incompetency, from the FBI investigation to the jury-by-trial itself. If the judge slaps him on the wrist, the judge is basically insinuating "Yeah, you're right...our court system is a joke!".

From what I can tell, not many judges choose to go that route.

[0] http://techcrunch.com/2013/01/14/aaron-swartz-asking-for-hel...

[1] http://www.justice.gov/doj/news-feeds


Most Journalists think that laws are for little people and that the end justifies the means - just look at News International and how hundreds of journalists have got off on a technicality.


The journalists I know definitely don't think News International is representative of their field. If you'd like to tar most journalists with that particular brush, you'll have to try harder.


True, true, but there are journalists who don't hesitate to paint with broad brushes and push buttons in order to get page views or please an audience and seldom get called out by more reputable journalists.


Really, there is a substantial minority of GMG journalists who supported the NI line and were openly against investigating it.

And the general public certainly thinks journalists are not trustworthy.

And don't forget even progressive journalists do freelance work for NI, so they have to keep their heads down.


The problem is that the law is written for bank wire cyber criminals and this guy did the real life equivalent of opening up the fire escape to let in a raving homeless person.

Yes he should get punished. Fired, fined, maybe even a couple days or weeks in jail. But the justice system has not caught up to the internet.

We have a thing called assault. A thing called battery. A couple things called murder. Morality is a grey scale.


I'd say it's more like handing a copy of his keys to miscreants (of any type) with a note attached "DO HARM THERE" after being evicted. If proven in court, I'd expect a guilty verdict on a charge of criminal mischief.


Having no authority to order the harm, and having no plausible way to realize a tangible benefit from any harm that may occur, I fail to see how that is a criminal act. At worst, that's just a civil lawsuit against him.

And it would be a pretty strong affirmative defense if the landlord did not re-key all of his locks at the time of the eviction.

If this had happened in a physical place rather than on a web site, no one would be going to jail. Someone would be sued in civil court, and be forced to pay no more than the amount that a locksmith typically charges to re-key all the locks on a property.

And if the landlord so much as left a window open, the defendant probably wouldn't have to pay anything at all!


What does his authority have to do with it? His intent seems entirely clear. Again: the chat transcripts, which are traceable to him through the network, show him expressing discouragement at the minimal amount of damage the IRC hackers were willing to do. What he wanted to have happen was even worse.

I'm also not sure how "the employers didn't rekey the lock" is any kind of defense at all.


The hackers are the ones actually responsible for the damage that occurred, as evidenced by the fact that they did not do as much as he asked of them.

You leave your bike propped up against a wall, unlocked. Someone starts shouting "Hey, steal this bike! Steal it!" When you return, your front wheel is gone. Someone tells you about the shouting guy. So you sue him for the loss of your front wheel. You are able to get a recording of that guy complaining that only the front wheel got stolen. It doesn't matter. He didn't steal your wheel. He could have wanted someone to steal your whole bike and your wallet, but the fact remains that he didn't do it.

Now suppose that you did lock up your bike. But you used a TSA-approved luggage lock. Now the guy passes out copies of the TSA master key along with the shouting. But anybody could have had that key already. He still didn't steal your wheel.

Now instead of a known-insecure lock, you use a good lock, but you had at some point given the shouting guy a key to it. After you two have a falling-out, you keep using the same lock. While on the surface it looks different, this is the same situation as the TSA lock, because your lock is not truly secure if its keys are not controlled by you, and you alone. He still didn't steal your wheel. At worst, you can recover from him the cost of replacing your u-lock, as he made it unfit for its intended purpose.

Wishing misfortune on others is not a crime. It isn't very nice, but it is not criminal, and does not create civil liability. I can say as often as I like that I would be happier if Bank of America's corporate headquarters were destroyed by a lucky meteorite strike. If an arsonist tries to burn it down instead, I am in no way responsible. I didn't give that guy any tangible benefit for doing the crime. I could not have harmed him in any way if he did not do it. The person was not acting as my proxy. If the arsonist cannot be identified, I am not an acceptable scapegoat simply because I wished harm upon the victim. I have malicious intent, it is certain. But I have not performed the malicious act.

(I won't be able to respond further, because "HN: You're submitting too fast. Please slow down. Thanks." It looks like tptacek can post about 10 times more often than I can, so I can't meaningfully participate in a discussion with that account.)


He didn't "wish misfortune" on his former employer. He provided information instrumental to that misfortune. He's an accomplice, not a well-wisher.


No, the real life equivalent of what he did would be giving some teenagers unsupervised access to the office copy machine. It wasn't bright, but it doesn't sound like a life-defining felony.


What? Read the chat transcript recorded in the search warrant [page 41+]:

http://www.laweekly.com/news/matthew-keys-helped-anonymous-h...

How can you believe that giving a group of anonymous people you suspect to be hackers a username/password, then telling them that it's superuser access, then giving them the admin URLs, then giving them the URL to the user manuals for the console, then creating them new accounts...is the same scope as letting a bunch of teens use your "office copy machine"? (unless your company's business is literally the copy machine...I suppose)


I just pulled up the Los Angeles Times, and something literally resembling a copy-scan-fax machine plugged directly into a Wordpress site comes to mind.

In reading the transcript, it's clear this person deserves to be punished according to the maximum penalties prescribed by the applicable laws. It is not as clear to me that the laws being applied accurately reflect the harm incurred, or even the potential for harm given the nature of the compromised system.


He won't get 25 years. But federal sentences for any type of fraud, including those issued under the CFAA, are based upon the actual or intended loss - whichever is higher. In other words, if the government argues at sentencing that his intent was to seriously disrupt the entire paper's site for an extended period of time by giving out these credentials to a known hacking group, they can claim an intended loss of millions of dollars. A sentence based upon an intended loss of more than $1 million will start at about two years and go up from there, basically depending on how the judge feels that particular day.


Anyone who has suffered a significant breach where authentication systems are suspect knows that likely you'll have to build a parallel 'clean room' system where the legacy system and infrastructure are completely untrusted, from hardware, firmware and software, then there are policy changes, etc. That can easily pass into millions territory. It's laughable to claim simple defacement.


To be fair the Tribune subsidiary should have revoked that access a LONG TIME AGO. The million dollars spent after the attack was to fix their security I bet.

Don't think what he did was right and he did have someone illegally attack the LA Times but it does seem strange that this case is so big and the charges against him so large.


You leave a job, you keep the keys to your office, your employer forgets to take them back, you then deliberately copy the keys and hand them out to vandals. What court in the world would put any of the responsibility for that on the company?

Trib didn't spend millions in cleanup, but if any breach investigation were done --- to rule out the attackers having done things to retain access after credentials were revoked, and to ensure Trib's clients that no PII was taken --- would easily run into the mid tens of thousands.


Even the tens of thousands could be a stretch for the actual cost.

When I was handed a copy of my Pre-Sentencing Report, for an incident that took place on June 21, 2011, they billed from June 16-24.

I pointed out that I did not own a time machine, then they quickly changed the dates to June 21-27 and dropped the "damages" by over 60%. That's the difference between certain prison time and probation with house arrest.

(This was Sylint, maybe they're just scumbags and wanted to make as much money as they could off my mistake.)


I'm sorry, but this just isn't correct. It's hard to imagine any outside forensics investigation happening for less than $20k ($50k is a more reasonable estimate), and those outside investigations are often mandatory in breach cases. Insurance companies and, sometimes, regulated data protection usually require that the company take steps to ensure that everyone knows the limits of the attack --- and those limits, as you know, aren't at all obvious from the attackers' overt actions.

It looks like the attackers just fucked up a bunch of web pages. But they broke in; how do you know they didn't leave backdoors, or exfiltrate databases? You often don't, unless you engage an outside firm to verify.


> It's hard to imagine any outside forensics investigation happening for less than $20k

In my case, Sylint was the web host and the forensics investigator. That might also explain their duplicity and lack of consistency in the reports to the court.

Aside, is knowing how to use Encase really that lucrative? I should switch specialties.


I agree that EnCase jockeys are overpaid, and I generally think of forensics as a lower-status specialty than software security, but website breach investigations are much more annoying than just imaging hard drives.


I can only imagine, especially if the logging/auditing policy was "pretty much non-existent" and you don't know how extensive the access was for a given user account (nor how much of that access could have been used in the short window of compromise).

If it were SSH access, I'd call it game over.


A "Business Management Consultant" group focused on "cyber" security? You shouldn't have been surprised ;-)


Four years ago, I knew practically nothing about the security industry (or of business). I was a self-taught web programmer who knew really obvious ways to defend websites from attackers.


You work for a bank and you have the keys to the vault. You quit. The bank doesn't immediately change the locks to ensure that their security isn't compromised.

What happens to the keys after that in my made-up example doesn't matter. The bank is at fault because the bank has a responsibility to ensure the security of their operation, irrespective of how ethically or unethically their former employee acts from that point onwards.

A newspaper is an information bank especially in the Internet age.

EDIT: I should have specified "the bank is at fault for the total amount of damage" not that the bank is at fault full stop.


>The bank is at fault because the bank has a responsibility to ensure the security of their operation

Yes, and in the case of the Tribune company here, it cost them tens of thousands of dollars to "repair" the breach. That's the punishment for their failing of responsibility. It's not like they are suing to recover that money.

But I'm not sure how that absolves the actual criminal here.


Oh, you're right, it doesn't.

I guess what I'm saying is that if your job is security and you fail at security, and because of your failure at security a former employee is able to do some damage, he or she is of course guilty of whatever crime.

But the amount of money that you spent to clean up the mess because you failed at your job initially, that doesn't matter and shouldn't influence the trial. The crime is a crime no matter how large or small the damage.


Consider a warehouse guarded by a night watchman, but sometimes he takes a smoke break (hence, failing to do his job). Some vandal comes by and tags the building with graffiti. Later, some other vandal comes by and burns the place to the ground. You think both vandals deserve equal treatment?


One is vandalism, the other is arson, destruction of property, and probably a bunch of additional crimes. They should be handled differently because they're different crimes.

The point is that two people who vandalize should be treated equally even if one vandalizes a poor person's house and the other vandalizes a rich person's house. The exact dollar amount of the vandalism shouldn't matter because either way we've all agreed by way of the law that vandalism is wrong.


Distinguishing between destruction of property and vandalism seems like implicit validation of the idea that some vandalism is worse than others.


Yes of course, and within vandalism there probably are different fines or sentences depending on just how much property you damage. But if you're going to label "anything where some property is damaged" as vandalism then 9/11 was vandalism, right?

You also neglected to address arson and the idea that a whole building burned down. I don't think any part of the justice system would seriously suggest that destroying a building and spray painting a building are the same. I don't think they'd be investigated the same, charged the same, etc.

The problem here is that the CFAA has definitions and those definitions are what determine what the crime is. So yes someone breaking into your Facebook account and posting a "turns out I'm gay everyone!" comment is -- again according to a strict reading of the law -- just as bad as someone breaking into VISA and forcing them to re-issue all the credit cards in the country. That's because the law doesn't distinguish damages or anything like that. In part that's because in reality you don't do any actual damage, you just cause people to have to take action to mitigate that your specific knowledge causes problems with their security.

This makes sense too, if you break into a bank it might be reasonable to attempt to force you to pay for the repairs to the vault door, but it would not be reasonable to force you to compensate the bank's shareholders for the loss of goodwill (and share price!) they suffer because the bank's security wasn't able to keep you out.


The CFAA makes knowing, purposeful access to computer systems you don't have permission to use a crime, and a felony when that access is used to attempt to perpetrate additional crimes. It's a simple statute.

There are two common arguments against CFAA.

The first is that it shouldn't be a felony to access computer systems without authorization. The logic goes: if you use access to a computer system to perpetrate a fraud, charge fraud. If theft, charge theft.

A variant of this argument suggests that maybe "serious hacking" should be a felony, but things like reusing an old password, or guessing the URL after the login screen, those things shouldn't be felonious.

These arguments are problematic. For instance, in cases where the offender has used their unauthorized access solely to cause economic harm to someone else, there may not be a better crime to charge. The vandalism statutes weren't designed for offenses that can easily rack up tens of thousands of dollars. There's also the basic issue of trespass and violation of property rights. And, of course, civil remedies to these problems have their own problems, prominent among them the fact that all the burden for collecting those remedies falls on the victim, who under civil law receives no assistance from the rest of society.

The second set of arguments against CFAA is that the sentences are draconian. This argument seems much more straightforward. A particular problem with CFAA is that the sentence scales with damage, but damage can trivially scale with the induction variable of a program's loop; it does not seem intuitively just that typing an extra '0' into a single program can ratchet your sentence by years.

A variant of this argument suggests that damages are also inflated by victims and prosecutors. This is likely very true, but it's less meaningful in this case than in others, because even the most charitable view of the offenses charged suggests he did more than 15k of damages, and is facing a multi-year sentence.

I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage. That wouldn't much help Keys, though, who is convicted of deliberately trying to maximize the harm to Tribune Corporation.


I would also be in favor of factoring in "what kind of precautions did you take?" to the whole thing, though I have no idea how you could practically do that.

But I do think that most reasonable people would agree that finding someone's browser still logged in to Facebook and making a joke (whatever kind of joke that is) is substantially less bad than cracking the person's password.

Just the same as there are "breaking" and "entering" for forcing your way into someone's home (versus just "entering" if the door or window is unlocked) the severity of the computer crime is in proportion to how hard the people who owned the computer were trying to keep it under their control.

Don't have any kind of access control for your computer at all? Sorry, we're statutorily limited to the lesser charges. Fix your security and if this happens again we can nail them!

EDIT: So if you say that the X axis is the amount of effort that the entity expends to keep the system secure, then the Y axis is the maximum intent that can be inferred, and your function is something that you think is reasonable like say y=x.

In other words, if a company makes no serious effort to secure their systems or control access no malicious intent can be inferred from someone "accessing without authorization", whereas someone who has to mission impossible style break into your facility says a lot about their level of malicious intent.


I don't think you're right about breaking into people's houses. Breaking a locked window and opening an unlocked window probably doesn't net you a different charge at all.


There are various definitions, here's one that I read that bolstered my claim but there are others that don't; "force" can mean as little as pushing an already open door open further.

https://www.justia.com/criminal/docs/uniform-crime-reporting...

Personally I think it's kinda bogus that opening an unlocked door is the same as kicking one as far as charges go, but hey, maybe that's how it works.


> I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage.

As someone with almost-opposite political views, I'd support an initiative like that. It might make the CFAA redeemable.


I think it's fair if a vandal uses a copied key to enter the office and pee on the rug, then the company should cover the costs of changing the locks, but the vandal is responsible for the damage to the rug. Changing the locks is a direct consequence of the company's failure to collect the keys (and needs to be done regardless of what if any vandalism has taken place), but the follow on damage was not caused by mere negligence or happenstance.


> it cost them tens of thousands of dollars to "repair" the breach

No they claimed just shy of a million dollars.


Right. I think the reasonable complaint in these cases is that the damages should cover the cost of investigation that resulted directly from the breach, not the cost of fixing the original security vulnerability and/or auditing the entire system.

If you break into a bank, then the bank is right to ask for damages of amount stolen + amount necessary to sweep their building for any backdoors you might've added and repair any damage. That's fair. They shouldn't be suing for the cost of an upgrade to their security system or a new training course for their security officers.


The bank is at fault for the amount of damage due to their own negligence, which would be the amount greater than what it would have cost to re-key the locks. And you have to re-key the locks instead of recovering the keys that had been issued, because you have no way of knowing whether the keys were copied or not.

In the case of username/password keys, "changing the locks" can be done as easily as running an automated script nightly against the HR employee database, to suspend login privileges from anyone who is on leave or no longer an employee, or at worst, by having your sysadmin's lackey, who makes $30/hour, spend 2 minutes on doing that every time it is needed.

The people who broke in are responsible only for the damages they caused directly, not for the cost of fixing things that were already broken when they showed up, or for investigating and implementing measures to stop the next gang of vandals that might enter.

So what is the actual financial impact of a defaced web page? How do you prove that? If you give crowbars and sledgehammers to a gang of vandals, to what extent are you responsible for the damage they cause with them? If they only use those tools for legit demolition work, are they obligated to pay you a cut of their revenue?
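The nightly "changing the locks" job described above, as an added example that is not code from the original thread or from any Tribune system: it reconciles a constructed HR export against a constructed CMS account list and returns the logins that should be suspended (terminated or on leave) plus accounts with no HR record at all. The CSV columns, account-list shape and exemption list are assumptions.

```python
"""
Reconcile an HR roster with an application's account list and decide which
logins to suspend.  Added illustration; both inputs below are constructed
sample data in an assumed format, not real exports.
"""
import csv
import io
from datetime import date

# Constructed HR export: one row per person, ISO dates, blank means "not set".
HR_EXPORT = """\
employee_id,username,status,leave_start,leave_end,termination_date
1001,jdoe,active,,,
1002,msmith,on_leave,2015-10-01,2015-10-31,
1003,ajones,terminated,,,2015-09-15
1004,pwong,active,,,
"""

# Constructed CMS account list: username -> login currently enabled?
CMS_ACCOUNTS = {
    "jdoe": True,
    "msmith": True,
    "ajones": True,       # left in September but never disabled
    "pwong": False,       # already disabled, nothing to do
    "ghost": True,        # no HR record at all: orphaned account
    "svc_deploy": True,   # service account, explicitly exempt
}

EXEMPT = frozenset({"svc_deploy"})  # assumed: reviewed separately, not tied to a person


def _d(value):
    """Accept a date, an ISO string, or blank; return a date or None."""
    if isinstance(value, date):
        return value
    return date.fromisoformat(value) if value else None


def parse_hr(text):
    """Index the HR CSV by username."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(text))}


def is_entitled(row, today):
    """True if, on `today`, HR says this person may hold an active login."""
    today = _d(today)
    term = _d(row["termination_date"])
    if row["status"] == "terminated" or (term and term <= today):
        return False
    if row["status"] == "on_leave":
        return False
    start, end = _d(row["leave_start"]), _d(row["leave_end"])
    if start and start <= today and (end is None or today <= end):
        return False          # inside a recorded leave window
    return True


def reconcile(hr_text, accounts, today, exempt=frozenset()):
    """Return enabled logins to suspend and enabled logins unknown to HR."""
    hr = parse_hr(hr_text)
    suspend, orphaned = [], []
    for user, enabled in sorted(accounts.items()):
        if user in exempt or not enabled:
            continue
        row = hr.get(user)
        if row is None:
            orphaned.append(user)     # nobody in HR vouches for this login
        elif not is_entitled(row, today):
            suspend.append(user)
    return {"suspend": suspend, "orphaned": orphaned}


if __name__ == "__main__":
    print(reconcile(HR_EXPORT, CMS_ACCOUNTS, "2015-10-08", EXEMPT))
```

Orphaned accounts are reported rather than silently disabled so that a human decides whether they are stale logins or unregistered service accounts.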


> it does seem strange that this case is so big and the charges against him so large.

Because he was caught up in the Feds surveillance of Anonymous.

It is at least worth noting that Keys says it wasn't him. FTA:

-----

“Let’s be clear: I never passed a username or password to Anonymous,” he said.

Keys, who went on to serve as deputy social media editor for Reuters before his indictment in 2013, said he was investigating Anonymous in chatrooms when his username was used without his permission by parties unknown. Five years ago, Anonymous was in the news for its attacks on Visa and PayPal — and, according to Keys, he was just doing his job.

“It occurred to me that no one had looked into these guys,” he said. “They were talking at a level above my head. … Anybody could co-opt [the username] and it looks like in this case somebody did.”

Keys said the Tribune company — by then his former employer to whom he nonetheless pitched his story about Anonymous — should have supported him. This was about freedom of the press, not passwords.

“Tribune Media – what are they thinking?” he said. “Do they care about journalism at all? Do they care about the government prosecuting a journalist who decided to keep his sources undisclosed? That is beyond disgusting.”


He says it wasn't him, but if it was someone else, they were much more thorough than just his username, since there's network evidence tying Keys to this as well (see again the search warrant).


Are you aware of this evidence? Was the court, for that matter?

It's also entirely possible that they managed to convince a technology-illiterate magistrate to sign off on the warrant.


Network evidence put together by who?


Hmm. If we accept the premise that the Tribune is at fault for not securing their systems, does that mean Keys is at fault for not securing his password?


The answer to your question is probably "Yes".


For the record, I'm aware of a group of blackhats who have co-opted the screen names of popular whitehats (including one who goes by briankrebs).


This case would be more like blackhats co-opting Krebs's Twitter password.


Did Keys use NickServ authentication? Was the person using his screen name at the time authenticated? Etc.


Yes, I agree...in fact, Tribune should be secretly thanking Keys...no matter what his actual intent, the incident got them to implement proper security...the $900K they spent they would've had to spend anyway and is a bargain compared to what could've happened.

But "oh the company should've had better security" is not a strong legal defense, in the same way that "the victim shouldn't have been walking alone at night" is not.

edit: just to clarify, I'm being flippant here since most of the main arguments for and against Keys have already been made...but I don't interpret Keys's actions as any kind of "white hat" hacking. According to the evidence, he most certainly tried to get Anonymous to burn the company to the ground, and he and Tribune are very lucky they didn't.

However, I do think it's dishonest for the Tribune to claim $900K in damages when that was the amount used to shore up their security after the breach. But the $17K they spent as incident response seems very reasonable. But to then tack on the $900K so that the maximum possible prison time is more politically palatable helps to perpetuate the worst parts of the CFAA and the justice system.


So, I have a very strong opinion of this whole matter, and the person behind it. I've forced myself to ignore everything I wanted to write or reply to about it, but what struck a chord was your perspective, which is that credentials should have been revoked.

Journalism is a set of very specialized jobs. It's also a small cultural subset and after a time, everyone knows everyone. When you change jobs in news, you either go to another news organization or pretty much retire from news (meaning you leave it and go do something else - it's rare that you'd ever come back to it and the barrier to re-entry becomes steeper.) What I mean to say is that your reputation definitely precedes you and it sticks around for a very long time.

There are some in this thread who have written or implied that "most journalists" have no ethics or self-restraint and all they're guided by is the end result. In some organizations, that's true and those places keep their notoriety all to themselves. For every bad apple in every industry, there are thousands of notable ones who do their work, and more than enough of them have self-respect to uphold their integrity.

Having said all that, I don't disagree with what you're saying at all. But here's an anecdote to help illustrate the culture and level of trust typically found in news. In early 2013 Nelson Mandela got sick. Many news organizations prepared a number of packages for the eventuality of his death - that included everything ranging from special reports, photo galleries, videos, memorials, and other special projects. A very talented colleague of mine put together a montage of Nelson Mandela's 1994 acceptance speech being read by various children living in South Africa today. It was pretty moving and showed just how things changed in those 20 years since. The project was finished, and readied in case it was ever needed. Then in mid-2013, that person left us and went to work for a large national newspaper, which was a great career move for them.

Soon thereafter, a number of staff changes occurred and on the evening (local time) of Nelson Mandela's death, no one was left on duty who remembered the tribute package existed. The ones who did weren't on duty at the time and the material they could immediately put together was very lacking and would take some hours, perhaps a day to properly acknowledge the man and his work.

That ex-colleague of mine tried to get in touch with duty editors, but was unable to get through. Given the timing and possibility that this material would never see the light of day, they remotely logged into our CMS (because none of the credentials were yet revoked), prepared the material as a draft and sent a note to the entire office letting them know it was ready for publishing. Some of the recipients on that list probably didn't even yet know the sender had left the organization, but from the email trail were very grateful to have the package ready to go.

This is the kind of hard-working journalist with integrity I'd have expected Matthew Keys to be.

He's not one.


But that is in the law. I think most people understand there's usually a big gap between the threatened sentence and the subsequent actual sentence in the event of a conviction.

People are objecting to the law as it is written and as it is abused by the government to make these indictments, in this case actually achieving conviction:

"Each of the two substantive counts carry a maximum penalty of 10 years in prison, three years of supervised release and a fine of $250,000. The conspiracy count carries a maximum penalty of five years in prison, three years of supervised release and a fine of $250,000."

http://www.justice.gov/opa/pr/former-web-producer-indicted-c...


The maximum does not matter. The sentence is constructed from sentencing guidelines, and departures from the guidelines have to be justified.


You're correct.

The guidelines are pretty broad for the Computer Fraud and Abuse Act and the judge will have a lot of leeway in sentencing.

If he was smart, he'd apologize and take responsibility for what happened and ask for leniency. Coming out publicly after being convicted and calling it "bullshit" and crying like a child won't win him any favors with the judge and could certainly backfire on him.

The judge should give him a suspended sentence and put him on a 5-8 year probation with some community service and a stiff fine. As much as I believe in jail time for hackers who do malicious things, I don't think his crime warrants jail time.


> I don't think his crime warrants jail time.

Then you would agree that the law should not have enabled the government to indict and then convict him on charges that carry years of jail time, that it should instead have led to conviction on charges that don't warrant jail time.

That is the argument about the CFAA -- that the law should be revised to rein in the government's crazy abuse of it.


> That is the argument about the CFAA -- that the law should be revised to rein in the government's crazy abuse of it.

I absolutely agree the law should be revised. The only problem is trying to set a decent spectrum of punishments that have clear delineation points. This is the main reason I feel it hasn't been revised. The law is broad in its application, and the feds can argue that judges still have the ability to hand down more lenient sentences where they feel it's applicable.

I do agree that because of its broad and vague terminology, the feds have used it to go after a wide range of offenses. Sometimes merited, but I feel in this case, not so much.


There are no felony charges that don't warrant jail time.

There are, however, federal sentencing guideline ranges that could result in probation instead of a custodial sentence given: no remunerative intent, no prior convictions, &c.

I think a lot of people could agree that this is a crime that should have landed in the lower range of the guidelines (but might not, given the CFAA guideline damage scaling).

I don't think CFAA sentences should scale with damages at all, unless the prosecution can prove an intent to cause those damages (that's tricky in this case because the prosecution can put on a pretty good case demonstrating that intent).


> How can they possibly be letting a freshly convicted felon talk like this?

Because the conviction, much like the government's accusations and case, is bullshit.


I'm guessing the news agency with its leaked username/password hired some outside security firm to assess the breach and certify all is good - and that is what cost thousands? Could we have some consideration of what is fair and rational here? Leaking a username/password should not generally involve any jail time, period.


If the company claims to have business-critical resources, then it should also be sentenced for not protecting them enough. What's happening here is weak password-based security, non-deactivated credentials of a former employee, and an attempt to fund the security firm from the penalties on the hackers.


Why should the business be prosecuted for not protecting themselves better? I can only see the point behind arguing that a business should be prosecuted for not protecting their _customers_ or _the public_ better.

While I might want my accountants to be prosecuted for leaving their doors unlocked overnight, I wouldn't want the local baker prosecuted for doing the same.


Sure, he's responsible.

But he deserves a month in jail, at most.


Well, he could very well have cost his former employer tens of thousands of dollars—it would be appropriate for any sentence to be at least roughly the amount of time it would have taken him to earn that sum.


Does that mean that your prison time should be inversely proportional to your economic status?


Financial damages, have him actually pay for (possibly a set percentage of) them instead of spending money to keep someone away from work to inflict the same damage on him.


Unless you're a banker, in which case you don't spend any time in jail, and you're given trillions in bailouts funded by the taxpayer.


Not "his hack." His alleged hack.

From the fine article: "Let’s be clear: I never passed a username or password to Anonymous," he said.


He's been convicted. And the evidence was not "he-said she-said". They've got his home IP address on some of the IRC chats, among other things.

I think we're past genuflecting "allegedlies".


Just in the interest of being thorough (because I'm not at all interested in his guilt or innocence), there seems to be some confusion about the IP address:

"As Keys tells it, he was merely gathering information as a journalist about Anonymous, but did not have his IRC handle registered—so, he supposes, someone else, using an entirely different IP address, was using that nickname instead."

"'That was one of several names that I used, but it wasn't locked down, it wasn't registered and it looks like somebody did use it. It was connected to an IP address that wasn't mine. The FBI agent admitted that he didn't have any records of [that IP address].'"

http://arstechnica.com/tech-policy/2015/10/journalist-linked...


Convicted based on network evidence assembled by the FBI. So, allegedly.


> the attackers used it to modify stories

_A_ story. For 40 minutes. The prosecution couldn't even prove anyone saw the story in that time.


The damage figures the prosecution is using aren't based on the story itself. Tribune cites a $17,000 cleanup cost, which is, for a breach, cheap.


"However, exhibits displayed during the defense’s opening arguments show supposed emails from Brandon Mercer, Keys’ ex-boss, saying, “If you bill a thousand dollars an hour, that will help us get it prosecuted,” suggested the government is misrepresenting the true cost. In another email from the exhibits, Mercer estimated the damage at around $3,800."

http://motherboard.vice.com/read/low-level-vandalism-or-high...


So? That should normally be covered by damages and not punishment. The reason the defense "fixates" on how long the story was up for is because that actually has to do with the severity of the crime.


I agree with that.


Wow, this guy sounds like a tool- zero remorse whatsoever for what he did, zero indication that he feels anything but completely entitled to a hand wave and a fine. No indication that he learned from his mistake, and no indication that he wouldn't do it again if he got fired from another job.

25 years is ridiculous, for sure. Honestly, prison time at all seems like crazy overkill. However, Matthew Keys comes across like the definition of a whiny entitled millennial.

Any law-types able to weigh in on precedent in this sort of case? That might help to explain why they're pushing for such a ridiculous prison sentence.


He's not actually facing 25 years.


"But for journalist Matthew Keys, who prosecutors said illegally leaked the username and password needed to make the changes to the hacking group Anonymous, the end result may mean 25 years in prison." Probably not going to, but there's apparently a possibility or a precedent somewhere for that number to pop up.


Yes, the story is wrong. It also contradicts itself on this point within a few grafs.

https://popehat.com/2013/02/05/crime-whale-sushi-sentence-el...


Actually he might. The way the law is written, hackers are the closest thing to a terrorist. If Aaron Swartz is any indication, I expect an unfair ruling.


Huh? Aaron Swartz never saw a ruling.


Hold on, I can translate.

"Because Aaron Swartz was treated badly, any time a `hacker` appears in court, they will be treated badly because $insert_tinfoil_here."


> Wow, this guy sounds like a tool

He'd be smart to lose the attitude before sentencing. It all depends on the judge, but a lot of judges really really love to see groveling, remorse, repentance, contrition, etc.

As others have said, he probably won't get 25 years. But maybe he does 3 years instead of 2 years. We'll see if he still thinks it's "bullshit" after he reports to prison.


If he serves time, he's probably more likely to think it's "bullshit".


Yes, going "F^%k you, Judge" whilst a trial is going on doesn't go down well in any country.


The fact that he's going to have a really difficult time finding another job seems to be punishment enough.


Is he a millennial? If so he looks awful. Anyway, don't smear my (our?) generation, son.



So it's only five years in prison. Do you genuinely think that's appropriate punishment for some minor vandalism?

Five years. I know American prison sentences are insane in general, but consider what that sentence actually means.


We have no idea how long the sentence will be. Prosecutors said under 5 years. If I had to guess, it'll be closer to two years.

I think the major problem with CFAA is the way in which sentences scale with damages. I generally think all criminal sentences are far too long.

At the same time, this is a really unsympathetic defendant.

It's not "minor vandalism" when the cleanup involves a $50,000 outside forensics investigation. I don't know if that's what Trib had to do, but much smaller companies than the Trib have had to pay much more in cleanup from otherwise innocuous breakins.


Popehat said "That's consistent with my calculation of 53-61 months guideline range."

Two years is also a really, really long time.

Who cares in the slightest if the defendant is or isn't an asshole? No, seriously. Empathy and basic humanity do not work that way.


The court cares if the defendant is an asshole. You will get a higher sentence for being remorseless.

I agree that two years is a really long time. But then, I think a single year in prison for dealing heroin on a corner is also a really long time, and the people who get imprisoned for doing that had far fewer options and opportunities than Keys did, so it's hard for me to imagine Keys being anyone's cause celebre.


> You will get a higher sentence for being remorseless.

This creates really perverse incentives, though. How in the world do you maintain innocence without being "remorseless"?

At base, this operates from an assumption that the court system always finds the Truth. Which IMO is a pretty ignorant/arrogant assumption.


Yes, that is a problem (and even worse facing a parole board), but showing remorse is very much about convincing the court you won't do it again. So explain that you think the crime in question is a terrible, horrible, no good, very bad act and that you would never do such a thing, especially not in the future. As opposed to e.g. insisting even if you didn't do it, they had it coming anyway.


> "but showing remorse is very much about convincing the court you won't do it again."

But you're all but admitting you did it once in order to say that you won't do it again.


> So explain that you think the crime in question is a terrible, horrible, no good, very bad act and that you would never do such a thing, especially not in the future.


Keys is an asshole, and low-level nonviolent drug offenders absolutely should not be treated as they are.

Both of these things are completely irrelevant to the fact that any jail time for defacing a website is completely insane, the result of a witch-hunt mentality surrounding computer-based crimes.


Why do people keep oversimplifying this to "defacing a website"? If you were running ops for a tech company and your website was defaced, would your costs stop at the point where you restore the original content to the website? Of course they wouldn't.


If a tagger defaces a wall of your building, there are several things you can do about it.

  - ignore it
  - paint over the graffito
  - paint the entire wall
  - sandblast the graffito off
  - repaint the entire building
  - demolish the building and construct a new one, then paint it
  - abandon the building and move your business to a new city
Additionally, there are some things you can do to discourage future miscreants.

  - nothing
  - hire an artist, to make the original tagger feel inept and outclassed
  - point cameras at your walls
  - hire a guard to chase off taggers
  - coat your walls with a substance that prevents paint from adhering
  - build a wall around your walls, with razor wire
  - buy sentry guns with an AI tagging-detection system
And there are several ways to calculate damages.

  - declare that no damage occurred
  - cost of one bucket of paint
  - devaluation of the market value of the property
  - loss of business from customers that might have been scared off
  - loss of reputation among existing customers
  - research costs for a device that will erase the memory of the graffito
    from anyone that ever saw it
  - lobbying costs for new federal laws and regulations regarding tagging
  - cost of consultants capable of determining Banksy or not-Banksy
At some point, you step across the line where you can reasonably say that the expenditures were all due to one kid with a fat marker or spray-paint can.

Your costs might not stop at that line, but the amount you can claim as damages would.


You've lost me. Nothing a tagger does to your wall is going to cost you $20,000, and the tagger doesn't set out with the objective of totally destroying your wall, failing only because their accomplices refuse to do that.


You're 100% right. There are some costs to the company to clean up after what happened.

However, I think people are correctly wondering why we live in a society where a more or less victimless crime will result in years in prison, while bankers loot and destroy the entire economy, ruining countless people's lives, and not even one executive spends a minute in jail.

There exists a two-tiered system, and this is yet another illustration of what happens when you're in the lower tier. If bankers aren't going to jail, this guy definitely shouldn't be.


Exactly how is this a victimless crime? The crime seems to have a clear victim: the Tribune Corporation and its shareholders.


When one compares it to other crimes that not only go unpunished, but rewarded, this particular crime is comparatively insignificant - thus the "more or less".

I trust in the aftermath of the 2008 meltdown, you were speaking out equally vigorously in favor of jailing bank executives.


For what? LOL

Even Ben Bernanke says we should have jailed banking executives after 2008.

In case you're not being purposefully obtuse, you can watch how the reams of evidence of criminal behavior (you know, of actual written-down crimes) were ignored by the justice department (you know, the same agency that is pursuing this case), via PBS Frontline: http://www.pbs.org/wgbh/pages/frontline/untouchables/

Frontline was able to find direct evidence of executive criminality with just a cursory investigation (with no power of subpoena). The excuses coming out of the justice department's mouthpiece were so laughable that he resigned the day after the piece went to air.

There's a two-tier system in place here, and crimes like defacing a website causing a paltry amount of damage, although real, should be the crimes the justice department ignores if they're not able to apply justice to all crimes fairly and evenly.


Jailing bank executives for what? I am not vigorously in favor of jailing people for things that are not actual written-down crimes.

Are you asking me if I think there should be more criminal statutes in banking? That's a pretty boring question. Of course I do.


I vigorously support the notion that bank executives who have broken the law should go to prison.


Keys posted active credentials to a forum, and those credentials were used by others to deface a website. Do you regard that as a fair statement of what happened? Still completely insane to send someone to prison for that.


He posted active credentials to the (his words) secret chat room of a "group of renegade criminal" hackers, and pleaded with them to trash Tribune properties --- he was distraught when the people on that channel merely poked around and tried to maintain their access. Ultimately, Keys was disappointed --- again, his words --- with the minimal damage done to his former employer.

It does not seem at all insane to send someone to prison for that.


The actual damages that resulted from his actions were pretty small and purely financial.

Even if you prosecute on the basis of what could have happened (maybe we start charging everyone who runs a red light with manslaughter?), we're still not reaching the level of physical harm to anyone or (barring complete negligence on the part of the Tribune) a catastrophic material loss.

You really think society's need to avenge that wrong is worth spending $30k a year to hold him in federal prison, exposing him to possible violent harm, and depriving him of his future? Sorry, but that's insane. He should pay the actual damages, a punitive fine, and perform community service, tops.


Isn't the humanitarian view that we should reform, not punish, criminals? Assholes need more reforming.


"Prosecutors wrote in the indictment that Tribune spent more than $5,000 responding to the attack and restoring its systems." -- http://www.latimes.com/local/lanow/la-me-ln-matthew-keys-con...



Keys responded directly to that tweet, telling people to keep saying he is facing 25 years, because it's true.


Keys is a dimwit. Ken White is a defense attorney and former federal prosecutor. I'ma go with Ken White on this.


To be clear, people are not upset at the _actual_ or _likely_ sentence, they are upset at the _potential_ sentence.

When reporters say "Keys faces," they are talking about the potential sentence I face (as put forth by the Department of Justice in its own press releases), and when people are critical of it, they are taking the position that the potential sentence is absurd.

Aside from the fact that I didn't do it (despite what prosecutors were able to convince a jury), this case has opened my eyes to the antiquated and draconian computer laws under which we are all governed in the United States. Any reasonable person would agree that the punishments simply don't fit the alleged offenses, and the law is in desperate need of reform. Any offside discussion about potential versus actual sentences takes away from the very serious, very important discussion about reform.


There was no potential for a 25 year sentence in this case. The statute caps any possible CFAA sentence, but that cap captures a wealth of factors not at play in this case: no intent to make money or commercialize the attack, no priors, &c.

The 25 year maximum describes a case where someone caused damage to critical infrastructure, helped steal a zillion credit cards, and potentially caused loss of life, but due to the idiosyncrasies of the case, was only able to be charged under CFAA and wire fraud law. That's not this case.

Ken White has pointed out the discrepancy between DOJ press releases and actual sentencing procedures at length. See [popehat whale sushi]. White is, again, a former white-collar crime prosecutor, and is himself no friend of the DOJ.

On the very, very remote chance that the person who signed up as "matthewkeys" on HN is actually "matthewkeys", and acknowledging that I am not a lawyer: it is probably a fantastically bad idea to be commenting on this case on HN prior to sentencing.


> I am not a lawyer

You don't say?


Why am I getting downvoted? I just am stating that he replied.


It's been posted a couple times by danso here, but it's worth posting again. Read the search warrant chat transcripts. They provide some insight into the case as well as his personality, and are good for a few laughs. They start on or about page 45:

http://www.laweekly.com/news/matthew-keys-helped-anonymous-h...


To be clear, federal authorities have already admitted altering chat log information in this case.


What would the charges be against Keys if he had knowingly given a set of keys to some vandals who came in and did several thousand dollars of damage?

Whatever it is, it shouldn't be 25 years in prison, either.


I don't know why this is getting downvoted, you are exactly right. Treating a crime committed "with a computer" with a totally different scale is idiotic.


Laws such as the CFAA that impose draconian penalties for what amount to harmless (or nearly so) infractions with computers are just another symptom of the low prestige of technology professionals. Yes, I know the offender in this case is a non-technical journalist and not a technology professional, but he is mere collateral damage and doesn't represent the people the CFAA was meant to keep in line, namely us.

Contrast the legislative treatment we receive with that of doctors, who according to that same publication can apparently get away with literal murder and maiming for years before finally being punished: http://www.washingtonpost.com/news/morning-mix/wp/2015/08/25...


I'm not actually clear what crime was committed. Divulging trade secrets or proprietary information is not a violation of the CFAA is it? Even so, how is divulging a (presumably expired) username and password any different than a security researcher releasing a PoC exploit? We don't (yet) prosecute researchers, even though they reasonably should know that their code could be used to exploit actual systems.


It's different in the same way that you giving your work keys to thieves is different than you writing a paper about potential flaws in a particular model of lock.


Whether you believe in my innocence or not, the CFAA actually does have a line about "password trafficking," which was alleged by the government -- but not charged.


What concerns me about this is that people of the media seem to think that they are above reproach: a belief that their actions are always protected and that, as journalists, they should be given the benefit of the doubt. I know he has not made this claim directly, but I think this story would be vastly different had he not been a "journalist".


I sincerely hope Keys gets nothing more than probation. Mostly because this is the government's chance to make up for their colossal fuck up over Aaron Swartz. And because incarcerating Keys has so little value; he seems to have learned his lesson and in the time since his indictment has continued to do good journalism work, even landing new jobs.

But if you believe the government's narrative isn't totally hocus pocus, that the IRC logs truly depict what they seem to, that Keys maintained the identity of "AESCracked" throughout the period of his alleged hacking...then to portray his actions as just helping to change a story's headline for the lulz is plain dishonest.

Read the search warrant yourself [1], starting with page 39.

He not only gives his credentials over; in the conversation, he talks about creating new accounts for hackers to use (yes, apparently an average web producer -- even after being fired -- has superuser privileges on the Tribune CMS). He then walks the other IRC users through how to navigate the CMS. He doesn't just encourage them to "go fuck some shit up!" on the LA Times, he then proceeds to enumerate every news site owned by Tribune, with particular instruction on which places should be hit for being "tribune's bread and butter assets".

What really irks me is that hackers, page 47, then talk about rooting the Tribune server to gain access to emails and everything else. And "AESCracked" is just sitting there, goading them along, giving them more information completely unprompted. It's hard for me to believe that any reporter who knows what "root access" means can say with a straight face that Keys is only guilty of a prank, that the possibility of an entire news organization's data -- including every reporter's email -- being captured and dumped like HBGary or Ashley Madison or Sony, is just no big deal.

So why didn't that happen? Who knows -- but the fact that a company who granted superuser access to all web producers to their non-https publicly-exposed CMS, and had no process for revoking credentials, and did nothing even after noticing said superuser account was creating new unauthorized accounts -- managed to not get rooted after said credentials were given over is a bona fide Christmas miracle. One of the other IRC users (sharpie) decided on his/her own to fuck around with the LA Times in a way that was immediately obvious to the Tribune sysops, who then removed user privileges.

Giving out superuser credentials to a hacker's group causes $0 worth of damage. Creating new user accounts (including another super user account) causes $0 of damage. Giving out every URL to the different CMSes, including the user manual about how to navigate their interfaces causes $0 of damage. Sure, it adds up to less than $5,000 of damage if you believe bits are just nothing but electronic blips. But let's not be dishonest and say that this was just a good ol' fun prank like the time when Woz programmed the campus computer system to bulk print "FUCK NIXON" [2]

But yeah, the truth is that no real damage was caused despite the potential -- the $900K+ of damages cited was the money spent by Tribune to overhaul their system, including making CMS login URLs https. And hopefully, a better access-control system...and frankly, I'm OK with that kind of technicality allowing Keys to just get probation. Worser criminals have gotten acquitted for lesser reasons. But I don't feel it's right to gloss over his crime. IMO, what he did was not just less admirable than what Snowden and Aaron Swartz did, but more sociopathic than what weev was imprisoned for. According to the IRC transcript, Keys had no problem abetting a chatroom full of hackers with completely fucking his colleagues -- and any and all confidential sources for any ongoing journalism investigations.

On a lighter note, page 46 of the search warrant is fun reading and I think sheds light on why the Tribune company didn't get completely owned. The hackers invite Keys to paste all the user credentials to their private hackerpad, and after doing so, Keys asks, "what's the govt passwords for? what lulz will be unleashed soon? or is that for me to not know? :p"...the responses in the IRC from the hackers after they realize what they've just let slip to a total stranger are just pure comedy.

[1] http://www.laweekly.com/news/matthew-keys-helped-anonymous-h...

[2] https://books.google.com/books?id=Yd2Hm8BlzZUC&pg=PA162&lpg=...
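The control failures the post above lists (a former employee's credentials never revoked, every web producer holding superuser rights, a superuser account creating new accounts with no one reacting) are exactly what a routine audit-log check is meant to catch. The script below is an added example, not code from this thread or from Tribune; the roster, the pipe-delimited log format and all field names are constructed assumptions for illustration.

```python
"""Offboarding-gap detector for a CMS audit log (added example).

Three defender-side checks over a constructed audit log:
  1. activity by an account whose owner has left the organisation,
  2. superuser provisioning (account creation / role grant) in the log,
  3. activity by an account that is not on the HR roster at all.
The log format, field names and roster are assumptions, not Tribune's.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed HR roster: username -> termination date (None = still employed).
ROSTER: Dict[str, Optional[datetime]] = {
    "alice": None,
    "bob": datetime(2010, 10, 28),  # bob left the company on this date
    "carol": None,
}

# Constructed audit log, one event per line: timestamp|actor|action|target|detail
AUDIT_LOG = """\
2010-12-14T21:03:11|alice|login|-|ip=10.0.0.5
2010-12-14T22:40:02|bob|login|-|ip=203.0.113.9
2010-12-14T22:41:30|bob|create_user|sharpie|role=superuser
2010-12-14T22:42:05|bob|grant_role|sharpie|role=superuser
2010-12-14T23:10:44|sharpie|edit_story|la-times/123|field=headline
2010-12-15T01:00:00|carol|login|-|ip=10.0.0.7
"""


@dataclass
class Finding:
    rule: str
    actor: str
    timestamp: datetime
    detail: str


def parse_log(text: str) -> List[dict]:
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target, "detail": detail})
    return events


def detect(events: List[dict], roster: Dict[str, Optional[datetime]]) -> List[Finding]:
    """Run the three offboarding / privilege checks over parsed events."""
    findings: List[Finding] = []
    provisioned_here = set()  # accounts created or elevated within this log window
    for e in events:
        term = roster.get(e["actor"])
        # Rule 1: the HR roster says this person left, yet the account is active.
        if term is not None and e["ts"] > term:
            findings.append(Finding("terminated_user_active", e["actor"], e["ts"],
                                    f"{e['action']} {e['target']} ({e['detail']})"))
        # Rule 2: superuser provisioning should only happen via the HR process,
        # so every occurrence in the application log deserves a review.
        if e["action"] in ("create_user", "grant_role") and "role=superuser" in e["detail"]:
            provisioned_here.add(e["target"])
            findings.append(Finding("superuser_provisioned", e["actor"], e["ts"],
                                    f"{e['action']} -> {e['target']}"))
        # Rule 3: an actor the roster has never heard of is using the CMS.
        if e["actor"] not in roster:
            note = " (provisioned in this log window)" if e["actor"] in provisioned_here else ""
            findings.append(Finding("unknown_account_active", e["actor"], e["ts"],
                                    f"{e['action']} {e['target']}{note}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule; handy for a daily report or an alert threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = detect(parse_log(AUDIT_LOG), ROSTER)
    for f in results:
        print(f"{f.timestamp.isoformat()} [{f.rule}] {f.actor}: {f.detail}")
    print(summarize(results))
```

On the constructed log this flags bob's three post-termination actions, the two superuser provisioning events, and sharpie's story edit from an account that never existed in HR.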


> he seems to have learned his lesson

This is the big problem with Keys though: he apparently hasn't. He's issuing statements defending himself with the massively hypocritical stance that he's "protecting his sources" when, as you point out, he actually gave potential access to all the correspondence with all his newspaper's sources to a group which enjoys distributing similar material across the internet, especially if they can find something embarrassing. He's not only protesting his innocence (which he has a right to do, even if it's not a credible protest) but also insisting that such actions shouldn't be prosecuted in the first place. I don't think a person arguing that as a journalist they had a fundamental right to invite third parties to damage their former employer's property and potentially embarrass uninvolved third parties (out of spite rather than activism) can be said to have learned their lesson just because they've apparently performed competently at their day jobs since then.


>the truth is that no real damage was caused despite the potential

This is the crux of what bothers me about these cases. Most of the time, it's harmless pranking. But the hackers are being punished based on potential damage. Sure, the potential damage is high, but it also speaks to the morals of the individuals doing the hacking that they choose to do nothing but a stupid joke.


jug5, you have been banned..


The 25-year "offer" from the prosecution is nothing but a scare tactic to make a defendant have to sit and think about all that time for a while while they work on the other cases they have in the pipeline.

It's a very standard practice and in no way indicates what the prosecution really wants to give him.

In my recent experience, it works very well as it is no fun sitting around for months thinking about the possibility of doing all that time.


What "offer"? 25 years is the statutory maximum. Nobody "offered" it.


25 years' jail for defacing a non-governmental website? That seems like an incredibly harsh punishment... I remember a previous case where Aaron Swartz was given 30 years for hacking into the MIT website, after which he committed suicide by hanging himself.



