Matthew Keys Found Guilty Of Criminal 'Hacking' For Sharing News Company Login

from the seems-extreme dept

Two and a half years ago, we wrote about former Reuters editor Matthew Keys being indicted based on charges that he'd shared the login information for the content management system to his former employer, the Tribune Company, in an online forum and then encouraged members of Anonymous in that forum to mess things up. Some people used that access to change a story on the LA Times website. Keys insists that he didn't do this and the feds have no direct evidence linking him to whoever leaked the login (he also claims at the time of the leak he no longer had access to the Tribune Company's systems).

As we noted at the time, if we accept the DOJ's version of what happened, what Keys did definitely was the wrong thing to do. But the result was little more than annoying vandalism -- and nothing Keys did should qualify as "criminal hacking." The changes to the LA Times were up for less than an hour and quickly reverted. There was little evidence that it created any real damage, and certainly no lasting damage. And yet, because this is a "computer crime," the feds came down on Keys as if he was part of some massive criminal conspiracy. In order to use the already problematic CFAA, it needed to show more than $5,000 worth of damage, which is crazy. Even crazier... is that the feds argued $929,977 worth of damage, based on some ridiculously exaggerated estimates of the amount of time people had to work on this issue.

And now a jury has convicted Keys on all three counts. Sentencing will be in January, and while lots of people are throwing around the statutory maximum of 25 years in jail, prosecutors have said they'll likely ask for "less than 5 years" according to Motherboard's Sarah Jeong, who was at the courthouse.

I think it's clear that Keys was in the wrong in handing out the login to the Tribune's systems, if he actually did it. But should that equate to criminal hacking charges and jailtime, because it resulted in a bit of online vandalism and some annoyance for a sys admin somewhere? That seems doubtful. As Keys himself points out in a pinned tweet in his Twitter feed, if sharing logins is a criminal act, all of you who share your HBO Go or Netflix logins may want to be careful.

The problem, once again, comes back to the ridiculous CFAA and the bogeyman of "computer hackers." It was wrong to give out the login, but the idea that it did even $5,000 in damage (as required by the CFAA), let alone nearly a million in damages, is ludicrous. It's even more ludicrous that this should be a criminal offense with any jailtime at stake. Go after him in a civil case for actual damages (of which there would be very little) and move on. Keys, for his part, has said the verdict is "bullshit" and he's planning to appeal.

It's way past time that we fixed the CFAA, and the Matthew Keys verdict is just yet another reminder that Congress needs to do something.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    PaulT (profile), 8 Oct 2015 @ 3:13am

    I wonder what the offline version would be? I mean, if I gave someone my security pass for my office and he made a mess of the kitchen, maybe broke a couple of things in the reception area, it wouldn't be expected that I get prosecuted for breaking and entering or industrial espionage. Sure, if I gave him keys to the server room or showed him how to access and alter private databases, I'd expect greater trouble. But, this?

    I hate the use of flawed physical analogies for digital activities, but I wonder what the best analogy would be to get across how silly this looks to anyone who doesn't panic when the word "hacker" is uttered.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Oct 2015 @ 5:39am

      Re:

      I hate the use of flawed physical analogies for digital activities

      Digital Activity IS physical activity! Just because YOU do not understand that technology is still a very physical event does not make it NOT REAL OR PHYSICAL.

      Just because it takes far less HUMAN physical activity means nothing, someone still have to lift at least a finger at some point to get the machine to do some physical work.

      reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 8 Oct 2015 @ 5:42am

        Re: Re:

        "get the machine to do some physical work"

        Was it a robotics factory? or, are you speaking a strange dialect that looks like English but has a different dictionary?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 8 Oct 2015 @ 8:52am

          Re: Re: Re:

          I think the AC is pointing out that until the heat-death of the universe, any and all events everywhere and everywhen are physical at some level. Therefore, SHOUTY DERISION OF YOUR INSUFFICIENTLY MIND-NUMBINGLY-ABSTRACT-YET-PARADOXICALLY-LITERAL USE OF THE WORD 'PHYSICAL'.

          reply to this | link to this | view in chronology ]

  • icon
    The Infamous Joe (profile), 8 Oct 2015 @ 4:03am

    The problem is the word hacker

    I don't know if I agree here, Mike. (And I almost always agree with you.)

    I think the problem here is your internal definition of 'hack', this time. Let's drop that word and substitute what we're really concerned about: defeating the security of a secured computer system.

    Did Keys do that? Absolutely.

    Equating it to sharing a login for Netflix: I think that's a bit of a red herring. Unless Anonymous could have paid a sum of money to the Tribune Company and gotten themselves their own login, I don't think the two situations really compare.

    As for criminal versus civil: I don't know really which way I lean. If Keys went into a grocery store and fired off a few rounds from a gun, but only managed to do some minor property damage, would you support only charging him civilly for that minor property damage? I wouldn't. I think the potential for damage should weigh in on whether something is a criminal or civil-- not strictly the actual damage.

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 8 Oct 2015 @ 8:18am

      Re: The problem is the word hacker

      Since firing off a gun could kill someone, that doesn't seem to be a very good model for this case.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Oct 2015 @ 12:50pm

      Re: The problem is the word hacker

      The difference is, the sound a gun makes immediately signals "life-threatening danger" to people nearby. That is instinctive and for a good reason - guns can kill.

      Changing a few lines of text on a news website to something prank-esque doesn't risk anyone getting killed. That's a huge difference.

      reply to this | link to this | view in chronology ]

  • identicon
    Lonyo, 8 Oct 2015 @ 4:58am

    333 hours

    Apparently it took 333 hours to fix the issues.
    If that time is JUST for removing the access for that user and checking logs to see what else the account was used for, plus reverting the page, then their systems are broke.

    If it also included doing a security audit that should have been done in the first place to cover off any other still active accounts for people who have left, then that has nothing to do with the actions which occurred, and is something that should be part of their regular activities.

    333 hours of work sounds rather suspect for what the actions caused, if they have an effective system.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Oct 2015 @ 5:04am

      Re: 333 hours

      if they have an effective system.

      The CFAA and Headlines like this is their most effective system for protecting corporate systems.
      /Sarc

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Oct 2015 @ 10:57am

      Re: 333 hours

      Investigators: How many hours did it take to recover from this hack?

      Tribune: Well we did not really keep track but this hack was evil but also funny so only half evil. 666 is evil so divide that in half and well it took us 333 hours to recover!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Oct 2015 @ 5:01am

    nothing like being used as a scapegoat to hide the misuse of funds into the pockets of the corrupt.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Oct 2015 @ 5:25am

    That company has a sys-admin that should be fired (if not the whole IT staff and some VPs). First thing you do when someone leaves a company is lock them out of secure systems. If you can't do that easily, that is your fault, not the person who left or got fired... Especially to the tune of nearly a million dollars.


    Of course the over reaction makes me wonder if there are other issues like regulatory or contractual problems this company has if the fact that their data vault is guarded by novices comes to light. Easier to throw the book at some guy saying he 'hacked' the system.

    reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 8 Oct 2015 @ 5:38am

      Re:

      "That company has a sys-admin that should be fired (if not the whole IT staff and some VPs). First thing you do when someone leaves a company is lock them out of secure systems."

      Maybe, but I've worked in some disorganised companies where HR didn't bother to properly inform IT of people coming and going (among other things). Numerous times, I'd have someone turning up for work with no accounts or equipment set up because the form had been submitted the previous evening - and people's accounts being open for days because nobody had informed us they'd left. Especially if you're not on the same site, you can't know what's happened with some random person's employment status until you're notified.

      I'm not necessarily making excuses, but the process failure might not just be with the IT side. It would be wrong to scapegoat some IT staff when the actual problem was some HR monkey leaving the notification until the evening so they could pick their brat up from school and then forgetting to submit it when they made it home (as happened with one useless person I once worked with).

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Oct 2015 @ 6:45am

        Re: Re:

        And here I thought that this was the normal IT procedures. HR did everything by the book and IT couldn't get its act together.

        The number of times I have informed the IT support staff that someone was no longer employed but their userids and passwords were still active weeks after the IT support was notified is enough to give rise to doubting the capabilities of the IT support area.

        Decades ago, it was a simple matter of calling someone and getting everything revoked immediately. Then the bright sparks running the management team brought in all the systems to monitor and control these processes and the time taken went out to days or in some cases weeks before any action took place.

        reply to this | link to this | view in chronology ]

        • icon
          PaulT (profile), 8 Oct 2015 @ 7:00am

          Re: Re: Re:

          Well, both are true of course. There's plenty of muppets in IT, and there's morons manning the HR desk. The exact ratio depends on the company, the culture, the legacy and numerous other factors. In your case, it could be that you need new IT staff (or more, often this sort of thing is a sign of people being horrendously overworked), it might be that you're using the wrong notification procedure or the notifications aren't making it through to the correct people.

          For example, a similar complaint in one company I worked for was because the manager was sending to an email address that hasn't existed for 2 years and he was ignoring the bounced notifications. I looked at his mailbox and found 3 emails notifying them of the procedure change in a folder they "never looked at because it was just spam". Which is of course where they were moving all the IT group emails to. IT were being blamed, but the cause was someone outside of IT being stubborn and ignorant.

          If it's that bad where you work, I'd talk to your support manager and maybe review the current processes to see what can be improved. They're probably aware of faults, and you won't be the only person complaining if it is that bad - maybe present documentation of previous failures and present them with the security risks if that helps.

          But, again, I'm not trying to deflect blame from IT departments. I'm simply painfully aware of places where overworked competent staff are being blamed for the failures of others.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 8 Oct 2015 @ 7:25pm

            Re: Re: Re: Re:

            When these changes were implemented at the original company, the procedures dictated by management (not HR or IT) meant that instead of getting the job done, the paperwork had to be meticulously filled out. Every jot and tittle had to be there. A two minute became 2 hours, all in the name of tracking and better service.

            As the years went by, no matter what company I did work for, the actual response time continued to get worse. Except of course for senior managers. They expected and got their instant response, it being irrelevant as to whether or not there were other much more serious/urgent tasks to be done.

            The result was finding ways to bypass the system to get what we needed done. In addition, the skills to be found in IT support groups seem to have deteriorated over the years. Extremely specialised but no general problem solving skills and certainly not expected to look outside the box.

            I am in the position these days of being my own support, there is only my close family and friends that I have to deal with. Other than the local ISP that is.

            Happy days.

            reply to this | link to this | view in chronology ]

            • icon
              PaulT (profile), 9 Oct 2015 @ 1:35am

              Re: Re: Re: Re: Re:

              "the procedures dictated by management (not HR or IT)"

              Well, there's your problem... I'll be willing to bet it's the least efficient, most tedious, least effective method for anything other than the management's preferred tracking mechanism. If so, people will have been quick to find corners to miss, and once those who know why those corners are being cut have left, the quality of work is bound to deteriorate.

              "Except of course for senior managers. They expected and got their instant response, it being irrelevant as to whether or not there were other much more serious/urgent tasks to be done."

              Which, of course, means that further problems are created and exacerbated by the delays caused by the management demands and other work slips behind further.

              "In addition, the skills to be found in IT support groups seem to have deteriorated over the years. Extremely specialised but no general problem solving skills and certainly not expected to look outside the box."

              For most people who have an genuine interest in a career in IT, a helpdesk job is a stepping stone. It's a way into a company to progress into a more interesting role internally, or a stopgap to still get paid while looking for a decent job elsewhere. In my experience, those who spend an extended length of time in such a job are either unmotivated to do better or don't have the skills to progress.

              There are exceptions, of course, but my experience is that anyone who spends more than 2+ years in such a position in one company is either desperate for work or as advanced as they can get. Those who have the skills to look outside the box will tend to progress somewhere outside of support.

              "Happy days."

              Yeah, my days of working a helpdesk are far behind me at this point (I hope). I don't miss those days at all.

              reply to this | link to this | view in chronology ]

    • identicon
      RR, 8 Oct 2015 @ 6:20am

      Response to: Anonymous Coward on Oct 8th, 2015 @ 5:25am

      A commenter on Ars said he had created additional logins for himself and they couldn't figure out how to delete them.

      It's trivial to imagine racking up $5000 in a post incident audit. Trivial.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Oct 2015 @ 11:03am

        Re: Response to: Anonymous Coward on Oct 8th, 2015 @ 5:25am

        Its trivial to rack up $5000 in a pre incident audit. Trivial.

        FTFY

        reply to this | link to this | view in chronology ]

  • icon
    Spike (profile), 8 Oct 2015 @ 5:31am

    Its a problem when the majority of Juries are morons when it comes to anything that might require some technical knowledge. Infact, the Jury screening process probably weeds out people with half a clue regarding information security...

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 8 Oct 2015 @ 6:24am

      Re:

      To the overwhelming majority of prosecutors, that's a feature, not a bug. They want stupid jurors, almost as much as they want people who are willing to believe without question anything presented to them.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Oct 2015 @ 5:48am

    sounds as if the feds were using the same exaggeration formulae that Hollywood and the entertainment industries use to come to the ridiculous amounts they lose when A PERSON DOWNLOADS A COPY OF ONE FILM!
    what is it with the DoJ etc that they simply must win, they simply must affect as many people as possible and they must get the maximum sentence for the most minor of deeds?? damned ridiculous!! they would be the first to complain if the shoe was on the other foot!!

    reply to this | link to this | view in chronology ]

  • identicon
    ScytheNoire, 8 Oct 2015 @ 6:46am

    Not hacking

    The broadness of items they claim he did under this ridiculous CFAA law shows that they have no understanding of computers and security. What happened here is not hacking.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Oct 2015 @ 7:09am

    Mike, there is a huge difference between sharing a login for a user password, for the purpose of sharing content, and posting a admin password and encouraging people to do damage.

    However, this will get overturned on appeal.

    reply to this | link to this | view in chronology ]

  • icon
    Black Bellamy (profile), 8 Oct 2015 @ 7:58am

    Someone is lying

    I worked for a very large publishing company and was instrumental in the development, deployment and operation of their CMS. At that time our CMS was cutting edge and supported many different publications at once, so it's probably quite similar to the one the LA Times uses, in terms of both complexity and functionality.

    So when someone claims that it cost them more than $5000 to undo the "hack" as described - which is basically changing three lines of text - I would call bullshit.

    Someone notices the issue and emails some manager. That manager contacts an editor. An editor logs into the CMS, "checks out" the article, makes the change in a run of the mill text box, clicks preview, then publish. This takes 10-15 minutes tops.

    How anyone could extrapolate $5000 or even that extra-insane-with-sugar-on-top $929,977 figure is beyond me. Just liars lying to other liars who lie to everyone.

    I don't blame the liars though. Liars gonna lie. I blame Matthew's attorneys.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 8 Oct 2015 @ 8:30am

      Re: Someone is lying

      I blame a system that has bought in to the idea that you can terrorize people into following arbitrary rules by making examples of anybody that upset the people in power.

      reply to this | link to this | view in chronology ]

  • identicon
    Camp Counselor, 8 Oct 2015 @ 10:15am

    Keep 'em coming.

    Another citizen enrolled in criminal camp.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 8 Oct 2015 @ 11:02am

    POINT OUT SOME FACTS..

    1. as soon as he was dismissed...
    His passwords would have been ERASED.
    This is AUTOMATIC, and the sysop's should of done it.
    2. ANY SMART person has a log of WHO changed things on ANY SERVER, ANY DATA...even windows keeps an IDEA of who did what and when.
    was any of this pointed out, or shown?
    3. SAID BEFORE...system links to the NET, should not have any direct Links to the MAIN SYSTEM.. Anything Submitted for CHANGE from a Internet, is to be CHECKED before admitting to the MAIN SERVERS...
    PERIOD..NO IF/AND/ Or But.

    So, HOW can the Feds, SHOW damages, when there wasnt any??
    They DIDNT ASK the LA Times..they bypassed them. and Made up their OWN NUMBERS..

    Is this RIGHT for the gov.??

    reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 8 Oct 2015 @ 11:29am

      Re: POINT OUT SOME FACTS..

      I'm just CURIOUS if you talk LIKE that in PERSON, or only ON THE INTERNET.

      reply to this | link to this | view in chronology ]

      • icon
        ECA (profile), 8 Oct 2015 @ 12:17pm

        Re: Re: POINT OUT SOME FACTS..

        yes I do..speak in this way..
        its interesting that MANY people dont hear the Points. people are saying, and If you add abit of Expression...they tend to listen better..
        Listen to News and Politics..

        reply to this | link to this | view in chronology ]

        • icon
          PaulT (profile), 9 Oct 2015 @ 1:21am

          Re: Re: Re: POINT OUT SOME FACTS..

          "its interesting that MANY people dont hear the Points. people are saying, and If you add abit of Expression...they tend to listen better."

          Actually, when I see that someone's randomly capitalised words in the middle of sentences, especially to the degree you did above, I ignore the post and scroll past it. It's extremely annoying, and annoying me is no way to get your point across, even if the words are true.

          reply to this | link to this | view in chronology ]

          • icon
            nasch (profile), 9 Oct 2015 @ 6:10am

            Re: Re: Re: Re: POINT OUT SOME FACTS..

            Actually, when I see that someone's randomly capitalised words in the middle of sentences, especially to the degree you did above, I ignore the post and scroll past it.

            Same here. This was one of the few I took the time to read, maybe because it was in list form. Another thing that will get me to skip is a big run-on sentence with random line breaks.

            reply to this | link to this | view in chronology ]

  • icon
    tqk (profile), 8 Oct 2015 @ 4:05pm

    Ha, haa, ha, ha, haaa ...

    ... and the Matthew Keys verdict is just yet another reminder that Congress needs to do something.

    Sorry. I think it's pretty ludicrous to expect the US Congress to do anything useful nowadays; "useful" for "The People" at least. They consider their full time job grandstanding and raising campaign finance funding. "Governing" as their electors would hope them to do is the least of their considerations. They, along with most entities in power today (just as through most of the rest of our history), have no effective oversight.

    Our governments today are no better than the Roman Empire's, and every bit as compromisable by deep pocketed power hungry wannabe tyrants. We have what we have because they allow us to have it, as that's useful for them.

    reply to this | link to this | view in chronology ]

  • identicon
    GEMont, 10 Oct 2015 @ 5:09pm

    What do millionaires do for fun in their spare time? Politics!!

    "...Congress needs to do something."

    But Congress Critters ARE doing something!

    You can hear them if your quiet enough....

    "One million to the Caymans, .5 million to the Swiss Bank, 250,000 to the Bank in Dubai, and the rest to the offshore in Mexico. Now where did that bimbo go with the cocaine... its such a huge yacht!"

    ---

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.