Matthew Keys Found Guilty Of Criminal 'Hacking' For Sharing News Company Login
from the seems-extreme dept
Two and a half years ago, we wrote about former Reuters editor Matthew Keys being indicted based on charges that he’d shared the login information for the content management system to his former employer, the Tribune Company, in an online forum and then encouraged members of Anonymous in that forum to mess things up. Some people used that access to change a story on the LA Times website. Keys insists that he didn’t do this and the feds have no direct evidence linking him to whoever leaked the login (he also claims at the time of the leak he no longer had access to the Tribune Company’s systems).
As we noted at the time, if we accept the DOJ’s version of what happened, what Keys did definitely was the wrong thing to do. But the result was little more than annoying vandalism — and nothing Keys did should qualify as “criminal hacking.” The changes to the LA Times were up for less than an hour and quickly reverted. There was little evidence that it created any real damage, and certainly no lasting damage. And yet, because this is a “computer crime,” the feds came down on Keys as if he was part of some massive criminal conspiracy. In order to use the already problematic CFAA, it needed to show more than $5,000 worth of damage, which is crazy. Even crazier… is that the feds argued $929,977 worth of damage, based on some ridiculously exaggerated estimates of the amount of time people had to work on this issue.
And now a jury has convicted Keys on all three counts. Sentencing will be in January, and while lots of people are throwing around the statutory maximum of 25 years in jail, prosecutors have said they’ll likely ask for “less than 5 years” according to Motherboard’s Sarah Jeong, who was at the courthouse.
I think it’s clear that Keys was in the wrong in handing out the login to the Tribune’s systems, if he actually did it. But should that equate to criminal hacking charges and jailtime, because it resulted in a bit of online vandalism and some annoyance for a sys admin somewhere? That seems doubtful. As Keys himself points out in a pinned tweet in his Twitter feed, if sharing logins is a criminal act, all of you who share your HBO Go or Netflix logins may want to be careful.
The problem, once again, comes back to the ridiculous CFAA and the bogeyman of “computer hackers.” It was wrong to give out the login, but the idea that it did even $5,000 in damage (as required by the CFAA), let alone nearly a million in damages, is ludicrous. It’s even more ludicrous that this should be a criminal offense with any jailtime at stake. Go after him in a civil case for actual damages (of which there would be very little) and move on. Keys, for his part, has said the verdict is “bullshit” and he’s planning to appeal.
It’s way past time that we fixed the CFAA, and the Matthew Keys verdict is just yet another reminder that Congress needs to do something.
Filed Under: anonymous, cfaa, defacement, hacking, login, matthew keys, vandalism
Companies: tribune company
Comments on “Matthew Keys Found Guilty Of Criminal 'Hacking' For Sharing News Company Login”
I wonder what the offline version would be? I mean, if I gave someone my security pass for my office and he made a mess of the kitchen, maybe broke a couple of things in the reception area, it wouldn’t be expected that I get prosecuted for breaking and entering or industrial espionage. Sure, if I gave him keys to the server room or showed him how to access and alter private databases, I’d expect greater trouble. But, this?
I hate the use of flawed physical analogies for digital activities, but I wonder what the best analogy would be to get across how silly this looks to anyone who doesn’t panic when the word “hacker” is uttered.
Re: Re:
I hate the use of flawed physical analogies for digital activities
Digital Activity IS physical activity! Just because YOU do not understand that technology is still a very physical event does not make it NOT REAL OR PHYSICAL.
Just because it takes far less HUMAN physical activity means nothing, someone still have to lift at least a finger at some point to get the machine to do some physical work.
Re: Re: Re:
“get the machine to do some physical work”
Was it a robotics factory? or, are you speaking a strange dialect that looks like English but has a different dictionary?
Re: Re: Re: Re:
I think the AC is pointing out that until the heat-death of the universe, any and all events everywhere and everywhen are physical at some level. Therefore, SHOUTY DERISION OF YOUR INSUFFICIENTLY MIND-NUMBINGLY-ABSTRACT-YET-PARADOXICALLY-LITERAL USE OF THE WORD ‘PHYSICAL’.
The problem is the word hacker
I don’t know if I agree here, Mike. (And I almost always agree with you.)
I think the problem here is your internal definition of ‘hack’, this time. Let’s drop that word and substitute what we’re really concerned about: defeating the security of a secured computer system.
Did Keys do that? Absolutely.
Equating it to sharing a login for Netflix: I think that’s a bit of a red herring. Unless Anonymous could have paid a sum of money to the Tribune Company and gotten themselves their own login, I don’t think the two situations really compare.
As for criminal versus civil: I don’t know really which way I lean. If Keys went into a grocery store and fired off a few rounds from a gun, but only managed to do some minor property damage, would you support only charging him civilly for that minor property damage? I wouldn’t. I think the potential for damage should weigh in on whether something is a criminal or civil– not strictly the actual damage.
Re: The problem is the word hacker
Since firing off a gun could kill someone, that doesn’t seem to be a very good model for this case.
Re: The problem is the word hacker
The difference is, the sound a gun makes immediately signals “life-threatening danger” to people nearby. That is instinctive and for a good reason – guns can kill.
Changing a few lines of text on a news website to something prank-esque doesn’t risk anyone getting killed. That’s a huge difference.
333 hours
Apparently it took 333 hours to fix the issues.
If that time is JUST for removing the access for that user and checking logs to see what else the account was used for, plus reverting the page, then their systems are broke.
If it also included doing a security audit that should have been done in the first place to cover off any other still active accounts for people who have left, then that has nothing to do with the actions which occurred, and is something that should be part of their regular activities.
333 hours of work sounds rather suspect for what the actions caused, if they have an effective system.
Re: 333 hours
The CFAA and Headlines like this is their most effective system for protecting corporate systems.
/Sarc
Re: 333 hours
Investigators: How many hours did it take to recover from this hack?
Tribune: Well we did not really keep track but this hack was evil but also funny so only half evil. 666 is evil so divide that in half and well it took us 333 hours to recover!
nothing like being used as a scapegoat to hide the misuse of funds into the pockets of the corrupt.
That company has a sys-admin that should be fired (if not the whole IT staff and some VPs). First thing you do when someone leaves a company is lock them out of secure systems. If you can’t do that easily, that is your fault, not the person who left or got fired… Especially to the tune of nearly a million dollars.
Of course the over reaction makes me wonder if there are other issues like regulatory or contractual problems this company has if the fact that their data vault is guarded by novices comes to light. Easier to throw the book at some guy saying he ‘hacked’ the system.
Re: Re:
“That company has a sys-admin that should be fired (if not the whole IT staff and some VPs). First thing you do when someone leaves a company is lock them out of secure systems.”
Maybe, but I’ve worked in some disorganised companies where HR didn’t bother to properly inform IT of people coming and going (among other things). Numerous times, I’d have someone turning up for work with no accounts or equipment set up because the form had been submitted the previous evening – and people’s accounts being open for days because nobody had informed us they’d left. Especially if you’re not on the same site, you can’t know what’s happened with some random person’s employment status until you’re notified.
I’m not necessarily making excuses, but the process failure might not just be with the IT side. It would be wrong to scapegoat some IT staff when the actual problem was some HR monkey leaving the notification until the evening so they could pick their brat up from school and then forgetting to submit it when they made it home (as happened with one useless person I once worked with).
Re: Re: Re:
And here I thought that this was the normal IT procedures. HR did everything by the book and IT couldn’t get its act together.
The number of times I have informed the IT support staff that someone was no longer employed but their userids and passwords were still active weeks after the IT support was notified is enough to give rise to doubting the capabilities of the IT support area.
Decades ago, it was a simple matter of calling someone and getting everything revoked immediately. Then the bright sparks running the management team brought in all the systems to monitor and control these processes and the time taken went out to days or in some cases weeks before any action took place.
Re: Re: Re: Re:
Well, both are true of course. There’s plenty of muppets in IT, and there’s morons manning the HR desk. The exact ratio depends on the company, the culture, the legacy and numerous other factors. In your case, it could be that you need new IT staff (or more, often this sort of thing is a sign of people being horrendously overworked), it might be that you’re using the wrong notification procedure or the notifications aren’t making it through to the correct people.
For example, a similar complaint in one company I worked for was because the manager was sending to an email address that hasn’t existed for 2 years and he was ignoring the bounced notifications. I looked at his mailbox and found 3 emails notifying them of the procedure change in a folder they “never looked at because it was just spam”. Which is of course where they were moving all the IT group emails to. IT were being blamed, but the cause was someone outside of IT being stubborn and ignorant.
If it’s that bad where you work, I’d talk to your support manager and maybe review the current processes to see what can be improved. They’re probably aware of faults, and you won’t be the only person complaining if it is that bad – maybe present documentation of previous failures and present them with the security risks if that helps.
But, again, I’m not trying to deflect blame from IT departments. I’m simply painfully aware of places where overworked competent staff are being blamed for the failures of others.
Re: Re: Re:2 Re:
When these changes were implemented at the original company, the procedures dictated by management (not HR or IT) meant that instead of getting the job done, the paperwork had to be meticulously filled out. Every jot and tittle had to be there. A two minute became 2 hours, all in the name of tracking and better service.
As the years went by, no matter what company I did work for, the actual response time continued to get worse. Except of course for senior managers. They expected and got their instant response, it being irrelevant as to whether or not there were other much more serious/urgent tasks to be done.
The result was finding ways to bypass the system to get what we needed done. In addition, the skills to be found in IT support groups seem to have deteriorated over the years. Extremely specialised but no general problem solving skills and certainly not expected to look outside the box.
I am in the position these days of being my own support, there is only my close family and friends that I have to deal with. Other than the local ISP that is.
Happy days.
Re: Re: Re:3 Re:
“the procedures dictated by management (not HR or IT)”
Well, there’s your problem… I’ll be willing to bet it’s the least efficient, most tedious, least effective method for anything other than the management’s preferred tracking mechanism. If so, people will have been quick to find corners to miss, and once those who know why those corners are being cut have left, the quality of work is bound to deteriorate.
“Except of course for senior managers. They expected and got their instant response, it being irrelevant as to whether or not there were other much more serious/urgent tasks to be done.”
Which, of course, means that further problems are created and exacerbated by the delays caused by the management demands and other work slips behind further.
“In addition, the skills to be found in IT support groups seem to have deteriorated over the years. Extremely specialised but no general problem solving skills and certainly not expected to look outside the box.”
For most people who have an genuine interest in a career in IT, a helpdesk job is a stepping stone. It’s a way into a company to progress into a more interesting role internally, or a stopgap to still get paid while looking for a decent job elsewhere. In my experience, those who spend an extended length of time in such a job are either unmotivated to do better or don’t have the skills to progress.
There are exceptions, of course, but my experience is that anyone who spends more than 2+ years in such a position in one company is either desperate for work or as advanced as they can get. Those who have the skills to look outside the box will tend to progress somewhere outside of support.
“Happy days.”
Yeah, my days of working a helpdesk are far behind me at this point (I hope). I don’t miss those days at all.
Re: Response to: Anonymous Coward on Oct 8th, 2015 @ 5:25am
A commenter on Ars said he had created additional logins for himself and they couldn’t figure out how to delete them.
It’s trivial to imagine racking up $5000 in a post incident audit. Trivial.
Re: Re: Response to: Anonymous Coward on Oct 8th, 2015 @ 5:25am
Its trivial to rack up $5000 in a pre incident audit. Trivial.
FTFY
Its a problem when the majority of Juries are morons when it comes to anything that might require some technical knowledge. Infact, the Jury screening process probably weeds out people with half a clue regarding information security…
Re: Re:
To the overwhelming majority of prosecutors, that’s a feature, not a bug. They want stupid jurors, almost as much as they want people who are willing to believe without question anything presented to them.
sounds as if the feds were using the same exaggeration formulae that Hollywood and the entertainment industries use to come to the ridiculous amounts they lose when A PERSON DOWNLOADS A COPY OF ONE FILM!
what is it with the DoJ etc that they simply must win, they simply must affect as many people as possible and they must get the maximum sentence for the most minor of deeds?? damned ridiculous!! they would be the first to complain if the shoe was on the other foot!!
Re: Re:
Not too surprising they might have picked up a few of Hollywood’s tricks, given they basically work for them.
Not hacking
The broadness of items they claim he did under this ridiculous CFAA law shows that they have no understanding of computers and security. What happened here is not hacking.
Mike, there is a huge difference between sharing a login for a user password, for the purpose of sharing content, and posting a admin password and encouraging people to do damage.
However, this will get overturned on appeal.
Someone is lying
I worked for a very large publishing company and was instrumental in the development, deployment and operation of their CMS. At that time our CMS was cutting edge and supported many different publications at once, so it’s probably quite similar to the one the LA Times uses, in terms of both complexity and functionality.
So when someone claims that it cost them more than $5000 to undo the “hack” as described – which is basically changing three lines of text – I would call bullshit.
Someone notices the issue and emails some manager. That manager contacts an editor. An editor logs into the CMS, “checks out” the article, makes the change in a run of the mill text box, clicks preview, then publish. This takes 10-15 minutes tops.
How anyone could extrapolate $5000 or even that extra-insane-with-sugar-on-top $929,977 figure is beyond me. Just liars lying to other liars who lie to everyone.
I don’t blame the liars though. Liars gonna lie. I blame Matthew’s attorneys.
Re: Someone is lying
I blame a system that has bought in to the idea that you can terrorize people into following arbitrary rules by making examples of anybody that upset the people in power.
Keep 'em coming.
Another citizen enrolled in criminal camp.
POINT OUT SOME FACTS..
1. as soon as he was dismissed…
His passwords would have been ERASED.
This is AUTOMATIC, and the sysop’s should of done it.
2. ANY SMART person has a log of WHO changed things on ANY SERVER, ANY DATA…even windows keeps an IDEA of who did what and when.
was any of this pointed out, or shown?
3. SAID BEFORE…system links to the NET, should not have any direct Links to the MAIN SYSTEM.. Anything Submitted for CHANGE from a Internet, is to be CHECKED before admitting to the MAIN SERVERS…
PERIOD..NO IF/AND/ Or But.
So, HOW can the Feds, SHOW damages, when there wasnt any??
They DIDNT ASK the LA Times..they bypassed them. and Made up their OWN NUMBERS..
Is this RIGHT for the gov.??
Re: POINT OUT SOME FACTS..
I’m just CURIOUS if you talk LIKE that in PERSON, or only ON THE INTERNET.
Re: Re: POINT OUT SOME FACTS..
yes I do..speak in this way..
its interesting that MANY people dont hear the Points. people are saying, and If you add abit of Expression…they tend to listen better..
Listen to News and Politics..
Re: Re: Re: POINT OUT SOME FACTS..
“its interesting that MANY people dont hear the Points. people are saying, and If you add abit of Expression…they tend to listen better.”
Actually, when I see that someone’s randomly capitalised words in the middle of sentences, especially to the degree you did above, I ignore the post and scroll past it. It’s extremely annoying, and annoying me is no way to get your point across, even if the words are true.
Re: Re: Re:2 POINT OUT SOME FACTS..
Actually, when I see that someone’s randomly capitalised words in the middle of sentences, especially to the degree you did above, I ignore the post and scroll past it.
Same here. This was one of the few I took the time to read, maybe because it was in list form. Another thing that will get me to skip is a big run-on sentence with random line breaks.
Ha, haa, ha, ha, haaa ...
Sorry. I think it’s pretty ludicrous to expect the US Congress to do anything useful nowadays; “useful” for “The People” at least. They consider their full time job grandstanding and raising campaign finance funding. “Governing” as their electors would hope them to do is the least of their considerations. They, along with most entities in power today (just as through most of the rest of our history), have no effective oversight.
Our governments today are no better than the Roman Empire’s, and every bit as compromisable by deep pocketed power hungry wannabe tyrants. We have what we have because they allow us to have it, as that’s useful for them.
What do millionaires do for fun in their spare time? Politics!!
“…Congress needs to do something.”
But Congress Critters ARE doing something!
You can hear them if your quiet enough….
“One million to the Caymans, .5 million to the Swiss Bank, 250,000 to the Bank in Dubai, and the rest to the offshore in Mexico. Now where did that bimbo go with the cocaine… its such a huge yacht!”
—