Reuters Editor Faces 10 Years In Prison Because Vandalism Is A Federal Crime When It Involves Computers

from the don't-do-that dept

In what seems like a pretty cut and dry case, Reuters editor Matthew Keys has been indicted for letting some hackers into the content management system of his former employer, Tribune, after he was fired. Barring a case of mistaken identity (and if that defence were raised, things would get interesting) it doesn't look good for Keys, as the indictment includes some damning IRC chat logs:

According to a federal indictment first obtained by the Huffington Post, Keys used a chat site to pass information to Anonymous. Using the name AESCracked, Keys handed over the login credentials and told hackers to "go fuck some shit up", the indictment says.

The hacker accessed at least one Los Angeles Times story and altered it, the charges say.

On the one hand, when compared what happened with Aaron Swartz, this is a step in the right direction. We're not talking about someone with positive intentions who walked the line between hacking and innovation, but someone who acted with obvious malice. But on the other hand, this highlights the big problem with federal hacking laws. The damage amounted to little more than inconvenience for a system administrator, making this essentially a case of small-scale vandalism—but because it involves computers, it's elevated to a federal crime. This really makes no sense. Computers and the internet are present in every part of life today, and computer crime can happen at every scale. In this case, it was the sort of reckless but small act of spite that would result in a much less serious punishment if it didn't happen online, and if it didn't allow the government to place Anonymous in the villain role of another story.

The case against Keys looks strong, and I'm guessing it will end with some sort of deal for a lesser punishment—possibly in exchange for information about other hackers. The real penalty will be the damage done to his career by this breach of trust (which further highlights the pointlessness of trying to put him in jail), but the biggest takeaway is that federal computer crime laws are in serious need of reform. Elevating the severity of simple crimes because they involve what is now one of the most common tools in the world is a senseless imbalance of justice, and makes it much harder to identify and combat serious crime online.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anonymous, cfaa, hacking, matthew keys, vandalism


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 15 Mar 2013 @ 5:46am

    So what's your argument? You think it should be a crime, but not a federal crime? I appreciate that you feel the need to follow in your master's footsteps by lashing out anytime a computer crime statute is enforced, but I don't even understand what your argument is. Why shouldn't this be a federal crime?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 15 Mar 2013 @ 5:50am

    Re:

    No, because, and this may be hard for you to grasp, they're the same damn thing. Vandalism is vandalism, sure. But if doing it through a PC nets you 10 years and doing it in person gets you max 1 year, then I think the punishment is flawed.

    link to this | view in thread ]

  3. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 15 Mar 2013 @ 5:57am

    Re: Re:

    Which vandalism statute are you looking at? What's the max. sentence?

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 15 Mar 2013 @ 6:05am

    Well the punishment is harder as its on the INTERNATIONAL NETWORK which is global. I would guess there thinking is it impacts around the globe and puts enforcement to shame.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 15 Mar 2013 @ 6:11am

    Re:

    Computer hacking, like copyright infringement, affect big corporations, and their preferred tactic to defeat these is draconian punishments. Fixing security issues and business models requires them to invest more money and effort than lobbying for draconian laws.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 15 Mar 2013 @ 6:16am

    Spread the blame where it's due

    Keys was *fired* and the System Admin didn't disable his account straight away? That's just sloppy IT.

    link to this | view in thread ]

  7. icon
    PaulT (profile), 15 Mar 2013 @ 6:17am

    Re:

    "So what's your argument?"

    It's clearly stated in the article, to my mind. Did you read it this time?

    "Why shouldn't this be a federal crime?"

    Because if the same thing happened offline, it probably wouldn't be?

    link to this | view in thread ]

  8. icon
    MilWorker (profile), 15 Mar 2013 @ 6:30am

    Re: Re:

    Corporations are not legally empowered to apply force, or punish, anyone. Only governments have that power, as handed down by the people through a constitution, or as taken by a fascist/despotic/dictatorial regime. Frankly, this may come down to a free speech issue, though he not only incited the techno-violence (that's not the best word, but it might do), but he also provided the ammunition (passwords) and pointed the gun (posting on an IRC channel known to be used by Anonymous or similar hackers).

    I think he will ultimately lose, though the charge should not be hacking. It shouldn't be vandalism either. He technically did neither. Is there a federal law against inciting mischief? Aiding and abetting a criminal enterprise? In an analog sense, he left the keys to the store on a park bench with a note saying "these are the keys to store down the street, have at it."

    Nevermind that the administrator should have locked him out of the system before he left the building on his last day. That the companies systems should have been properly firewalled and segmented to authenticate persons and authorize access only to areas relevant to that persons position. I'm sure Anonymous will cheerfully confirm that corporations and governments the world over do a horrible job of closing the door on folks when they walk out.

    link to this | view in thread ]

  9. icon
    PaulT (profile), 15 Mar 2013 @ 6:31am

    Re: Spread the blame where it's due

    Or, a misjudged order from management - there's plenty of times in large corporations where bad security decisions are ordered from up high despite warning of consequences. Of course, the IT staff would still be blamed when those consequences happen...

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 15 Mar 2013 @ 6:34am

    Re:

    This kind of draconian sentencing should be a clear violation of the eighth amendment. Too bad its been years since anyone cared about the constitution here in the US. Heck, most people here have no idea what that even is.

    link to this | view in thread ]

  11. identicon
    Mr. Applegate, 15 Mar 2013 @ 6:34am

    Sorry, but if you are let go and your accounts aren't disabled by the time you hit the parking lot, there is something wrong with the system (and that should be on management or IT).

    If he knew someone elses login, then that should be on person who said, here is my login information.

    I know so many accounts for all of my clients I actually keep lists (electronically secured), so that if I don't work for them any more I can hand them a list and say "these accounts need to be changed for your security".

    link to this | view in thread ]

  12. icon
    That One Guy (profile), 15 Mar 2013 @ 6:37am

    Re: Re:

    Actually in this case it's even more insane, as he didn't even do the vandalism himself, but rather gave someone else the ability to do so, so he's essentially facing 10 years for aiding and abetting the digital vandalism.

    link to this | view in thread ]

  13. icon
    markmeld (profile), 15 Mar 2013 @ 6:44am

    I have not seen details, yet, that would lead me to the conclusion that the case against Keys is strong. If someone could point me to links that describe the evidence in detail, I'd be grateful. Thanks.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 15 Mar 2013 @ 6:49am

    We're not talking about someone with positive intentions who walked the line between hacking and innovation..

    There's nothing innovative about downloading someone's paid database.

    link to this | view in thread ]

  15. icon
    Wally (profile), 15 Mar 2013 @ 6:55am

    Re:

    Take your mouse cursor and scan the entire article word for word. If you see a hand in stead of an arrow...click on that spot. If you are using FireFox 19...look at the PDF attached to the article. There are plenty of links to how the case against Keys is strong.

    Now, that being said...the FBI handling these investigations is equivalent of a third party private eye investigation. The FBI is law enforcement and the US Secret Service is military. On Swartz's first charges brought up by the FBI, they handled everything within the Boyd's if the law. They did not wrongfully arrest Aaron Swartz. The DOJ and the US Secret Service handle investigations differently and as we have seen, not too well.

    In the case of Keys, it's evident that he did in fact send passwords of his colleagues (of whom work for a major news agency) to Anonymous. That and Haymenn isn't prosecuting.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 15 Mar 2013 @ 7:01am

    With all of the incessant whining about the legal misfortunes of Aaron Swartz and now this douche- as well as the evils of US judicial system I offer the following:

    http://www.cnn.com/2013/03/13/world/meast/saudi-executions-beheading/index.html?hpt=wo _c2

    link to this | view in thread ]

  17. This comment has been flagged by the community. Click here to show it
    identicon
    out_of_the_blue, 15 Mar 2013 @ 7:05am

    Mis-directed several ways at once.

    First, Reuters disavows all knowledge of, and certainly on the surface isn't in any degree connected to this, so WHY is it in the headline? -- I guess someone wished to tarnish Reuters.

    2nd, you conflate "hacking" with giving password to someone else. My guess is that this guy was well aware of penalty and wished to dodge it.

    3rd: "The real penalty will be the damage done to his career by this breach of trust (which further highlights the pointlessness of trying to put him in jail)" -- That's a typical elitist dodge which results in skating. Let's just do it the old-fashioned way: put him in jail (briefly) then he can start over having paid his debt to society.

    4th, computer crimes -- real ones like this -- are such a potentially pernicious area that stiff punishments are needed. And without those for pressure, he wouldn't be pressured to rat out his pals. So Mike's whole argument in last para is "soft on crime", because fits with both his pro-piracy notions, and his assertions that malicious mischief and innovation are indistinguishable.



    Take a loopy tour of Techdirt.com! You always end up at same place!
    http://techdirt.com/
    Where Mike daily proves the value of an economics degree.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 15 Mar 2013 @ 7:07am

    Re:

    The argument is that something can be legal or illegal, a misdemeanor or a felony, etc. It should not matter whether it's done via computers or by waving a purple string around.

    It's the act that is or is not illegal, not the method of delivery. Or at least it should be.

    link to this | view in thread ]

  19. icon
    Atkray (profile), 15 Mar 2013 @ 7:12am

    Re: Spread the blame where it's due

    This is what I thought, How was it that his access still worked.

    Also, using a password to access a system is no more hacking that using a key to open a door is lock picking.

    Unauthorized access, absolutely. Hacking, not so much.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 15 Mar 2013 @ 7:19am

    Re: Re: Re:

    wrong- it's conspiracy, which results in identical penalties to the underlying offense

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 15 Mar 2013 @ 7:21am

    Re: Re: Spread the blame where it's due

    the law specifies unauthorized access, since when it was drawn up, there wasn't actually any difference in practice

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 15 Mar 2013 @ 7:22am

    Re:

    I wouldn't put it past some prosecutors to attempt to get that themselves, regardless of it being an actual punishment.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 15 Mar 2013 @ 7:32am

    um, I disagree that the Reuters editor shouldn't face the full penalty. a) it's conspiracy, not aiding and abetting- he is the hacking equivalent of someone who hires a hitman to commit a crime. ( no, I'm not conflating his crime with murder- I'm saying his role in the crime ( he 'commissions' the crime, so to speak) is the same)
    b) he wanted them to "go fuck some shit up"- sounds more like he wanted them to do more damage and they refused to me.
    c) it's punished severely because when the law was drafted, hacking was generally only done to cause severe damage.
    Does the law need to be updated? probably. it doesn't necessarily make it ridiculous.

    link to this | view in thread ]

  24. icon
    Wally (profile), 15 Mar 2013 @ 7:32am

    Re:

    The difference is that Keys did not hand over passwords to Government Passwords. The fact that the FBI is investigating or accusing Keys over this does not mean he committed a federal crime. The Computer Fraud and Abuse Act clearly dictates the difference that handing over private information that can affect the commerce of an organization (web page defacement in this case), and the fact that he is clearly an accessory in the second person to Anonymous' acquisition of those passwords on a non-Gvt. computer system.

    My guess is simply that he gets 5 years for the social engineering man in the middle attack (as being disgruntled employee would be his motivation), and another five years for violating the privacy and aiding an organization known for illegally hacking computers from time to time. Hence the 10 years.

    It's not a federal offense because no US Government computer systems were affected by the attack.

    link to this | view in thread ]

  25. icon
    PaulT (profile), 15 Mar 2013 @ 7:34am

    Re:

    I love this type of argument. You can't argue the facts, so now it's "this doesn't matter because the middle east is worse"? It's a shame you can't hold yourself to higher standards.

    link to this | view in thread ]

  26. icon
    Ole Juul (profile), 15 Mar 2013 @ 7:36am

    Re: Re:

    In the case of Keys, it's evident that he did in fact send passwords of his colleagues . . .
    I guess I missed that in the article. So, did Keys actually have to "hack" to get that? If not, then I'd be curious as to why the colleague gave out his password. If the colleague gave it out willingly, then that would complicate, if not weaken, the case. Something seems fishy here.

    link to this | view in thread ]

  27. icon
    PaulT (profile), 15 Mar 2013 @ 7:37am

    Re:

    So, would you agree with the 10 years and federal status of the crime if he had given a spare back door key to the office to some people and said "go fuck shit up"? If not, why not?

    link to this | view in thread ]

  28. icon
    Wally (profile), 15 Mar 2013 @ 7:39am

    Re:

    One key difference is that this case falls squarely in the jurisprudence of the FBI. The investigation and prosecution are both handled by the FBI rather than the US Secret Service.

    The other key point is that the FBI is handling this case rather well.

    link to this | view in thread ]

  29. icon
    PaulT (profile), 15 Mar 2013 @ 7:40am

    Re: Mis-directed several ways at once.

    "you conflate "hacking" with giving password to someone else"

    Because that's exactly what happened here, perhaps? Facts are your enemy, again.

    link to this | view in thread ]

  30. identicon
    Pixelation, 15 Mar 2013 @ 7:53am

    Ironic

    Looks like he's in trouble for giving them the keys.

    link to this | view in thread ]

  31. icon
    Wally (profile), 15 Mar 2013 @ 8:03am

    Re: Re: Re:

    To answer your question about whether or not he had to hack to obtain the passwords:

    There are many types of attacks for hacking and accquiring passwords. One in particular is a social engineering attack where you simply look over someone's shoulder to see what they are typing as a password. Another is a macro virus or a Trojan sent in an e-mail attachment that looks legitimate.

    Both are considered social engineering hacking attacks. My guess is that Keys had to have used the former to gain access illegally due to the fact that most IT admins can more easily detect the latter. The other key factor into this speculation on how Keys did it (as it has been clearly established he did do it with mal-intent) is that he's an editor and likely has a photographic memory.

    Hacking to get the passwords aside, Computer Fraud and Abuse Act basically says that if you are in the responsible second party of an event, you also get charged to the same extent as those persons carry out an attack based on the information given to them. Keys was also an accessory to the crime. Both of which are punishable for 5 years for each offense.

    link to this | view in thread ]

  32. icon
    Wally (profile), 15 Mar 2013 @ 8:05am

    Re: Re: Re: Re:

    Though it should be noted that if it were a bunch of passwords from federal computer system, he would be facing 10 years and $5,000 for each offense and that would fall out of FBI jurisprudence and straight into the DOJ and the US Secret Service.

    link to this | view in thread ]

  33. identicon
    Stuart, 15 Mar 2013 @ 8:11am

    If you break into my system with the intent to do damage and I find you ...
    Shooting you in the face is not a problem.
    If you paint your "art" on my house ..
    Shooting you in the face is not a problem.

    People do not get to mess with other peoples stuff because they feel like it.
    Fuck them.

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 15 Mar 2013 @ 8:17am

    Re: Re:

    The best part is that physical vandalism is much harder and more costly to repair than reverting a webpage.

    link to this | view in thread ]

  35. icon
    Wally (profile), 15 Mar 2013 @ 8:18am

    Re:

    For Point A) Computer Fraud And Abuse Act states that being a willful accessory to these sort of crimes is in fact punishable as if you were committing them yourself...and since when is hiring a hitman to kill someone or to do your dirty work not a crime?

    For Point B) What's been established by you is his motive. Your Point B implies that Keys is a disgruntled employee...and in my view (and that of the FBI aparently...who actually uses paychology to figure out motive while profiling a suspect) who handled the situation poorly and could have done something better than get a a website hacked.

    For Point C) The damage done was to the Ruter's web server...which not only handles stories but also does regular up to date stock reports. The Computer Fraud and Abuse Act had this specifically in mind when it was drafted and hacking the site would have caused economic damage well over $5,000 for its customers.

    5 years for the social engeneering hack, 5 years for accessory to a crime which he organized and asked for.

    link to this | view in thread ]

  36. icon
    Leigh Beadon (profile), 15 Mar 2013 @ 8:18am

    Re: Mis-directed several ways at once.

    1) "Reuters Editor" is how a huge amount of the coverage of this story has introduced Keys. It's not uncommon to describe a person by their profession, which you'd know if you had one.

    2) I agree that it's a questionable conflation, but it's how the law is written -- and it also does make some amount of sense. Many major hacks in the past have been more about social engineering and found passwords than about any sort of technological measure. More specific definitions of unauthorized access would be good, though.

    3) "Elitist dodge which results in skating" -- what?

    4) "whole argument in last para is "soft on crime"" -- this isn't a political race, blue, you can't distract everyone with buzz terms like "soft on crime". I think he should face trial and penalties for his crimes -- but I question whether it makes any sense for the FBI to come swooping down on him with a federal indictment.

    "assertions that malicious mischief and innovation are indistinguishable." -- that's hilarious. I guess you didn't read the line in the post where I specifically noted that this was a case of malicious mischief and not innovation. Jeeze, now that I realize you didn't read the post, I wish I hadn't wasted time reading your comment...

    link to this | view in thread ]

  37. icon
    Leigh Beadon (profile), 15 Mar 2013 @ 8:26am

    Re:

    a) it's conspiracy, not aiding and abetting- he is the hacking equivalent of someone who hires a hitman to commit a crime.

    Who cares if it's "conspiracy"? Conspiracy is generally just a charge that gets tacked on every time a crime involves two or more people talking. I could "conspire" with my friend to jaywalk and that wouldn't make it a federal crime.

    b) he wanted them to "go fuck some shit up"- sounds more like he wanted them to do more damage and they refused to me.

    Maybe. I still don't see what makes it a federal crime, other than "computers!"

    c) it's punished severely because when the law was drafted, hacking was generally only done to cause severe damage.
    Does the law need to be updated? probably. it doesn't necessarily make it ridiculous.


    I don't think we're in disagreement here about anything other than the appropriateness of the term "ridiculous". I consider an old and obsolete law badly in need of an update that is still enforced despite not making much sense in a case like this to be exactly that.

    link to this | view in thread ]

  38. icon
    PaulT (profile), 15 Mar 2013 @ 8:29am

    Re: Re: Re: Re:

    Wow, you're really reaching here!

    He wasn't an editor, he was a web producer (the role of editor is taken from the linked Guardian headline, and doesn't quite mesh with the body text). If you read the PDF, he's accused on letting people gain access to the CMS. That is, the content management system that a web producer almost certainly has some kind of admin access to in order to do his job.

    I'm not sure why you're going into hacking techniques or talking about colleagues' passwords - he gave them access to a system he accessed as part of his old job, and the passwords apparently hadn't been changed. That's it, at least based on current evidence.

    About the only thing that indicates hacking is the comment that "it takes a while to grant one username access to every site", which could indicate that. It could also indicate that he created a new username and tried granting it universal admin access in such a way that he's cover his tracks - but that's using the system in the way its intended, not hacking.

    link to this | view in thread ]

  39. identicon
    Anonymous Coward, 15 Mar 2013 @ 8:38am

    Don't make a mountain out of a molehill here, he did something that can be fixed with the backspace key.

    Next crime, I received $0.05 from a transaction than I should have, I'm now guilty of money laundering.... on the internet.

    link to this | view in thread ]

  40. icon
    Wally (profile), 15 Mar 2013 @ 8:38am

    Trolls just please shut up...here's why...

    I can give a good reason for the swooping FBI indictment. Keys had malicious intent and handed the passwords over to Anonymous. Social engeneering attacks are what hackers mostly had to use to hack into corporate office servers and/or telenet servers when the Computer Fraud and Abuse Act was drafted...if anything, it was ahead of its time. Some of social enginerring attacks actually include looking over a person's shoulders. Given the fact that his profession as an editor is likely because he can quickly read and observe mistakes, I think it's fairly safe to speculate that he had a photographic memory and used it to carry out his misdeeds.

    It's easy to forget the Routers is a financial business site and that literally thousands upon thousands of users rely on it for their financial news. Heck, some peopl actually make stock purchases and trades based on what Rueters posts on their website. The Computer Fraud and Abuse Act also states somewhere that any person attacking in a way that affects the commerce of individuals is punishable.

    I think it's reasonable to say that he should be punished to a somewhat full extent. When it comes to affecting the economic stability of individuals, that's 5 years maximum prison time in of itself. He also carried out the social engeneering attack to carry out an attack willfully...that's another 5 years.

    link to this | view in thread ]

  41. identicon
    DCX2, 15 Mar 2013 @ 8:39am

    Re: Re: Re: Re:

    If my wife kicks me out, and I use my keys to leave my door unlocked and tell some hoodlum to "go fuck shit up", what crime did I conspire to commit, specifically?

    link to this | view in thread ]

  42. identicon
    DCX2, 15 Mar 2013 @ 8:48am

    Re: Trolls just please shut up...here's why...

    I assaulted someone. But I COULD have killed them. So punish me for murder?

    Get real. Most well-rounded adults consider that punishment should be based on how much damage a given action did, not how much damage it could have done under some imaginary scenario that did not happen.

    link to this | view in thread ]

  43. identicon
    Anonymous Coward, 15 Mar 2013 @ 8:57am

    Re: Re: Re: Re: Re:

    I suspect that you've actually missed Wally's point: that was was used wasn't 'hacking' in the traditional sense: it was more akin to a 'phishing' attack, which shouldn't carry a 10-year custodial sentence.

    link to this | view in thread ]

  44. icon
    PaulT (profile), 15 Mar 2013 @ 8:58am

    Re: Trolls just please shut up...here's why...

    Once again, try not acting smug before you're read the story and understood the concepts involved.

    For a start, Reuters wasn't the site hacked - it was his previous employer. We won't go on to your other misconceptions (which as ever, are technical concept you have a shaky grasp of), but half your comment is based on an outright fallacy.

    link to this | view in thread ]

  45. identicon
    Anonymous Coward, 15 Mar 2013 @ 9:13am

    Re: Re: Trolls just please shut up...here's why...

    PaulT, just leave it. Wally isn't one to own up to his misinterpreting of a situation. And he's always right. /s

    I mean look at him, he's already telling people "Trolls just please shut up" and then defending his comments with wild inaccuracies based on something he doesn't understand. There's no point trying to correct someone like that. Sometimes, I think Denis Leary's definition of people with Asperger's is spot on. More so lately when I see Wally go on about subjects he knows little about.

    link to this | view in thread ]

  46. icon
    PaulT (profile), 15 Mar 2013 @ 9:20am

    Re: Re: Re: Trolls just please shut up...here's why...

    It's worth pointing out, as Wally does occasionally seem to learn from corrections, and has even admitted error - something rare in some places round here. But, I don't like leaving fallacies and incorrect claims go unnoticed, lest less informed lurkers are fooled.

    So far, he hasn't understood which company Keys helped attack, his job role there, the type of system or type of access gained nor apparently the real consequences of that attack to the company (unless he's wishing to have prosecutions based on potential, rather than actual, damage - a scary prospect).

    In other words, despite his attempts to "educate" people, he doesn't seem to know the basics of the case despite having (presumably) read the same articles I did. I'd like people to understand the facts, not someone's misinterpretation of it.

    link to this | view in thread ]

  47. icon
    PaulT (profile), 15 Mar 2013 @ 9:26am

    Re: Re: Re: Re: Re: Re:

    Was it, though? Unless I missed something, there's no indication he used anything other than his old password or one he already knew (and then apparently created a new one for the crime itself). That's not phishing, that's lax security - remembering someone leaves the back door open, rather than picking the lock or smashing the window. That Wally is not regaling us with his surface knowledge of a few hacking techniques is pretty irrelevant, unless there's facts I've not noticed.

    It definitely shouldn't carry the sentences either way, of course.

    link to this | view in thread ]

  48. identicon
    Anonymous Coward, 15 Mar 2013 @ 9:34am

    Re: Re: Re: Re: Trolls just please shut up...here's why...

    True, true.

    Yeah, a lot of people seem to be misunderstanding the case. The guy was let go from his previous job and handed over his credentials to someone at Anonymous. He didn't do the actual hacking, he didn't even know what they were going to do. Etc.

    But it does seem to be that he, Wally, is saying prosecutions should be based on POTENTIAL damage/harm as opposed to ACTUAL. His bit about Reuters being a financial organization/site that thousands (or millions) use is testament to that. I read that and thought so what? That's not at all related to the story or what happened.

    link to this | view in thread ]

  49. icon
    Rikuo (profile), 15 Mar 2013 @ 9:34am

    Re: Trolls just please shut up...here's why...

    Wally...reread the article again before you start commenting. I do it anytime I have a point I want to make: I want to make sure that anything I say is relevant and not incorrect.

    "Reuters editor Matthew Keys has been indicted for letting some hackers into the content management system of his former employer, Tribune, after he was fired. "

    He didn't allow anyone into Reuters (not Routers), he let them into his former employer, Tribune!

    link to this | view in thread ]

  50. identicon
    Anonymous Coward, 15 Mar 2013 @ 9:37am

    Federal

    I have no problem with any crime involving the Internet being a federal crime. It's very likely to cross state borders, for one thing - and even if it doesn't, law enforcement is not likely to KNOW that at first glance.

    However, being a federal crime should not imply that the punishment should be harsher. Spray painting the road just outside Yellowstone should be approximately the same as spray painting the road just inside Yellowstone.

    link to this | view in thread ]

  51. icon
    Wally (profile), 15 Mar 2013 @ 9:46am

    Re: Re: Trolls just please shut up...here's why...

    Ok, Keys gave passwords of his previous employer (Rueters) over to Anonymous.

    A) I would like you to tell me how you think he got those passwords (I only speculated on "how" and not on whether or not he did hand the passwords over). Acquisition of those passwords by Keys is a violation of the Computer Fraud and Abuse Act. Either way, even if the Rueters website was or was not hacked, he still illegally got passwords and handed them over. He had intent of harm by passing them over to Anonymous (whom quite admirably did not act upon his request).

    B) The trolls I speak of are the ones stating that by some weird reason his accessory to attempt harming a website (which of all things reports on economic financial situations and has customers and investors depending on said news) should get lessor charges.

    C) I did not mean to come off as smug, but there is a specific reason the FBI handled it the way they did and as Mike Mansick pointed out in the article, the FBI did something right in a stepping forward toward actual restraint in pressing charges in this case.

    link to this | view in thread ]

  52. icon
    John Fenderson (profile), 15 Mar 2013 @ 9:47am

    Re:

    Why shouldn't this be a federal crime?


    The better question is why should it be a federal crime? Where are the supporters of state's rights?

    link to this | view in thread ]

  53. icon
    John Fenderson (profile), 15 Mar 2013 @ 9:49am

    Re: Re: Re:

    Corporations are not legally empowered to apply force, or punish, anyone.


    No, but the people they buy off are.

    link to this | view in thread ]

  54. icon
    Wally (profile), 15 Mar 2013 @ 9:55am

    Re: Re: Trolls just please shut up...here's why...

    The "Rueters" "Routers" mixup is autocorrect from iOS6. That does not make me automatically open to criticism on my speculations on the case. Read some of the comments from the article to understand why I reacted the way I did.

    ""Reuters editor Matthew Keys has been indicted for letting some hackers into the content management system of his former employer, Tribune, after he was fired. "

    He didn't allow anyone in...he just handed them the passwords.....after he got fired..that sure as heck sounds like a disgruntled employee to me.

    The content management system reports the constant rise and fall of stocks and condities trades and prices....not just financial or business news.

    link to this | view in thread ]

  55. icon
    Wally (profile), 15 Mar 2013 @ 10:02am

    Re: Re: Re: Re: Re: Trolls just please shut up...here's why...

    The reason why it relates is that Keys put a financial news institution in harm's way. That is also a very clear violation of The Computer Fraud and Abuse Act. It shows his malicious intent.

    link to this | view in thread ]

  56. icon
    nasch (profile), 15 Mar 2013 @ 10:10am

    Re: Re:

    It's not a federal offense because no US Government computer systems were affected by the attack.

    It doesn't have to involve government computers to be a violation of the CFAA:

    "It governs cases that implicate a compelling federal interest, where U.S. government computers, or those of certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce." Note the "or".

    link to this | view in thread ]

  57. icon
    Wally (profile), 15 Mar 2013 @ 10:13am

    Re: Re: Trolls just please shut up...here's why...

    If you intend to kill someone, and they survive....that's legally considered attempted murder.

    Likewise, if you hand over your security credentials to the wrong people with the intent of harming your former employers by giving said wrong people access to the content control of your employer's entire website, and nothing happens...it's the same as if you had done it in accordance to the Computer Fraud and Abuse Act. The reason the FBI hasn't indicted Keys on further charges is simply because nothing happened to constitue no more than 10 years in prison...ergo nothing happened so the potetial minimum of 10 years in prison is the direct result of only the intent of William Keys in harming Reuters.

    It was likely his intension because he got fired or let go and he was not happy about it. He had the motive to do it and that's why he was investigated.

    link to this | view in thread ]

  58. icon
    nasch (profile), 15 Mar 2013 @ 10:14am

    Re: Re:

    The FBI is law enforcement and the US Secret Service is military.

    The Secret Service is a law enforcement agency under the DHS, not the military.

    link to this | view in thread ]

  59. icon
    nasch (profile), 15 Mar 2013 @ 10:21am

    Re:

    If you break into my system with the intent to do damage and I find you ...
    Shooting you in the face is not a problem.


    Pretty sure you go to jail for a long time if you kill someone for breaking into your computer. Claiming self defense in a homicide trial works when you are protecting yourself or others from bodily harm, or possibly protecting your physical property, depending on jurisdiction. Even if you found someone in the act of vandalizing your web site (and how likely is that?) and shoot them in the face, I doubt you could get away with it. And if you're talking about tracking them down later and killing them, well that's first degree murder.

    link to this | view in thread ]

  60. icon
    Wally (profile), 15 Mar 2013 @ 10:23am

    Re: Re: Re: Re: Re: Re: Re:

    The sentence is carried in it and not only that, Keys decided to provide security credentials for hackers to access Reuters' content control system. I don't know how that can't cary 10 years after looking through the Computer Fraud and Abuse Act. Punishment is typically justifiably doubled with potential harm to financial institutions...mostly due to the fact that they have a huge affect on the economy. But I guess missing my point seems to be a tad bit of a hobby.

    link to this | view in thread ]

  61. identicon
    Duane, 15 Mar 2013 @ 10:29am

    Someone is confused...

    1- Keys didn't do any vandalism. He gave up his credentials to an unknown third party. He had no say or control in what they did. It's like he was fired from a job where he had keys to a building, and he handed those keys to the fist gangbanger he saw on the street. He didn't vandalize the shop, but he does bear some responsibility.

    2- No "hacking" occurred here. Unauthorized access, sure, but that's not "hacking." To use my analogy above, once you're given the key, you don't have to "Break and Enter."

    3- Shame on the IT and HR staffs at Reuters for not having a solid employee termination procedure in place, and following it. I work for a very small company, but we always ensure that people's accounts are disabled or passwords changed before they come out of the firing meeting.

    4- I agree that the punishment needs to fit the crime. The question is, what fits? It's like we have someone who has released a tiger onto a city street, but the tiger just took a nap under a shady tree, and was recovered without harm to anyone. Do we punish him harshly, because the tiger was capable of maiming and killing the dozens of people in the street, or let him off with a small fine and a warning, because nobody was hurt? Keys gave is password up, so he had no control over what was done. They could have filed plausible stories which would alarmed the public and caused a panic. (War of the Worlds, anyone?) That's extreme, but they certainly had more potential for harm than they ultimately caused.

    link to this | view in thread ]

  62. identicon
    Anonymous Coward, 15 Mar 2013 @ 11:16am

    Re: Re: Re: Re: Re:

    You conspired to fuck shit up

    link to this | view in thread ]

  63. icon
    Rikuo (profile), 15 Mar 2013 @ 11:17am

    Re: Re: Re: Trolls just please shut up...here's why...

    Okay, auto-correct does sometimes piss me off too, so I won't harp on about that.
    Thing is, you said that he had let people in (by giving them the passwords) into Reuters and then went on at great length to say how damaging that is because its Reuters and its so important to so many people. Your entire comment is thus nullified when people point out to you that he hadn't allowed anyone into Reuters but a separate system entirely.

    link to this | view in thread ]

  64. icon
    nasch (profile), 15 Mar 2013 @ 11:19am

    Re: Re: Re: Trolls just please shut up...here's why...

    I would like you to tell me how you think he got those passwords

    How about they were passwords he had access to as part of his job that hadn't been changed?

    Given the fact that his profession as an editor is likely because he can quickly read and observe mistakes, I think it's fairly safe to speculate that he had a photographic memory and used it to carry out his misdeeds.

    I think it's an extremely tenuous speculation supported by no evidence whatsoever.

    link to this | view in thread ]

  65. icon
    Rikuo (profile), 15 Mar 2013 @ 11:22am

    Re: Re: Re: Trolls just please shut up...here's why...

    Again, READ THE FUCKING ARTICLE.

    "Ok, Keys gave passwords of his previous employer (Rueters)"

    Keys is working NOW for Reuters. His previous employer was Tribune. He has done NOTHING to harm Reuters, but has acted to harm Tribune. Again, read the article before you go keep going on.

    link to this | view in thread ]

  66. icon
    Bergman (profile), 15 Mar 2013 @ 1:25pm

    Re: Re: Re: Re:

    Conspiracy to deface a building is a 1 year sentence.

    Conspiracy to do the same thing online, where it's easier and cheaper to fix than in the bricks & mortar world should not be punished ten times more severely.

    link to this | view in thread ]

  67. icon
    Wally (profile), 15 Mar 2013 @ 2:00pm

    Re: Re: Re: Re: Trolls just please shut up...here's why...

    Thank you for pointing that out to me.

    I still think it constitutes 10 years in prison though...I refuse to budge on that point :-)

    link to this | view in thread ]

  68. icon
    Ole Juul (profile), 15 Mar 2013 @ 2:08pm

    Re:

    There's nothing innovative about downloading someone's paid database.

    Are you suggesting that they have a "paid database" with the system passwords? Now that's innovative.

    link to this | view in thread ]

  69. icon
    Wally (profile), 15 Mar 2013 @ 2:09pm

    Re: Re: Re: Re: Trolls just please shut up...here's why...

    I am aware of this now and I thank you.

    The thing is that Keys had intent to let others gain illegal access to Tribune's system. That in itself constitutes willful intent of harm which is still worth 10 years in accordance to the Computer Fraud and Abuse Act.

    Why Reuters would even be crazy enough to keep Keys employed with them after all that in the first place is beyond me though. If I had a secretary that gave out client information (which is confidential by law) that pulled a stunt like that, he/she would be gone in a flash.

    link to this | view in thread ]

  70. icon
    Wally (profile), 15 Mar 2013 @ 2:14pm

    Re: Spread the blame where it's due

    It is sloppy IT, but that does not constitute the actions Key's took.

    link to this | view in thread ]

  71. icon
    JMT (profile), 15 Mar 2013 @ 2:38pm

    Re:

    "Why shouldn't this be a federal crime?"

    Perhaps you should read the article before commenting, since your question is clearly answered.

    Why don't you tell us why this should be a federal crime? Why does "on a computer" increase the penalty tenfold?

    link to this | view in thread ]

  72. identicon
    DCX2, 15 Mar 2013 @ 3:06pm

    Re: Re: Re: Re: Re: Trolls just please shut up...here's why...

    You don't get it, do you?

    The vandalism that was done was easily undone. No irreparable harm happened to anyone. And yet you want to make this guy a felon and throw him in prison for a decade?

    This is kinda like being thrown into prison for a decade and labeled a felon because you were jay walking. The punishment is totally disproportionate to the harm. That is the whole problem with the CFAA! It punishes crimes of widely varying levels of harm with equal gusto. It might be the law, but it should be unconstitutional.

    link to this | view in thread ]

  73. icon
    Wally (profile), 15 Mar 2013 @ 4:50pm

    Re: Re: Re: Re: Re: Re: Trolls just please shut up...here's why...

    You want to talk the US Constitution...fine, you've got it dude:

    The intent was malicious intent, and that is not covered freedom of expression

    That being said, it seems to me that people are wrongfully comparing this to the case of Aaron Swartz's rights being violated in the same sense of his activist activities. Please tell me when Aaron Swartz ever gained illegal access to a website's server only to deface a former employer's web page? Since when did Aaron Swartz ever to intend to hand over the information he gathered to the wrong people to be used against his former employer?

    Lets look at what Aaron Swartz's clear intentions were before we start making snap judgments and comparisons to Mr. Keys here....

    Aaron Swartz intended to release public domain information and documents that you had to pay JSTR or PACER to see the documents digitally. That is peaceably protesting and taking the extra step for the greater good of everyone.

    Matthew Keys intended to have hackers deface the web page of his former employer, the LA Times, with his security credentials.

    Which person had a better intent here??? Which person actually had a chance to defeat the charges stacked up on them?

    It is extremely evident that Matthew Keys violated the Computer Fraud and Abuse Act via direct second person accessory. There is no way in Hell that defacing the LA Times' website is an act of freedom of expression because when that happens, it violates the freedom of expression that the LA Times has a right to under the First Amendment to the Constitution of the United States and simultaneously the freedom of the Press clauses therein.

    In short, his method was illegal according to the Computer Fraud and Abuse Act as he was second party to the act he willfully conspired with or hired/convinced others to deface the LA Times website, and he violated the very Constitutional rights rights of the LA Times by having their website defaced.

    link to this | view in thread ]

  74. icon
    Wally (profile), 15 Mar 2013 @ 5:00pm

    Re: Re: Re: Re: Re:

    How about accessory to domestic assault and battery. So loosing your house, your wife, your kids is the only punishment you deserve??? I don't think so...the last time I checked, you would get arrested for that, tried and convicted for up to 7 years for it. But given your comment here:
    http://www.techdirt.com/articles/20130314/17103322330/reuters-editor-faces-10-years-prison-be cause-vandalism-is-federal-crime-when-it-involves-computers.shtml#c1070

    I am not surprised one iota you have a bit of trouble understanding the basic fundamentals of the legal terms in conspiracy, accessory, willful intent, and constitutional rights.

    link to this | view in thread ]

  75. icon
    Wally (profile), 15 Mar 2013 @ 5:07pm

    Re: Re:

    The term "conspiracy" is also coupled with willful intent when an act is committed. The differences are quite clear on various terms. You can conspire to kill the president and if someone actually goes through with the plan and gets arrested and you get implicated..would you not be investigated by the Secret Service or the FBI?

    Leigh, the point is that Matthew Keys not only conspired to have the LA Times website defaced, but handed over his security credentials to hackers so that they could do it. That does not lawfully remove him from telling them to do it for him. He conspired with the hackers with full willful intentions of defacing the LA Times website. He might not have caused irreparable damage but he did block the constitutional rights of the LA Times by having hackers deface the site.

    link to this | view in thread ]

  76. icon
    Ole Juul (profile), 15 Mar 2013 @ 9:57pm

    IT

    I wonder if Wally has any idea of how content management systems work or even what CSS is, and that he himself downloads the CSS when he accesses the site. Wally, do you even write any html yourself, or are you just pretending to know something about the "crime" involved here?

    I would like you to know that the damage done by the person who defaced the page(s) in question is undone in seconds. And yes, it would be prudent to check logs to make sure of what exactly happened, but that is what a sysadmin is paid for and can do in a couple of minutes. The reference to damage over $5,000 is just bogus. The actual damage is under $10 worth of a highly paid employee's time. The whole thing is completely childish and if the offended web publisher wants to get paid for revamping their security, then they are being dishonest. That the government legal workers are taking this to such heights, or even seriously, just makes me embarrassed for them. They should be more mature and know better.

    link to this | view in thread ]

  77. icon
    Wally (profile), 16 Mar 2013 @ 1:21pm

    Re: IT

    Willfully defacing a website and violating a tribune's right to free press is also a crime. The point is that even if the damage done is not irreparable and can be fixed in minutes is irrelevant to the fact that it actually happened. Keys had security credentials and gave them to a third party to deface the LA Times website. That is a crime. He handed over security credentials to hackers and told them to got fuck up the website.

    I wonder if Ole Juul has ever read up on the legal implications of willful intent, conspiracy, and violating a news organization's rights. Didn't take me too long to think outside of potential damage.........At least I have the ability to think outside the box Ole Juul.

    link to this | view in thread ]

  78. icon
    btrussell (profile), 17 Mar 2013 @ 3:39am

    Re: Re: Re: Re: Re: Re:

    "fuck shit up"

    Is that the opposite of talking out of your ass?

    link to this | view in thread ]

  79. icon
    btrussell (profile), 17 Mar 2013 @ 4:20am

    reread the article again before you start commenting

    "...reread the article again before you start commenting. I do it anytime I have a point I want to make: I want to make sure that anything I say is relevant and not incorrect."

    Good advice for all!

    I hate it when I miss this step.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.