Matthew Keys Found Guilty Of Criminal 'Hacking' For Sharing News Company Login
from the seems-extreme dept
Two and a half years ago, we wrote about former Reuters editor Matthew Keys being indicted based on charges that he'd shared the login information for the content management system to his former employer, the Tribune Company, in an online forum and then encouraged members of Anonymous in that forum to mess things up. Some people used that access to change a story on the LA Times website. Keys insists that he didn't do this and the feds have no direct evidence linking him to whoever leaked the login (he also claims at the time of the leak he no longer had access to the Tribune Company's systems).
As we noted at the time, if we accept the DOJ's version of what happened, what Keys did definitely was the wrong thing to do. But the result was little more than annoying vandalism -- and nothing Keys did should qualify as "criminal hacking." The changes to the LA Times were up for less than an hour and quickly reverted. There was little evidence that it created any real damage, and certainly no lasting damage. And yet, because this is a "computer crime," the feds came down on Keys as if he was part of some massive criminal conspiracy. In order to use the already problematic CFAA, the feds needed to show more than $5,000 worth of damage, which is crazy. Even crazier... is that the feds argued $929,977 worth of damage, based on some ridiculously exaggerated estimates of the amount of time people had to work on this issue.
And now a jury has convicted Keys on all three counts. Sentencing will be in January, and while lots of people are throwing around the statutory maximum of 25 years in jail, prosecutors have said they'll likely ask for "less than 5 years" according to Motherboard's Sarah Jeong, who was at the courthouse.
I think it's clear that Keys was in the wrong in handing out the login to the Tribune's systems, if he actually did it. But should that equate to criminal hacking charges and jailtime, because it resulted in a bit of online vandalism and some annoyance for a sys admin somewhere? That seems doubtful. As Keys himself points out in a pinned tweet in his Twitter feed, if sharing logins is a criminal act, all of you who share your HBO Go or Netflix logins may want to be careful.
The problem, once again, comes back to the ridiculous CFAA and the bogeyman of "computer hackers." It was wrong to give out the login, but the idea that it did even $5,000 in damage (as required by the CFAA), let alone nearly a million in damages, is ludicrous. It's even more ludicrous that this should be a criminal offense with any jailtime at stake. Go after him in a civil case for actual damages (of which there would be very little) and move on. Keys, for his part, has said the verdict is "bullshit" and he's planning to appeal.
It's way past time that we fixed the CFAA, and the Matthew Keys verdict is just yet another reminder that Congress needs to do something.
Filed Under: anonymous, cfaa, defacement, hacking, login, matthew keys, vandalism
Companies: tribune company
Reader Comments
I hate the use of flawed physical analogies for digital activities, but I wonder what the best analogy would be to get across how silly this looks to anyone who doesn't panic when the word "hacker" is uttered.
[ link to this | view in thread ]
The problem is the word hacker
I think the problem here is your internal definition of 'hack', this time. Let's drop that word and substitute what we're really concerned about: defeating the security of a secured computer system.
Did Keys do that? Absolutely.
Equating it to sharing a login for Netflix: I think that's a bit of a red herring. Unless Anonymous could have paid a sum of money to the Tribune Company and gotten themselves their own login, I don't think the two situations really compare.
As for criminal versus civil: I don't know really which way I lean. If Keys went into a grocery store and fired off a few rounds from a gun, but only managed to do some minor property damage, would you support only charging him civilly for that minor property damage? I wouldn't. I think the potential for damage should weigh in on whether something is a criminal or civil-- not strictly the actual damage.
[ link to this | view in thread ]
333 hours
If that time is JUST for removing the access for that user and checking logs to see what else the account was used for, plus reverting the page, then their systems are broke.
If it also included doing a security audit that should have been done in the first place to cover off any other still active accounts for people who have left, then that has nothing to do with the actions which occurred, and is something that should be part of their regular activities.
333 hours of work sounds rather suspect for what the actions caused, if they have an effective system.
[ link to this | view in thread ]
Re: 333 hours
The CFAA and headlines like this are their most effective system for protecting corporate systems.
/Sarc
[ link to this | view in thread ]
Of course the overreaction makes me wonder if there are other issues like regulatory or contractual problems this company has if the fact that their data vault is guarded by novices comes to light. Easier to throw the book at some guy saying he 'hacked' the system.
[ link to this | view in thread ]
Re:
Maybe, but I've worked in some disorganised companies where HR didn't bother to properly inform IT of people coming and going (among other things). Numerous times, I'd have someone turning up for work with no accounts or equipment set up because the form had been submitted the previous evening - and people's accounts being open for days because nobody had informed us they'd left. Especially if you're not on the same site, you can't know what's happened with some random person's employment status until you're notified.
I'm not necessarily making excuses, but the process failure might not just be with the IT side. It would be wrong to scapegoat some IT staff when the actual problem was some HR monkey leaving the notification until the evening so they could pick their brat up from school and then forgetting to submit it when they made it home (as happened with one useless person I once worked with).
[ link to this | view in thread ]
Re:
Digital Activity IS physical activity! Just because YOU do not understand that technology is still a very physical event does not make it NOT REAL OR PHYSICAL.
Just because it takes far less HUMAN physical activity means nothing, someone still has to lift at least a finger at some point to get the machine to do some physical work.
[ link to this | view in thread ]
Re: Re:
Was it a robotics factory? or, are you speaking a strange dialect that looks like English but has a different dictionary?
[ link to this | view in thread ]
What is it with the DoJ etc that they simply must win, they simply must affect as many people as possible and they must get the maximum sentence for the most minor of deeds?? Damned ridiculous!! They would be the first to complain if the shoe was on the other foot!!
[ link to this | view in thread ]
Response to: Anonymous Coward on Oct 8th, 2015 @ 5:25am
It's trivial to imagine racking up $5000 in a post incident audit. Trivial.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
The number of times I have informed the IT support staff that someone was no longer employed but their userids and passwords were still active weeks after the IT support was notified is enough to give rise to doubting the capabilities of the IT support area.
Decades ago, it was a simple matter of calling someone and getting everything revoked immediately. Then the bright sparks running the management team brought in all the systems to monitor and control these processes and the time taken went out to days or in some cases weeks before any action took place.
[ link to this | view in thread ]
Not hacking
[ link to this | view in thread ]
Re: Re: Re:
For example, a similar complaint in one company I worked for was because the manager was sending to an email address that hadn't existed for 2 years and he was ignoring the bounced notifications. I looked at his mailbox and found 3 emails notifying them of the procedure change in a folder they "never looked at because it was just spam". Which is of course where they were moving all the IT group emails to. IT were being blamed, but the cause was someone outside of IT being stubborn and ignorant.
If it's that bad where you work, I'd talk to your support manager and maybe review the current processes to see what can be improved. They're probably aware of faults, and you won't be the only person complaining if it is that bad - maybe present documentation of previous failures and present them with the security risks if that helps.
But, again, I'm not trying to deflect blame from IT departments. I'm simply painfully aware of places where overworked competent staff are being blamed for the failures of others.
[ link to this | view in thread ]
However, this will get overturned on appeal.
[ link to this | view in thread ]
Someone is lying
So when someone claims that it cost them more than $5000 to undo the "hack" as described - which is basically changing three lines of text - I would call bullshit.
Someone notices the issue and emails some manager. That manager contacts an editor. An editor logs into the CMS, "checks out" the article, makes the change in a run of the mill text box, clicks preview, then publish. This takes 10-15 minutes tops.
How anyone could extrapolate $5000 or even that extra-insane-with-sugar-on-top $929,977 figure is beyond me. Just liars lying to other liars who lie to everyone.
I don't blame the liars though. Liars gonna lie. I blame Matthew's attorneys.
[ link to this | view in thread ]
Re: The problem is the word hacker
[ link to this | view in thread ]
Re: Someone is lying
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Keep 'em coming.
[ link to this | view in thread ]
Re: 333 hours
Tribune: Well we did not really keep track but this hack was evil but also funny so only half evil. 666 is evil so divide that in half and well it took us 333 hours to recover!
[ link to this | view in thread ]
POINT OUT SOME FACTS..
His passwords would have been ERASED.
This is AUTOMATIC, and the sysops should have done it.
2. ANY SMART person has a log of WHO changed things on ANY SERVER, ANY DATA...even windows keeps an IDEA of who did what and when.
was any of this pointed out, or shown?
3. SAID BEFORE...system links to the NET, should not have any direct Links to the MAIN SYSTEM.. Anything Submitted for CHANGE from a Internet, is to be CHECKED before admitting to the MAIN SERVERS...
PERIOD..NO IF/AND/ Or But.
So, HOW can the Feds, SHOW damages, when there wasn't any??
They DIDN'T ASK the LA Times..they bypassed them. and Made up their OWN NUMBERS..
Is this RIGHT for the gov.??
[ link to this | view in thread ]
Re: Response to: Anonymous Coward on Oct 8th, 2015 @ 5:25am
FTFY
[ link to this | view in thread ]
Re: POINT OUT SOME FACTS..
[ link to this | view in thread ]
Re: Re: POINT OUT SOME FACTS..
It's interesting that MANY people don't hear the Points. people are saying, and If you add a bit of Expression...they tend to listen better..
Listen to News and Politics..
[ link to this | view in thread ]
Re: The problem is the word hacker
Changing a few lines of text on a news website to something prank-esque doesn't risk anyone getting killed. That's a huge difference.
[ link to this | view in thread ]
Ha, haa, ha, ha, haaa ...
Sorry. I think it's pretty ludicrous to expect the US Congress to do anything useful nowadays; "useful" for "The People" at least. They consider their full time job grandstanding and raising campaign finance funding. "Governing" as their electors would hope them to do is the least of their considerations. They, along with most entities in power today (just as through most of the rest of our history), have no effective oversight.
Our governments today are no better than the Roman Empire's, and every bit as compromisable by deep pocketed power hungry wannabe tyrants. We have what we have because they allow us to have it, as that's useful for them.
[ link to this | view in thread ]
Re: Re: Re: Re:
As the years went by, no matter what company I did work for, the actual response time continued to get worse. Except of course for senior managers. They expected and got their instant response, it being irrelevant as to whether or not there were other much more serious/urgent tasks to be done.
The result was finding ways to bypass the system to get what we needed done. In addition, the skills to be found in IT support groups seem to have deteriorated over the years. Extremely specialised but no general problem solving skills and certainly not expected to look outside the box.
I am in the position these days of being my own support, there is only my close family and friends that I have to deal with. Other than the local ISP that is.
Happy days.
[ link to this | view in thread ]
Re: Re: Re: POINT OUT SOME FACTS..
Actually, when I see that someone's randomly capitalised words in the middle of sentences, especially to the degree you did above, I ignore the post and scroll past it. It's extremely annoying, and annoying me is no way to get your point across, even if the words are true.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Well, there's your problem... I'll be willing to bet it's the least efficient, most tedious, least effective method for anything other than the management's preferred tracking mechanism. If so, people will have been quick to find corners to miss, and once those who know why those corners are being cut have left, the quality of work is bound to deteriorate.
"Except of course for senior managers. They expected and got their instant response, it being irrelevant as to whether or not there were other much more serious/urgent tasks to be done."
Which, of course, means that further problems are created and exacerbated by the delays caused by the management demands and other work slips behind further.
"In addition, the skills to be found in IT support groups seem to have deteriorated over the years. Extremely specialised but no general problem solving skills and certainly not expected to look outside the box."
For most people who have a genuine interest in a career in IT, a helpdesk job is a stepping stone. It's a way into a company to progress into a more interesting role internally, or a stopgap to still get paid while looking for a decent job elsewhere. In my experience, those who spend an extended length of time in such a job are either unmotivated to do better or don't have the skills to progress.
There are exceptions, of course, but my experience is that anyone who spends more than 2+ years in such a position in one company is either desperate for work or as advanced as they can get. Those who have the skills to look outside the box will tend to progress somewhere outside of support.
"Happy days."
Yeah, my days of working a helpdesk are far behind me at this point (I hope). I don't miss those days at all.
[ link to this | view in thread ]
Re: Re: Re: Re: POINT OUT SOME FACTS..
Same here. This was one of the few I took the time to read, maybe because it was in list form. Another thing that will get me to skip is a big run-on sentence with random line breaks.
[ link to this | view in thread ]
What do millionaires do for fun in their spare time? Politics!!
But Congress Critters ARE doing something!
You can hear them if you're quiet enough....
"One million to the Caymans, .5 million to the Swiss Bank, 250,000 to the Bank in Dubai, and the rest to the offshore in Mexico. Now where did that bimbo go with the cocaine... it's such a huge yacht!"
---
[ link to this | view in thread ]