Appeals Court Upholds Matthew Keys' Two-Year Sentence For A 40-Minute Web Defacement
from the can-never-have-too-much-deterrent-apparently dept
The Ninth Circuit Court of Appeals has upheld Matthew Keys' conviction and sentence of two years for a 40-minute web defacement he didn't actually perform himself. That works out to basically 18 days for every minute of mild disruption the LA Times suffered, as it (very briefly) suffered through a headline changed to read "Pressure builds in House to elect CHIPPY 1337."
Prosecutors actually wanted five years for this momentary mild hacking, but still managed to end up with two years after the LA Times submitted enough paperwork to make it appear as though this 40-minute malicious hiccup racked up $1 million in CFAA damages.
The appeals court isn't there to question the accuracy of the LA Times' bill of lading, but it does use the inflated figure to affirm the part of the sentencing affected by the claimed damages. From the unpublished opinion [PDF]:
Concerning employee response time, the district court did not abuse its discretion by relying on loss estimates based on employees’ testimonies or on the worksheet prepared by a Fox 40 executive. In response to Keys’s challenge to inconsistencies in the employee salary evidence, the district court appropriately re-reviewed the trial testimony and considered the amount in light of national statistics on the value of non-liquid employee benefits.
The government presented evidence that nearly all of the 20,000 Fox 40 Rewards Program members cancelled their participation in response to Keys’s conduct. Starting essentially from square one, the database took three years to rebuild. The district court did not abuse its discretion in relying on the Fox 40 executive’s representation that this process cost $200,000. It was appropriate for the district court to order restitution in the amount it cost Fox 40 to replace the member database, as it would be difficult to determine the fair market value of such an asset.
Basically, this database could have been worth any amount, so why not the $200k the LA Times claims it's worth. That adds to the restitution amount owed by Keys and also plays a small part in the sentencing. But in total, this is overkill for a 40-minute web defacement, especially one performed by someone else using Keys' login credentials. The move may have been petty and amateurish but it's extremely difficult to believe the momentary elevation of Chippy 1337 to the front page of the LA Times' website warrants a two-year sentence and thousands of dollars in fines.
But it appears the DOJ is happy with this outcome. And having completed its prosecution of Keys, it's presumably performing an OJ Simpson-style hunt for the person who actually performed the defacement.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: appeal, cfaa, hacking, matthew keys, sentence
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
So, a 30 second outage should be the punishable the same as a few weeks by your assessment? That's strange considering that the sentencing seems to hinge on the amount of money that was supposedly lost.
Oh, and if it's the time you have the biggest problem with out of the following sentence, you and I have very different priorities " conviction and sentence of two years for a 40-minute web defacement he didn't actually perform himself".
[ link to this | view in chronology ]
Re: Re:
As for the "didn't perform himself", we have been over this many times. He provided the password and asked for it to be done. There isn't much wiggle room there for the simple reason that without him, nothing would have happened.
[ link to this | view in chronology ]
Re: Re: Re:
Not entirely true. The original claim was changed, which if you look at the history involved inflating damages involved with the breach. This appears to have been so that it would fall under the CFAA rather than other statutes. Part of that appears to be inflated claims of how much damage was done during the downtime, so the length of time is utterly relevant.
"It's sort of like breaking and entering, it's not how long you stay, it's that you broke in"
Well yes, except the actual crime appears to have been more like "gave the keys to someone who later committed breaking & entering". Rather different surely, even if they both deserve some kind of punishment?
As ever, nobody's saying he should get away scott free. Only that this seems disproportionate to the actual crime committed.
"we have been over this many times"
Have we indeed? Well, one of the advantages of you having now bothered to present an identifiable handle is that we can now search & verify what the previous arguments are. Whereas before, we only had your woefully untrustworthy bare assertions.
So, now, we can discuss recorded, verifiable exchanges, rather than whatever your biased memory tells you it was. This goes both ways, so you can prove I'm wrong about your biases shtick rather than go on a childish rant when you don't like how I'm recalling your actions. Being honest is fun, isn't it?
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
2 years -- or any -- seems long to you because you have no respect for the property of others. This stems from no valid motive except rabid urge to bring down civilization, as indeed, you pirates do in attacking copyright. You want the full protections of modern law while acting like barbarians.
This person was the one who got caught, and apparently key to the crime. I'd go a year per EIGHT minutes as prosecution wanted.
Around here not long ago, group of idiots were out smashing mailboxes one night, and an owner shot and killed one at distance; he was acquitted by the jury. That's how valuable your lives actually are when destructive, kids: less than a mailbox.
Easy way to avoid problems is DON'T destroy or even tamper with property.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"This person was the one who got caught, and apparently key to the crime. I'd go a year per EIGHT minutes"
Go away, troll.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"Around here not long ago, group of idiots were out smashing mailboxes one night, and an owner shot and killed one at distance; he was acquitted by the jury."
I'll need a source for that, I don't believe the words of a known mental case and fantasist without proof. It should be well reported, since according to you it's part of the public court record and a notable case. Provide the link, please.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I would argue no. It's not "rather different". If you help someone commit a crime, I would argue you are just as guilty as the person committing the crime. I believe it's called "aiding and abetting" here in the U.S.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"I believe it's called "aiding and abetting" here in the U.S."
Therefore, a rather different crime with different severity and sentencing structure to breaking and entering? You did contradict yourself there slightly.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I won't bother to correct you, as you will just come back and spew the same stuff again. Duration of the break in isn't the issue, the breaking in is the issue. Just work with it, it's the truth.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Right...
[ link to this | view in chronology ]
Re: Re:
The attempt alone, regardless of outcome, is the largest factor. My concern here is, do we have the right guy and/or is someone skating free or should they be locked up right beside him?
[ link to this | view in chronology ]
Re: Re: Re:
But, I'd still argue that the downtime is a major issue. Part of this is merely curiosity - how can a 40 minute downtime cause the damage that is claimed here? The story doesn't add up from what I understand. It's also interesting from the legal angle, since the amount of claimed damage is what's being used to sentence him, then timing is important in my mind there.
[ link to this | view in chronology ]
Re: Re: Re: Re:
This is a very tough question. I'm sure they suffered some financial loss of some sort. They probably had technicians fixing it, then technicians finding out how it happened. They probably had some kind of internal investigation to figure out who would hang for allowing this.. etc... I would also argue that they, perhaps rightfully so, took a PR hit and were basically embarrassed. How do you put a dollar amount on that? No clue! Million dollars? Bullshit!!
With that said, I personally think 2 years is fine. He will probably serve 60 to 80 percent if he's a non-repeat offender, and it will serve as a good example to the rest of the people that want to deface others property. I realize that won't be a popular opinion, and I'm ok with that. Obviously the penalties for the crime he committed were not sufficient enough to deter him from committing it in the first place. It's not like this is a crime of passion or a spontaneous act, he had clear premeditation and intent. He should do the time.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Was just 40 minutes of defacement or downtime the objective, or was the objective worse and just thwarted? what if there was evidence to further use the site for something else nefarious?
Even if it was more of a "joke" attack they still are not okay to interfere with other people lawfully going about their day.
But I do agree with you here, there is a LOT of missing information and something definitely smells about all of this, but I cannot say that this person is definitely undeserving of the punishment they could be receiving, but I also cannot say that they are.
[ link to this | view in chronology ]
Re: Re: Re: Re:
They could have heard 10 songs
Think of how much 10 songs are worth on the Internet...I think the going rate is $9.62 million for a Bakers' dozen
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Good job partisan citizens!
I think it is clear that they have a lot of bias in their reporting.
You "would" be right, but only if those places criticized all parties equally.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Winning again, the court is back on our side, the Dems are on the run, see the features on Fox News! MAGA!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
No. What was said, and why is that relevant here? Do you have multiple sources so that we can compare the biased.
"see the features on Fox News"
Lol, "LA Times and NYT are biased. You can see this by looking at the most demonstrably biased source out there!"
You guys would be scary if you didn't overplay your hand to the point of obviousness.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
It is the people that think they are not biased I have found to be the most biased and hypocritical of all.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
What is that you are smoking?
It must be addictive because you simply can not do without it, do you need a prescription?
What exactly do you think the word "biased" means?
I imagine that to you it means anything you disagree with, that makes sense when you are a narcissistic blowhard.
I recall a court case where Fox News claimed their programming is not really news and that it is entertainment. I'm sure that the subsequent news reports of this court case by competing networks are considered by yourself as fake news because everyone knows that Fox is the only true source of the unbiased news.
Hey - did you notice that Fox News no longer claims to be "Fair and Balanced"? What does this mean to you?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
But it does make your bias pretty clear to assume that because I am not on YOUR side that I am obviously on their side.
There is just no way I am not on either of your sides, is there? Just call me an objective 3rd party tired of your party sycophancy, when your side does no wrong and its those other evils bastards ruining everything because WE are perfect.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Do continue with your somewhat silly conclusions, I find it humorous.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
If you hack a website, then you deserve to be tossed in jail.
[ link to this | view in chronology ]
Re:
Apologies here, but this seem a little fishy. Could you clarify for me?
- Which piece of software did you switch to? You state that it's security software, but also state that it had a vulnerability capable of bringing down your entire site when it was exploited. That seems to contradict the "working perfectly fine" statement if the original was focused on security.
- You state that the exploit was fixed in the "software you use". Do you mean that you switched back again to the original software once the patch was issued? If so, why did you decide to switch the software completely to a different vendor that may have had similar vulnerabilities?
- What were the timescales and losses involved? The suggestion is that it wasn't a short-term outage, so I'm curious as to what drove you to redevelop your site twice to include different software, rather than switch providers or insert some mitigation to avoid the exploit from happening again before the patch was available on the original.
I appreciate the emotional response if you've been the victim of an exploit, but what you've stated really doesn't add up. It would be nice to have further details.
"If you hack a website, then you deserve to be tossed in jail."
Oh, and as people seem to be missing, the first line in this article and headline of the original inked article clarify that he didn't hack the site himself. He supplied details to those who did, but he didn't perform the hack. Does this change your opinion as to the proportional punishment?
[ link to this | view in chronology ]
Re: Re:
Toss him in jail, he's a criminal. That's the right thing to do, yes.
[ link to this | view in chronology ]
Re: Re: Re:
Anyway, my questions were aimed at the first AC and his questionable tale and not the story of Keys. It seems like a very unlikely yarn, but I'm happy to be proven wrong if someone other than the troll brigade fancies responding.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
But, I do wonder why you people are so obsessed with gender. I mean, which chromosomes I have mean nothing in regard to the arguments made on a tech forum. But, here you are apparently claiming that it's more important than any other words I say. Rather strange.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
But, I'm not surprised you're no longer married, even if you have found a rather strange way to overcome your loss. Perhaps you need to find a hobby other than obsessing over the gender of commenters on tech sites?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
lol.. You must be new hear? The self riotous indignation that flowith from the hard line commenters here is incurable. To tell you the truth, I'm glad. It's what keeps me reading the comments. Just when they think they've reached self righteous bliss, one of them will say something clever and they'll fall all over each other modding themselves up with the insightful button. It's fantastic to watch.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Upon your official application to the Republican Party being accepted, you are entitled to receive One Free Apology for any actual or imagined slight that you wish to drone on about in detail. At the "Free" level, you will receive a personal apology not to exceed 5 minutes from a Certified Apologist of the Republican Party. Longer and even more professional apologies are available for a fee, including the Grand Pubah Apology given by Donald J. Trump himself in the Lincoln Room at the White House. Please inquire for prices.
I think this will help a lot to get people what they really need, and then get them enrolled in the Republican Party. You know I think we need an additional slogan to MAGA - how about MYR - sounds like "meer", it means Make Yourself Rich. That's a good slogan, right? Remove the regulations, lower the taxes, get the government out of the way, accelerate the opportunities for us hard working individuals so money moves faster to the hands of those who deserve it. MAGA - MYR ! yay!
[ link to this | view in chronology ]
Re:
If you hack a website, then you deserve to be tossed in jail.
Good point. We don't have enough people who commit non-violent crimes packed into prisons. There's a particular shortage of script kiddies who've digitally spray-painted 'U p0wned' on someone's blog. Existential threat to national security right there, feeding our devolution into anarcho-linuxian debauchery.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
So by your own judgement, you should be thrown in jail for the term of your natural life for you have operated outside of the law and must be punished.
Law without justice and mercy is law that will make you a slave. Pile law upon law and there becomes no avenue for freedom, just fear and terror.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Does not matter whether you intended to or not
Go To Jail - Go Directly To Jail - Do Not Collect $200
You may have not broken any laws that you are aware of, how many does that leave that you are not aware of and possibly have broken?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Consider the the basic principle in court for the citizens is that "ignorance of the law is no excuse". Yet ignorance is what is maintained because the law is so complex. Just to give you an example, the Torah has 600+ laws/rules/regulations. This has been enormously expanded over time by those great lawyers, the Rabbis. But compared to the legislators of today, the applicable Jewish laws are very few. When a single piece of legislations grows from 80 pages to over 20,000 pages (with the increase in the number of laws, rules and regulations to thousands upon thousands), we have created a situation where anything other than ignorance is not possible. Apply this to the thousands of sets of legislations that has been brought into existence and to which more is being added to every day.
Consider that the prosecutors want "way over the top" punishments for the smallest of crimes for everyone who has no influence.
Consider also, how many things were normal day to day activities and are now crimes.
Consider that the legislators write the law in the broadest sense possible and generally pile more and more law on the existing law without considering the full impacts of what they are doing.
Consider that there is little rationality about what is written into law.
Consider how many judges are wise enough to dispense justice and mercy, or even if they are allowed to.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
three felonies a day
[ link to this | view in chronology ]
Re: Re: Re:
Yet, we're swamped with ACs who are apparently trying to pretend that people are asking him to not be punished at all. Strange, that.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Everyone left because of Chippy?
[ link to this | view in chronology ]
Re: Everyone left because of Chippy?
There's things to be suspicious about here, but his access to the Times really isn't one of them. From what I understand, they verified that his login was used.
[ link to this | view in chronology ]
Re: Re: Everyone left because of Chippy?
I'm a developer so access sharing of CRMs between businesses under the same umbrella is not lost on me. What I was wondering is how they don't state he destroyed the FOX40 rewards info (which would be digital destruction of property or vandalism), just that all the people left because of the virtual vandalism to a site that is mostly unrelated as far as the public is concerned. There has to be more to it than "40 miinutes of vandalism to a site for another city made all of these people stop using this rewards program and it cost us $200k to undo that damage". That part of the story doesn't make sense to me.
[ link to this | view in chronology ]
Re: Re: Re: Everyone left because of Chippy?
Why? The location of the site is irrelevant, only whether or not the guys could access the site with the credentials Keys supplied them (which they could). The damages themselves are questionable, as is Keys' full responsibility for the hack, but the idea that it happened and the guy working at a different company was responsible is not really in question.
What specifically do you have a problem with, other than Fox40 not being in LA (which is irrelevant)?
[ link to this | view in chronology ]
Re: Re: Re: Re: Everyone left because of Chippy?
I'm not familiar with either the site or the program themselves, so I can't be sure that makes sense with the underlying facts, but that's how I interpret his comments.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Off-topic trivia [was Re: ]
You are probably mis-remembering — “Senator Endorses Destroying Computers Of Downloaders” (by Mike Masnick, Techdirt, Jun 17, 2003).
(Dead hyperlink omitted.)
Utah's senior senator should not be mis-remembered.
[ link to this | view in chronology ]
Re: Off-topic trivia [was Re: ]
Please replace "blow up" with "destroy".
I feel so much better now.
[ link to this | view in chronology ]
Re: Re: Off-topic trivia [was Re: ]
No, that's not it. The “blow up” part is reported in other stories.
[ link to this | view in chronology ]
Re: Re: Off-topic trivia [was Re: ]
(Oops, sloppy-focused “preview” on my last comment, and got “submit” instead, before I was done with that reply. Well, everyone makes mistakes, right? Anyhow, where was I…)
Senator Hatch apparently wasn't confusing “pirates“ with “hackerz”. So you shouldn't confuse them either. It's not a super-duper big deal, but there is some significant difference.
Senator Hatch wanted to blow up computers belonging to copyright scofflaws. Remember that.
From the 2003 Techdirt story, again:
(Emphasis added.)
Remember that.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
slap on the wrist is more like it - bad boy!
How many bankers are in jail as a result of their world wide market melt down? How many of them were subject to indictment? How many were even investigated? How much did those assholes pocket as a direct result of their scams?
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
Doing that of course increased Demand, which increased Home prices, and you now have your housing bubble, which in the end popped. Banks sure don't want to lose money. So they're only going to normally give loans to those they think will pay them back. I saw it coming. I couldn't afford a house at the prices they were going for. Way to much for what you were getting. So I waited and waited and when it finally popped, I got my house. Since then my house is worth almost double what I paid for it. Which is why nothing happened to the banks, it was the Government that created the problem. Are they going to throw themselves into jail? No!
Sony got fined to the whole OS thing int he Playstaton and you could get some money back because of that, though not easy, and like always the lawyers end up with most of it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Did you mention the fake ratings of those securities which bundled high risk loans?
Did you mention their shorting of stock of those who purchased their high risk securities that were falsely claimed as being low risk?
Yeah, it was all the fault of those lazy people thinking they deserve a hand out.
[ link to this | view in chronology ]
If...
"... the software I was running worked perfectly fine..."
how was
"... my own website was also defaced by some idiot..."
Paying for supervised alarm services makes me unhappy, since my building has never been broken into; but I do it anyway. Can't be angry about fixing poor site security, much less after you've been breached.
[ link to this | view in chronology ]
he didn't actually perform himself
He intentionally shared his credentials to the person(s) who did do that damage. All parties involved with this criminal act should be awarded the same exact punishment.
I do agree that the punishment seems excessive and does not seem to fit the crime. But he and person(s) unknown do deserve equal punishment for the entire crime.
[ link to this | view in chronology ]