Man Temporarily Nukes Five News Websites, Walks Away With Less Prison Time Than Matthew Keys, Who Attacked ZERO Websites
from the [shrug-emoji] dept
So, if someone can be sentenced to two years in prison for 40 minutes of newspaper website defacement performed by a party other than himself, it stands to reason someone who took down five websites would be looking at a minimum of ten years in jail.
Welcome to the hilarious and tragic world of CFAA-related sentencing. Matthew Keys was hit with a two-year sentence for supposedly sharing his login password (something Keys has steadfastly denied doing), an act that resulted in someone else subjecting the L.A. Times website to a 40-minute inconvenience. The momentary vandalism of the site's landing page suggested Congressional representatives were being pressured to elect CHIPPY 1337. No. Seriously. That was the extent of the "damage."
Once the DOJ decided this was worth pursuing under the CFAA, internal L.A. Times' emails regarding the "hack" suddenly cost $225/each to create. The feds wanted five years but settled for two. And while Matthew Keys served his sentence, no one in the federal government made any effort to locate the person who actually performed the website defacement.
A more serious hacking -- one that resulted in five news websites being completely unreachable for a short period of time -- has netted the "hacker" involved with a very lenient sentence.
The 36-year-old man who hacked and temporarily shut down Palo Alto Online and other Embarcadero Media websites nearly four years ago was sentenced Wednesday in San Jose federal court to time already served, one-year of home incarceration with electronic monitoring, three years of supervised release and $27,130 in restitution to the company.
Ross Colby was indicted on April 6, 2017, following an investigation by the Federal Bureau of Investigation of the Sept. 17, 2015, crime, which took down five news sites owned and operated by Palo Alto-based Embarcadero Media: Palo Alto Online, Mountain View Online, Almanac Online, PleasantonWeekly.com and DanvilleSanRamon.com.
Colby was convicted of all charges, but will only be serving zero years. The six months he spent in jail prior to his trial will be all the time he's required. Colby claimed -- during an interview with the FBI -- to have performed the hack at the request of a Menlo Park resident (Hiruy Amanuel) who wished to have stories about him removed from the websites. Amanuel, currently located in Ethiopia, denies he asked Colby to hack the sites.
Like in the Keys' case, the end result was a temporary defacement. But this hack also made the sites' content unreachable by readers. The temporary damage Colby caused was far more significant than the minor prank pulled by someone (not Matthew Keys!) with Keys' login info.
Colby deleted the content of all of Embarcadero's websites and replaced it with an image of Guy Fawkes, the icon of the activist group Anonymous, and posted a message stating: "Greetings, this site has been hacked. Embarcadero Media Group (Alamanac) (sic) has failed to remove content that has been harmful to the wellbeing and safety of others. Failure to honor all requests to remove content will lead to the permanent shutdown of all Embarcadero Media websites." Each website's URL was replaced with the text "Unbalanced journalism for profit at the cost of human right, Brought to you by the Almanac."
So, why the disparity in sentencing? Well, it boils down to several things, starting with the law itself. The law is broad and vague and can be beaten to fit/painted to match almost any "unauthorized access."
Furthermore, CFAA charges are confounding for juries, judges… even the DOJ itself. It's tough to assess the actual damages of a website defacement, so the DOJ relies on the aggrieved party, which has every motivation to portray momentary inconveniences as internet apocalypses. Meanwhile, judges and juries get swamped in techno-jargon, with no one to lead them in the promised land of "laymen's terms" but the prosecution.
In Colby's case, a couple of attempts to get him perceived as incapable of standing trial tried the court's patience, as did Colby's hiding of a recording of his interview with the FBI. And yet, he got less time than Keys did for a more serious attack on multiple websites -- one Colby actually performed, rather than farmed out to a willing miscreant.
Because the law makes so little sense, the outcomes will be nonsensical. The only hope is a complete rewriting of the law -- one that takes charging security researchers and internet jokesters out of the equation. The government may claim harsh sentences are needed to act as a deterrent, but this assertion makes no sense when it showed zero interest in finding the person who actually defaced a Tribune website with borrowed credentials.
Filed Under: cfaa, hacking, hiruy amanuel, matthew keys, news websites, ross colby
Companies: palo alto online