Former Reuters Journalist Matthew Keys Sentenced to Two Years for Hacking (opens in new tab)

(motherboard.vice.com)

66 pointscitizensixteen9y ago63 comments

63 comments

Such a BAD use of tax payer money. So now we have to pay for 2 years of jail time (Probably 1 year for good behavior) for giving a key (That was actually not proven but was believed by the juror. The crime was the defacing of ONE page. This key also should have been revoked after he left the company.

The recommendation of 7 years is just crazy and even the lowered 5 years is just nuts. If you just look at the cost to the newspaper it was at one point almost a million dollars when the fix for the page was one editor reverting the page.

> In order to be convicted of felony under the particular provisions of the Computer Fraud and Abuse Act which prosecutors used to charge Keys, the conduct must exceed a threshold of $5,000.

That someone is responsible for paying a company to sure up their security is an issue. Or the inflation of cost to so Federal Prosecutors can get another win under their belt. That over reach is pretty high in this case.

tptacek9y ago

In this case, the problem wasn't so much that Trib Corp had poor security (they probably do though), but rather that an insider exfiltrated credentials to one of their servers to an IRC channel. There are a few companies in our industry where that attack wouldn't be devastating, because of very carefully designed security programs. But there are not many of those companies. Most companies you've heard of are just as vulnerable as Trib Corp was.

matt_wulfeck9y ago

But charging them with hacking? And putting them in prison for 2 years?

1 more reply

baldfat9y ago

Those keys were those of an ex-employee. When you let a person go or they leave the company those credentials should have been changed.

1 more reply

ikeboy9y ago

>At trial, prosecutors presented evidence of loss ranging between $10,206 and $13,147

>In an unexpected twist, while going over the defense’s objections to the PSR, Judge Kimberly Mueller limited the amount of loss (for purposes of sentencing) to whatever had been presented at trial, thus drastically reducing the amount of prison time recommended by the sentencing guidelines. In the end, by the judge’s own determination, the appropriate range for sentencing was between 37 and 46 months.

So the actual sentence wasn't based on inflated numbers, and was lower than recommended based on actual numbers.

(Or are you saying the "evidence" of loss presented at trial was fake?)

baldfat9y ago

I am saying that they INFLATED the loss to go over the $5,000 thresh hold.

1 more reply

matt_wulfeck9y ago

If someone broke into the tribune's printing office (which perhaps didn't collect the key or change the lock when they fired someone) and that person changed the headline and a byline for an article in the paper that went out to thousands of people, I still have a hard time believing a court would put that person in prison for 2 years because of it.

At some point we have to acknowledge these tough cyber laws do nothing but pass down intentionally harsh sentences to the unlucky few Americans that get the book thrown at them.

I predict we'll look back at them with the same embarrassment and shame we do mandatory minimum drug sentencing laws now.

gamblor9569y ago

Consider that your hypothetical scenario includes at least two distinct criminal charges: breaking and entering, and vandalism. In some jurisdictions, these would each be misdemeanors punishable by up to 1 year in jail. In most jurisdictions, these would be felonies, punishable by more than a year in jail (varies by jurisdiction and circumstances of charges but usually 2 to 5 for low-level crimes like these).

So one way to look at this is that he got the same amount of time, or less, he likely would have gotten if he had physically broken in and changed the title of the physical print of the paper (or had been an accomplice to others who actually perpetuated the criminal acts).

tptacek9y ago

I don't know about that. What's the value of an entire print run of the Los Angeles Times? It's probably quite a bit more than the damages the court imputed to Keys.

matt_wulfeck9y ago

I guess the fundamental difference driving my thinking is I believe it's futile to hand out prison sentences for crimes such as these. I'm dubious that it acts as any real deterrent to "hacking", and it waste tax-payer money.

It's also becoming clear that the plaintiffs in these cases are completely washing their hands of their own responsibility for the crime. I understand that this is common in case law such as this, but if we want to actually secure this country against real cyber criminals then we need companies to step up and take responsibility for what's happening within their networks.

sparkzilla9y ago

For those catching up, I made a timeline of the case: http://newslines.org/matthew-keys/

Magi6049y ago

This is a great timeline. Thank you. It puts a lot of things into context.

citizensixteenOP9y ago

Nice timeline.

snake_plissken9y ago

I've read like 20 stories and I still can't figure out what Keys did that is actually illegal. He (or someone else) posted the login credentials to the Tribune's CMS, and then someone used those credentials to login and deface the site? Or am I missing something?

That's like saying you can get in trouble for giving someone a key to your old apartment, and then they go use it to unlock the door and do whatever they feel like inside. Or can you get in trouble for this, as maybe, an accessory?

williamscales9y ago

What you describe in both cases is illegal.

j / k navigate · click thread line to collapse

63 comments

baldfat9y ago

> In order to be convicted of felony under the particular provisions of the Computer Fraud and Abuse Act which prosecutors used to charge Keys, the conduct must exceed a threshold of $5,000.

tptacek9y ago

matt_wulfeck9y ago

But charging them with hacking? And putting them in prison for 2 years?

1 more reply

baldfat9y ago

Those keys were those of an ex-employee. When you let a person go or they leave the company those credentials should have been changed.

1 more reply

ikeboy9y ago

>At trial, prosecutors presented evidence of loss ranging between $10,206 and $13,147

So the actual sentence wasn't based on inflated numbers, and was lower than recommended based on actual numbers.

(Or are you saying the "evidence" of loss presented at trial was fake?)

baldfat9y ago

I am saying that they INFLATED the loss to go over the $5,000 thresh hold.

1 more reply

matt_wulfeck9y ago

At some point we have to acknowledge these tough cyber laws do nothing but pass down intentionally harsh sentences to the unlucky few Americans that get the book thrown at them.

I predict we'll look back at them with the same embarrassment and shame we do mandatory minimum drug sentencing laws now.

gamblor9569y ago

tptacek9y ago

I don't know about that. What's the value of an entire print run of the Los Angeles Times? It's probably quite a bit more than the damages the court imputed to Keys.

matt_wulfeck9y ago

sparkzilla9y ago

For those catching up, I made a timeline of the case: http://newslines.org/matthew-keys/

Magi6049y ago

This is a great timeline. Thank you. It puts a lot of things into context.

citizensixteenOP9y ago

Nice timeline.

snake_plissken9y ago

williamscales9y ago

What you describe in both cases is illegal.

j / k navigate · click thread line to collapse