Sophos Cloud Optix
The crook who cracked into the email of numerous celebrities, including Scarlett Johansson and Mila Kunis, has been sent to prison.
A federal judge in Los Angeles, California, sentenced 36-year-old Christopher Chaney, of Florida, USA, yesterday.
Although Chaney had already pleaded guilty, thus sparing the expense and complexity of a trial, and although the prosecution had apparently asked for a sentence of just under six years, Judge Otero hit Chaney with a mammoth ten year stretch.
One report suggests Chaney drew an over-the-odds sentence because he continued his cracking activities even after he knew he was under investigation and his computer had been seized.
As we wrote earlier this year, Chaney’s modus operandi seems to have been to use the ‘forgot password’ feature on his victim’s email accounts.
He’d then use publicly accessible information – the sort of stuff many of us share in bits and pieces on social networking sites – to answer his victims’ security questions and finish off the password reset.
Having got hold of the new passwords and illegally accessed the accounts, Chaney would activate the ‘forward a copy of incoming mail’ option. This means he could continue to harvest his victims’ private emails, even if they changed their passwords back.
Chaney stole nude photos, lurid text messages and emails. Many of these were then shared with two online celebrity gossip sites.
Interestingly, although Chaney drew a harsh penalty, we haven’t heard of anything happening to the gossip sites that willingly went public with the stolen material.
The story might have been different had the gossip-mag journalists been in Australia.
Sydney-based journalist Ben Grubb, for example, was briefly arrested in Queensland, Australia, in 2011, and had his iPad confiscated, after he published a supposedly private Facebook photograph that he had acquired from a security researcher.
The researcher had apparently got hold of the photo – a privacy-protected picture of a rival’s wife – as a “proof of concept” for a conference talk about a security flaw in Facebook’s privacy system.
The researcher couldn’t resist sharing the photo with Grubb, who couldn’t resist publishing it online (albeit blurred).
In the end, Grubb wasn’t charged, quickly got his iPad back, and was vindicated – at least in the public’s eyes – by strong criticism of his arrest.
But Queensland police obviously felt strongly enough to go after Grubb under a Queensland law dating back to 1889, which dispassionately observes that “a person who receives tainted property, and has reason to believe it is tainted property, commits a crime.”
And there are two important lessons in that:
• Don’t put tainted property online, especially if it affects the privacy of others.
It’s easy to say, “But the information’s out there now, so the crime of getting it in the first place is already done.”
Have some concern and respect for the privacy of others. The way data breaches seem to be going, you may very well need the same sort of concern and respect in return some time soon.
• Review all your account settings if you think you’ve been hacked.
After a malware attack, an unexpected password change, or anything else which suggests that someone else has been riffling around in your digital stuff, be sure to check your configuration settings.
Be on the alert for changes which might let the crooks carry on their dirty work even after your initial cleanup.
Crooks can add new accounts to your PC, set email forwarding options (like Chaney did), change firewall settings, install remote access software, and much more. If you are unsure what to look for, ask someone you know and trust for help.
Image of hands courtesy of Shutterstock.
What has struck me as interesting is the reaction of many commentators who have argued that the sentencing was out of kilter with other security breach and privacy crimes, wall st crimes, white collar crimes, etc and the fact that performers like Johansson seek “free” publicity.
Then again it’s one thing to seek free publicity of one’s film career but another thing all together of what goes on behind closed doors. Let’s not confuse the role of performers as that as the be all and end all of complete public spectacle, in the end they are human with their own need to privacy and identity outside of those wrought by the media and peeping toms…
Does he deserve what he got? Maybe, maybe not, maybe maybe. I'm not a judge. But that sends a message.
If YOU violate my privacy I will hunt YOU down and do things to YOU that would get me 20 years in a classroom run by old, smelly nuns.
To me, some of the penalties of certain electronic crimes are light. Sometimes only months in jail or 2 years for complete system database hacks? Information is still very valuable and there needs to be a standard and a no-tolerance policy. The fact that the person was STILL continuing to undermine accounts while being investigated says a lot.
Not that I think people who do this shouldn't be punished, but today I read about a man who sat on his 4-month-old baby, stomped on his hands and feet and received a suspended sentence. Where is the logic or the justice in that?
Ten years? He should have killed someone and negotiated five. Lives are cheap – unlike emails.
Do I read this correctly that someone could hack my email and set up a forwarding diversion and I wouldn't be notified? Isn't that the main WTF? Perhaps someone in a security company (hint …) should be devising a way of ensuring that the owner of an email account would always know if a divert was active.
10 years is not enough; 20 years would send a stronger message to Chaney and others of his ilk.
Chaney will probably receive time off for good behavior and be released in a couple of years. Chaney should have received, and should have been forced to serve all of, a 20 year sentence.
Going forward, anyone who hacks the computer and/or online accounts of another person (celebrity or otherwise) should receive 10- to 20-year sentences without the possibility of parole. Hacking crimes should be much easier to prove and prosecute than U.S. law currently allows.