Matthew Keys gets 2 years for helping Anonymous deface the LA Times

shutterstock_168125789

The Feds had wanted a 5-year jail sentence for Matthew Keys – the journalist convicted of handing over login credentials for the Los Angeles Times’s parent company and then telling Anonymous to “go f**k some s**t up.”

Instead, they got two years.

Keys was sentenced to 24 months in prison on Wednesday, he tweeted. He says his legal team plans on filing a motion to stay the sentence.

In October 2015, Keys was found guilty on three counts of criminal hacking under the Computer Fraud and Abuse Act (CFAA): the same law under which late activist Aaron Swartz was prosecuted.

His crime involved handing over his website login credentials for The Los Angeles Times, a Tribune Media-owned newspaper. At one point, Keys had worked for a companion Tribune property, KTXL Fox 40 in Sacramento, California, and he had login information to the joint content management system.

With the login in hand, an Anonymous-affiliated hacker altered a news story on the LA Times’ site, changing its headline, byline and sub-headline to include the name “CHIPPY 1337” and tweaking an article to read:

House Democratic leader Steny Hoyer sees ‘very good things’ in the deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.

The defacement was short-lived: Tribune Company system administrators had the s**t un-f**ked after 40 minutes.

As Motherboard has reported, to be convicted under the CFAA, the damage done by Keys’s crime had to exceed $5000. Prosecutors claimed that Keys caused $929,977 worth of damage to the Tribune Company, having spent thousands of dollars protecting its servers, as US Attorney Benjamin Wagner said in a press release.

The crime took place in 2010. Keys wasn’t indicted until 2013, at which point he lost his job at Reuters, where he was working as a social media editor.

Keys has maintained his innocence throughout, claiming to have gone on an internet chat relay forum to recruit attackers claiming Anonymous affiliation because he’d been working on a story about the group.

Prosecutors, on the other hand, painted Keys as a disgruntled employee who wanted to “taunt and torment” the TV station that fired him in 2010.

In the end, of course, the court agreed with that version of the story.

On Wednesday morning, Keys published a post on Medium in which he reiterated his innocence and his – and others’ – belief that the CFAA has once again been misused by prosecutors.

I am innocent, and I did not ask for this fight. Nonetheless, I hope that our combined efforts help bring about positive change to rules and regulations that govern our online conduct. As I’ve previously written, nobody should face terrorism charges for passing [a login].

While his legal troubles have elicited sympathy from those who want to see the CFAA revised, we can’t ignore the fact that handing over logins to a sensitive system such as the LA Times’ content management system opens the door to a world of hurt for a corporation.

Sure, the LA Times sysadmins undid the mischief in 40 minutes. But far more ruinous outcomes can be sparked by crooks getting their hands on logins, be it through phishing or having them presented on a silver platter on a chat forum.

Image of Anonymous Mask courtesy of Twin Design / Shutterstock.com