Sophos Cloud Optix
The Feds had wanted a 5-year jail sentence for Matthew Keys – the journalist convicted of handing over login credentials for the Los Angeles Times’s parent company and then telling Anonymous to “go f**k some s**t up.”
Instead, they got two years.
Keys was sentenced to 24 months in prison on Wednesday, he tweeted. He says his legal team plans on filing a motion to stay the sentence.
In October 2015, Keys was found guilty on three counts of criminal hacking under the Computer Fraud and Abuse Act (CFAA): the same law under which late activist Aaron Swartz was prosecuted.
His crime involved handing over his website login credentials for The Los Angeles Times, a Tribune Media-owned newspaper. At one point, Keys had worked for a companion Tribune property, KTXL Fox 40 in Sacramento, California, and he had login information to the joint content management system.
With the login in hand, an Anonymous-affiliated hacker altered a news story on the LA Times’ site, changing its headline, byline and sub-headline to include the name “CHIPPY 1337” and tweaking an article to read:
House Democratic leader Steny Hoyer sees ‘very good things’ in the deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.
The defacement was short-lived: Tribune Company system administrators had the s**t un-f**ked after 40 minutes.
As Motherboard has reported, to be convicted under the CFAA, the damage done by Keys’s crime had to exceed $5000. Prosecutors claimed that Keys caused $929,977 worth of damage to the Tribune Company, having spent thousands of dollars protecting its servers, as US Attorney Benjamin Wagner said in a press release.
The crime took place in 2010. Keys wasn’t indicted until 2013, at which point he lost his job at Reuters, where he was working as a social media editor.
Keys has maintained his innocence throughout, claiming to have gone on an internet chat relay forum to recruit attackers claiming Anonymous affiliation because he’d been working on a story about the group.
Prosecutors, on the other hand, painted Keys as a disgruntled employee who wanted to “taunt and torment” the TV station that fired him in 2010.
In the end, of course, the court agreed with that version of the story.
On Wednesday morning, Keys published a post on Medium in which he reiterated his innocence and his – and others’ – belief that the CFAA has once again been misused by prosecutors.
I am innocent, and I did not ask for this fight. Nonetheless, I hope that our combined efforts help bring about positive change to rules and regulations that govern our online conduct. As I’ve previously written, nobody should face terrorism charges for passing [a login].
While his legal troubles have elicited sympathy from those who want to see the CFAA revised, we can’t ignore the fact that handing over logins to a sensitive system such as the LA Times’ content management system opens the door to a world of hurt for a corporation.
Sure, the LA Times sysadmins undid the mischief in 40 minutes. But far more ruinous outcomes can be sparked by crooks getting their hands on logins, be it through phishing or having them presented on a silver platter on a chat forum.
Image of Anonymous Mask courtesy of Twin Design / Shutterstock.com
As much as it appears likely that Keys is at least at some degree complicit in the defacement, they undid the damage in ~40 minutes. I’m not sure the fact that they subsequently spent nearly $1 million dollars protecting their servers after this wakeup should be considered part of the damage he personally caused, and this is starting to seem like yet another abuse of the act originally ironically designed to prevent abuse…
According to the court, based on the verdict of the jury, it doesn’t “appear likely he was complicit.” He was found guilty, so there’s no maybe about it.
So if a criminal shoots someone in the face but doctors are able to save the persons life in just a few hours the perp should be left off??? What a moronic thing to say. He did it with the intention to cause as much damage as possible. He should have received 10 years.
Huh? Your analogy is weak AF. They fixed it within 40 minutes.. meaning it was undone. If your hypothetical person’s face healed in 40 minutes I’d be open to adjusting dude’s sentence. But in this case, the law explicitly lays out the terms for prosecution – damages must be in excess of $5,000. A better analogy would be someone breaking into your garage, putting a Trumper sticker (Trump bumper sticker) on your car, and you taking it off within 40 minutes. You then install a $1 million security system because you never want it to happen again. Would the “perp” really be responsible for $1 million in damages? Methinks not. Heck, they should be thanking him, as he showed them potential vulnerabilities to their system.
Arguing that he caused $1 million in damages is, as you would term it, “a moronic thing to say.”