
Keys won't be sentenced to anything resembling 25 years. Even his prosecutors have said so.

He's also far more responsible for his actions than Andrew Auernheimer was. Keys, while working as a social media editor at Reuters, used his access from a previous job at a Tribune subsidiary to let anonymous Internet hackers break into the LA Times, one of the largest newspapers in the world; the attackers used it to modify stories. His "hack" was a straightforward abuse of the trust misplaced with him.

Keys' defense fixates on the rapidity with which those stories were taken down. But of course, that's not the whole story. The Tribune Corporation, like every major corporation, usually must follow a complex process after a breach. The cost far exceeds that of simply taking a story down.

Keys has, by all accounts, fantastic attorneys. The sentencing phase of this trial is just now starting, right? How can they possibly be letting a freshly convicted felon talk like this? Isn't he harming his case here?

Edit: my comment originally claimed, incorrectly, that Keys had used Reuters access to compromise the Tribune Company; he did not; rather: he used his access from a previous job at a Tribune subsidiary to do it.



The worst thing is, that according to the report he's both claiming that giving a login to strangers to "fuck it up" is "an act of journalism" and simultaneously protesting that he's completely innocent and it must have been someone else using his login to pass another of his logins to hackers whilst masquerading as a person with a grudge against his ex-employer. It's basically the reductio ad absurdum version of all the more sensible arguments people have made about computer crime legislation not upholding free speech and giving insufficient attention to burden of proof.

I agree that this is the sort of low level vandalism whose sentencing time should be measured in days rather than years, but it doesn't really help the case of civil liberties when the usual supporters of the cause rush to make someone so undeserving a martyr.


I wouldn't focus too much on what is said in proximity to court proceedings. When you're facing jail time you don't really have the luxury of doing anything other than trying to argue the best defense possible, often by embellishing or excusing your side of the story. Especially with the aggressive prosecution in the US.


Keys has been arguing this line for a while though. He's been unusually vocal in his own defense in the months leading up to the trial (compare that to how relatively quiet Aaron Swartz [0] was) -- and I think it's a calculated tactic. Not necessarily a wrong one, but Keys' reputation as being savvy about online and social media is very well deserved.

But I think that it is likely to severely backfire on him. A lot about the justice system is public relations -- check out the press releases feed at the Dept of Justice [1]...and he's doubling down in such a way that the prosecutors and judge can only lose face if they go lenient with him. The best defense for him is to be contrite and ask for leniency -- that's the whole point of his defense lawyers arguing that it was just a simple webpage defacement. Instead, he's arguing federal-level type coverup and incompetency, from the FBI investigation to the jury-by-trial itself. If the judge slaps him on the wrist, the judge is basically insinuating "Yeah, you're right...our court system is a joke!".

From what I can tell, not many judges choose to go that route.

[0] http://techcrunch.com/2013/01/14/aaron-swartz-asking-for-hel...

[1] http://www.justice.gov/doj/news-feeds


Most Journalists think that laws are for little people and that the end justifies the means - just look at News International and how hundreds of journalists have got off on a technicality.


The journalists I know definitely don't think News International is representative of their field. If you'd like to tar most journalists with that particular brush, you'll have to try harder.


True, true, but there are journalists who don't hesitate to paint with broad brushes and push buttons in order to get page views or please an audience and seldom get called out by more reputable journalists.


Really, there is a substantial minority of GMG journalists who supported the NI line and were openly anti-investigating it.

And the general public certainly thinks journalists are not trustworthy.

And don't forget even progressive journalists do freelance work for NI, so they have to keep their heads down.


The problem is that the law is written for bank wire cyber criminals and this guy did the real life equivalent of opening up the fire escape to let in a raving homeless person.

Yes he should get punished. Fired, fined, maybe even a couple days or weeks in jail. But the justice system has not caught up to the internet.

We have a thing called assault. A thing called battery. A couple things called murder. Morality is a grey scale.


I'd say it's more like handing a copy of his keys to miscreants (of any type) with a note attached "DO HARM THERE" after being evicted. If proven in court, I'd expect a guilty verdict on a charge of criminal mischief.


Having no authority to order the harm, and having no plausible way to realize a tangible benefit from any harm that may occur, I fail to see how that is a criminal act. At worst, that's just a civil lawsuit against him.

And it would be a pretty strong affirmative defense if the landlord did not re-key all of his locks at the time of the eviction.

If this had happened in a physical place rather than on a web site, no one would be going to jail. Someone would be sued in civil court, and be forced to pay no more than the amount that a locksmith typically charges to re-key all the locks on a property.

And if the landlord so much as left a window open, the defendant probably wouldn't have to pay anything at all!


What does his authority have to do with it? His intent seems entirely clear. Again: the chat transcripts, which are traceable to him through the network, show him expressing discouragement at the minimal amount of damage the IRC hackers were willing to do. What he wanted to have happen was even worse.

I'm also not sure how "the employers didn't rekey the lock" is any kind of defense at all.


The hackers are the ones actually responsible for the damage that occurred, as evidenced by the fact that they did not do as much as he asked of them.

You leave your bike propped up against a wall, unlocked. Someone starts shouting "Hey, steal this bike! Steal it!" When you return, your front wheel is gone. Someone tells you about the shouting guy. So you sue him for the loss of your front wheel. You are able to get a recording of that guy complaining that only the front wheel got stolen. It doesn't matter. He didn't steal your wheel. He could have wanted someone to steal your whole bike and your wallet, but the fact remains that he didn't do it.

Now suppose that you did lock up your bike. But you used a TSA-approved luggage lock. Now the guy passes out copies of the TSA master key along with the shouting. But anybody could have had that key already. He still didn't steal your wheel.

Now instead of a known-insecure lock, you use a good lock, but you had at some point given the shouting guy a key to it. After you two have a falling-out, you keep using the same lock. While on the surface it looks different, this is the same situation as the TSA lock, because your lock is not truly secure if its keys are not controlled by you, and you alone. He still didn't steal your wheel. At worst, you can recover from him the cost of replacing your u-lock, as he made it unfit for its intended purpose.

Wishing misfortune on others is not a crime. It isn't very nice, but it is not criminal, and does not create civil liability. I can say as often as I like that I would be happier if Bank of America's corporate headquarters were destroyed by a lucky meteorite strike. If an arsonist tries to burn it down instead, I am in no way responsible. I didn't give that guy any tangible benefit for doing the crime. I could not have harmed him in any way if he did not do it. The person was not acting as my proxy. If the arsonist cannot be identified, I am not an acceptable scapegoat simply because I wished harm upon the victim. I have malicious intent, it is certain. But I have not performed the malicious act.

(I won't be able to respond further, because "HN: You're submitting too fast. Please slow down. Thanks." It looks like tptacek can post about 10 times more often than I can, so I can't meaningfully participate in a discussion with that account.)


He didn't "wish misfortune" on his former employer. He provided information instrumental to that misfortune. He's an accomplice, not a well-wisher.


No, the real life equivalent of what he did would be giving some teenagers unsupervised access to the office copy machine. It wasn't bright, but it doesn't sound like a life-defining felony.


What? Read the chat transcript recorded in the search warrant [page 41+]:

http://www.laweekly.com/news/matthew-keys-helped-anonymous-h...

How can you believe that giving a group of anonymous people you suspect to be hackers a username/password, then telling them that it's superuser access, then giving them the admin URLs, then giving them the URL to the user manuals for the console, then creating them new accounts...is the same scope as letting a bunch of teens use your "office copy machine"? (unless your company's business is literally the copy machine...I suppose)


I just pulled up the Los Angeles Times, and something literally resembling a copy-scan-fax machine plugged directly into a Wordpress site comes to mind.

In reading the transcript, it's clear this person deserves to be punished according to the maximum penalties prescribed by the applicable laws. It is not as clear to me that the laws being applied accurately reflect the harm incurred, or even the potential for harm given the nature of the compromised system.


He won't get 25 years. But federal sentences for any type of fraud, including those issued under the CFAA, are based upon the actual or intended loss - whichever is higher. In other words, if the government argues at sentencing that his intent was to seriously disrupt the entire paper's site for an extended period of time by giving out these credentials to a known hacking group, they can claim an intended loss of millions of dollars. A sentence based upon an intended loss of more than $1 million will start at about two years and go up from there, basically depending on how the judge feels that particular day.


Anyone who has suffered a significant breach where authentication systems are suspect knows that likely you'll have to build a parallel 'clean room' system where the legacy system and infrastructure are completely untrusted, from hardware, firmware and software; then there are policy changes, etc. That can easily pass into millions territory. It's laughable to claim simple defacement.


To be fair the Tribune subsidiary should have revoked that access a LONG TIME AGO. The million dollars spent after the attack was to fix their security I bet.

Don't think what he did was right and he did have someone illegally attack the LA Times but it does seem strange that this case is so big and the charges against him so large.


You leave a job, you keep the keys to your office, your employer forgets to take them back, you then deliberately copy the keys and hand them out to vandals. What court in the world would put any of the responsibility for that on the company?

Trib didn't spend millions in cleanup, but if any breach investigation were done --- to rule out the attackers having done things to retain access after credentials were revoked, and to ensure Trib's clients that no PII was taken --- would easily run into the mid tens of thousands.


Even the tens of thousands could be a stretch for the actual cost.

When I was handed a copy of my Pre-Sentencing Report, for an incident that took place on June 21, 2011, they billed from June 16-24.

I pointed out that I did not own a time machine, then they quickly changed the dates to June 21-27 and dropped the "damages" by over 60%. That's the difference between certain prison time and probation with house arrest.

(This was Sylint, maybe they're just scumbags and wanted to make as much money as they could off my mistake.)


I'm sorry, but this just isn't correct. It's hard to imagine any outside forensics investigation happening for less than $20k ($50k is a more reasonable estimate), and those outside investigations are often mandatory in breach cases. Insurance companies and, sometimes, regulated data protection usually require that the company take steps to ensure that everyone knows the limits of the attack --- and those limits, as you know, aren't at all obvious from the attackers' overt actions.

It looks like the attackers just fucked up a bunch of web pages. But they broke in; how do you know they didn't leave backdoors, or exfiltrate databases? You often don't, unless you engage an outside firm to verify.


> It's hard to imagine any outside forensics investigation happening for less than $20k

In my case, Sylint was the web host and the forensics investigator. That might also explain their duplicity and lack of consistency in the reports to the court.

Aside, is knowing how to use Encase really that lucrative? I should switch specialties.


I agree that EnCase jockeys are overpaid, and I generally think of forensics as a lower-status specialty than software security, but website breach investigations are much more annoying than just imaging hard drives.


I can only imagine, especially if the logging/auditing policy was "pretty much non-existent" and you don't know how extensive the access was for a given user account (nor how much of that access could have been used in the short window of compromise).

If it were SSH access, I'd call it game over.


A "Business Management Consultant" group focused on "cyber" security? You shouldn't have been surprised ;-)


Four years ago, I knew practically nothing about the security industry (or of business). I was a self-taught web programmer who knew really obvious ways to defend websites from attackers.


You work for a bank and you have the keys to the vault. You quit. The bank doesn't immediately change the locks to ensure that their security isn't compromised.

What happens to the keys after that in my made-up example doesn't matter. The bank is at fault because the bank has a responsibility to ensure the security of their operation, irrespective of how ethically or unethically their former employee acts from that point onwards.

A newspaper is an information bank especially in the Internet age.

EDIT: I should have specified "the bank is at fault for the total amount of damage" not that the bank is at fault full stop.


>The bank is at fault because the bank has a responsibility to ensure the security of their operation

Yes, and in the case of the Tribune company here, it cost them tens of thousands of dollars to "repair" the breach. That's the punishment for their failing of responsibility. It's not like they are suing to recover that money.

But I'm not sure how that absolves the actual criminal here.


Oh, you're right, it doesn't.

I guess what I'm saying is that if your job is security and you fail at security, and because of your failure at security a former employee is able to do some damage, he or she is of course guilty of whatever crime.

But the amount of money that you spent to clean up the mess because you failed at your job initially, that doesn't matter and shouldn't influence the trial. The crime is a crime no matter how large or small the damage.


Consider a warehouse guarded by a night watchman, but sometimes he takes a smoke break (hence, failing to do his job). Some vandal comes by and tags the building with graffiti. Later, some other vandal comes by and burns the place to the ground. You think both vandals deserve equal treatment?


One is vandalism, the other is arson, destruction of property, and probably a bunch of additional crimes. They should be handled differently because they're different crimes.

The point is that two people who vandalize should be treated equally even if one vandalizes a poor person's house and the other vandalizes a rich person's house. The exact dollar amount of the vandalism shouldn't matter because either way we've all agreed by way of the law that vandalism is wrong.


Distinguishing between destruction of property and vandalism seems like implicit validation of the idea that some vandalism is worse than others.


Yes of course, and within vandalism there probably are different fines or sentences depending on just how much property you damage. But if you're going to label "anything where some property is damaged" as vandalism then 9/11 was vandalism, right?

You also neglected to address arson and the idea that a whole building burned down. I don't think any part of the justice system would seriously suggest that destroying a building and spray painting a building are the same. I don't think they'd be investigated the same, charged the same, etc.

The problem here is that the CFAA has definitions and those definitions are what determine what the crime is. So yes someone breaking into your Facebook account and posting a "turns out I'm gay everyone!" comment is -- again according to a strict reading of the law -- just as bad as someone breaking into VISA and forcing them to re-issue all the credit cards in the country. That's because the law doesn't distinguish damages or anything like that. In part that's because in reality you don't do any actual damage, you just cause people to have to take action to mitigate that your specific knowledge causes problems with their security.

This makes sense too, if you break into a bank it might be reasonable to attempt to force you to pay for the repairs to the vault door, but it would not be reasonable to force you to compensate the bank's shareholders for the loss of goodwill (and share price!) they suffer because the bank's security wasn't able to keep you out.


The CFAA makes knowing, purposeful access to computer systems you don't have permission to use a crime, and a felony when that access is used to attempt to perpetrate additional crimes. It's a simple statute.

There are two common arguments against CFAA.

The first is that it shouldn't be a felony to access computer systems without authorization. The logic goes: if you use access to a computer system to perpetrate a fraud, charge fraud. If theft, charge theft.

A variant of this argument suggests that maybe "serious hacking" should be a felony, but things like reusing an old password, or guessing the URL after the login screen, those things shouldn't be felonious.

These arguments are problematic. For instance, in cases where the offender has used their unauthorized access solely to cause economic harm to someone else, there may not be a better crime to charge. The vandalism statutes weren't designed for offenses that can easily rack up tens of thousands of dollars. There's also the basic issue of trespass and violation of property rights. And, of course, civil remedies to these problems have their own problems, prominent among them the fact that all the burden for collecting those remedies falls on the victim, who under civil law receives no assistance from the rest of society.

The second set of arguments against CFAA is that the sentences are draconian. This argument seems much more straightforward. A particular problem with CFAA is that the sentence scales with damage, but damage can trivially scale with the induction variable of a program's loop; it does not seem intuitively just that typing an extra '0' into a single program can ratchet your sentence by years.

A variant of this argument suggests that damages are also inflated by victims and prosecutors. This is likely very true, but it's less meaningful in this case than in others, because even the most charitable view of the offenses charged suggest he did more than 15k of damages, and is facing a multi-year sentence.

I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage. That wouldn't much help Keys, though, who is convicted of deliberately trying to maximize the harm to Tribune Corporation.


I would also be in favor of factoring in "what kind of precautions did you take?" to the whole thing, though I have no idea how you could practically do that.

But I do think that most reasonable people would agree that finding someone's browser still logged in to Facebook and making a joke (whatever kind of joke that is) is substantially less bad than cracking the person's password.

Just the same as there are "breaking" and "entering" for forcing your way into someone's home (versus just "entering" if the door or window is unlocked) the severity of the computer crime is in proportion to how hard the people who owned the computer were trying to keep it under their control.

Don't have any kind of access control for your computer at all? Sorry, we're statutorily limited to the lesser charges. Fix your security and if this happens again we can nail them!

EDIT: So if you say that the X axis is the amount of effort that the entity expends to keep the system secure, then the Y axis is the maximum intent that can be inferred, and your function is something that you think is reasonable like say y=x.

In other words, if a company makes no serious effort to secure their systems or control access no malicious intent can be inferred from someone "accessing without authorization", whereas someone who has to mission impossible style break into your facility says a lot about their level of malicious intent.


I don't think you're right about breaking into people's houses. Breaking a locked window and opening an unlocked window probably doesn't net you a different charge at all.


There are various definitions, here's one that I read that bolstered my claim but there are others that don't; "force" can mean as little as pushing an already open door open further.

https://www.justia.com/criminal/docs/uniform-crime-reporting...

Personally I think it's kinda bogus that opening an unlocked door is the same as kicking one as far as charges go, but hey, maybe that's how it works.


> I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage.

As someone with almost-opposite political views, I'd support an initiative like that. It might make the CFAA redeemable.


I think it's fair if a vandal uses a copied key to enter the office and pee on the rug, then the company should cover the costs of changing the locks, but the vandal is responsible for the damage to the rug. Changing the locks is a direct consequence of the company's failure to collect the keys (and needs to be done regardless of what if any vandalism has taken place), but the follow on damage was not caused by mere negligence or happenstance.


> it cost them tens of thousands of dollars to "repair" the breach

No they claimed just shy of a million dollars.


Right. I think the reasonable complaint in these cases is that the damages should cover the cost of investigation that resulted directly from the breach, not the cost of fixing the original security vulnerability and/or auditing the entire system.

If you break into a bank, then the bank is right to ask for damages of amount stolen + amount necessary to sweep their building for any backdoors you might've added and repair any damage. That's fair. They shouldn't be suing for the cost of an upgrade to their security system or a new training course for their security officers.


The bank is at fault for the amount of damage due to their own negligence, which would be the amount greater than what it would have cost to re-key the locks. And you have to re-key the locks instead of recovering the keys that had been issued, because you have no way of knowing whether the keys were copied or not.

In the case of username/password keys, "changing the locks" can be done as easily as running an automated script nightly against the HR employee database, to suspend login privileges from anyone who is on leave or no longer an employee, or at worst, by having your sysadmin's lackey, who makes $30/hour, spend 2 minutes on doing that every time it is needed.

The people who broke in are responsible only for the damages they caused directly, not for the cost of fixing things that were already broken when they showed up, or for investigating and implementing measures to stop the next gang of vandals that might enter.

So what is the actual financial impact of a defaced web page? How do you prove that? If you give crowbars and sledgehammers to a gang of vandals, to what extent are you responsible for the damage they cause with them? If they only use those tools for legit demolition work, are they obligated to pay you a cut of their revenue?


> it does seem strange that this case is so big and the charges against him so large.

Because he was caught up in the Feds surveillance of Anonymous.

It is at least worth noting that Keys says it wasn't him. FTA:

-----

“Let’s be clear: I never passed a username or password to Anonymous,” he said.

Keys, who went on to serve as deputy social media editor for Reuters before his indictment in 2013, said he was investigating Anonymous in chatrooms when his username was used without his permission by parties unknown. Five years ago, Anonymous was in the news for its attacks on Visa and PayPal — and, according to Keys, he was just doing his job.

“It occurred to me that no one had looked into these guys,” he said. “They were talking at a level above my head. … Anybody could co-opt [the username] and it looks like in this case somebody did.”

Keys said the Tribune company — by then his former employer to whom he nonetheless pitched his story about Anonymous — should have supported him. This was about freedom of the press, not passwords.

“Tribune Media – what are they thinking?” he said. “Do they care about journalism at all? Do they care about the government prosecuting a journalist who decided to keep his sources undisclosed? That is beyond disgusting.”


He says it wasn't him, but if it was someone else, they were much more thorough than just his username, since there's network evidence tying Keys to this as well (see again the search warrant).


Are you aware of this evidence? Was the court, for that matter?

It's also entirely possible that they managed to convince a technology-illiterate magistrate to sign off on the warrant.


Network evidence put together by who?


Hmm. If we accept the premise that the Tribune is at fault for not securing their systems, does that mean Keys is at fault for not securing his password?


The answer to your question is probably "Yes".


For the record, I'm aware of a group of blackhats who have co-opted the screen names of popular whitehats (including one who goes by briankrebs).


This case would be more like blackhats co-opting Krebs' Twitter password.


Did Keys use NickServ authentication? Was the person using his screen name at the time authenticated? Etc.


Yes, I agree...in fact, Tribune should be secretly thanking Keys...no matter what his actual intent, the incident got them to implement proper security...the $900K they spent they would've had to spend anyway and is a bargain compared to what could've happened.

But "oh the company should've had better security" is not a strong legal defense, in the same way that "the victim shouldn't have been walking alone at night" is not.

edit: just to clarify, I'm being flippant here since most of the main arguments for and against Keys have already been made...but I don't interpret Keys's actions as any kind of "white hat" hacking. According to the evidence, he most certainly tried to get Anonymous to burn the company to the ground, and he and Tribune are very lucky they didn't.

However, I do think it's dishonest for the Tribune to claim $900K in damages when that was the amount used to shore up their security after the breach. But the $17K they spent as incident response seems very reasonable. But to then tack on the $900K so that the maximum possible prison time is more politically palatable helps to perpetuate the worst parts of the CFAA and the justice system.


So, I have a very strong opinion of this whole matter, and the person behind it. I've forced myself to ignore everything I wanted to write or reply to about it, but what struck a chord was your perspective, which is that credentials should have been revoked.

Journalism is a set of very specialized jobs. It's also a small cultural subset and after a time, everyone knows everyone. When you change jobs in news, you either go to another news organization or pretty much retire from news (meaning you leave it and go do something else - it's rare that you'd ever come back to it and the barrier to re-entry becomes steeper). What I mean to say is that your reputation definitely precedes you and it sticks around for a very long time.

There are some in this thread who have written or implied that "most journalists" have no ethics or self-restraint and all they're guided by is the end result. In some organizations, that's true and those places keep their notoriety all to themselves. For every bad apple in every industry, there are thousands of notable ones who do their work, and more than enough of them have self-respect to uphold their integrity.

Having said all that, I don't disagree with what you're saying at all. But here's an anecdote to help illustrate the culture and level of trust typically found in news. In early 2013 Nelson Mandela got sick. Many news organizations prepared a number of packages for the eventuality of his death - that included everything ranging from special reports, photo galleries, videos, memorials, and other special projects. A very talented colleague of mine put together a montage of Nelson Mandela's 1994 acceptance speech being read by various children living in South Africa today. It was pretty moving and showed just how things changed in those 20 years since. The project was finished, and readied in case it was ever needed. Then in mid-2013, that person left us and went to work for a large national newspaper, which was a great career move for them.

Soon thereafter, a number of staff changes occurred and on the evening (local time) of Nelson Mandela's death, no one was left on duty who remembered the tribute package existed. The ones who did weren't on duty at the time and the material they could immediately put together was very lacking and would take some hours, perhaps a day to properly acknowledge the man and his work.

That ex-colleague of mine tried to get in touch with duty editors, but was unable to get through. Given the timing and possibility that this material would never see the light of day, they remotely logged into our CMS (because none of the credentials were yet revoked), prepared the material as a draft and sent a note to the entire office letting them know it was ready for publishing. Some of the recipients on that list probably didn't even yet know the sender had left the organization, but from the email trail were very grateful to have the package ready to go.

This is the kind of hard-working journalist with integrity I'd have expected Matthew Keys to be.

He's not one.


But that is in the law. I think most people understand there's usually a big gap between the threatened sentence and the subsequent actual sentence in the event of a conviction.

People are objecting to the law as it is written and as it is abused by the government to make these indictments, in this case actually achieving conviction:

"Each of the two substantive counts carry a maximum penalty of 10 years in prison, three years of supervised release and a fine of $250,000. The conspiracy count carries a maximum penalty of five years in prison, three years of supervised release and a fine of $250,000."

http://www.justice.gov/opa/pr/former-web-producer-indicted-c...


The maximum does not matter. The sentence is constructed from sentencing guidelines, and departures from the guidelines have to be justified.


You're correct.

The guidelines are pretty broad for the Computer Fraud and Abuse Act and the judge will have a lot of leeway in sentencing.

If he was smart, he'd apologize and take responsibility for what happened and ask for leniency. Coming out publicly after being convicted and calling it "bullshit" and crying like a child won't win him any favors with the judge and could certainly backfire on him.

The judge should give him a suspended sentence and put him on a 5-8 year probation with some community service and a stiff fine. As much as I believe in jail time for hackers who do malicious things, I don't think his crime warrants jail time.


> I don't think his crime warrants jail time.

Then you would agree that the law should not have enabled the government to indict and then convict him on charges that carry years of jail time, that it should instead have led to conviction on charges that don't warrant jail time.

That is the argument about the CFAA -- that the law should be revised to rein in the government's crazy abuse of it.


> That is the argument about the CFAA -- that the law should be revised to rein in the government's crazy abuse of it.

I absolutely agree the law should be revised. The only problem is trying to set a decent spectrum of punishments that have clear delineation points. This is the main reason I feel it hasn't been revised. The law is broad in its application, and the feds can argue that judges still have the ability to hand down more lenient sentences where they feel it's applicable.

I do agree that because of its broad and vague terminology, the feds have used it to go after a wide range of offenses. Sometimes merited, but I feel in this case, not so much.


There are no felony charges that don't warrant jail time.

There are, however, federal sentencing guideline ranges that could result in probation instead of a custodial sentence given: no remunerative intent, no prior convictions, &c.

I think a lot of people could agree that this is a crime that should have landed in the lower range of the guidelines (but might not, given the CFAA guideline damage scaling).

I don't think CFAA sentences should scale with damages at all, unless the prosecution can prove an intent to cause those damages (that's tricky in this case because the prosecution can put on a pretty good case demonstrating that intent).


> How can they possibly be letting a freshly convicted felon talk like this?

Because the conviction, much like the government's accusations and case, is bullshit.


I'm guessing the news agency with its leaked username/password hired some outside security firm to assess the breach and certify all is good - and that is what cost thousands? Could we have some consideration of what is fair and rational here? Leaking a username/password should not generally involve any jail time, period.


If the company claims to have business-critical resources, then it should also be sentenced for not protecting them enough. What's happening here is weak password-based security, non-deactivated credentials of a former employee, and an attempt to fund the security firm from the penalties on the hackers.


Why should the business be prosecuted for not protecting themselves better? I can only see the point behind arguing that a business should be prosecuted for not protecting their _customers_ or _the public_ better.

While I might want my accountants to be prosecuted for leaving their doors unlocked overnight, I wouldn't want the local baker prosecuted for doing the same.


Sure, he's responsible.

But he deserves a month in jail, at most.


Well, he could very well have cost his former employer tens of thousands of dollars—it would be appropriate for any sentence to be at least roughly the amount of time it would have taken him to earn that sum.


Does that mean that your prison time should be inversely proportional to your economic status?


Financial damages, have him actually pay for (possibly a set percentage of) them instead of spending money to keep someone away from work to inflict the same damage on him.


Unless you're a banker, in which case you don't spend any time in jail, and you're given trillions in bailouts funded by the taxpayer.


Not "his hack." His alleged hack.

From the fine article: "Let’s be clear: I never passed a username or password to Anonymous," he said.


He's been convicted. And the evidence was not "he-said she-said". They've got his home IP address on some of the IRC chats, among other things.

I think we're past genuflecting "allegedlies".


Just in the interest of being thorough (because I'm not at all interested in his guilt or innocence), there seems to be some confusion about the IP address:

"As Keys tells it, he was merely gathering information as a journalist about Anonymous, but did not have his IRC handle registered—so, he supposes, someone else, using an entirely different IP address, was using that nickname instead."

"'That was one of several names that I used, but it wasn't locked down, it wasn't registered and it looks like somebody did use it. It was connected to an IP address that wasn't mine. The FBI agent admitted that he didn't have any records of [that IP address].'"

http://arstechnica.com/tech-policy/2015/10/journalist-linked...


Convicted based on network evidence assembled by the FBI. So, allegedly.


> the attackers used it to modify stories

_A_ story. For 40 minutes. The prosecution couldn't even prove anyone saw the story in that time.


The damage figures the prosecution is using aren't based on the story itself. Tribune cites a $17,000 cleanup cost, which is, for a breach, cheap.


"However, exhibits displayed during the defense’s opening arguments show supposed emails from Brandon Mercer, Keys’ ex-boss, saying, “If you bill a thousand dollars an hour, that will help us get it prosecuted,” suggested the government is misrepresenting the true cost. In another email from the exhibits, Mercer estimated the damage at around $3,800."

http://motherboard.vice.com/read/low-level-vandalism-or-high...


So? That should normally be covered by damages and not punishment. The reason the defense "fixates" on how long the story was up for is because that actually has to do with the severity of the crime.


I agree with that.



