Former Reuters Journalist Matthew Keys Sentenced to Two Years for Hacking (vice.com)
66 points by citizensixteen on April 14, 2016 | 63 comments


Such a BAD use of taxpayer money. So now we have to pay for 2 years of jail time (probably 1 year for good behavior) for giving a key (that was actually not proven but was believed by the jury). The crime was the defacing of ONE page. This key also should have been revoked after he left the company.

The recommendation of 7 years is just crazy and even the lowered 5 years is just nuts. If you just look at the cost to the newspaper, it was at one point almost a million dollars, when the fix for the page was one editor reverting the page.

> In order to be convicted of felony under the particular provisions of the Computer Fraud and Abuse Act which prosecutors used to charge Keys, the conduct must exceed a threshold of $5,000.

That someone is responsible for paying a company to shore up their security is an issue. Or the inflation of costs so Federal Prosecutors can get another win under their belts. That overreach is pretty high in this case.


In this case, the problem wasn't so much that Trib Corp had poor security (they probably do though), but rather that an insider exfiltrated credentials to one of their servers to an IRC channel. There are a few companies in our industry where that attack wouldn't be devastating, because of very carefully designed security programs. But there are not many of those companies. Most companies you've heard of are just as vulnerable as Trib Corp was.


But charging them with hacking? And putting them in prison for 2 years?


There's no such charge as "hacking".


Of course. We're able to make the distinction of being hacked versus someone crawling through an open window. If only jurors could be expected to do the same.


What distinction is it that you're trying to make? Crawling into a building through an open window is no less of a crime than picking the locks. In fact: it's exactly the same crime.


Picking the locks is breaking and entering, going through an open window is illegal trespass, assuming you don't have to move any parts of the window. At least where I live. It depends on whether or not you have to use even the slightest amount of force to gain access. It also depends on your intent to commit a crime inside. If I'm looking for you because I've found your toddler wandering around outside and I open an unlocked door to call out your name, it isn't a crime. I'm not sure what happens if I pick a locked door in that situation, getting pretty contrived now. But let's say I heard your kid crying inside that you'd abandoned, it wouldn't be a crime to pick the lock and rescue him/her.


No, I don't think this is at all correct. Going through a window is breaking and entering.


Well, I didn't know, so I looked it up before posting. https://en.wikipedia.org/wiki/Burglary

> Although rarely listed as an element, the common law required that "entry occur as a consequence of the breaking".[7] For example, if a wrongdoer partially opens a window with a pry bar—but then notices an open door, which he uses to enter the dwelling, there is no burglary under common law.

There are more results if you search for "breaking and entering", it was all pretty consistent.


See for instance Massachusetts model jury instructions, which are explicit that opening an unlocked door constitutes "breaking".


Yes, but that's using force to open the door, which was in my original claim about no force on an open window.

Reading that WP article again, turns out I was just considering the common law part. It later says:

> The common law definition has been expanded in most jurisdictions, such that the building need not be a dwelling or even a building in the conventional sense, physical breaking is not necessary, the entry does not need to occur at night, and the intent may be to commit any felony or theft.

So I'll give it to you for "physical breaking is not necessary", even though I don't actually know about the jurisdiction in question. (I didn't rtfa.)


What's your point, though? If opening an unlocked door is B&E, what does the lockpicking analogy teach us?


Oh, I was literally just arguing the other side about going through an open window because I didn't know for sure if it was burglary. (Common law says no, but that's probably updated, but maybe not in some places, but I didn't check them all.)

I don't see how you could access a computer without using "force", any input from a human constitutes force in my opinion. So no disagreement as far as the actual crime is concerned, I'm just nitpicking for fun...


On reflection, perhaps this pointless diversion yields the following maxim:

  You can walk into a house through an open door,
  but you can't walk into a computer.


You can totally walk into a computer. I've done it. Hurts.


The only machine around here that I could totally walk into is an S/390, but oddly enough I don't have the key to its bedroom.


Those keys were those of an ex-employee. When you let a person go or they leave the company those credentials should have been changed.


They should have. He also should not have given out the password.

A failure to change the locks does not mean you have created an attractive nuisance to former employees.
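The point raised here, that credentials of departed staff should have been revoked, is a routine offboarding control. As an added example that is not from the thread or from Tribune, the script below reconciles a constructed CSV export of application accounts against a constructed HR separation list and flags accounts that were still enabled, or were used, after the separation date. The column names and file formats are assumptions for the sake of the example.

```python
"""Reconcile active application accounts against HR separation records.

Added example (not from the thread): given an export of CMS accounts and a list
of employees who have left, flag accounts that remain enabled or that logged in
after the separation date. All data below is constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data: an application account export and an HR separation list.
ACCOUNTS_CSV = """username,enabled,last_login
alice,true,2016-04-10T09:12:00
bob,true,2016-03-22T18:40:00
carol,false,2016-01-05T08:00:00
dave,true,2015-12-30T11:15:00
"""

SEPARATIONS_CSV = """username,separation_date
bob,2016-03-01
carol,2015-12-31
dave,2016-01-15
"""


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def parse_accounts(text: str) -> dict[str, dict]:
    """Parse the (assumed) account export into username -> {enabled, last_login}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        accounts[row["username"]] = {
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": datetime.fromisoformat(last) if last else None,
        }
    return accounts


def parse_separations(text: str) -> dict[str, date]:
    """Parse the (assumed) HR list into username -> separation date."""
    return {
        row["username"]: date.fromisoformat(row["separation_date"].strip())
        for row in csv.DictReader(io.StringIO(text))
    }


def find_stale_accounts(accounts: dict[str, dict], separations: dict[str, date]) -> list[Finding]:
    """Return one Finding per control failure: account still enabled after the
    separation date, or a login recorded after it (evidence of use, not just exposure)."""
    findings = []
    for user, sep_date in sorted(separations.items()):
        acct = accounts.get(user)
        if acct is None:
            continue  # no account in this system; nothing to revoke
        if acct["enabled"]:
            findings.append(Finding(user, f"still enabled after separation on {sep_date}"))
        last = acct["last_login"]
        if last is not None and last.date() > sep_date:
            findings.append(Finding(user, f"logged in on {last.date()} after separation on {sep_date}"))
    return findings


def run_report() -> list[Finding]:
    return find_stale_accounts(parse_accounts(ACCOUNTS_CSV), parse_separations(SEPARATIONS_CSV))


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.username}: {f.reason}")
```

A disabled account that still shows a post-separation login (carol above) is the more serious finding: revocation happened, but late, and the use in between is exactly what a DFIR scoping exercise would then have to chase.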


Attractive nuisance is supposed to apply to children.

However, failure to collect keys gets into murky situations.


Can you be more specific about the murky situation we're talking about here? I moved offices from Oak Park back into Chicago a few months back. The landlord never collected the key. My old office was rented out (I can see from the window). Can I go look around inside it?


It's not that you have the right to go back. Rather, by failing to change the locks they might have some liability if you did go back.

If a lessor or landlord in Illinois does not change or rekey the unit's lock before the day the new tenant or lessee takes possession, and a THEFT occurs at that dwelling unit that is attributable to the lessor's failure to change or rekey the lock, the landlord is liable for any damages from the theft that occurs as a result of the lessor's failure to comply with the law http://www.securitydepositlaw.com/blog/chicago-tenants-right...


No, that's actually not true of commercial leases in Chicago. It's true of residential leases because residential landlords have a whole bunch of very specific issues about key changes.

But stipulate that it was true. What bearing does that have on this case? If I go into that office and steal $5000 worth of computer equipment, am I not liable for felony grand theft because the landlord has civil liability to the tenant?


Liability can be shared and a tenant may greatly prefer going after an ex-landlord vs. some random person.

Granted, this does not apply in your case, but Chicago does have mixed use Residential/Commercial leases which is covered.

Now suppose a tenant goes back to retrieve their property the day after their lease ends. Which under some situations they are allowed to do. Key works, they enter the building...

IANAL, but would suggest this is a situation the owner would like to avoid.


Your concern here is over moral hazard. You're saying, the law makes landlords liable for theft so that they'll do their duty to secure their building. I'm not arguing this point; moral hazard makes a lot of sense. If you want to argue that Trib Corp should have some negligence liability here, fine.

But there is no sense in which that kind of liability mitigates the criminal actions of others. If I go into a building for which the landlord is liable for theft, and I steal $5000 worth of crap (or cause $5000 worth of damage), I'm going to be prosecuted for that if I'm caught, no matter the landlord's liability. Criminal liability isn't shared due to negligence, and when criminal liability is shared (among accomplices and co-conspirators), it's not divided up among the parties --- because that would be silly.


Moral hazard does play into what they can claim as damages. If reverting the defacement using their CMS system costs $500 and results in $2,000 in lost profit, NP. If it takes someone a few hours to verify that was the only change, NP.

But, they can't claim time related to revoking his permissions because they should have done that in the first place. Ditto for performing a security audit etc.

This is a normal user using their CMS system, not an admin or developer messing with things.


I'm only going on here because I'm worried I've been unclear about the nature of the damage here.

If you're objecting to the idea that, having caused a breach, the convicted attacker is now on the hook for securing the application they broke, so that the attack they used is no longer viable, I agree. That is in no way fair.

But that's not what's happening.

Instead, having been breached, and only because they've been breached, the victim is now in a position of needing to assess the extent of the damage done. They can't guess --- at least, not if they're a major corporation --- because continuing to operate when you have reason to believe you've been systemically compromised is unethical and dangerous.

That's the difference between a DF/IR audit and a security audit. A security audit tries to find all your vulnerabilities. A DFIR audit tries to scope the compromise and retain evidence. Of the two, the DFIR audit has a narrower scope and more specific purpose.

But, weirdly, it's also more expensive. There are more application security consultants than there are DFIR auditors, and DFIR auditors are often selected by insurance companies, not by the market.

At any rate: the costs we're talking about Keys having incurred are not a bonanza of free assessment work Trib gets to bill to Keys.


Someone logged into the CMS system using an active account and changed something in the CMS system. Are they required to do an audit of anything outside the CMS system? No.

I accept that you feel an external audit is required. But is it a reasonable expense directly incurred? No.

PS: As a parting piece of evidence. Was $10,206 to $13,147 likely to include DFIR audit and all other costs? No.


What do you think they spent $13,000 on?


>At trial, prosecutors presented evidence of loss ranging between $10,206 and $13,147

>In an unexpected twist, while going over the defense’s objections to the PSR, Judge Kimberly Mueller limited the amount of loss (for purposes of sentencing) to whatever had been presented at trial, thus drastically reducing the amount of prison time recommended by the sentencing guidelines. In the end, by the judge’s own determination, the appropriate range for sentencing was between 37 and 46 months.

So the actual sentence wasn't based on inflated numbers, and was lower than recommended based on actual numbers.

(Or are you saying the "evidence" of loss presented at trial was fake?)


I am saying that they INFLATED the loss to go over the $5,000 threshold.


As someone who works in this field and has been a party to breach investigations, it is really hard for me to imagine a breach in which the website of the Los Angeles Times is defaced costing less than $5000. I'm actually surprised --- as, apparently, were the prosecutors --- that the established losses were capped at ~$15,000.

If you're operating a company with real customers and real cash flow at any kind of real scale, and you suffer a serious breach, figure $50,000-$60,000 is table stakes for getting that breach resolved.

The intuition you need, to price these things out, is that once an attacker obtains unexpected unauthorized access to a system, the very next thing they do (and, in this case, the very next thing they tried to do --- much to Keys' chagrin) is extend and persist access. Which means that if you're resolving a breach, you have to re-assess every system that the attackers got unexpected access to and verify that they didn't (a) implant something that will restore access in the future or (b) uncover some latent vulnerability that would allow them to do that.

Nobody reliably assesses internal systems (those systems you get unexpected access to once you successfully obtain unauthorized access). Nobody. An attacker gets behind the login prompt on a CMS you've deployed? You probably need to re-assess the whole CMS, because a big chunk of your security for that CMS probably relied on the idea that attackers don't know and can't reach all the URL endpoints behind the login prompt. The attacker gets code execution somehow? Now they're on your internal network, and the same goes for every system on the internal network.

It adds up fast. And your insurance company will (a) demand that you pay it, and (b) shortlist your DFIR vendors for you.

Not fun times.


It is surprising to mere mortals that reverting a web page to a previous version, as GP described, costs that much. I can see an argument to include costs of investigation, and a much more tenuous argument to include costs to fix a vulnerability, but frankly the arguments not to include those costs seem more compelling. After all the defendant in this case didn't design and implement the relatively weak security. That was a business decision by managers and executives.

[EDIT:] I see you've added some material that explains why investigations cost more. That seems reasonable, but in many cases attackers are not within the reach of prosecution. If we allow firms to blame the "hacker" for needing to investigate how bad their security is, ISTM we're letting them shift the blame to parties who can't actually fix their problems.


Can you be more precise about "relatively weak security"? The accused in this case exfiltrated credentials to the system that was compromised. Most companies would fall to that attack.

Meanwhile: they clearly can't just revert the web page. Keys gave a hacker group a login for a web application. How, exactly, does Trib Corp know how much damage the hacker group did to the server? There needs to be an investigation, and the norm is that the investigation should be done by a third party.

Meanwhile, there's a principle in the law that you take the victim as they come. In US tort law, it's called "the eggshell skull rule". It means if you hit someone over the head with a book or something and unexpectedly fracture their skull because it turns out to have been as thin as an eggshell, you are still responsible for the damage you caused.


It's my understanding that credentials were used to access a system from "outside" some time after the employment of the user associated with those credentials ceased. That is weak, relative to other firms that take the steps necessary to retire the credentials of former employees. I've worked at such firms; I know they exist. You probably have a better sense of the "average" state, however.

It isn't at all clear to me that the eggshell rule is relevant to this situation. This was not an act of violence. Packets were exchanged among computers, which resulted in other packets being exchanged among computers. The "legal reasoning by tortured analogy" one sees so often on HN has really crippled our collective intelligence.


The rule isn't about violence. It's about the fact that someone who commits a wrong can't rely on the victim's prior diminished circumstances to mitigate the impact of their own wrong.

The person who smacks the eggshell-skulled victim upside the head with a magazine couldn't imagine that doing so would have fractured their skull. People don't normally have skulls as thin as eggshells. "Tough shit", says the law. "If you don't want to expose yourself to the risk of fracturing someone's skull, don't hit people upside their heads with magazines."

By the same token, whatever frailties existed in Trib Corp's internal security, necessitating expensive post-breach cleanup, are justifiably imputed to Keys, not to Trib Corp.


Wow I wish that "rule" applied somehow to cyclists and pedestrians killed by motorists. That would be handy!

As described above, against a firm with a modicum of security procedure, this "attack" would have been a no-op. As in, all the same actions could have been taken, and they would have had no effect whatsoever. "Attacks" like this take place every day, and many even succeed, with no action from prosecutors whatsoever.

You and I have different conceptions of justice. It may well be that yours conforms more exactly to that enforced by the courts; we don't live in a perfect world.


That rule very much does apply to cyclists killed by motorists! But remember, the rule is that you impute harm caused by a tort or a criminal offense. You have to start by establishing the driver was at fault.


It's a commonplace that motorists are very rarely charged in these situations, because they "didn't see the cyclist" and also "why was the victim riding a bicycle on the street?" I guess we've established that the eggshell rule is yet another legal instrument to increase the "discretion" of LEOs, prosecutors, and judges, as if they really needed more of that.


That's a coherent argument, but then I feel like I get to point out that you're litigating the whole concept of the justice system, not Keys' sentence in particular. Keys is both extremely lucky and extremely privileged compared to the average person serving a multi-year sentence.


I'm much more concerned with the obvious flaws of the system than I am with the "concept" of the system. I'm sure Keys would prefer not to trade sentences with e.g. the average drug "offender", but I doubt he'd consider himself "extremely lucky and extremely privileged". What could that even mean, for a person who shouldn't have been incarcerated a day, convicted, with evidence circumstantial at best, of an act that shouldn't even be a crime?


Wait, you think that exfiltrating a password to a giant newspaper's CMS to a hacker group and exhorting them to "fuck shit up" shouldn't be a crime?


Despite the big scary words [seriously, "exfiltrating" and "exhorting" in a single sentence; whom are we trying to convince?], it shouldn't be a crime. No fraud took place here. No personal or business data was stolen. No one was hurt. The damage was the online equivalent of "Kilroy was here" on a bathroom wall. The "victim" in the case is a giant media conglomerate responsible for the silencing of thousands of independent local voices. That is, they have no difficulty continually broadcasting their animating political philosophy: "More power and wealth for us! Glory to the top-down authoritarianism that makes us rich!" We don't hear the opposing side in that debate.

Rather, when it's heard, it's quickly silenced as in this case. (Keys was explicitly fired for political reasons. Who doubts he was prosecuted for the same reasons?) There isn't a chance that a similar episode at a small-town newspaper or independent broadcaster or even a popular online-only media site would receive the publicly-funded attention of a federal prosecutor. Most of those dream of higher public office, and they all know whom to make happy and whom to ignore, to make those dreams come true.

Resident HN Qin Dynasty fans might think the problem I describe is one of insufficient enforcement, that if only every knucklehead site defacement could be punished with the full weight of the USA-Justice Dept., we'd live in a utopia. Please realize, however, that this arbitrary authoritarianism is the only possible use of such a law, because it is the design of the law. There will never be enough federal prosecutors to send everyone involved with any defacement anywhere to prison. The point is not to prevent site defacement. The point is to centralize, to provide every benefit to large corporations and deny the same to other firms. That's actually the point of most laws that get passed nowadays. In this case, since this is a media company, the specific point is to control public discourse and destroy those who challenge it, and thereby to keep those profits and campaign donations up. For the rest of us, the cure is worse than the disease.

Security experts are the real fools, when they support the criminalization of minor shit like this. You're going to get paid anyway, whether someone goes to FPMITAP or not. In fact, you'd probably get paid more, if more people were comfortable poking giants in the eye. Executives bitch about all consultants, but do you imagine there is any particular type of consultant they'd be happier to fire? Giant corporations are not good, they are not your friends, and you owe them only the services they purchase. You don't owe them any political allegiance, and sending people like this to prison actually harms you in the long run.


Very little of this is responsive to what I wrote earlier. I think the problem here is that you're unconsciously building a whole lot of hindsight into your analysis. You know now that very little damage was done to Trib Corp (or whoever). But at the time, that was not known. It took a very expensive investigation to resolve those questions. The cost of that investigation should be borne by the people whose actions necessitated it.

I suppose there's a completely coherent argument to be made that anything you do with a computer to someone else's computer that doesn't cause physical, kinetic damage shouldn't be a crime. I'm unlikely to agree with that argument, though, so while it's good to know that that's what you think, we're probably at diminishing returns on this thread.


Responsive? I thought we were talking about the law. You asked, incredulously, if I thought a certain set of actions should be legal. I told you why I think they should. In short, the harms of inconsistently-enforced inherently-arbitrary only-for-bigcos laws such as these exceed those of not having such laws.

I stipulated at the very top of the thread that the investigation was surely very expensive. Most citizens wish these giant conglomerates, whether in media or banking or whatever, were smaller. We're not mollified when the costs of their giant size are passed along to the taxpayer and average citizen.

Actual crimes with actual harms to actual victims should still be crimes, whether they involve computers or not.


No, investigations for very small tech companies also cost far more than $20,000. Source: I've been a party to those, too.

Even if you adopt the position that we should have laws that treat victims differently depending on how big their companies are, that wouldn't have much bearing on this case.


I'll further stipulate that the costs of investigating vulnerabilities at tiny two-engineer firms far exceed the costs of investigating vulnerabilities at giant conglomerates like Tribune Media. When those vulnerabilities amount to "don't turn off credentials for fired employees", I still say they should pay for their own damn security work, and no criminal statute should say otherwise.


That's not what they're paying for. They're paying for the cost, in employee hours and outsourced contractor hours, of ensuring that all that happened was that a page got modified. Rest assured, their CMS is surely as crappy as it was before Keys laid his stubby little fingers on it.


"Stubby little fingers"? Ouch. He's probably going to get hassled enough for his appearance in FPMITAP. It makes sense that one would need to demonize him, though. That's the same maneuver we've seen with drug users, undocumented immigrants, etc.

Why denigrate a CMS when it's well established that Tribune Media weren't removing the passwords of fired employees? If you're sure they're still not doing that, it will be grimly hilarious the next time this happens.


It's not even always about finding how bad your security is. Sometimes you might know exactly how they got in, but that doesn't affect whether you've successfully cleaned them out at all. Once someone is on your system, being absolutely sure you've cleaned the systems out of security issues is something you'll never quite be sure of, without booting trusted third party media and comparing the disk to a known good backup. Most sysadmins I know don't bother, it's easier to just restore from a known good backup and selectively copy anything over that was changed more recently. Restoring a live system from backup and making sure it's fit for production duty is quite a bit more involved than changing a password, or patching a program. It's not a huge burden, but extend it across tens of servers, and costs start piling up quick.

If you find out that someone's been coming into your house when you're not there for a few weeks, but you're not entirely sure how, you don't just change your key, you also check all your windows, possibly fix the latch or replace the window on any that are broken, etc.
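The comparison described above, a live system checked against trusted media or a known-good backup, is the core of scoping a compromise. As an added example that is not from the thread, the script below hashes every regular file under a root, compares the result to a baseline manifest, and reports files added, removed or modified. The two directory trees it compares are constructed in a temporary directory so it runs offline; the file names and contents are invented for illustration.

```python
"""Compare a live file tree against a known-good baseline manifest.

Added example (not from the thread): build a path -> SHA-256 manifest for a
tree, then diff a post-incident snapshot against a baseline taken from a
known-good backup. Sample trees are constructed in a temp directory.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX separators) to its hash.
    Symlinks are skipped so a planted link cannot pull content from outside root."""
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline.
    Each bucket is something an investigator must explain before calling the system clean."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def _write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a known-good backup of a CMS install and a later snapshot
    in which one template was edited, one config file is missing, and one file appeared."""
    baseline_files = {
        "cms/index.php": b"front page",
        "cms/config.php": b"site configuration",
        "cms/templates/story.html": b"<h1>{{title}}</h1>",
    }
    current_files = dict(baseline_files)
    current_files["cms/templates/story.html"] = b"<h1>changed</h1>"  # the visible defacement
    current_files["cms/uploads/.cache"] = b"unexpected"             # unexplained new file
    del current_files["cms/config.php"]                             # unexplained missing file
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp) / "backup", Path(tmp) / "live"
        _write_tree(good, baseline_files)
        _write_tree(live, current_files)
        return diff_manifests(build_manifest(good), build_manifest(live))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The visible defacement shows up as one modified file; the other two buckets are the reason the work costs more than reverting a page, since each unexplained entry has to be examined before the system can be trusted again. In practice the baseline manifest is produced from the backup or trusted media, not from the live host whose integrity is in question.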


This is perhaps not directly related to this story, but it seems common that hackers are taken to be liable for the cost to fix whatever weaknesses they used to make the breach. This is like not fitting any locks on your doors, and then charging the burglar to put new locks on after a burglary.

The cost should generally be limited to the actual damage done by the hacker, rather than include things that the company should have been doing anyway.

After someone uses an open window to obtain entry, does that mean that they can be charged with the cost of locating and auditing every copy of every physical key to the premises, on the basis that they could have found one and stolen it while they were in the building?


No, that's not common. The damages imputed to attackers arise directly from what they did. The problem is that people ignore a whole class of damages in these cases: the DFIR work that is required to ensure that whoever attacked you didn't also persist themselves somehow.


The problem is that that work seems essentially unlimited (you can invent crazier and crazier possibilities that you need to check for), and doesn't seem to be something that we do so much for physical intrusions which nevertheless have the same features (you can find keys, take copies of keys, even change locks or make false walls / doors).

Your infrastructure should aim to be robust against people persisting themselves (in this case, something that allows an employee to persist themselves beyond the validity of their credentials is a serious problem whether the hacker does it or not). Where it is not, that's your failing. Charging the hacker for finding out where your infrastructure is failing is perverse since if anything their attack made it easier to spot a failing. If they did persist themselves, then obviously the cost to fix that belongs on the hacker, but the cost to identify such things is something you should be doing anyway.


The costs imputed to Keys in this case were under $20,000. There is absolutely no way the Tribune Corporation got a real, industry standard forensics investigation done for that sum of money.

I don't understand how you could impute the cost of auditing infrastructure for backdoors that could have been planted in a breach to the victim of the breach, rather than to the person convicted of causing the breach. We're not talking about having each of Trib Corp's applications assessed (the cost of that would be in the many hundreds of thousands of dollars, minimum).


If someone broke into the Tribune's printing office (which perhaps didn't collect the key or change the lock when they fired someone) and that person changed the headline and a byline for an article in the paper that went out to thousands of people, I still have a hard time believing a court would put that person in prison for 2 years because of it.

At some point we have to acknowledge these tough cyber laws do nothing but pass down intentionally harsh sentences to the unlucky few Americans that get the book thrown at them.

I predict we'll look back at them with the same embarrassment and shame we do mandatory minimum drug sentencing laws now.


Consider that your hypothetical scenario includes at least two distinct criminal charges: breaking and entering, and vandalism. In some jurisdictions, these would each be misdemeanors punishable by up to 1 year in jail. In most jurisdictions, these would be felonies, punishable by more than a year in jail (varies by jurisdiction and circumstances of charges but usually 2 to 5 for low-level crimes like these).

So one way to look at this is that he got the same amount of time, or less, he likely would have gotten if he had physically broken in and changed the title of the physical print of the paper (or had been an accomplice to others who actually perpetrated the criminal acts).


I don't know about that. What's the value of an entire print run of the Los Angeles Times? It's probably quite a bit more than the damages the court imputed to Keys.


I guess the fundamental difference driving my thinking is I believe it's futile to hand out prison sentences for crimes such as these. I'm dubious that it acts as any real deterrent to "hacking", and it wastes taxpayer money.

It's also becoming clear that the plaintiffs in these cases are completely washing their hands of their own responsibility for the crime. I understand that this is common in case law such as this, but if we want to actually secure this country against real cyber criminals then we need companies to step up and take responsibility for what's happening within their networks.


For those catching up, I made a timeline of the case: http://newslines.org/matthew-keys/


This is a great timeline. Thank you. It puts a lot of things into context.


Nice timeline.


I've read like 20 stories and I still can't figure out what Keys did that is actually illegal. He (or someone else) posted the login credentials to the Tribune's CMS, and then someone used those credentials to log in and deface the site? Or am I missing something?

That's like saying you can get in trouble for giving someone a key to your old apartment, and then they go use it to unlock the door and do whatever they feel like inside. Or can you get in trouble for this, as maybe, an accessory?


What you describe in both cases is illegal.
