
It is surprising to mere mortals that reverting a web page to a previous version, as GP described, costs that much. I can see an argument to include costs of investigation, and a much more tenuous argument to include costs to fix a vulnerability, but frankly the arguments not to include those costs seem more compelling. After all the defendant in this case didn't design and implement the relatively weak security. That was a business decision by managers and executives.

[EDIT:] I see you've added some material that explains why investigations cost more. That seems reasonable, but in many cases attackers are not within the reach of prosecution. If we allow firms to blame the "hacker" for needing to investigate how bad their security is, ISTM we're letting them shift the blame to parties who can't actually fix their problems.



Can you be more precise about "relatively weak security"? The accused in this case exfiltrated credentials to the system that was compromised. Most companies would fall to that attack.

Meanwhile: they clearly can't just revert the web page. Keys gave a hacker group a login for a web application. How, exactly, does Trib Corp know how much damage the hacker group did to the server? There needs to be an investigation, and the norm is that the investigation should be done by a third party.

Meanwhile, there's a principle in the law that you take the victim as they come. In US tort law, it's called "the eggshell skull rule". It means if you hit someone over the head with a book or something and unexpectedly fracture their skull because it turns out to have been as thin as an eggshell, you are still responsible for the damage you caused.


It's my understanding that credentials were used to access a system from "outside" some time after the employment of the user associated with those credentials ceased. That is weak, relative to other firms that take the steps necessary to retire the credentials of former employees. I've worked at such firms; I know they exist. You probably have a better sense of the "average" state, however.

It isn't at all clear to me that the eggshell rule is relevant to this situation. This was not an act of violence. Packets were exchanged among computers, which resulted in other packets being exchanged among computers. The "legal reasoning by tortured analogy" one sees so often on HN has really crippled our collective intelligence.


The rule isn't about violence. It's about the fact that someone who commits a wrong can't rely on the victim's prior diminished circumstances to mitigate the impact of their own wrong.

The person who smacks the eggshell-skulled victim upside the head with a magazine couldn't imagine that doing so would have fractured their skull. People don't normally have skulls as thin as eggshells. "Tough shit", says the law. "If you don't want to expose yourself to the risk of fracturing someone's skull, don't hit people upside their heads with magazines."

By the same token, whatever frailties existed in Trib Corp's internal security, necessitating expensive post-breach cleanup, are justifiably imputed to Keys, not to Trib Corp.


Wow I wish that "rule" applied somehow to cyclists and pedestrians killed by motorists. That would be handy!

As described above, against a firm with a modicum of security procedure, this "attack" would have been a no-op. As in, all the same actions could have been taken, and they would have had no effect whatsoever. "Attacks" like this take place every day, and many even succeed, with no action from prosecutors whatsoever.

You and I have different conceptions of justice. It may well be that yours conforms more exactly to that enforced by the courts; we don't live in a perfect world.


That rule very much does apply to cyclists killed by motorists! But remember, the rule is that you impute harm caused by a tort or a criminal offense. You have to start by establishing the driver was at fault.


It's a commonplace that motorists are very rarely charged in these situations, because they "didn't see the cyclist" and also "why was the victim riding a bicycle on the street?" I guess we've established that the eggshell rule is yet another legal instrument to increase the "discretion" of LEOs, prosecutors, and judges, as if they really needed more of that.


That's a coherent argument, but then I feel like I get to point out that you're litigating the whole concept of the justice system, not Keys' sentence in particular. Keys is both extremely lucky and extremely privileged compared to the average person serving a multi-year sentence.


I'm much more concerned with the obvious flaws of the system than I am with the "concept" of the system. I'm sure Keys would prefer not to trade sentences with e.g. the average drug "offender", but I doubt he'd consider himself "extremely lucky and extremely privileged". What could that even mean, for a person who shouldn't have been incarcerated a day, convicted, with evidence circumstantial at best, of an act that shouldn't even be a crime?


Wait, you think that exfiltrating a password to a giant newspaper's CMS to a hacker group and exhorting them to "fuck shit up" shouldn't be a crime?


Despite the big scary words [seriously, "exfiltrating" and "exhorting" in a single sentence; whom are we trying to convince?], it shouldn't be a crime. No fraud took place here. No personal or business data was stolen. No one was hurt. The damage was the online equivalent of "Kilroy was here" on a bathroom wall. The "victim" in the case is a giant media conglomerate responsible for the silencing of thousands of independent local voices. That is, they have no difficulty continually broadcasting their animating political philosophy: "More power and wealth for us! Glory to the top-down authoritarianism that makes us rich!" We don't hear the opposing side in that debate.

Rather, when it's heard, it's quickly silenced as in this case. (Keys was explicitly fired for political reasons. Who doubts he was prosecuted for the same reasons?) There isn't a chance that a similar episode at a small-town newspaper or independent broadcaster or even a popular online-only media site would receive the publicly-funded attention of a federal prosecutor. Most of those dream of higher public office, and they all know whom to make happy and whom to ignore, to make those dreams come true.

Resident HN Qin Dynasty fans might think the problem I describe is one of insufficient enforcement, that if only every knucklehead site defacement could be punished with the full weight of the USA-Justice Dept., we'd live in a utopia. Please realize, however, that this arbitrary authoritarianism is the only possible use of such a law, because it is the design of the law. There will never be enough federal prosecutors to send everyone involved with any defacement anywhere to prison. The point is not to prevent site defacement. The point is to centralize, to provide every benefit to large corporations and deny the same to other firms. That's actually the point of most laws that get passed nowadays. In this case, since this is a media company, the specific point is to control public discourse and destroy those who challenge it, and thereby to keep those profits and campaign donations up. For the rest of us, the cure is worse than the disease.

Security experts are the real fools, when they support the criminalization of minor shit like this. You're going to get paid anyway, whether someone goes to FPMITAP or not. In fact, you'd probably get paid more, if more people were comfortable poking giants in the eye. Executives bitch about all consultants, but do you imagine there is any particular type of consultant they'd be happier to fire? Giant corporations are not good, they are not your friends, and you owe them only the services they purchase. You don't owe them any political allegiance, and sending people like this to prison actually harms you in the long run.


Very little of this is responsive to what I wrote earlier. I think the problem here is that you're unconsciously building a whole lot of hindsight into your analysis. You know now that very little damage was done to Trib Corp (or whoever). But at the time, that was not known. It took a very expensive investigation to resolve those questions. The cost of that investigation should be borne by the people whose actions necessitated it.

I suppose there's a completely coherent argument to be made that anything you do with a computer to someone else's computer that doesn't cause physical, kinetic damage shouldn't be a crime. I'm unlikely to agree with that argument, though, so while it's good to know that that's what you think, we're probably at diminishing returns on this thread.


Responsive? I thought we were talking about the law. You asked, incredulously, if I thought a certain set of actions should be legal. I told you why I think they should. In short, the harms of inconsistently-enforced inherently-arbitrary only-for-bigcos laws such as these exceed those of not having such laws.

I stipulated at the very top of the thread that the investigation was surely very expensive. Most citizens wish these giant conglomerates, whether in media or banking or whatever, were smaller. We're not mollified when the costs of their giant size are passed along to the taxpayer and average citizen.

Actual crimes with actual harms to actual victims should still be crimes, whether they involve computers or not.


No, investigations for very small tech companies also cost far more than $20,000. Source: I've been a party to those, too.

Even if you adopt the position that we should have laws that treat victims differently depending on how big their companies are, that wouldn't have much bearing on this case.


I'll further stipulate that the costs of investigating vulnerabilities at tiny two-engineer firms far exceed the costs of investigating vulnerabilities at giant conglomerates like Tribune Media. When those vulnerabilities amount to "don't turn off credentials for fired employees", I still say they should pay for their own damn security work, and no criminal statute should say otherwise.


That's not what they're paying for. They're paying for the cost, in employee hours and outsourced contractor hours, of ensuring that all that happened was that a page got modified. Rest assured, their CMS is surely as crappy as it was before Keys laid his stubby little fingers on it.


"Stubby little fingers"? Ouch. He's probably going to get hassled enough for his appearance in FPMITAP. It makes sense that one would need to demonize him, though. That's the same maneuver we've seen with drug users, undocumented immigrants, etc.

Why denigrate a CMS when it's well established that Tribune Media weren't removing the passwords of fired employees? If you're sure they're still not doing that, it will be grimly hilarious the next time this happens.


It's super weird of you to try to position me alongside drug prohibitionists and deporters of immigrants. I take offense. Thankfully, this thread was long enough already.


It's not even always about finding how bad your security is. Sometimes you might know exactly how they got in, but that doesn't affect whether you've successfully cleaned them out at all. Once someone is on your system, being absolutely sure you've cleaned the systems out of security issues is something you'll never quite be sure of, without booting trusted third party media and comparing the disk to a known good backup. Most sysadmins I know don't bother, it's easier to just restore from a known good backup and selectively copy anything over that was changed more recently. Restoring a live system from backup and making sure it's fit for production duty is quite a bit more involved than changing a password, or patching a program. It's not a huge burden, but extend it across tens of servers, and costs start piling up quick.

If you find out that someone's been coming into your house when you're not there for a few weeks, but you're not entirely sure how, you don't just change your key, you also check all your windows, possibly fix the latch or replace the window on any that are broken, etc.
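The comparison against a known-good backup that the comment above describes, as an added example that is not from the thread: it hashes every file in a live tree against a backup tree and reports what was modified, added or removed, and separately flags files whose mtime is newer than the (assumed) backup snapshot time, since that is the "changed more recently" heuristic sysadmins use for selective copy-back. Sample trees are constructed in a temp directory; the path names and contents are made up for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_against_backup(live: Path, backup: Path, backup_time: float) -> dict:
    """Compare a live tree with a known-good backup tree.

    Content hashes decide modified/added/removed. An mtime newer than the backup
    snapshot is reported separately: whoever wrote a file can also set its
    mtime, so it is a triage hint, not proof of integrity."""
    live_m, good_m = build_manifest(live), build_manifest(backup)
    return {
        "modified": sorted(p for p in live_m if p in good_m and live_m[p] != good_m[p]),
        "added": sorted(p for p in live_m if p not in good_m),
        "removed": sorted(p for p in good_m if p not in live_m),
        "newer_mtime": sorted(p for p in live_m
                              if (live / p).stat().st_mtime > backup_time),
    }

def demo() -> dict:
    """Constructed sample trees: one file defaced, one unexpected, one deleted,
    and one untouched file whose mtime is backdated to before the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        snapshot = time.time() - 3600            # assume the backup was taken an hour ago
        for root in (backup, live):
            (root / "cms").mkdir(parents=True)
            (root / "cms" / "index.html").write_text("<h1>Front page</h1>\n")
            (root / "cms" / "config.php").write_text("<?php $db = 'prod';\n")
        (backup / "cms" / "old_draft.html").write_text("draft\n")               # removed on live
        (live / "cms" / "index.html").write_text("<h1>Defaced</h1>\n")          # modified on live
        (live / "cms" / "unexpected.php").write_text("<?php /* not in backup */\n")  # added on live
        old = snapshot - 86400
        os.utime(live / "cms" / "config.php", (old, old))   # unchanged content, pre-snapshot mtime
        return diff_against_backup(live, backup, snapshot)

if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Note that the unchanged config.php does not appear in any list, while the defaced page shows up under both "modified" and "newer_mtime"; anything in "added" or "modified" is what the comment's selective copy-back would have to review by hand.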



