This is the gambit the Electronic Frontier Foundation is now using -- as The New Web discusses, trying to compare the cost of digital vandalism to real-world vandalism and proclaiming digital vandalism as "far less".
More broadly, this case underscores how computer crimes are prosecuted much more harshly than analogous crimes in the physical world. For example, count one of Keys’ indictment charges him with conspiracy to cause damage to a protected computer. The damage was altering a news article, the equivalent of vandalism. Under the CFAA, this is a felony with a maximum punishment of five years in prison. Meanwhile, California state law criminalizes physical vandalism – like spray painting graffiti on a freeway sign– as a “wobbler” meaning it can be punished as either a misdemeanor—which comes with a maximum of a one year sentence—or a felony. If charged as a felony, the court can impose a sentence of 16 months, 2 years or 3 years.
But the damage isn't just altering a news story for 30 minutes -- and even if in the end it is just about that, it's no mere spray-painting cost. To be sure, the CMS alternation is the thrust of the indictment, but the search warrant contained more, and the indictment leaves room for more. It says, the conspiracy (i.e. planned act with a group of others to commit a crime) was "to damage computer systems used by Tribune Company". It says Fox 40 was targeted, not just the Los Angeles Times news article with the Chippy stuff.
Then the indictment says:
In furtherance of the conspiracy, and to accomplish the objects of the conspiracy, at least one member of the conspiracy committed and cuased to be committed various over acts within the Eastern District of California and elsewhere including, but not limited, to the following: (emphasis added)
Then it only talks about the damage to the CMS (content-management system, or system for posting the news article). It doesn't talk about the Fox 40 email list mentioned in the search warrant. Is that going to come later in a superseding indictment or does the "not limited to" cover it?
Because in the search warrant, we see this:
7. On or about December 1, 2010, KTXL Fox 40 (hereafter "Fox 40"), a television station located in Sacramento, California, learned that its email contact list had been compromised. The email list was located on the "P2P Server" of Fox 40's parent company Tribune Media, located in Los Angeles, California. The first person to notice the problem was Fox 40's news producer (the "Producer"), who began receiving unsolicited e-mails from an unknown person who claimed to have the e-mail list
The producer contacted the FBI and identified Matthew Keys, a disgruntled former employee, as a suspect.
The affidavit then notes that using his own accounts, Keys maintained the social media. Hey, that happens a lot, people. I've found myself in that situation as well. You're hired as a consultant and don't have the company's email address or are you part of their email system. But you're asked to make their social media presence. So you do, but using your own credentials. No company should allow that to happen. You should have an employee that makes and controls these accounts and have them supervised, not let casual outsiders run your sensitive public-facing interactive media.
The affidavit talks at length about all those fake emails causing havoc and also notes that Keys affirmed he had infiltrated Anonymous as well. Then it talks about the damages to Fox 40:
31. According to the Managing Director, Technology Architect at Tribune Media, approximately 333 man hours were spent by Tribune employees resopnding to the compromise of Tribune Media's server on December 14, 2010, at an estimated labor cost of $17,650.40. This estimate did not include costs relating to hardware and/or service uptrades implemented by Tribune following the intrusion, costs relating to the stolen e-mail list affecting Fox 40 News in Sacramento, nor ad revenue losses taken as a result of the attack
And continue reading the affidavit in support of the search warrant to see what the government has on Matthew Keys, which is a lot. Much of this is not showing in the indictment letter. I'm not a lawyer, but it seems to me that "not limited to" in the indictment means that any or all of this could be part of the trial. I need Orin Kerr or someone of that type (i.e. not Mike Masnick or Anonymous lawyers) to analyze the search warrant affidavit and the indictment and tell us what will stick out of it. But it's not 30-minute vandalism as EFF and the laptop tech press are saying because of the damage to Fox.
Oh, they may believe like Anonymous and AESCracked (Keys) that Fox "isn't" media and therefore doesn't deserve protection under the First Amendment. Oh, the tech press then "isn't" media because it's a bunch of corporate press releases selling gadgets, and doing Google's lobbying.
My comment at the Next Web:
The damage is to the public trust, for one, and an entire system of credibility that hinges on the idea that journalists don't think they can get to commit crimes in some autonomous realm only they live in, then plead exoneration because they were only getting a story. It didn't work for James O'Keefe on the Acorn story, even though he essentially got to the truth about Acord. It didn't work in the Food Lion case.
But specifically in this case, the damages aren't said to be only 30 minutes. The search warrant mentions the much higher costs of repairs related to also stealing the Fox News affiliate email lists, which had government emails among them. The indictment
I'm glad you're seeing through the law-faring gambit that Matthew Keys was merely performing journalism when he tried to join Anonymous as a hacker. Legal precedent suggests that you don't get to commit felonies and then say you were just pretending in order to get closer to sources in a story. That won't wash.
But the lawyers aren't just invoking that cover story, they're claiming that in fact the account AESCracked wasn't always under his control. Watch the full video of them on Huffington. They're claiming vaguely that somehow AESCRacked's account wasn't always under his control -- and they'll count on invoking the dynamic nature of IPs, or different IPs showing on the log ons on the IRC channel, to make that case.
As for this "30 minutes" stuff, that is only partially what the case is about. The search warrant also speaks of the estimated damages for stealing a list of Fox New affiliate emails, and government emails.
http://3dblogger.typepad.com/w...
The idea that real-world spray-painting isn't prosecuted as harshly as digital-world vandalism of a web page isn't one that flies in the real world of the costs of the digital world -- web staff and computer programmers and their time to clean up messes, reinforce the system hacked, and recover losses of ad revenue. That price is going to be fixed above the $5000 of the CFAA and is going to be more compelling in a jury trial, if it comes to that.
The geeks always want to disguise the costs of their own time out of the Internet, which is why they want to make everything free. In a case like this, it comes back to haunt them.
And the tech press seems to want to avoid a hard discussion of the loss in public trust involved in a journalist making common cause to attack another media property on the grounds that it "isn't really media" (Fox News). They don't seem to realize that the same could be said about them, as they are merely corporate press releases to sell gadgets much of the time.
Recent Comments