Former Reuters Journalist Matthew Keys Sentenced to Two Years for Hacking (motherboard.vice.com)
66 points by citizensixteen 3725 days ago
4 comments

Such a BAD use of taxpayer money. So now we have to pay for 2 years of jail time (probably 1 year for good behavior) for giving a key (that was actually not proven but was believed by the juror). The crime was the defacing of ONE page. This key also should have been revoked after he left the company.

The recommendation of 7 years is just crazy and even the lowered 5 years is just nuts. If you just look at the cost to the newspaper it was at one point almost a million dollars when the fix for the page was one editor reverting the page.

> In order to be convicted of felony under the particular provisions of the Computer Fraud and Abuse Act which prosecutors used to charge Keys, the conduct must exceed a threshold of $5,000.

That someone is responsible for paying a company to shore up their security is an issue. Or the inflation of cost so Federal Prosecutors can get another win under their belt. That overreach is pretty high in this case.

In this case, the problem wasn't so much that Trib Corp had poor security (they probably do though), but rather that an insider exfiltrated credentials to one of their servers to an IRC channel. There are a few companies in our industry where that attack wouldn't be devastating, because of very carefully designed security programs. But there are not many of those companies. Most companies you've heard of are just as vulnerable as Trib Corp was.

But charging them with hacking? And putting them in prison for 2 years?

There's no such charge as "hacking".

Of course. We're able to make the distinction of being hacked versus someone crawling through an open window. If only jurors could be expected to do the same.

What distinction is it that you're trying to make? Crawling into a building through an open window is no less of a crime than picking the locks. In fact: it's exactly the same crime.

Those keys were those of an ex-employee. When you let a person go or they leave the company those credentials should have been changed.

They should have. He also should not have given out the password.

A failure to change the locks does not mean you have created an attractive nuisance to former employees.

Attractive nuisance is supposed to apply to children.

However, failure to collect keys gets into murky situations.

Can you be more specific about the murky situation we're talking about here? I moved offices from Oak Park back into Chicago a few months back. The landlord never collected the key. My old office was rented out (I can see from the window). Can I go look around inside it?

> At trial, prosecutors presented evidence of loss ranging between $10,206 and $13,147

>In an unexpected twist, while going over the defense’s objections to the PSR, Judge Kimberly Mueller limited the amount of loss (for purposes of sentencing) to whatever had been presented at trial, thus drastically reducing the amount of prison time recommended by the sentencing guidelines. In the end, by the judge’s own determination, the appropriate range for sentencing was between 37 and 46 months.

So the actual sentence wasn't based on inflated numbers, and was lower than recommended based on actual numbers.

(Or are you saying the "evidence" of loss presented at trial was fake?)

I am saying that they INFLATED the loss to go over the $5,000 threshold.
As someone who works in this field and has been a party to breach investigations, it is really hard for me to imagine a breach in which the website of the Los Angeles Times is defaced costing less than $5000. I'm actually surprised --- as, apparently, were the prosecutors --- that the established losses were capped at ~$15,000.

If you're operating a company with real customers and real cash flow at any kind of real scale, and you suffer a serious breach, figure $50,000-$60,000 is table stakes for getting that breach resolved.

The intuition you need, to price these things out, is that once an attacker obtains unexpected unauthorized access to a system, the very next thing they do (and, in this case, the very next thing they tried to do --- much to Keys' chagrin) is extend and persist access. Which means that if you're resolving a breach, you have to re-assess every system that the attackers got unexpected access to and verify that they didn't (a) implant something that will restore access in the future or (b) uncover some latent vulnerability that would allow them to do that.

Nobody reliably assesses internal systems (those systems you get unexpected access to once you successfully obtain unauthorized access). Nobody. An attacker gets behind the login prompt on a CMS you've deployed? You probably need to re-assess the whole CMS, because a big chunk of your security for that CMS probably relied on the idea that attackers don't know and can't reach all the URL endpoints behind the login prompt. The attacker gets code execution somehow? Now they're on your internal network, and the same goes for every system on the internal network.

It adds up fast. And your insurance company will (a) demand that you pay it, and (b) shortlist your DFIR vendors for you.

Not fun times.

It is surprising to mere mortals that reverting a web page to a previous version, as GP described, costs that much. I can see an argument to include costs of investigation, and a much more tenuous argument to include costs to fix a vulnerability, but frankly the arguments not to include those costs seem more compelling. After all the defendant in this case didn't design and implement the relatively weak security. That was a business decision by managers and executives.

[EDIT:] I see you've added some material that explains why investigations cost more. That seems reasonable, but in many cases attackers are not within the reach of prosecution. If we allow firms to blame the "hacker" for needing to investigate how bad their security is, ISTM we're letting them shift the blame to parties who can't actually fix their problems.

Can you be more precise about "relatively weak security"? The accused in this case exfiltrated credentials to the system that was compromised. Most companies would fall to that attack.

Meanwhile: they clearly can't just revert the web page. Keys gave a hacker group a login for a web application. How, exactly, does Trib Corp know how much damage the hacker group did to the server? There needs to be an investigation, and the norm is that the investigation should be done by a third party.

Meanwhile, there's a principle in the law that you take the victim as they come. In US tort law, it's called "the eggshell skull rule". It means if you hit someone over the head with a book or something and unexpectedly fracture their skull because it turns out to have been as thin as an eggshell, you are still responsible for the damage you caused.

It's not even always about finding how bad your security is. Sometimes you might know exactly how they got in, but that doesn't affect whether you've successfully cleaned them out at all. Once someone is on your system, being absolutely sure you've cleaned the systems out of security issues is something you'll never quite be sure of, without booting trusted third party media and comparing the disk to a known good backup. Most sysadmins I know don't bother, it's easier to just restore from a known good backup and selectively copy anything over that was changed more recently. Restoring a live system from backup and making sure it's fit for production duty is quite a bit more involved than changing a password, or patching a program. It's not a huge burden, but extend it across tens of servers, and costs start piling up quick.

If you find out that someone's been coming into your house when you're not there for a few weeks, but you're not entirely sure how, you don't just change your key, you also check all your windows, possibly fix the latch or replace the window on any that are broken, etc.
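The backup comparison the comment above describes, as an added example that is not part of the thread (my own script, not any poster's): it hashes a known-good backup and a live web root and lists what was added, modified or deleted since the backup, which is the list a responder has to judge before selectively copying anything back over a restored system. The directory layout and file contents are constructed for the demo; in practice both trees would be read from disk mounted read-only off trusted boot media, as the comment says.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_to_baseline(baseline, live):
    """Classify live files against the known-good manifest: added, modified, deleted."""
    return {
        "added": sorted(set(live) - set(baseline)),
        "modified": sorted(p for p in baseline if p in live and baseline[p] != live[p]),
        "deleted": sorted(set(baseline) - set(live)),
    }


def run_demo():
    """Constructed sample: a known-good backup beside a live web root that drifted after the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "cms").mkdir(parents=True)
            (root / "cms" / "index.php").write_text("<?php echo 'front page';")
            (root / "cms" / "config.php").write_text("<?php $db = 'prod';")
        # Drift on the live box: one file edited since the backup, one file the
        # backup never contained, one file missing. Each needs a human decision
        # before anything is copied back over the restored system.
        (live / "cms" / "index.php").write_text("<?php echo 'front page, updated';")
        (live / "cms" / "extra.php").write_text("<?php // not present in the backup")
        (live / "cms" / "config.php").unlink()
        return compare_to_baseline(hash_tree(backup), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```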

This is perhaps not directly related to this story, but it seems common that hackers are taken to be liable for the cost to fix whatever weaknesses they used to make the breach. This is like not fitting any locks on your doors, and then charging the burglar to put new locks on after a burglary.

The cost should generally be limited to the actual damage done by the hacker, rather than include things that the company should have been doing anyway.

After someone uses an open window to obtain entry, does that mean that they can be charged with the cost of locating and auditing every copy of every physical key to the premises, on the basis that they could have found one and stolen it while they were in the building?

No, that's not common. The damages imputed to attackers arise directly from what they did. The problem is that people ignore a whole class of damages in these cases: the DFIR work that is required to ensure that whoever attacked you didn't also persist themselves somehow.

If someone broke into the Tribune's printing office (which perhaps didn't collect the key or change the lock when they fired someone) and that person changed the headline and a byline for an article in the paper that went out to thousands of people, I still have a hard time believing a court would put that person in prison for 2 years because of it.

At some point we have to acknowledge these tough cyber laws do nothing but pass down intentionally harsh sentences to the unlucky few Americans that get the book thrown at them.

I predict we'll look back at them with the same embarrassment and shame we do mandatory minimum drug sentencing laws now.

Consider that your hypothetical scenario includes at least two distinct criminal charges: breaking and entering, and vandalism. In some jurisdictions, these would each be misdemeanors punishable by up to 1 year in jail. In most jurisdictions, these would be felonies, punishable by more than a year in jail (varies by jurisdiction and circumstances of charges but usually 2 to 5 for low-level crimes like these).

So one way to look at this is that he got the same amount of time, or less, he likely would have gotten if he had physically broken in and changed the title of the physical print of the paper (or had been an accomplice to others who actually perpetrated the criminal acts).

I don't know about that. What's the value of an entire print run of the Los Angeles Times? It's probably quite a bit more than the damages the court imputed to Keys.

I guess the fundamental difference driving my thinking is I believe it's futile to hand out prison sentences for crimes such as these. I'm dubious that it acts as any real deterrent to "hacking", and it wastes tax-payer money.

It's also becoming clear that the plaintiffs in these cases are completely washing their hands of their own responsibility for the crime. I understand that this is common in case law such as this, but if we want to actually secure this country against real cyber criminals then we need companies to step up and take responsibility for what's happening within their networks.

For those catching up, I made a timeline of the case: http://newslines.org/matthew-keys/

This is a great timeline. Thank you. It puts a lot of things into context.

Nice timeline.

I've read like 20 stories and I still can't figure out what Keys did that is actually illegal. He (or someone else) posted the login credentials to the Tribune's CMS, and then someone used those credentials to login and deface the site? Or am I missing something?

That's like saying you can get in trouble for giving someone a key to your old apartment, and then they go use it to unlock the door and do whatever they feel like inside. Or can you get in trouble for this, as maybe, an accessory?

What you describe in both cases is illegal.