[tptacek]

Can you be more precise about "relatively weak security"? The accused in this case exfiltrated credentials to the system that was compromised. Most companies would fall to that attack.

Meanwhile: they clearly can't just revert the web page. Keys gave a hacker group a login for a web application. How, exactly, does Trib Corp know how much damage the hacker group did to the server? There needs to be an investigation, and the norm is that the investigation should be done by a third party.

Meanwhile, there's a principle in the law that you take the victim as they come. In US tort law, it's called "the eggshell skull rule". It means if you hit someone over the head with a book or something and unexpectedly fracture their skull because it turns out to have been as thin as an eggshell, you are still responsible for the damage you caused.

[jessaustin]

It's my understanding that credentials were used to access a system from "outside" some time after the employment of the user associated with those credentials ceased. That is weak, relative to other firms that take the steps necessary to retire the credentials of former employees. I've worked at such firms; I know they exist. You probably have a better sense of the "average" state, however.

It isn't at all clear to me that the eggshell rule is relevant to this situation. This was not an act of violence. Packets were exchanged among computers, which resulted in other packets being exchanged among computers. The "legal reasoning by tortured analogy" one sees so often on HN has really crippled our collective intelligence.

[tptacek]

The rule isn't about violence. It's about the fact that someone who commits a wrong can't rely on the victim's prior diminished circumstances to mitigate the impact of their own wrong.

The person who smacks the eggshell-skulled victim upside the head with a magazine couldn't imagine that doing so would have fractured their skull. People don't normally have skulls as thin as eggshells. "Tough shit", says the law. "If you don't want to expose yourself to the risk of fracturing someone's skull, don't hit people upside their heads with magazines."

By the same token, whatever frailties existed in Trib Corp's internal security, necessitating expensive post-breach cleanup, are justifiably imputed to Keys, not to Trib Corp.

[jessaustin]

Wow I wish that "rule" applied somehow to cyclists and pedestrians killed by motorists. That would be handy!

As described above, against a firm with a modicum of security procedure, this "attack" would have been a no-op. As in, all the same actions could have been taken, and they would have had no effect whatsoever. "Attacks" like this take place every day, and many even succeed, with no action from prosecutors whatsoever.

You and I have different conceptions of justice. It may well be that yours conforms more exactly to that enforced by the courts; we don't live in a perfect world.

[tptacek]

That rule very much does apply to cyclists killed by motorists! But remember, the rule is that you impute harm caused by a tort or a criminal offense. You have to start by establishing the driver was at fault.

[jessaustin]

It's a commonplace that motorists are very rarely charged in these situations, because they "didn't see the cyclist" and also "why was the victim riding a bicycle on the street?" I guess we've established that the eggshell rule is yet another legal instrument to increase the "discretion" of LEOs, prosecutors, and judges, as if they really needed more of that.

[tptacek]

That's a coherent argument, but then I feel like I get to point out that you're litigating the whole concept of the justice system, not Keys sentence in particular. Keys is both extremely lucky and extremely privileged compared to the average person serving a multi-year sentence.