ManageEngine OpManager, a powerful NMS for monitoring your network, physical & virtual (VMware/ HyperV) servers & other IT devices. Deploy and start monitoring in less than an hour. Trusted by over a million admins world-wide. Try it for free.
A U.S. District Court judge last week sentenced Matthew Keys to two years in prison after he was found guilty of conspiring with the hacker group Anonymous to break into the Los Angeles Times' website and modify a news story.
Keys had been site administrator for KTXL Fox 40, which was owned by Tribune, the same company that owned the Times.
He was charged under the Computer Fraud and Abuse Act.
U.S. District Judge Kimberly J. Mueller ordered Keys to surrender June 15 to begin serving his sentence.
His lawyers are expected to appeal the sentence and file a motion for bail pending appeal.
Keys was dismissed from KTXL Fox 40 in 2010 and took credentials he had secretly created with him, according to the prosecution.
He used those credentials to steal a list of email addresses of KTXL Fox 40 viewers who had signed up for an affinity program, sent anonymous harassing emails to viewers and former colleagues through a proxy server, and launched an eight-day campaign of accessing the content management system to lock his replacement out of that system, prosecutors said.
Keys later created a backdoor for the Tribune CMS, gave that to Anonymous and told them which Tribune properties to target. He also repeatedly urged Anonymous to attack the Los Angeles Times.
One Anonymous member finally did hack into the Times and deface one of its stories.
His offense was serious enough to require a substantial prison sentence, the prosecutors argued, adding that he targeted the justice system following the verdict. The prosecution recommended a sentence of five years.
Pointing out that the Probation Department had called for an 87-month term and describing that as "reasonable and the best way to promote sentencing uniformity," the prosecution suggested that five years was "sufficient, but not greater than necessary to comply with the purposes of sentencing."
Keys retweeted the comments of people who thought the sentence was too harsh.
"...and so, any lingering sympathies regarding my subscription to @latimes dies today," tweeted dexterdyne.
"What happened to [Matthew Keys] is mind-blowingly scary," tweeted Saina Behnejad. "And ridiculous. Priorities?!"
Electronic Frontier Foundation spokesperson Karen Gullo pointed the E-Commerce Times to an EFF blog post on the case.
A donation site for Keys' legal fund has been set up.
"Justice is relative, but I do think the punishment is within the realm of acceptable discretion," observed Yasha Heidari and attorney at the Heidari Power Law Group.
"Keys' intent played a heavy hand in his punishment and the prosecution of the case," he told the E-Commerce Times. "It's one thing to negligently forget your employer's keys while at Starbucks; it's quite another to deliberately hand over the keys in a sketchy part of town to some hoodlums and provide them a map to the employer's office."
Keys' lack of remorse probably played a part in the sentence, Heidari remarked. "Considering he was found guilty beyond a reasonable doubt, I don't think he did himself any favors by proclaiming his innocence."
The sentence "is relatively lenient compared to other high-profile CFAA prosecutions such as Andrew Auernheimer," observed Charles King, principal analyst at Pund-IT.
"Keys is lucky in the sense that the case was tried by a judge who understood how thin the charges against him really were," he told the E-Commerce Times.
"It's entirely reasonable to look at this from the other side -- that Keys' crime was so trivial that prosecutors were forced to inflate its effects in order to charge him and take the case to trial," King said, "but that also casts light on the remarkable flexibility the CFAA grants to police and prosecutors. I expect prosecutors were really interested in sending a signal about the repercussions of supporting the activities of Anonymous."
The person who actually hacked the Times website -- allegedly a hacker with the moniker "Sharpie," who lives in Scotland -- has not yet been charged, although prosecutors reportedly have known his identity since at least 2015.