Journo who went to prison for 2 years for breaking US cyber-security law is jailed again

Deletion of employer's YouTube account deemed violation of release


Former journalist Matthew Keys, who served two years in prison for posting his Tribune Company content management system credentials online a decade ago in violation of America's Computer Fraud and Abuse Act, has been ordered back to prison for violating the terms of his supervised release.

On Monday, Keys, 34, a resident of Vacaville, California, received an additional six-month sentence and 18 months of supervision with computer monitoring requirements, according to the US Attorney's Office of the Eastern District of California. The sentence follows from a judge's finding that Keys intentionally deleted a YouTube account he was managing on behalf of his then employer, Comstock’s Magazine.

"Businesses and individuals are already struggling against threats to the integrity of their data from hackers and data thieves," said Acting US Attorney Talbert in a statement on Monday. "They should not also have to worry about data destruction from former employees seeking retribution."

Keys's attorney, Mark Reichel, told The Register in a phone interview that he's appealing the decision.

"The reason we are appealing is the Federal Computer Fraud and Abuse Act is continuously being reinterpreted and reexamined in the courts of appeal, so any district judges ruling on a novel approach or unique circumstance as presented here clearly need to be reviewed in the appellate courts," said Reichel.

Initially indicted in 2013 [PDF] for posting his corporate username and password to IRC, which allowed a miscreant claiming to be a member of the Anonymous hacking group to alter a Los Angeles Times article, Keys was convicted under the controversial CFAA – recently narrowed by the US Supreme Court – and served his two-year sentence.

Following his release in 2018, he began working in 2019 as the digital editor at Comstock’s Magazine in Sacramento, California, where he also managed the publication's social media and YouTube accounts.

According to the USAO, he resigned unexpectedly in January 2020, less than a year after he started and three months before his supervised release term was set to expire. He allegedly refused to turn over the credentials for the magazine's online accounts and subsequently is said to have emailed the publisher to express frustration with the publication's work environment and business practices.

"He accused editors of badgering him after hours, interrupting his sick leave, creating a hostile work environment, 'making comments about protected classes,' spreading lies about his work, and lying about the reasons for his departure," according to the judge's April 20, 2021 order [PDF].

A new assistant editor was hired around February 2020 to take the place of Keys. But she found she could not log in to the Google account associated with the magazine's YouTube channel – the password had been changed and the videos were gone. Comstock's filed a police report and the ensuing investigation led authorities to conclude that Keys was responsible.

According to the judge's order:

[S]oon after he resigned, in the early morning hours between February 9 and 10, the password for the magazine’s Google account was changed, a recovery email address deleted, and the only recovery tools available to secure the account were Keys’s old Comstock’s email address and his phone number.

Google’s records for the same timeframe confirmed that someone logged into Comstock’s account. Monitoring software captured screenshots of someone using Keys’s laptop to look at accounts and passwords related to Comstock’s during that same early-morning window. And the next night, the browsing history on Keys’s iPhone shows it was used to search for 'how to delete youtube account,' that it navigated through the YouTube options necessary to delete an account, and that it landed on a YouTube address containing the text string 'deletesuccess.'

The judge found the government's case persuasive and Keys's explanation implausible, and concluded that Keys violated his release requirements.

Reichel nonetheless argues that what happened was not a CFAA violation, particularly in light of the US Supreme Court's recent Van Buren decision. "[The government] may think he did this and they obviously don't like it, but that doesn't make it a federal crime," he said. "Everything done with a computer does not become a CFAA violation."

Reichel hopes to have the case reviewed by the US 9th Circuit Court of Appeals. ®

