Skip to content
Naked Security Naked Security

Feds ask for 5 years jail for journalist who handed over newspaper login

Matthew Keys was convicted of handing over login credentials for a website and then telling Anonymous to “go f**k some s**t up.”

Federal prosecutors want a 5-year jail sentence for Matthew Keys – the journalist convicted of handing over login credentials for the Los Angeles Times’s parent company and then telling Anonymous to “go f**k some s**t up.”

Which they did, though it wasn’t all that asterisk-worthy. Rather, the damage inflicted was more along the lines of gleeful tweaking.

An attacker claiming affiliation with Anonymous ultimately defaced a Los Angles Times news story, changing its headline, byline and sub-headline to include the name “CHIPPY 1337” and tweaking an article to read:

House Democratic leader Steny Hoyer sees ‘very good things’ in the deal cut which will see uber skid Chippy 1337 take his rightful place, as head of the Senate, reluctant House Democrats told to SUCK IT UP.

System administrators at the newspaper’s parent company, Tribune Company, reversed the defacement after 40 minutes.

That was in 2010. Keys wasn’t indicted until 2013, at which point he lost his job at Reuters, where he was working as a social media editor.

Keys was found guilty last year on three counts of criminal hacking under the Computer Fraud and Abuse Act (CFAA): the much-reviled law under which late activist Aaron Swartz was prosecuted.

To be convicted under the CFAA, the damage done by Keys’ crime had to exceed $5,000. Prosecutors claimed that Keys caused $929,977 worth of damage to the Tribune Company.

US Attorney Benjamin Wagner at the time of Keys’ conviction said in a press release that, although Keys “did no lasting damage,” he caused the Tribune Company to spend “thousands of dollars protecting its servers.”

Keys’ lawyer, Jay Leiderman, said during the trial that the damages didn’t meet that minimum requirement and claimed the Tribune Company inflated the damages to help the government get a conviction under the CFAA.

Keys has maintained his innocence from the get-go and opined that his conviction was “bullsh*t.”

The defense filed a sentencing memorandum on Wednesday, asking the court to impose no prison time at all or to opt for a “non-custodial sentence.”

The 69-page document defended Keys’ history as a journalist. His defense team had tried to argue that Keys was working undercover so as to report on Anonymous.

Keys’ attorney, Jay Leiderman:

In recent years, Matthew’s sacrifices have paid off in the form of impactful journalism that has received national attention.

His stories have encouraged discourse, influenced policy and won the attention and accolades from his peers in the industry, public interest groups and even law enforcement officials.

The attorney pointed out that if the prosecution gets its way in terms of sentencing, Keys will be put away for far longer than others convicted for such crimes:

[Keys] faces a far more severe sentence than any member of Lulzsec served. 60 months, which the Government seeks, would be more than any person engaged in hacking crimes during this period – by about double!

Leiderman also said in the memorandum that the man who actually carried out the attack against the Los Angeles Times, George David Sharpe, aka “Sharpie,” hasn’t been charged, either in the US or in his native UK.

The defense lawyer also pointed to a 1987 incident wherein TV pirates took over Tribune-owned WGN-TV, hijacking its signals for 24 seconds in what became known as the “Max Headroom” pirating incident.

Nobody found the culprit. Keys’ crimes pale compared to such an incident, where public safety could be jeopardized by blocked safety programming, Leiderman wrote:

Unlike hijacking a TV signal, altering the content of one LA Times article did not render the rest of the website inaccessible, posed no immediate or future danger or threat to the public and did not – by the government’s own admission – cause any lasting damage to the computer equipment used to operate the website or the website itself.

Prosecution filed its own sentencing memorandum on Thursday.

Assistant US Attorney Matthew Segal wrote that Keys deserves five years for his crimes:

A sentence of five years imprisonment reflects Keys’ culpability and places his case appropriately among those of other white-collar criminals who do not accept responsibility for their crimes.

Keys is scheduled to be sentenced on 23 March.

Readers, what do you think: does a punishment of 5 years in prison fit Keys’ crime?

Please let us know what you think in the comments section.

Image of Newspaper in handcuffs courtesy of


Before giving an opinion as to how Keys should be punished, I’d want to know his motivation for handing over the credentials. I feel like motivation here would be key (excuse the pun).


i think 5 years is acceptable considering the willingly gave credentials to a known hacker group. This sort of thing should have stiff consequences. plus a 5 year sentence will be knocked down to no more than 3 years when all is said and done.


The “I’m innocent” claim is severely diluted by the “oh yeah I was under cover” backpedal–unless an I.T. insider knew about the sting and forgot to testify. It’s one thing to lose security due to an ignorantly-bad password, but another when someone in a position of trust betrays that trust.

This act “caused” Tribune to invest thousands in security, but a) is it security they should’ve had anyway? b) no matter how good the security model is, it’s quite tough to prevent an authorized user going rogue.

And what sort of sentence will/did Chippy1337 receive?


I’m going to give a full honest opinion about my friend Matthew Keys, who I have been following on social media since 2009. First, I don’t consider Keys, capable in any way or form possible, to be involved in the alleged crime, which was a password sharing. By the way, if this is really a crime, then actor and comedian Andy Samberg of Saturday Night Live (NBC) fame, should also be prosecuted for sharing a password live on TV, back in September 2015, during the Emmy Awards on FOX Television Network. The password he shared, was for the HBO web site and he told the audiences “Go watch HBO for FREE, cause they don’t care about it (Sharing passwords).”

On the other hand, the state of Tennessee already passed a law that will consider a felony, to share a log in credential for any streaming sites like Netflix or Apple Music. I’m not kidding you all!

Upon sentencing, I will go on a virtual campaign to get Andy Samberg prosecuted the same way Keys was prosecuted. If the Computer Fraud laws are really that important to prosecute, then, they should prosecute presidential candidate Hillary Clinton, for allegedly sending e-mails using a G-Mail account, but I’m sure they won’t…

I’m just pointing out the fact, the US Government is prosecuting more of the truth tellers than the hackers out there. They did with the late Aaron Swarts and they did with Barrett Brown. Why is Matthew Keys being prosecuted? Because he did an investigation about Anonymous and Wikileaks, which the US Government didn’t liked at all. The excuse they gave, was in the form of several e-mails sent out by Keys, to a former Tribune’s Sacramento TV station manager, who now works for the San Francisco Gate. The e-mails in question where part of the evidence included in the trial against Keys, so he was being prosecuted for something else, than giving a password.

I had never seen so much injustice being done in this life… Hoping Keys gets probation, with restitution, but believe that on appeal, the wrongful conviction gets overturned.


sorry I’m late to the party.

I’d not heard of the Samberg/HBO thing and assumed immediately that HBO would’ve immediately locked the account. A quick search confirmed this.

While Samberg’s action isn’t exactly virtuous, it was more joke and PR stunt than deliberate malice. I wouldn’t be surprised if HBO bans him for life or tries to bill him for every program watched on that account after the broadcast. And he’d likely hope that he won’t receive that bill but will probably pay it if he does. The word ‘guilty’ is technically correct here but is not used to its full severity.

The main difference is that (assuming Keys is guilty) this was an intentionally clandestine act with harmful intent. OTOH Samberg made no attempt to conceal his action–in fact that’s the point.

Again, not defending Samberg’s childish stunt or convicting Keys prematurely, but as the accusation stands, there’s no “friendly joke” side to giving illicit access to an external person on the sneaks with the instruction “go fsck some sh*t up.”

If Keys was running a sting operation, he probably should’ve let his employer know about it first. Five years is too much, but probation is too little for betraying a position of trust. Any sysadmin knows the weakest security link is always your humans. Every day I trust these folks to use their passwords properly, and if one were to maliciously share a password and cause me hours of extra work due to a grudge or greed…well that goes a bit beyond “sorry bro, my bad.”


Seems that LAT should share the blame, as they left their systems open to such simple security measures. I’m puzzled as to why a perpetrator faces no charges, but an accessory gets the book thrown at him.


I’m also curious if Chippy will be prosecuted.

However, don’t blame the LAT. Most systems are wide open with “simple security measures” if someone who’s trusted with access shares that access. Without the sort of safeguards you see in movies with voiceprint and retina scan confirmation of access badges–which most users find annoying at best–every system will fall to a simple account authentication. You can’t block a user going rogue next week without blocking all your legitimate users today as well.


I’ve studied the CFAA, specifically the loss/damages provisions and how they are measured across the circuit courts. While I wasn’t focusing on district court cases, only circuit court cases, I am sure the million dollar damages is inflated. Unfortunately, “economic harm” counts “customer goodwill” towards the $5,000 threshold, and if you’re in a courtroom that is favorable to business and private enterprise, then the level of specificity that is required to prove damages drops significantly. For instance, in some cases “$100/hour to determine the nature of the breach by so-and-so, standard market rate” is not specific enough, whereas in other cases a single line item bill that just says “$6,000 security consultant” is enough. It unfortunately appears to depend on entirely specious elements, at times. I don’t have the cases in front of me, but I can say the first one was in the 9th Circuit, whereas the second was probably in the 5th, if memory serves.

18 U.S.C. § 1030(3)(8): the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information

18 U.S.C. § 1030(e)(11): the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!