Damage is assignable to the guy who provided credentials to people he knew were not supposed to have them. It is very much like the master key I have from my former employer. They didn’t ask for it back so I didn’t volunteer (didn’t leave on good terms). But if I provided it to some random joe on the street and the building got burglarized, I’d be criminally liable. It is a preventable hazard. The difference with the girlfriend is that she did not actively give them to someone. She intended for them to be lost.
Sure, the company should share liability but what they did was negligence, not a criminal act. If someone using those credentials were to break into the financial management system and steal all the employee paychecks, then the company would be liable for a civil suit based on negligence.
Except, of course, they’ve no doubt forced everyone to sign binding arbitration agreements instead.
If the victim does not suffer financial harm, that does not excuse the criminal act. If you are held up at gunpoint, and it turns out you have no money on you to steal, the perpetrator will still be convicted of armed robbery. The lack of financial harm will not even reduce his sentence. Courts focus on the intent of the criminal and less so on the outcome of the crime.
Which is why a significant fine and significant probationary time would serve as a deterrent. The only plus in the incarceration is making money for the prison system.
Personally, I think the Times should be fined for not adhering to best IT practices and contributing to the cost of an investigation. (In this case, I’m corporate-victim blaming.)
I’m not OK with harshly punishing people for things that didn’t happen but could have. If you drive drunk but get home safely, I do not think your punishment should be the same as if you plowed your car into a crowd and killed dozens of people, even though that could have happened.
Therefore, the person currently in charge of credentials, and not Matthew Keys - who was not supposed to have them, right? He had them because the credentials manager actively gave them to him, and that was a preventable hazard as you say.
Yes, sure, you’d be liable - but you shouldn’t be punished as harshly as the person who didn’t recover the key, nor as much as the actual burglar. There is a scale of responsibility here, and the person who is not employed by the company is not in any way obligated to remediate their security failures. The only reason you’d have any liability at all is because presumably you know that key still works, even though it certainly shouldn’t. If you could produce a policy document from your former employer that unequivocally states that locks are always changed when a master key goes missing, you have even less culpability. Security assurance is not your job, nor are you a cop (presumably). It’s simply not your responsibility to safeguard their keys.
In my opinion an appropriate punishment for the Times would be to have their website defaced and perhaps a small fine, say .5% of their income, levied for failing to secure their infrastructure. An appropriate punishment for Matthew Keys would be 120 hours of community service. An appropriate punishment for the actual hackers would be 400 hours of community service each; they didn’t really harm anyone, but they were trespassing.
This wasn’t my argument. My argument was that the actual sentencing was not proportional to the actual crime.
As far as prison costs, it’s an economic cost that is shared by the taxpayers. The cost of probation + $250,000 fine vs. the cost of incarceration +$250,000: which costs the taxpayers more?
Judges often have a discretionary window for sentencing and they ask for sentencing recommendations. In this particular instance (if you read the linked story), the L.A.Times/Tribune Co. is claiming that the cost of doing what should have been their due diligence is on Keys. That is, they had to actually update their security protocol as they should have done when Keys left, but they were squeezing every bit of profit out of their company for their shareholders and decided IT wasn’t cost effective. (I’m very familiar with this company as I had a spouse who used to work for them and friends who still work for them.)
By the way, do you know what it takes to change a federal statute? An act of Congress. And since we currently have an unresponsive Congress, I know I not holding my breath in trying to change laws.
That’s exactly what’s being argued. Many here seem to think Keys was overpunished. Do you know what it’s called when a point is being debated and you assume your opinion is correct without offering any argument or considering anyone else’s?
Again, why should I believe that?
That would be the sysadmin who should have revoked Keys’ privileges when he left the company. That guy should not have allowed Keys to have credentials that he was not supposed to have.
In that case, it could be argued that you were negligent for not returning a physical object that belonged to the company and not you.
In Keys’ case, there was no physical object, and no need to tell anyone at the company his username and password – there’s no physical object involved, so the onus is on the sysadmin.
Arguments by analogy only have force if the analogy isn’t different in important ways from the situation it’s being compared to.
If you are not in favor of the punishment, change the law. Until that happens, it is what it is and judges don’t get to change it.
Keys gave credentials to a known hacking group. He had to know what they would do with them. That is a criminal act. He doesn’t get off based on what happens to other people, or the fact that other people are equally or more culpable in this case, or on what your opinion is of what the law ought to be.
You want to change it? Do the hard work necessary to change it. You want to just gripe and do nothing? Then you’re like the guy at the end of the bar, banging his glass on the table and shouting about what this country needs.
The judge disagrees with you. Since he could have been imprisoned for up to ten years, he got off comparatively light. Especially since the sentencing recommendation was 7 years. Keys’ attorneys argued that the actual damages to Tribune company were (as you imply) very light and did not pass the $5000 threshold for imprisonment. The jury disagreed. The judge can’t change that.
Yes, changing laws is hard. But Congress critters respond to organized constituent pressure. If you don’t want to take up that challenge, then you obviously don’t feel that strongly about the issue.
You can certainly think that it is disproportionate. I do too. But you can’t argue it was invalid. It is in line with existing law. And since Keys provided his credentials to Anonymous and encouraged them to “go fuck some shit up,” I have a hard time working up sympathy for him.
So you’re saying since the judge diagrees with me, I’m not allowed to criticize the sentencing?
eta: Because you’re arguing so forcefully with those of us who disagree with this sentence. I don’t understand your point.
eta#2 [quote=“pjcamp, post:30, topic:76601”]
You can certainly think that it is disproportionate. I do too. But you can’t argue it was invalid.
[/quote]
By the way, I said the first but I’m pretty sure I didn’t say it was invalid. I think you’re arguing too many points when I’m arguing about one: the judge’s discretionary sentencing.
Last I checked, only the Affluenza types get to modify the law. And they don’t have to go through congress to do it, either; they can get it done on a case by case basis without any of that tedious folderol.
And that, my friend, is what this conversation is really all about. About the breakdown of law itself, due to the corruption of monied interests.
Yeah, I’m working on that, but there’s a lot of other people getting in my way - mostly people who have a hard-on for cruelly and disproportionately punishing non-violent offenders, but also rich people.
You can criticize it all you want but your critique is with the underlying law and the decision of the jury, not with the judge. His sentence was in line with that of others whose intent was to “fuck some shit up.” According to the way the law is written, what the judge decided was not unreasonable.
You want to change it? Nag your congress critters. That’s too much trouble? Then you’re just the guy at the end of the bar, banging his glass on the table and shouting about what’s wrong with this country.
I’ve about had my fill of people, especially millenials, bitching endlessly about what’s wrong and yet always managing to find a detailed justification why they don’t need to do anything. In the recent Wisconsin election, Democrat JoAnne Kloppenberg was narrowly defeated in an election for state Supreme Court against a Tea Party Republican. She was expected to win the election. That margin of defeat is more than accounted for by the large number of Bernie Sanders voters who showed up, check off Sanders, and went home, leaving the rest of the ballot blank.
That’s pretty goddamn sad. If people can’t be bothered to make the most minimal effort to try to change things, just check some more boxes for god’s sake, why should anybody listen to them? You argued that Congress does nothing. Mostly that’s true, but mostly it is because Congress has a finely honed sense of who votes and who doesn’t.
But a bipartisan consensus has built up behind a criminal justice reform bill to reduce mandatory sentencing and incarceration rates across the board. Likely a bill will move this year or next. That didn’t come out of nowhere. It was the product of 15 years of building constituencies to the point where congress critters on both sides of the aisle see profit in listening. That’s how democracy works.
You could join the EFF or the ACLU and put some money behind your mouth. That would be something. But if all you want to do is bitch and do nothing, well, . . . . have a nice day.
You’re getting very hostile and addressing my comments as some sort of betrayal to system, and attacking me for criticizing a federal judge’s discretionary sentencing decisions. And now you bring EFF into this discussion to try to attack me?
I wonder why? But I really don’t wonder enough to continue discussion with someone who believes that their opinion is the only one that matters.
No. That’s not the analogous situation at all, a better one would be she went to a place frequented by robbers where they planned robberies and put the keys on a table with a sign saying ‘These open the apartment at 123 Someplace Lane’.
Well, the idea was not to make a perfect analogy, but rather to try to illuminate Xeni’s point that our system has punished a middle class worker more harshly for aiding in the commission of an incredibly minor, victimless crime than it punishes wealthy parasites for actually committing major crimes that actually killed people.
your critique is with
Nope. Thanks for depositing with logical positivism in agency juris filings though. I hope your outing with the app ‘fingered’ is a total blast, too.
