Matthew Keys spoke to reporters on April 13, 2016 after his sentencing hearing in federal court in Sacramento, California.Cyrus Farivar
On Wednesday morning, less than two hours before journalist Matthew Keys’ sentencing hearing in federal court, Ars received an e-mail with an attached nine-page letter making a shocking claim, which for now is impossible to confirm: “Matthew Keys is innocent.” Absent further information, it’s impossible to say with certainty that this letter is not a hoax.
The message, which was authored by someone under the pseudonym “Sam Snow,” was also sent earlier in the year to Keys’ defense team, government prosecutors, and the judge.
It will likely have no material impact on the forthcoming appeal in Keys’ conviction. Keys’ lawyer, Jay Leiderman, told Ars that the letter was essentially too little, too late.
When Ars asked Keys if he was Snow, he answered flatly: “No.” Keys declined further comment. He also declined to explain why he is protecting Snow, who may or may not be a real person.
In the letter, Snow also claims that Keys promised him off-the-record protections as a source in his earlier reporting into Anonymous, adding, “I also know Matthew well enough to know that he will go to jail if it means protecting a source, because that’s what good journalists do.” (Snow claims he taught Keys how to use IRC and how to communicate with Anonymous.)
During the sentencing hearing, US District Judge Kimberly J. Mueller briefly mentioned the existence of Snow’s letter but noted that she did not read it.
She also confirmed with government prosecutors and Keys’ defense team that they did not want to bring it up—they said in court they did not. Hours later, Judge Mueller sentenced Keys to 24 months in prison, roughly six months after being convicted of three counts of conspiracy and criminal hacking.
The message makes extraordinary claims:
[Keys] never gave a username and password for any computer system to any hacker or hacking group. He never conspired to hack his former employer, and he never sent e-mails to any of his co-workers or the audience of the TV station where he worked.
I know he did not do any of the things for which he has been accused—because I did them, and again this is something I can prove.
When Ars responded to Snow’s @yandex.com e-mail address that he used to contact us, asking him to provide further detail and possibly to meet in person, he said, “You know why I can’t do that.”
In addition to the letter, Snow included three new IRC screenshots from #internetfeds.
That was the very Anonymous IRC chatroom that Keys is accused of participating in and was ultimately where, according to his jury trial, he passed CMS credentials to members of the hacktivist group that ultimately resulted in a defacement of a Los Angeles Times article.
Keys was accused of handing over a username and password for former employer KTXL Fox 40’s content management system (CMS) to members of Anonymous and instructing people there to “fuck some shit up.” Ultimately, that December 2010 incident resulted in someone else using those credentials to alter a headline and sub-headline on a Los Angeles Times article. (Both Fox 40 and the Times were sister companies under Tribune Media.) The changes lasted for 40 minutes before editors reversed them.
Prior to the Times defacement, a number of e-mails were sent to Fox 40 from various @yahoo.co.uk e-mail accounts that bore the names of X-Files characters, including Fox Mulder and Walter Skinner.
These e-mails taunted Fox 40 for its lax security and claimed to have taken a number of Fox 40 viewers’ e-mail addresses from a company marketing database.
Someone then contacted some of those viewers directly.
That activity ultimately led to an indictment against Keys in 2013, and he was convicted by a federal court jury. Keys has consistently maintained that he was not behind the X-Files e-mails or the CMS handover. His attorneys have vowed to appeal.
Enlarge / This is one of the three screenshots that “Sam Snow” sent to Ars.
“This guy should have come forward three years ago when we really could have done something with it,” Leiderman said.
The lawyer also said he is reasonably confident that Keys is not Snow. However, Leiderman also said he did not know who Snow actually is.
So why did it take so long for the Snow letter to become public? “It would have muddied the waters,” Leiderman said. “In the end, it was too convenient and too on point and the most likely event was not going to be that [Keys] looked innocent, but that he was looking to put on false evidence.”
Pranks gone wild
In the letter, Snow described himself as someone who met Keys on a dating website in 2009.
The pair dated briefly, but they eventually decided to just be friends.
Eventually, Snow said, Keys gave him a key to his apartment, with an open invitation to come by anytime he wanted.
Around the “middle of 2010,” according to Snow, Keys started to have some work problems.
Some weeks later, Keys left Fox 40, and it weighed heavily on him. Keys seemingly became more “sad and depressed.” After Snow’s computer died in mid-November, he asked to borrow one of Keys’.
Snow said he was surprised that there was no password on the computer, and further, many websites that required logins, like Facebook or Gmail, had the usernames and passwords saved automatically in the browser.
On that computer, Snow claims he found a number of documents that included login credentials for the Fox 40 CMS.
When I entered the web address, there were credentials that had already been filled in.
I figured those were probably ones Matthew used for work, and I cleared them out. My guess is they probably wouldn’t have worked anyway since he hadn’t worked for the station.
But some of the passwords in the document did work. Most of them were only for the Fox station in Sacramento, but a few of them were superuser passwords for the website and the video system used by the station. One even allowed me access into a section of the website where there were thousands of e-mail addresses for viewers of the station, and it looked like it had recently grown because the station was running a contest where they were giving away iPads.
As a way to prank Fox 40 viewers and staffers—and to make a bizarre attempt to vindicate Keys’ departure from the station—Snow said that he began sending e-mails purportedly coming from various X-Files characters.
This went on for a couple of days—I’d come over, use Matthew’s laptop (usually he was out of town; once he was in the apartment but he didn’t know I was using his VPN or writing the e-mails, I guess he assumed I was checking Facebook or something), check the Gmail, then check the Yahoo mail and write back.
Sometimes this happened during the day, sometimes it happened really late at night.
I even learned how to use parts of their CMS to do things like reset passwords, and just to screw with some of the people there I changed the passwords of a few employees.
I figured the worst thing that would happen is they’d get a few phone calls from angry customers and they’d have to reset their passwords a few times.
I certainly didn’t mean for it to get blown out of proportion the way it had and if I had known the police or the feds would get involved I wouldn’t have bothered at all.
Snow admitted that he kept Keys “in the dark” about the full nature of his activities, but he said he was doing research on Anonymous, which Keys apparently said was OK.
By December, Snow said that he encouraged Keys to begin investigating Anonymous and wanted to be an off-the-record source for Keys.
Snow added that he was using Keys’ computer to monitor Anonymous’ IRC channels but that they were largely a “waste.”
As a way to get Anonymous’ attention and help Keys do his job as a young freelance journalist, “I had to really get the group’s attention.”
Snow explained that in the IRC channel, LulzSec cofounder Sabu invited him to #internetfeds, where Snow then apparently handed over the CMS login and password that Keys was convicted of handing over. Not long after, Snow showed Keys how to use IRC and told him to keep using the same nickname that he, Snow, had used—”AESCracked.” After a while, Keys began to notice some chatter about a possible attack on the Los Angeles Times, which disturbed him. He wanted to tip off the Times, but he didn’t know anyone there, so he contacted his former colleagues at Fox 40 instead.
According to Snow, after Keys got off the phone with Brandon Mercer, his former boss, he was disappointed that they were not going to run with his tip. Keys also apparently “said his boss kept asking about e-mails that the station had been receiving from someone named Fox Mulder and that his old boss kept accusing him of sending the e-mails.” Keys denied to Mercer that he was sending the e-mails, and he has maintained that denial.
As Snow tells it, days later, a user on #internetfeds with the nickname “Sharpie” bragged to other members that he had managed to cause a short-lived defacement on a Times article.
By January 2011, the IRC channel was shut down over concerns of leaks to the media.
As Keys was trying to work with other reporters to advance the story, he wanted more #internetfeds screenshots that Snow may have kept.
Snow said he copied a few more for Keys and then turned up in person to deliver them.
After Keys copied them, Snow said he returned home.
While Snow was away, Keys apparently was checking those files, and Keys was quite angry that they made it seem like AESCracked (who Anonymous believed was Keys, an ex-employee at Fox 40) was the one that had handed over the CMS login and password to Anonymous. Keys confronted Snow.
As Snow writes, “I said it was pretty shitty that their security didn’t turn off the username and password after he left, and he said it wasn’t the point, that he felt like I had betrayed him and that I had no business doing what I did.” Understandably, as Snow tells it, Keys went ballistic:
He [Keys] was upset to the point he started yelling. He said he felt I had betrayed him, and that none of my pranks were funny. He said I had put his reputation with his old co-workers at the station in jeopardy and that I possibly damaged his career as a result.
Things got so heated that his neighbor came over to ask if everything was okay.
I took that as a sign that I should probably leave, and I took the thumb drive on my way out.
I chucked it in a trash can on the way to the bus stop.
So why hasn’t Snow come forward sooner? Because he thought the charges against Keys “would be resolved in his favor” and that “the thought of spending 25 years in prison over someone changing a few words on a web article is frightening.” (Snow was referring to the maximum sentence Keys could have faced.)
All said and done
After the sentencing hearing concluded, Leiderman told Ars that he had received a copy of the letter in January 2016 (it is dated January 3, 2015). He said it was far too late and contained far too little verifiable proof to be useful in Keys’ defense.
First off, if Snow hadn’t hidden behind a pseudonym, “that would have helped tremendously.” Had Snow used his real name, and had he informed Leiderman earlier, the letter could have had an impact. “We would have seen what we could have put together and see what we could have done for a motion for a new trial,” he continued. “But something like this, especially after a conviction, it tends to smack of radioactivity. You just don’t want to go near it because it could poison everything.”
Even now, Leiderman explained that any appeals are limited to the “four corners of the transcript” taken during trial.
As such, the letter cannot be considered for the purposes of an appeal.
However, if the crux of Snow’s message can be verified somehow, it might be able to be used as part of a post-appeal habeas corpus motion—yet another filing that would challenge Keys’ incarceration on account of new evidence. “We’d need to get an investigator on it and pin this person down and take sworn statements and things like that,” Leiderman added. “And it would really need to be powerful and persuasive evidence to try to get a hearing as to whether it should be reopened or some such like that. Habeas corpus are extraordinarily difficult—their rates of success are close to zero.”