Hacker guilty on all counts in attack on Palo Alto Online

Federal jury convicts Ross Colby Wednesday in San Jose

After a six-day trial that involved hours upon hours of technical testimony, a federal jury on Wednesday, June 6, convicted former San Francisco resident Ross M. Colby of two felonies and three misdemeanors relating to computer hacking that preceded the Sept. 17, 2015, take-down of Palo Alto Online and four other websites of parent company Embarcadero Media.

The jury of eight women and four men deliberated for a day and a half. Sentencing is set for Sept. 19. For each of the felony convictions, Colby faces a fine of up to $250,000, a prison term not to exceed 10 years, or both, according to indictment documents. He also faces a fine of up to $100,000 and a maximum one year in prison for each of the three misdemeanors. (The actual sentence will be affected by factors including past criminal record, if any, cooperation in the case and the judgment of the court.)

Colby, 35, at one time worked for the former EMC Corporation as a software engineer. He was also employed as the chief security officer and IT administrator at Earnest, a San Francisco-based personal- and student-loan lender, where he reviewed data-compliance contracts between the lender and large clients such as Goldman Sachs, Verizon, Nationwide, AARP and Intuit, according to court documents.

He did not express emotion as the five guilty verdicts were read. He did not testify during the trial nor were there any witnesses called for the defense, which relied on raising doubts about the prosecution's evidence. The case went to the jury on Tuesday morning.

Jurors found Colby guilty of one felony count for transmitting a program, code, command, or information to a computer, intending to cause damage; one felony count of attempting to do the same; and three misdemeanor counts of unlawfully obtaining information from a protected computer.

During the trial, the prosecution presented as evidence a trail of IP addresses linked to Colby that had been used to access Embarcadero Media's accounts and data -- including the accounts of the three IT employees -- more than 200 times.

Three jurors, who asked not to be identified, said the jury deliberations were extensive and difficult. They said the jury ultimately rejected the defense's theory that another person could have been responsible for the hacks.

"The most compelling evidence was his (Colby's) access via the VPN (a private internet address allowing user anonymity) and to his email account," said juror 11, a statistical research manager.

There was enough of an overlap between his access to the Embarcadero accounts and his own email accounts from the same IP addresses to find he was the culprit, she said.

Juror 10, a software engineer, said it wasn't believable that another person might have hacked the company, as had been suggested by Colby's attorney.

Juror 11 agreed.

"The common-sense explanation stood out to me versus it all being a setup," she said. "I believed the testimony of the roommate," who testified that Colby had told him he had hacked a news website.

Juror 5 said he and juror 1, who are both software engineers, weren't initially convinced by the IP-address evidence alone.

"We wanted to be convinced by more logs. The IP addresses alone seemed insufficient to convict, but the defense did not raise enough questions regarding someone else having done it," he said.

Juror 11 said they did their own digging into the logs and sent questions to the judge regarding the scope of their responsibilities.

The fact that much of the evidence was circumstantial was not problematic, she said.

"With cyber-crimes, there are a lot of cases where you won't have direct evidence. You won't have video showing someone sitting at a keyboard committing the crime. It was all circumstantial," she said. In these kinds of cases, she added, jurors must ask themselves, "How do we convict people of cyber-crimes without direct evidence?"

Embarcadero Media Publisher and President Bill Johnson was present throughout the trial and as the verdict was read.

"We are grateful to the FBI and federal prosecutors for their hard work on this case, and for the jury's patience in digesting an enormous amount of technical information. This was not only a sophisticated attack on our business but also on the First Amendment and the work we do as journalists in the public interest," he said.

Assistant U.S. Attorney Joseph Springsteen, during his closing argument prior to the jury deliberations, noted the gravity of the hack, which prosecutors said was strategic.

"Make no mistake. This was not a prank; this was not a harmless act. ... It's not vandalism. It was a serious and targeted attack on Embarcadero Media," he said on June 1.

The hack caused more than $32,000 in damage, but there was also damage done to Embarcadero's reputation, Springsteen said. It is ironic that Embarcadero Media, which was the first newspaper in the United States to have published its news on the World Wide Web, should have been targeted, he noted.

"These acts brought (an institution) of the community for 40 years to its knees. Imagine how vulnerable they must have felt -- how helpless," he said.

"The defendant did it over and over and over again. It's not casual. This is not brief. It was methodical and repeated and intentional," he said.

During her closing arguments, Defense Attorney Vicki Young argued that there was insufficient evidence tying Colby to the intrusions. She said that since some intrusions into the Embarcadero systems had come from a virtual private network (VPN) and therefore were not traceable, another person besides Colby could have been responsible. She also argued that intrusions made from the IP address at Colby's San Francisco residence were made on two days in July 2015 when, his father testified, he had been visiting the family home in Massachusetts.

But federal Prosecutor Susan Knight said Colby's father's testimony was vague and not credible regarding the timeline of his son's presence in Massachusetts. Knight said the evidence showed Colby was still in San Francisco from July 23-25. Colby not only accessed Embarcadero IT employee Cesar Torres' account on those days, but he also accessed his own personal email from San Francisco.

The same virtual private network (VPN) IP address used in one of the hacks was also used to log in to Colby's personal email and Facebook accounts, Knight said, citing evidence presented at trial.

This was the evidence the jurors said they found most compelling.

Colby declined to comment after the verdict. Currently a Richmond, California, resident, he remains out of custody on $50,000 bail.

Sue Dremann is a veteran journalist who joined the Palo Alto Weekly in 2001. She is a breaking news and general assignment reporter who also covers the regional environmental, health and crime beats.

by / Palo Alto Weekly

Uploaded: Wed, Jun 6, 2018, 11:15 pm

Comments


Midtown Resident
Midtown
on Jun 7, 2018 at 2:12 pm

This is clearly a major victory for law enforcement in an apparently difficult case to prosecute. I am concerned that the large resource requirement, along with high standards ensuring conviction, makes it likely that this is a very small tip of the iceberg. Better security seems unattainable now and I would like to see someone take on the consequences of hacking for the general population. People may look at this conviction as an excuse to "whistle past the graveyard."


resident
Midtown
on Jun 7, 2018 at 4:19 pm

I hope that at some point in the future we get some clues about the motive for this crime.


AskingForAFriend
Registered user
another community
on Jun 8, 2018 at 1:09 pm

So let me get this straight...
Know the hacker's identity: blame the hacker
Don't know the hacker's identity: blame the company storing others' PII with lax security standards
...am I missing something here?


resident
Midtown
on Jun 8, 2018 at 1:14 pm

@AskingForAFriend - I blame both of them. If you read earlier news reports, the newspaper had very shoddy security policies in place before the hack. At least in this case, they are claiming that the hacker didn't steal any customer financial information, which can't be said of many other hacked businesses.


Town Square Moderator
Registered user
Another Palo Alto neighborhood
on Jun 8, 2018 at 1:28 pm

@AskingForAFriend
@resident
No credit card or personally identifying information of readers or subscribers was on the servers that were hacked. The hacker did have the ability to access a server that contained email addresses and reader passwords used only for the purpose of posting comments on Town Square when the comment thread was restricted to registered users. There was no evidence that the hacker actually accessed that server, however.


AskingForAFriend
Registered user
another community
on Jun 8, 2018 at 2:03 pm

@resident re: the hacker didn't steal any customer financial information
I don't think this was the intent based on the statement he placed on the front page in 2015, stating the paper had "failed to remove content that has been harmful to the wellbeing and safety of others." Web Link


AskingForAFriend
Registered user
another community
on Jun 8, 2018 at 2:23 pm

@Town Square Moderator

"The hacker did have the ability to access a server that contained email addresses and reader passwords" The same people that write their password on a post-it note stuck under their laptop (or, y'know, put it in a Google Doc) are the same people to re-use their favorite password on every single site they use.

*Nudge* to my 100-year-old grandmother and anyone else who uses this practice: to change your password on this site, scroll to the top, click "Member Center," then look for the very light grey font that reads "Change your password;" it's right above the black and bold font asking for your name, address, phone number, and the... zip code in which you work? (Grandma, those fields are not required)

Moderator's Note: This is why immediately after the hack we communicated with all of the people whose email addresses and passwords could have been accessed and advised them to not only change their passwords on our site but on any site where they were using the same password.


resident
Midtown
on Jun 8, 2018 at 2:48 pm

I'm always suspicious of websites that ask for your email address. I'm really glad I didn't fall for this one.


musical
Palo Verde
on Jun 8, 2018 at 5:04 pm

So in our current political environment, will this Ross Colby get the full maximum $250,000 fine plus prison term of 10 years?

