Slashdot Mirror

Never forget that the same Oregon State convicted Randal Schwartz while he, actually, was working to improve Intel's security. His behaviour was considered to be an intrusion, and compared to theft and private property break-in. DMV selling off public data is not violation of one's privacy rights, though, in their opinion...

Please excuse my ignorance here. But I take a huge performance hit when I use emacs beacuse I don't know how to do line folding. Let me explain (and excuse the simplistic example). Suppose a file with the following content:

Line one
Line two
line three
line four
Line five

I'd like a command line where I type: "all /Line/" and the editor shows me...

Line one
Line two
Line five

And then I could do "less /two/" and the editor shows...

Line one
Line five

And then I do a change... "s/e/x/g" and the buffer now shows...

Linx onx
Linx fivx

And then I type "all" to show the entire file without regular expression folding.

Linx onx
Line two
line three
line four
Linx fivx

Wala! This is the kind of editing I like.
Would someone show me how to do this with Emacs so that I can retire THE.

Clark

The second requires the hacking be used for monetary or material gain beyond just gaining unauthorized access to the computer (unless access is valued over $5000).

And you think that the amount will never be reached? Do you think that the system owners won't inflate any amounts so it becomes over this amount?

How about Randal Schwartz? For what he did he had to pay $68K. Do you really think that stealing a little computer time and access was worth that much?

And how about Kevin Mitnick? One of his crimes was
"downloading of Sun's source code cost the company $80m"

Yes, that right, the same code you can now get for free from Sun. Do you really think that he could have caused that much damage to Sun?

If you attacked my server at home, I could easily make up a figure close to that of $5,000, based on my normal hourly billing rate and making up an amount of time it took to rebuild my system.

If you truly believe that this law will not be used unjustly, then let me tell you about this nice bridge I have for sale.... hardly used, going cheap....

What you're saying is that smart people like him, who sometimes use a little poor judgment, should be given life sentences in prison? You're saying that was Randall did is on the same level as murder?

But if you are going to release this into the wild, people on various ISPs are going to see packets coming from your machine and accuse you of trying to hack them. If it infects a "sick" host, makes it well, then infects a few more "sick" host, and then deletes itself and all tracks it can from the first one, it's harder for them to find you to use as a scapegoat.

Read up about Randall Schwartz and David McOwen before you jump in and run something like that, even if it is on your employer's computers and for good purpose. The fact is, sometimes you have to do your job annonymously.

Now lets get on scaling buildings in a single bound.

Ok... they were working on that one.

The good news is he likely won't serve any time.

The bad news is quite bad though. As a felon he is legally barred from many rights full citizens (which he NO LONGER IS in the eyes of the law) have.

It is illegal for him to own a firearm ever again everywhere, (in some states, not his state of Oregon) to ever vote again, and of special interest to people in the I.T. field:

It is illegal for him to work in certain technical jobs ever again. Such as working for a certification authority in at least one State.

Also, a lot of people are under the impression that all felons are intrinsically untrustworthy individuals.

The above still applies even if the persons motives were pure.

P.S. Randal Schwartz would likely have not been convicted if he were in Nevada. The laws here provide for implied authorization of an employee to access employer's systems unless their is "clear and convincing" evidence to the contrary. He still could've been fired though (Nevada is an at will state).

The moral: Don't try to do any favors. If you want to break into systems as a good guy, find a way to do it LEGALLY.

Consult a lawyer for legal advice.

Randal Schwartz (co-author of Programming Perl) did just this thing and was taken to court and Convicted of three felony counts, with (deferred) jail time. Read all about it at

State of Oregon v. Randal Schwartz

When I was kid I wanted a Hop Rod Gas Powered Pogo Stick There was a road test of one in an April issue of Road and Track in the late 60s

From Intel's Prosecution of Randal Schwartz (linked from Friends of Randal Schwartz):

Some Highlights from the Ongoing Farce

• No evidence that Intel disapproved of Randal's behavior exists, except as remembered after the decision was made to prosecute him. Not so much as a hand-written note indicates anyone had a problem with Randal beforehand.
• Lest those testifying for the prosecution, all of whom had financial interests in the good will of Intel, forget Intel's concern in this matter, an Intel Security person sitting at table next to the prosecutor served as a convenient reminder.
• Intel was heavy-handed in making its presence felt throughout. The police prepared the search warrant at Intel premises, three Intel employees helped search Randal's house, and one helped police interrogate Randal.
• This interrogation produced the prosecution's "best" evidence: police statements that put the words of a full confession in Randal's mouth. Indeed they claim Randal confessed to a history of hacking everyone he had done business with. (All these other "victims" provided witnesses for the defense, and Randal was charged with none of this activity.)
• The police claim to have memorized Randal's highly technical statements with the aid of a few "cryptic" notes, and reproduced them accurately later at the station. It is hard to overstate what an incredible feat of memory this is. Det. Lilley, who produced the more complete statement, didn't know what the word "directory" means in computer lingo. Mere mortals with similar backgrounds would have found it impossible to follow the discussion, much less memorize it verbatim.
• In other contexts, Intel had previously authorized Randal to commit both the acts allegedly unauthorized in this instance: cracking passwords and building a gateway to the Internet.
• Randal was well aware of the steps a computer criminal usually takes to avoid detection of his activities and took none of them.

Well, here's information from a police report where a cop actually talked to him: it's found at this address:

I asked Randal why he was using the "CRACK" program to obtain passwords and asked if he realized that these passwords would access
the SSD system. Randal advised that he did realize this and that he wanted to get his E-mail quicker

Weird, eh? But check this out:

I asked Randal why he would need forty to fifty passwords and he said, "I needed them in case they caught me doing it and knew they would shut
me down so the more passwords I had, the longer I could continue doing what I wanted to do." Randal advised that he had the capability to do it and he knew he could do it. I asked Randal if this was wrong and in violation of Intel policy and Randal said, "Yes it is, but I knew I could do it anyway." Randal said that he wanted to do it because he wanted to be efficient in getting his E-mail very fast and he felt was important and when they shut him down, he wanted to continue doing what he was doing and since he had the capability to do it and knew he could do it, he did it without permission.

Well from that, what he himself said to a policeman, he comes across as a dirt-common script kiddie.

There is an informative FAQ on the case.

http://www.lightlink.com/spacenka/fors/police/inte lrep.txt

For the lazy, I take an excerpt below :)

The reason for making this report public is that it specifically mentions that Randal was using Intel resources to crack password files from at least one other company.

On Thursday, October 28, at 12:30 in the afternoon, I noticed an unusual process running on a Sun computer which I administer. Further checking convinced me that this was a program designed to break, or crack, passwords.

---

It took a while to find anything that actually said what this man was accused of doing. Finally, I dug into the newspaper articles refered on the "Friends of Randal Schwartz" site, getting this from the Dr. Dobb's link:

http://www.lightlink.com/spacenka/fors/press/ddj96 03.html

• It was two years ago this month, however, that Schwartz was indicted on three felony charges - one count of altering computer systems without authorization, and two of accessing a computer with intent to commit theft. The victim was Intel's Hillsboro, Oregon supercomputing division where Schwartz had been working for several years as a consultant. [...] Intel is asking restitution, somewhere in the neighborhood of $70,000, even though an Intel attorney acknowledges that the company found no evidence that Schwartz planned to use the "stolen" information.

• In his defense, Schwartz said that he was only trying to show Intel how inadequate its security system was. At the time, Schwartz was working under two Intel contracts: one to deploy DNS servers for the entire corporation, and another as a system administrator for some network-support machines. Since both contracts were running out, he'd hoped to generate a new contract to improve Intel's security. To that end, Schwartz ill-advisedly ran Crack, a commercially available password-breaking program that uses brute force to discover vulnerable passwords. His plan was simply to put together a proposal - based on real data - for improving Intel security. The sort of information he intended on presenting in the proposal included nearly 50 network passwords he'd discovered (including that of one ambitious vice president whose password was "pre$ident").

  Before Schwartz could put his proposal together, however, an Intel employee noticed an unauthorized program was hogging computer time. Upon discovering Schwartz's Crack run, he notified security, and in the flip of a bit, Schwartz went from being an "independent consultant" to an "industrial spy." Even though management recommended that Schwartz simply be confronted because there was clearly no criminal intent at work (Schwartz ran Crack under his own login and didn't try to dissimulate his efforts), Intel's jackbooted security team (maybe needing to justify their jobs) opted to call in the sheriffs department.

  Schwartz admits that he made a number of '"bone-headed" mistakes - not clarifying the rules about Internet access, not reporting the first cracked password, not immediately reporting the results of the run - for which he probably deserved termination. However, he also says that his actions "were motivated by my desire to give Intel the best possible value for the money they were paying me," adding that none of his acts were based on malicious intent. In summary, Schwartz said: "I am sorry that I caused Intel any grief or hardship, and that in hindsight, I should have been clearer about my intention and actions."

  The upshot of all this is that Schwartz is in a financial bind. There's little chance he will ever work at Intel again, even though he has given the company five years of good measure. Nor is he likely to work at any company that agrees with Intel's beliefs about him. With dim employment prospects, Schwartz has so far spent about $135,000 on his defense. When it's all said and done, he will probably end up paying $160,000 before even considering appeals.

"Sure, it does document the legal case, but is there a way to actually find what you did?"

Intel investigative report lays it out pretty well, along with notes from police interrogation. Those appear to tell us he cracked passwords that he should not have and he ran a program on Intel computers that enabled him to access the computers from outside Intel, which he had been previously caught doing and instructed to stop. I don't see what he's complaining about; he committed crimes and was punished proportionately.

"Sure, it does document the legal case, but is there a way to actually find what you did?"

Intel investigative report lays it out pretty well, along with notes from police interrogation. Those appear to tell us he cracked passwords that he should not have and he ran a program on Intel computers that enabled him to access the computers from outside Intel, which he had been previously caught doing and instructed to stop. I don't see what he's complaining about; he committed crimes and was punished proportionately.

Sure, it does document the legal case, but is there a way to actually find what you did ?

See the FAQ for the 3 claims, or the Intel report for their (non-legal) take.

-dair

Sure, it does document the legal case, but is there a way to actually find what you did ?

See the FAQ for the 3 claims, or the Intel report for their (non-legal) take.

-dair

What I'm saying is that ideas like this -- a crude incremental search, name by name, or a more clever search that sticks to just dictionary words, with at most minor variations (3733T haXXorspeak, doodz!), is profitable and therefore will be attempted, and indeed is attempted and, to a limited extent, used.

Much as you'd like to out-pedant me here, we're basically talking about a password cracking scheme, and password cracking schemes are not as computationally complex as the travelling salesman problem. Sorry, but you just made that up -- admit it. Indeed, these things get used pretty regularly -- just ask Randal Schwartz.

The fact of the matter is, you guys are belittling this strategy for the list generation aspect of it, when in fact that could be done once and the result can be dumped into a file for future usage. Is there some work involved in getting that? Of course there is -- just look at the everyicon project. But you can take steps that control the complexity of the work involved, and cause the total execution time to be Not That Bad. Once you've done it once and dumped the result to disc somewhere, you never have to do it again. Then just start sending out the spam as per usual and Mr Marketer is happy.

Is this hard? Is this complex? Yes and yes. But keep in mind that how hard it is to legitimately harvest a large pool of targets^H^H^H^H^H^H^Haddresses. It is also hard and complex, and arguably its a lot more expensive. (Anything that costs a lot is more expensive than something that possibly cannot be done, or at least not completely...). Given the choice, I don't see why it's such a mystery to you guys why a lot of people would want to try this, and indeed, why a lot of people do try it.

DOn't turn your vitriol against me, turn it to the boneheaded managers & marketers that are having people do this stuff. Question the theory if you want to, but it's being done, and I'm just reporting that fact. Back off.

A good place to find some info and related links Beyond Mark Morrissey's report it's kind of boiled down to a "Did not-Did too" argument. I've not taken any side in the debate, but it is a case worth reviewing if you ever feel the urge to test security without having a job description or contract outlining that as your responsiblity.

--

I think their screwing around of Randall Schwartz cost them a lot of support in the Open Source community.

Note that there was no disclosure of classified material here, just violations of Policy.

If you have a job to do, you do it. If you try to go through all of the Proper Authorities, you'll have long grey whiskers by the time you get their formal rejection.

I'd be willing to bet that the "authorized" software on the computers in question was some version of Windows, Microsoft Office, and a couple of buggy, inconvienent, locally written Visual Basic programs for filling out timesheets and accessing databases. And nothing else.

I'm sure every Slashdotter has a list of extra programs that need to be installed on any Windows system to make it halfway usable. (The last "unauthorized" program that I loaded was bzip2. Big scary threat, that.)

The point of "policy" is generally to cover the arses of the Powers the Be; if anything goes wrong, it's because "somebody violated Policy". I have worked in a number of secure environments; I have never seen one where *all* the Policies were followed. Scenario: You're the only one in the office when you are hit with A Sudden Need. Do you (a) Shit in your pants, (b) Carefully collect all of the classified data from your desk (and everybody elses desk, if you're watching their stuff for them) and lock it in the safe. Don't forget to sign the logs, or (c) duck down the hall to the loo and hope that nobody notices. Policy, of course, says (b), with (a) as the only alternative. Of course, (c) would leave your classified data open to any Soviet spies[1] who happened to sneak past the armed guards at the gate.

It's not just the Government; look up Randall Schwartz to see just how bad it can get.

[1] Yeah, I know. There hasn't been a Soviet Union for ten years. The US Department of Defense and State Department (the CIA is part of the State Department) have been busily trying to put it back together, as it was the only justification for their existance.

--

I answered their questions as best I could, even though I was told I did not have to; I had nothing to hide.

That's a reasonable attitude if the police/FBI are really your friends. Unfortunately they're usually more interested in finding evidence for a conviction. Remember what happened to Randal Schwartz.

In particular, see Randal's comment on the police interviewing.

--adrian.

I answered their questions as best I could, even though I was told I did not have to; I had nothing to hide.

That's a reasonable attitude if the police/FBI are really your friends. Unfortunately they're usually more interested in finding evidence for a conviction. Remember what happened to Randal Schwartz.

In particular, see Randal's comment on the police interviewing.

--adrian.

They now have the perfect ammunition to claim that these projects have received help in theirtasks from people who are willing to engage in criminal persuits

open source programmers already include criminals (Randall Schwartz)

This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.

Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occured doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.

I don't think the possibility that this is a way for Microsoft to reign in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.

I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.

Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this is such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.

By the wall, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here for more information.

One of the local providers to Ithaca, NY, Lightlink Internet does that already. They offer high speed radio, DSL, etc... and you pay a reasonably small per month fee, and you can pull the maximum bandwidth that your connection physically allows, but you pay $10/Gigabyte over 1 gigabyte per month, so that way you can get quick downloads by using lots of bandwidth in short bursts, but if you don't pull down too much, you don't pay much. If oyu want to download a shitload of stuff, you pay more. It works well, the company I work for uses the service, and it's worked out quite well.

Thus, an economy based on property and ownership needs IP.

However, I believe that there are alternative economic models possible. Check out some of the local currency projects, which base their value on time of labor - these alternative economics could definately support a lack of IP.

Ithica, New York's HOUR System
Participatory Economics Project

That's why I won't work for Intel, if they treat consultants that way.

I have to agree that this is a little extreme. Remember a few years ago, when Oregon's similar law was used against Randal Schwartz? (Co-author of the Camel book). If you violate a non-disclosure agreement or confidentiality agreement, there are already a ton of civil penalties that can be applied -- we don't need to add criminal ones, too. I look at this as just another shade of the DMCA, the trademark laws, or the recent secret search warrant laws - they give the state and large companies more weapons to attack individual developers with, another crime that no average juror could be expected to understand well enough to vote on.

Probably the same as everyone else. They've been a client of mine since the incident; for proof, see the check they sent me!

Randal Schwartz was working as a contractor at Intel, and ran into a situation where he cracked some passwords as a matter of expediency. He reported the bad passwords to Intel (this is how he was "caught"). This was somewhat embarrassing to a certain VP of Intel, who was using the password "vicepresident". Intel then engaged in one of the ugliest, most pointless, displays of corporate muscle flexing I've ever heard of: they prosecuted Randal using some very screwy laws peculiar to Oregon.

Lessons to be learned:

1. Don't piss off wintel if you live in the Northwest.
2. Buy AMDs, buy alphas... forget Intel.
3. Don't let anyone label you a "hacker".

There's another good website on the subject (the "Friends of Randal Schwartz") here:
State of Oregon vs Randal Schwartz computer security case

This (bashing of Randal) is almost certainly a troll, but I'll reply for the benefit of those who don't already know. Randal was convicted of three felony counts for performing tasks that essentially fell within his professional scope as sysadmin. Read the whole story. It's worth learning about, because many people who work with computers are in danger of similar prosecution if they piss off the wrong person. So before you condemn Randal, answer this: have you ever accessed a corporate information resource without explicit authorization? If you say no, and you work in a large, heterogeneous corporate environment, I can rest assured that you don't get much accomplished. If you say yes, you are confessing to the crux of the charges against Randal. The real problem here is that the average person (judge, juror) has so little understanding of how computers work that many innocent actions can be portrayed as criminal. Ever grepped a password file? Now picture how that could sound in court. Anyway, if someone has a serious reason to disbelieve Randal's side of the story, please post it or a link to it. In the 4+ years since the conviction, I haven't seen any.

Find more details here.

--

Guessing passwords to enter a password protected
area is not illegally breaking into a computer system and stealing private data? Tell that to Randal Schwartz, "just another Perl hacker and convicted felon".

Rahul.net on Randal, Friends of Randal Schwartz, Randal's Homepage, Tim O'Reilly on the prosecution of Randal.

I'd say, sue CMU and see what comes from it.
© Copyright 1999 Kristian Köhntopp

Guessing passwords to enter a password protected
area is not illegally breaking into a computer system and stealing private data? Tell that to Randal Schwartz, "just another Perl hacker and convicted felon".

Rahul.net on Randal, Friends of Randal Schwartz, Randal's Homepage, Tim O'Reilly on the prosecution of Randal.

I'd say, sue CMU and see what comes from it.
© Copyright 1999 Kristian Köhntopp

[The original article seemed to be aimed at changing dumb laws instead of waiting for it to become obvious to the world that they're dumb, but this seems just as important]

Read the Randal Schwartz vs. Intel case and tell me again you wouldn't strike for another programmer?

Yes, that's the guy who wrote the book on my desk being banged up for ... I'm not really sure why.

This, you see, is how I know that "Life's a bitch and then you die".

This. :)
--

Just a word about 9netave; I have heard from many 9netave customers who have been really unhappy with their support. To the extent that I mentioned this to a customer of ours, and he laughed and said, "They don't have poor support, they have no support."

I'm extremely happy with lightlink, our local co-location provider, just 3 minutes walk up the hill. We get a 4'x2'x2' locked box, 3 IPs on a fast T1, 24 hour card access, and a bunch of freebies, for $250/mo. plus $10/gig.

Before you start, or even begin concerning yourself with the rest of the network:

1. Cover your ass before doing anything. Get permission from your superiors. In writing.
2. Tell Everyone You Know, on both networks, their bosses, their bosses' boss, and anyone else you can find what you're up to.
3. Repeat Steps #1 and #2 ad nauseam.
4. Then go poking around the network.

For more details: http://www.lightlink.com/spacenka/fors/

If so, I have to argue that common usage means a heck of a lot. Everything, in fact, because language is generally about communicating meaning in a consistent and reliable fashion. "Languages" are also, as I understand this from my linguist friend, defined in part by their capacity to change. A language that doesn't change from time to time for whatever reason is, by that definition, dead.

In the 23rd century, maybe they will be calling cheese graters floppy drives for some crazy reason, and if saying "floppy drive" to a reasonably acculturated person chosen at random on the street makes them think of shredded cheese, well, guess what? "Floppy drive" will have come to mean a thing that you use to grate cheese.

In this case, I think we have to acknowledge that the word hacker is no longer owned by hackers because it has passed into common parlance.

With all that said, here are two reasonable representations of "common usage":

From Merriam-Webster Online:
Main Entry: hacker
Pronunciation: 'ha-k&r
Function: noun
Date: 14th century
1 : one that hacks
2 : a person who is inexperienced or unskilled at a particular activity
3 : an expert at programming and solving problems with a computer
4 : a person who illegally gains access to and sometimes tampers with information in a computer system

I don't think there's an organization in the United States that could lay valid claim to canonical authority, considering the plethora of conflicting style-guides and so on. In this case, though, I think most would agree that Meriam-Webster is certainly respectable, and could lay claim to having their finger on the pulse of common usage. Unfortunately, the Oxford English Dictionary isn't available for online perusal, because they could lay claim to representing the parent dialect.

But what the M/W definition represents is a marginal victory for hackers of the benign variety, as does this one, from the Wordsmyth English Dictionary and Thesaurus:

hacker
SYL: hack-er
PRO: hae kEr
POS: noun
DEF: (informal) 1. a computer programmer who is expert at correcting programs, and who is perceived as an obsessive or reclusive person devoted solely to computers.
DEF: 2. a computer user who is able to penetrate carefully protected computer networks, such as those of a government.

In both definitions, we see both definitions living side by side, with an edge in precedence given to the more benign variety of "hacker."

I'm curious, by the way, what you call the American Civil War. Here in Virginia, some of the locals still call it something other than the Civil War, and they, since they're the descendents of the ones who rebelled and even started the armed hostilities, ought, following your logic, to be the ones who get to decide what it's called. That's a perogative most textbooks written to sell in California and Texas (which is to say "most textbooks") deny them.

I guess I'm just fine with everyone thinking "hacker" means vandal, anyhow. It doesn't change what I do one bit, which lately involves hacking on a nasty bit of proprietary software at work that made the mistake of using .dbf files even as the marketing droids try to sell us a multi-$1000 "conversion package." No coding is involved, just widespread spoofing of some indexes the designers must have thought others would be too dense to find. When I'm done, the taxpayers around here will have saved thousands of bucks, instructions on how to do what I did will be sent to other customers of the company that inflicted the horrible blob of code on us all, and I will remain a "non hacker" because there aren't any around here to confer the honor, which I understand is one of ESR's requirements for the title.

Guess I'll just have to wait for a local certification board to form.

I'll also wait to call what I'm doing "a hack," because that would upset the boss. I'll just call it "flurbing" and tell him it's a geek word for using something for other than its intended purpose.

----------
mphall@cstone.nospam.net

I just happened to be poking around when I came across this link: http://www.lightlink.com/mhp/lpp/. It says web integration as a future possibility and since it already supports multicast and realtime streaming, it sounds like it would be a minor mod, though I haven't looked at it at all. fyi