Domain: lightlink.com
Stories and comments across the archive that link to lightlink.com.
Comments · 92
-
Rule one
Don't become Randal Schwartz.
-
shades of Randal Schwartz
The well-known author of O'Reilly's Learning Perl was caught testing an open source password cracking package on Intel's intranet while doing consulting work there in the '90s. Intel didn't find it interesting in the same way Schwartz did, and a nasty legal battle ensued.
IIRC one of the harvested passwords was "Pre$ident", from an ambitious Intel VP.
-
The take-away here is...
The take-away here is that when I buy an Intel processor, I'm not getting the best performance, I'm not getting the best price, and I'm not getting the best value. At best, I'll get crippleware. Crippleware sucked and I'm glad it died out of the marketplace back in the late 90s.
Some Intel products open security holes on your system with their defective DRM: http://extendedsubset.com/?p=30 . I just figured they couldn't get competent C programmers after what they did to Randal Schwartz http://www.lightlink.com/spacenka/fors/ . The HDCP leak was yet another example of fail. But now they want to bring this level of quality engineering directly into the CPU? Haha, no thanks guys.
Imagine the APT malware that would be possible if the CPU microcode update protections get busted wide-open like HDCP just did.
Now was it really such a good idea to hand the Elbonian Business Network a way to sell cracks for who-knows-how-many millions of CPUs for $50 each? Congratulations Intel, the black market value of a crack on your microcode just went from $100k to $M++. Did you stop to consider the fact that some of the top supercomputers on the planet are botnets? That's right: the adversary has the computational resources of a state actor and he doesn't even pay his own power bill.
I'm sitting right now within arm's reach of 14 Intel cores I've bought within the last year or two (from Atoms to i7's), never mind the stuff I have a voice in professionally. My next general purpose CPU is coming from AMD.
-
Re:Good plan
You might want to reconsider doing such things - you could end up in prison.
http://www.lightlink.com/spacenka/fors/
"In late July 1995, a trial jury convicted Schwartz of three felony counts under Oregon's Computer Crime Law. The charges related to his activities while working as a consultant at an Intel Corporation facility in Beaverton, Oregon."
-
Re:Yes, but did she steal songs?
BTW, if she was innocent, then the RIAA either illegally accessed her computer (she did not have P2P software) or lied to obtain a false settlement. IANAL but wouldn't the latter be considered a crime?
Arrrr... and this be Oregon, where unauthorized access of computers be aggressively prosecuted, so the former be too.
-
Trespass of Chattels
The case of Randal Schwartz is directly applicable to this case:
http://www.lightlink.com/spacenka/fors/
- in Oregon - Trespass of Chattels was directly considered.
The MPAA discussion of the first counterclaim, "Electronic Trespass", refers to such Trespass.
True: Schwartz was prosecuted on criminal charges, while these are civil claims.
I cannot say anything about the correctness of the claim, but the applicability of "trespass" to the circumstances seems relevant. The MPAA makes some of the same claims that Schwartz did. They were shot down for him, though.
-
Re:This could majorly backfire
I've never heard a satisfactory description of why what Randal Schwartz did wasn't wrong. All I've ever heard is people who say "Well can you name anything he did that *was* wrong?"
Yes, actually, I can, because I've read the court transcripts. If you're going to invoke his name, explain what you think he did. The reason you only said his name, no doubt, is because you read a page like this, which wastes time saying what he was charged with, and listing a bunch of things that aren't actually bad but that are phrased to look bad.
And yet, if you look around, at no point does that page explain what Randal did. Just what he was charged with. Did it occur to you that the reason you think he hasn't done anything wrong is because you have no idea what he did?
The legal system presumes innocence. Slashdot arguments do not.
Now, is Randal innocent? Actually, no. Should he have been penalized in the way he was? No, certainly not, but he should have been penalized. A sensible reaction to what happened would have been to fine him a couple of hundred dollars for misdemeanor vandalism, and to move on. Yes, what happened to him was bad, but you shouldn't be invoking a case you don't understand in order to make a point.
By the by, what happened to Randal wasn't about ignorance regarding computers in any way. It was simple corporate abuse of the legal system. What I asked for was a fault in justice that happened because of a clueless judge. That's not the same as "find me something bad in the legal system that had a computer in it."
By the way, if the best you can do in a nation of a third of a billion people is a single twelve year old case that has nothing to do with what was actually requested, then I'd say that we as a nation are doing pretty damned well.
-
Re:Congratulations
> > "He installed backdoors at 3 companies"
> Objection! Assumes facts not in evidence, your honor!
Ok sorry, just Intel.
Sorry for implying you're an asshat, but that linked document made you sound like one. Guess I should read more about it from your perspective before passing judgement.
Glad your legal battle is finally over.
-
Re:How's that for revisionist history?
State of Oregon v. Randal Schwartz Washington County Circuit Court C94-0322CR
Complaint brought by Mr. Schwartz's client, the Intel Corporation
Intel v. Randal Schwartz: Why Care? by Jeffrey Kegler, February 4, 1996
-
Re:Expungement is the sealing of a criminal record
From
http://www.lightlink.com/spacenka/fors/
'In early 2007, the Court ordered an expungement (pdf). The order states: ".. the defendant, for all purposes of the law, shall be deemed not to have been previously convicted or arrested." The order seals the court records and eliminates some lingering effects of the conviction.'
The pdf is available at the above mentioned site, it's short, and it's in plain English.
Conviction goes poof. Anyone trying to sue Schwartz for claiming he was never convicted
loses. In US civil society, the final review of any dispute is by a US court, which will
support Schwartz's claim he was never convicted. Period. That covers job applications,
security clearances, and all the civil rights stripped from convicts.
Regarding pardons: it is not a requirement in general to admit guilt to receive a
pardon. The US federal pardon authority is vested in the president by the constitution
and is absolute and unreviewable. Ford pardoned Nixon.
-
Re:Ditto; FBI can still see it
There was a PDF file linked on the Friends of Randal Schwartz site (http://www.lightlink.com/spacenka/fors/) that states: IT IS FURTHER ORDERED that the clerk of the Court shall forward a certified copy of this Order to all law enforcement agencies mentioned in the Court's file, including the following:
A. The Federal Bureau of Investigation, and
B. The Oregon State Police, and
C. The Oregon State Corrections Division, and
D. The Arresting Agency, Portland Police Bureau.
So the FBI can't use it against him. The PDF file is a copy of the expungement order from the court.
-
Re:I'm putting on my hat...
They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.
That is exactly it. Most companies don't mind their employees doing limited personal business on company time, but whereas it's legal under the ECPA to monitor personal emails sent through the company email system, it's a felony to do so for personal emails sent outside that system, even if a company computer is used to access them.
If you make 'em use the company's email system, they're less likely to do things like email company secrets to their news reporter buddies. You can't stop it all, but you can certainly raise the bar. If nothing else, this makes it easier to fire people for violating the policy, since they had to jump through hoops to do it and can't claim it's a misunderstanding.
Of course, no matter where one cares to draw the line, some employer will take it too far.
-
Prior art.
Maybe his attorneys should talk to Randal Schwartz's attorneys.
Schwartz Case Upheld on Appeal (slashdot story posted 2001.04.07)
Latest data on it is from November of that year.
-
What's with Perl community and high-profile cases?
First Randal Schwartz and now this guy. What's with Perl?
-
Re:Perl = Legal Trouble??
Didn't Randal L. Schwartz also get into trouble with a past employer?
Yeah, Intel. He was convicted of three felonies. He was running a password cracking program on their servers. He had cracked computers not only on Intel's machines, but on the machines of some of their partners, as well. He'd also installed some backdoor programs on several machines at Intel. It was really stupid of him to do all of this.
-
Learn from history
Randal Schwartz of Perl fame learned the hard way that doing something illegal to show the problems with a computer system still gets you into trouble.
-
Re:Isn't the effectiveness now compromised?
A friend of mine ran crack
... sent the results to his sysadmin, with a note asking the sysadmin to implement crack system-wide, and was promptly reprimanded.
It could have been much worse!
-
Re:Has Oregon repealed its nasty anti-coder laws?
I think Schwartz said it best.
I became a felon for doing my job with a bit too much enthusiasm.
He used normal security techniques of auditing passwords, he never used the passwords in a dishonest way, and he was authorized to work with the systems. The passwords never left Intel's computers, he didn't actually "HACK" or steal access.
He should have been fired if Intel had an issue, but Oregon's law basically makes things like using someone's xbox without written permission a felony.
Just because a company doesn't like the way you go about doing your jobs shouldn't make you a criminal.
You can read more about it here. Lightlink
-
Re:What other apps store my username in their file
So long as the files you generate are plain audio files and don't need fancy stuff like playlists, you can ensure that the WAV files you distribute don't contain any metadata by running them through one of the programs available that strip fancy WAV files down to "canonical" format. Here's a shareware program for MS Windows, and here is C source for one for GNU/Linux. These all work by eliminating everything other than the header, the format chunk, and the data chunk. These programs exist because there is a lot of software that doesn't know how to parse full WAV files. Of course, this won't eliminate "metadata" embedded in the audio data.
-
Re:What is the best way to increase security?
A good format for the permission in writing you need is here:
http://www.counterhack.net/permission_memo.html
Don't end up with a massive legal bill, and multiple felonies on your record like noted Perl author Randal Schwartz did:
http://www.lightlink.com/spacenka/fors/ (Cache: http://www.lightlink.com.nyud.net:8090/spacenka/fors/)
-
We need to keep hearing about it
Remember when people were going to switch to AMD processors after Intel's prosecution of Randal Schwartz?
That boycott didn't last too long and obviously the system hasn't changed.
You should be prosecuted for kicking somebody in the balls, not telling him his fly is down.
Ten years apart, we have two "fly's down" cases that are referred to the police.
-
Re:Realtek == Crap
Hmmm... I didn't think my experience was atypical. I was copying about 20GB of files across NFS. The machine (running RedHat 8) crashed five times. In fact I wrote a little script that echoed the directories copied, so when it crashed I knew where to start it after the machine came back up. A little while after that I happened to read the Beowulf network card notes (and/or Don Becker's opinions), and they matched my Realtek experiences, and suggested that the Intel EEPro 1000 was the one that worked. (Dang, I couldn't find that page after a quick googling.) I decided that although Intel is evil, I decided I'd switch all the machines over to eepros. After that I tried the same test, of transferring that 20GB via NFS. No crashes. Although I'm sure the temperature, the phase of the moon etc. probably had more to do with it, it was good enough for me.
-
Re:No no no
I'm with you there. Just think about what happened to Randal Schwartz at Intel a few years ago!
-
Merlyn
Probably ought to have a chat with Merlyn about his case that definitely had some similarities... He might have some worthy insights.
-
It's illegal if They say it's illegal
Same goes for computer access. You are perfectly legal in hacking a system PROVIDED you have permission. If it belongs to you or if the rightful owner has given you permission, go nuts. It is only a crime when you do it without permission.
Tell that to Randal Schwartz. Because he did not obtain permission for each individual action, he was convicted of Computer Crime. You can email his perl bot for more info.
Beware people with benevolent intentions, as they usually become malevolent when they realize 1) you are smarter than they are, 2) they bought an insecure product, 3) they fear you. While this contest may be on the up and up, the information they are seeking is worth far more than $250 and could easily turn into criminal investigations whether they intend them to or not.
If someone can get my library records without my knowledge, sniffing some packets is child's play.
-
Re:Forensics utilities are somewhat useless
Taking a box offline may not be an option in a lot of environments, but I can think of several cases in which this would be very useful.
- Small/home/project server
One of my private servers was taken over once. Very un-nice thing, resulting in several months of frustrating interaction with network provider until we figured out we'd been rootkitted. We reinstalled everything from scratch and did our best to lock it down, but it still would have been nice to have a handy forensics tool to pop on the 'doze box down the hall.
- Intranet server
If you have a server on your intranet and you want to run checks on it (say, to make sure you're safe against malicious/disgruntled employees in the billing department), you can pretty easily have a few hours of scheduled downtime at night.
- Multiple identical servers
I worked at a company that had a number of identically-configured web boxes. That was the whole point: you could take one out whenever you liked. Since the config was identical, you could take one out, run whatever tests you wanted, and if you found a problem you could fix the servers in rotation.
- Clueless company
If you work for someone who has no real sysadmin, and they sometimes expect you to do sysadmin-like things, it could be very nice to have such a MiniCD handy. If that's the case you probably don't have a forensics-kit laptop handy, nor expensive tools.
Of course, always get permission first.
-
Be sure to review my case
-
Do we need to start collecting for Linus?
Looks like a lawsuit against Linus might be on the way. One could object to this surmise by saying that any such lawsuit would be meritless, but that hasn't stopped SCO so far.
Linus would probably come away from a legal wrangle with SCO without any penalties from the court, but he would be faced with daunting legal bills and a distracting, upsetting strain on his time. Whatever they do, they can hurt him just by putting him through the ordeal.
So is somebody going to have to set up a "Save Linus" website pretty soon, asking for donations to his defense fund? Remember Randal Schwartz and his court battle with Intel? (Here's the Friends of Randal Schwartz site.) The whole thing could turn into quite a media frenzy with Linus at the center, honored as a hero by one side but demonized as a pirate by the other. I wish there were some way to prevent it from happening, but it's all up to SCO.
-
Re:Sensible position, whether or not claim is true
None of that applies here, which has been the basis of this entire argument.
-
Re:Common sense...
Things are not always this black and white.
Have a look at what happened to Randal Schwartz and see if you still feel the same way.
-
Re:Sensible position, whether or not claim is true
So what do you do with someone like me, who is arguably (and been accepted for the most part as) a white hat, and yet has been convicted under what some would argue are messed-up laws as if a black hat?
Would you hire me?
Or would you merely stop at the apparent conviction as if that's the only ruling authority?
-
Re:You are missing the point.
I'd say we do.
-
Bad patents
Upset that a patent article comes to Slashdot that is not laughable? This should cure your fix:
-
Once again, near and dear to my life story
Please read the archive of the details of my case.
I've been arguing for a long time that whether or not it involves electrons, there should be no difference in sentencing.
We need a sane parity between electronic and non-electronic crimes. That would make the punishment assigned to me simply ludicrous.
-
Re:"Counterfeit" pound notes
I'm not sure what the law is about this. Is it specifically illegal for me to print up a 10,000 Flugelbucks and then convince everyone in my community that they should accept and use my Flugelbucks as a form of payment?
I doubt it, considering that some cities print their own money: Ithaca, NY most notably.
I'm not even sure what the tax ramifications are of this... If I do all of my other transactions in them [Flugelbucks], how do I know what the dollar value of the transactions is?
Most likely the "fair market value" in dollars would be applied. If you're painting houses, then you have to ask: what would someone else charge in dollars for this? Now, if you can find a service that no one else can/does provide, then maybe you've found a tax loophole that can be exploited... (but probably not, because IANATA)
-
Re:The Perl book is the most memorable...
I'll bite; what do you mean by "He will be missed?"
He posted yesterday to c.l.p.misc.
If you're referring to his conviction, his jail time was suspended, and, though I haven't heard what the outcome was (or will be), his restitution sentence was sent back to a lower court for reconsideration. He was stupid, yes. But three felony counts was more stupid. IMHO, of course.
-
No jury duty for me
I don't think I'll be serving jury duty any time soon. But I don't recommend my method to achieve such status in general. {grin}
-
Good idea. Randal got burned.
Your caution is well founded.
Perl guru Randal Schwartz was criminally prosecuted in the state of Oregon when as a consultant he warned his client's system administrators about poorly secured systems he found. He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.
I'd bet HE'D have some ideas whether the wording in a consulting contract would be good enough to save you from his experience.
-
Re:Still a crime.
(Mod parent up please?)
Fishbowl is right. This is pretty similar to what Randal did several years ago--a trivial hack resulting in unauthorized access, no hard or money damage done, institution embarrassed, no attempt to obfuscate source of hack, yadda yadda.
The main difference is that Randal could have reasonably argued (and ISTR he did) that the machines he broke into were at least somewhat close to his sysadmin responsibilities, giving him some expectation that running crack on them wouldn't be considered a hostile attack. I doubt the Princeton admissions officers have such an exculpatory excuse. They were after information that they had no right to, in order to use it competitively. (For example, they could have offered less financial aid to the students in question, knowing their other options were limited.)
On the other hand, Randal was prosecuted under an Oregon law, which obviously doesn't apply between New Jersey and Connecticut.
(Good grief, was that five years ago already? I feel old.)
-
Scanning Tools are like hammer drills...
Do you hand out hammer drills to random employees and let them have at the internal walls looking for weak spots?
Just how exactly does it improve the security of your systems to punish employees for exposing flaws? This guarantees that the only people scanning for vulnerabilities are outsiders and insiders with evil intent.
The only employee who should be 'scanning for vulnerabilities' here is me. Anybody we catch scanning without express written permission (generally from the CTO) is assumed to have 'evil intent'.
You can't just go off on your personal quest for vulnerable systems randomly on your employer's network, unless you actually want to end up like Randal Schwartz
Give scanning tools to employees and offer to pay them a bonus for reporting problems!
Speaking of 'wrongheaded thinking'. Consider the risks of encouraging random scans by non-security employees:
There are numerous reasons not to encourage random employees to scan your network.
- Some badly-written scanners will DOS even well-written OSes and applications.
- Some legacy systems still running in corporate networks react badly to being scanned. This isn't good, but it is a reality.
- Who needs 1,000 identical 'Tool X' scan reports of the same network?
- Scanning generates extra network traffic and 'hits' on IDS systems. See previous item.
- Allowing random 'good' employees to run scans will make it harder to detect the 'evil' employees.
- How do you detect when a worm (Nimda?) or a trojan included in some shareware package starts scanning your network without the user's knowledge?
- What happens when 'Tool X' is distributed with a trojan, or simply hacked to silently CC the report summary to scanreport2002@hotmail.com?
- When 'Joe minimum wage' finds an easily exploited hole in the payroll server, you expect him to report it before trying it out for himself?
- Scanning random remote IP ranges can 'bring up' backup ISDN and other toll circuits, incurring a real expense.
- Do you encourage your average employee to check for unlocked doors and cabinets outside of their own work area, or do you have dedicated security personnel?
...
-
You thought those were bad.
Check these patents:
Silly patents
Really silly patents
Really Very silly patent
Plain absurd patent
Even law firms admit many patents are silly
Are you getting bored of all this silliness yet?
I can go on
And on
And on. Even in Spanish
Incidentally, I have just made my own patent application:
Method of receiving Karma Points from www.slashdot.org utilising process of relying entirely on external sources and/or hyperlinks - "Karma Whoring".
-
Re:And maybe not
How much money do you think Intel got back from Randal Schwartz?
According to this page, "Randal received a deferred 90 day jail term, 5 years probation, and 480 hours community service. His legal fees have run over $170,000 and he has been ordered to pay over $68,000 in restitution".
Here is another link with more extensive information on the case for those who might be interested.
-
Are you making this up?
no where did i find an instance of Randal doing this to prove to Intel execs their passwords were insecure. got any links where your info came from?
he casually mentioned this lame excuse when being questioned by the authorities (both Intel and Police) but no where was it shown he told anyone in Intel that their passwords were insecure.
what was mentioned by Randal was that he wanted access to these computers for his own purpose and did so basically b/c he could.
please do some reading
PS - i enjoy the look into his background, where essentially he has had prior problems of this same nature.
-
right here
HERE
Randal had moved the process to Brillig about 5 or 6 months ago, after this process was discovered on a system named Mink. He mentioned he was told not to run it on Mink and at this time he moved it to Hermes, which he found too slow for his needs. He then changed it slightly, and moved it back to Mink where it was found for a second time. This occurrence resulted in the Mink system administrator to remove his account, and Randal then moved the process to Brillig.
not sure where most /.ers work, but i know most Fortune 500 companies would not give you essentially 3 strikes to get your sh|t together.
he should have been canned the first time his access to MINK was found to be against company policy. guess this instance shows the evils of how big bureaucratic companies work when: someone allowed him to be found out on MINK not once, but twice and yet still be allowed to work at Intel where he then did the same policy violation on BRILLIG.
I would say this was asking nicely.
-
Site's down. Try this one...
Pulled Straight from Google's cache: http://www.google.com/search?q=cache%3Awww.rahul.net%2Fjeffrey%2Fovs%2F
Intel v. Schwartz
Intel's Prosecution of Randal Schwartz
Note:
The Open Letter to Intel closed to new signatures
on October 4, 1999.
Thanks to all who have signed!
Geek Kahuna Goes Bad?
It began prosaically enough.
Randal Schwartz, who I knew from Usenet and his
very successful books on the Perl language,
was on business in Silicon Valley and agreed to meet me at
Frankie, Johnnie & Luigi Too,
an Italian restaurant in
Mountain View CA, to offer me advice for a program I was
writing.
It might seem surprising
that Randal would agree to take time
from a hectic schedule two weeks before going on trial to give
what amounted to free consulting to a stranger.
However, those who
have been interested in the Perl language for a while
know that Randal
is a legend for his generosity.
Actually, I didn't know Randal was going on trial in two weeks.
I had heard rumors that he had some sort of legal difficulties
(a civil suit I assumed) which involved Intel.
I'd known many people with matters before the
courts, some close personal friends,
and few liked to discuss them.
Therefore it was not until
Randal had fielded my Perl questions, the talk
turned to minor chit chat and Randal unexpectedly proved
willing to discuss the matter that
I discovered the person I was drinking beer with
was looking at fifteen years in a few days, and, if convicted,
would have the biggest legitimate reputation by far of
any computer criminal.
I didn't necessarily credit the story he told me -- every
accused felon tells you it was all a misunderstanding, and
they are almost always just plain guilty.
Neither, I must confess, do I have unquestioning faith in
all the conclusions D.A.'s draw.
Days later, an Oregon Jury convicted Randal of
three felonies.
Randal Schwartz was, in the eyes of the law, a
Geek Kahuna Gone Bad,
the first.
Especially eerie about the Schwartz matter
was the silence surrounding it.
This clearly was a very significant case, far more so than
some which have drawn a lot of attention.
Randal Schwartz was either
the most dangerous computer criminal ever,
or something was terribly amiss, I had to know which.
That night I put the project I had discussed with Randal
on a shelf, where it remains.
"Feel free to stop dancing around the issue
any time you like and
tell me what this is all about."
On July 25, 1995, a Washington County jury in Hillsboro, Oregon
convicted Randal Schwartz of three felony counts:
Count 1: Randal did
between November 1, 1992 and November 1, 1993,
"unlawfully, knowingly and without authorization alter a computer and
computer network consisting of Intel computers Mink and Brillig".
Count 2:
Randal did between August 1, 1993 and November 1, 1993,
"unlawfully, and knowingly access and use a computer
and computer network for the purpose of committing theft of the Intel SSD's
password file".
Count 3: Randal did,
between October 21, 1993 and October 25, 1993,
"unlawfully, knowingly
access and use a computer and computer system for the purpose of committing
theft of the Intel SSD individual user's passwords."
"Look, son, Randal may be a what you call a Geek Kahuna,
but the law is the same for him as everyone else."
Actually, Randal was not tried under the usual criminal
laws, but Oregon's Computer Crime law.
Uses of this law are rare.
I can discover only two convictions under it since 1991,
and in one there was no trial.
The purpose for a separate Computer Crime Law
was to avoid having bad guys escape on technicalities,
something its drafters felt that
even an extensive revision of traditional criminal law would allow.
This they accomplished by making it a felony
to knowingly do anything
"unauthorized" on a computer.
Unusually for a law with severe penalties,
there is no requirement to show the defendant caused or intended
any harm.
All that is necessary is to show
that the proper authority did
not like whatever was done.
The first count is that, pure and simple --
Randal putting a
program on an Intel computer which Intel did not like.
The "stolen" property of the second and third counts
was never removed from Intel's premises, Intel was never
deprived of any of the economic benefit of the
property, and no evidence was presented
Randal intended to do either of these things.
These "thefts" consist entirely, again, of doing things
which Intel decided afterwards
it did not like and which it claims that Randal
was not allowed to do -- this time with
password files involved.
Criminal laws with wide applicability and severe
penalties are a feature of totalitarian states, and
may be a necessary evil in free ones.
In Randal's case, where he was trying to be helpful
and caused no harm,
the potential evil in applying such a law
is far more apparent than its necessity.
At the least,
a free society asks that a serious crime
genuinely reflect one of its serious concerns,
and not simply be a tool the powerful can use
against the powerless whom they find obnoxious.
A good test of this can be made when a powerful
individual breaks the law.
But for computer crime, which is complex and
technical, such tests are
available only as a matter of luck, since
the powerful decide who gets investigated.
However, we have such a stroke of luck in this case.
An Intel VP confessed on the stand to a more serious
infraction of Oregon's computer crime law.
And the Washington County D.A.'s office,
which so eagerly talked tough when facing the
powerless Randal,
has observed a demure silence on this topic.
The defects in the law should easily have
been enough to prevent
this case ever coming to trial, and made discussion of the rest
of this matter moot.
But at each step of the way, as one person or another faced
the prospect of telling Intel "no", they chose instead to
praise the Emperor's fine new suit.
Some Highlights from the Ongoing Farce
- No evidence that Intel disapproved of Randal's behavior exists, except as remembered after the decision was made to prosecute him. Not so much as a hand-written note indicates anyone had a problem with Randal beforehand.
- Lest those testifying for the prosecution, all of whom had financial interests in the good will of Intel, forget Intel's concern in this matter, an Intel Security person sitting at table next to the prosecutor served as a convenient reminder.
- Intel was heavy-handed in making its presence felt throughout. The police prepared the search warrant at Intel premises, three Intel employees helped search Randal's house, and one helped police interrogate Randal.
- This interrogation produced the prosecution's "best" evidence: police statements that put the words of a full confession in Randal's mouth. Indeed they claim Randal confessed to a history of hacking everyone he had done business with. (All these other "victims" provided witnesses for the defense, and Randal was charged with none of this activity.)
- The police claim to have memorized Randal's highly technical statements with the aid of a few "cryptic" notes, and reproduced them accurately later at the station. It is hard to overstate what an incredible feat of memory this is. Det. Lilley, who produced the more complete statement, didn't know what the word "directory" means in computer lingo. Mere mortals with similar backgrounds would have found it impossible to follow the discussion, much less memorize it verbatim.
- In other contexts, Intel had previously authorized Randal to commit both the acts allegedly unauthorized in this instance: cracking passwords and building a gateway to the Internet.
- Randal was well aware of the steps a computer criminal usually takes to avoid detection of his activities and took none of them.
As I go through the records in this matter, more and more
startling and troubling material continues to come out.
It is as if this case was an entry in a contest to see
how much misbehavior could be squeezed into a case where nobody
was shot or beaten.
I document my progress into this shambles in the
Letters from Cybersalem.
The Letters From Cybersalem
CS0: Announcement.
Obviously, the letter which announced the series.
CS1: Disclosures and Disclaimers.
My connections
to Intel and Randal, and various other things which need to
be said. Nothing stunning IMHO, but you have a right to know and
to judge that for yourself.
CS2: Wizard Prosecutions: Then and Now.
A comparison of the quality of
the prosecution in the Salem, Massachusetts of 1692 and
the Hillsboro, Oregon of 1995.
Witchcraft prosecutions have declined sadly in the last
300 years.
CS3: The Unindicted: Ed Masi.
It is so easy to make a case for the crime of which
Randal was convicted,
an Intel VP testifying against Randal made a
full confession under oath on the stand.
It's all here.
CS4: Shocked, Shocked.
Randal's "crime" caused no harm, which is perplexing
since harm is basic to both the legal theory and lay
intuition of what "crime" means.
The policy infraction to which Ed Masi confessed
is shown to have quite likely caused real and serious harm to Intel.
CS5: Leadfinger.
This imbecility is not without its literary appeal.
A nicely Kafkaesque touch is added by the reluctance of the
Intel nabob who ordered Randal nailed to identify himself.
Of course, nobody forced him to come forward.
CS6: Unlearn Perl in 41 days!
Rich Cower of Intel security adds to the list of
remarkable intellectual feats performed on behalf of the
prosecution. On June 13, 1995, he answers most questions about
Randal's Perl scripts with assurance, but passes on others
until he can look at the code.
41 days later he testifies under oath he does not know Perl.
CS7: The Essential Cower.
As Network Security Expert at Intel,
Cower played quite a role in the case.
He was present at the search,
participated in Randal's interrogation,
was an expert witness and
as State's Expert sat next to the prosecutor
for the whole trial.
CS8: What Does Familiar Mean?
However, this Intel "expert", when shown the seminal
work in modern network security, Cheswick and Bellovin,
does not recognize the cover.
CS9: Shortcut to Expertise.
An examination of Cower's background and qualifications,
as revealed in his testimony.
CS10: Too Stupid for Their Own Good?
Randal's local paper was
The Oregonian,
already notorious for ignoring the Packwood scandal.
It heaped abuse on Randal and the whole
"computer programming subculture"
during the trial.
I recommend anyone planning to work as a programmer
in Oregon read this one.
CS11: Oregon Employees have No First Amendment Rights
Unbelievable?
That is Judge Nachtigal's ruling.
Read it.
CS12: Oops! There Goes Another Personal Right
Judge Nachtigal also discovered that the law
allowed "silly" (her word) prosecutions,
which in the D.A.'s words
show his "office must have an awful lot of time on their hands".
These are forbidden by the due process protections of the
14th Amendment,
but Nachtigal finds that
"we may want that authority there with computers",
and the charges against Randal stand.
CS13: The Confidence of the Public
This one is entirely uncommented quotes.
Here are some snippets.
The prosecutor: "I don't represent Intel."
The judge: "Not yet."
The detective: "We could probably use two or three more people".
The Associated Press:
"Intel Corp. is handing the local police $100,000 to have two
detectives concentrate their computer theft efforts
at the company."
CS14: Moore's Lawlessness
It would be surprising if Intel's heavy-handed contempt for the law
were unique to this case.
As Tim Jackson's new book shows, it is not.
An Open Letter to Intel
We wish to express our strong objection to the prosecution of
Randal Schwartz and Intel's role in it. We believe it necessary
that Intel repudiate the criminal charges made against Randal in
Oregon v. Schwartz, refund any "restitution" paid based on those
charges and offset the costs of Randal's defense against them.
This is the minimum that fairness requires since what happened
was at worst a policy breach and since Randal also suffered loss
of income, loss of reputation and a good deal of anguish.
The current signature count, with subtotals by country
Signers whose names you might recognize
The Open Letter closed to new signatures on October 4,
1999. Thanks to all the over 2000 signers!
Links
To get an auto-reply giving Randal's own statement, and
discussing how you can contribute to his Legal Defense Fund, send
an empty message to
Randal's Defense Fund mail daemon.
Steve Pacenka maintains
the Friends of Randal Schwartz website,
which is dedicated to archiving all relevant materials from
all sides of this issue.
There is also
Randal's award-winning website.
How come he gets an award and I don't? :-)
You can subscribe to
the fors-discuss mailing list,
by sending an empty message to
join-fors-discuss@telelists.com.
There is also
fors-announce,
a moderated announcement list for Randal's case.
This can be subscribed to by
sending an empty message to join-fors-announce@telelists.com.
Press Coverage
I want to thank this site's host ISP
A2I (rahul.net)
for its steadfastness and generosity.
-
Overview Mirror
The hyperlink in the story to the overview of the Schwartz case is responding, "User over daily limit".
Use the mirror here.
-
Schwartz used bad judgement, nothing more.
IIRC from one of his web sites he pretty much describes all of the events that led up to his being arrested. He is honest about the fact that his contract at Intel's Supercomputer division was about to expire and he was trying to find a reason for them to continue to keep him employed and he decided to use their weak computer security as a reason for them to continue to use him as a contractor. Unfortunately, he wasn't an admin and he didn't get permission to crack the passwords. So when the admin found out that Schwartz was running Crack he informed the security guys at Intel.
Also IIRC it seemed like Intel management wanted to handle it differently than Intel Security which called up the Sheriff's office, I think, to have Randal arrested.
IMHO he only used really bad judgement and is obviously not a cracker bent on maliciousness.
I think it's too bad that the courts came down as hard as they did on him. At least he's not still in prison.
-
Innocent Activities?!
You must be joking. He was caught cracking the passwd file for Intel and O'Reilly without their permission. His activities were anything but innocent.
Some background from the other side: an affidavit from one of the Intel folks is here:
http://www.lightlink.com/spacenka/fors/police/intelrep.txt
Basically, he cracked more than one company's passwd file without permission...one of them was a company he'd been dismissed from earlier (he was still logging into their machines and was cracking their passwd file, too). Personally, I'm not at all surprised that they threw the book at him.
-
Stop prosecuting network admins as criminals
As a network admin, cases like Oregon vs. Randal Schwartz (author of O'Reilly's Llama book on Perl and co-author of the Gecko) being prosecuted for performing what I would consider basic network security functions scare the shit out of me.
Maybe the solution is education. I doubt the jury in the case had a clue what the issue was or how you secure a network in the first place.
And if you don't know about the case, go to http://www.lightlink.com/spacenka/fors/.
Good luck, Randal. May the Schwartz be with you.