Slashdot Mirror
Schwartz Case Upheld on Appeal
RichardtheSmith writes: "For those of you who followed the prosecution and conviction of Randal Schwartz back in 1995, you might be interested to hear that the Oregon Court of Appeals finally ruled on his appeal. The gist of it is that they upheld the three convictions, but overturned the approx. $70,000 restitution award to be paid to by Schwartz to Intel. There was also some language in the Court's decision holding out a ray of hope that a future appeal based on a slightly different legal tack could succeed. For background on this case look at the Friends of Randal
Schwartz website. Regardless of what you think about what Randal did, or whether it rose to the level of criminality (I certainly don't), it's certainly a fascinating and chilling tale."
HTH
I read the police reports and the accused's response to the police reports (plus any other mateiral I could find ont his). Sorry Mr. Schwartz. I have to concur. You were asked on 2 different occasions to cease exactly the activity you were eventually convicted of. If you truly were a white hat, how many passwords beyond 40 would you need to prove your point?
I don't buy for a minute that you were looking for holes... The list of similar types of stunts at other past employers (some contract employers with whom you no longer have a contract with) etc shows a pattern. You are the classic arrogant geek. "I CAN do it so who is the man to tell me not to."
You yourself, in numerous passages during the police interviews, state that you knew, full well, that what you were doing was both illegal and frowned upon by Intel.
So, we have an arrogant geek who feels justified doing what he has done because his internal set of standards for what is a hack hasn't been crossed. Well, got news for you partner. It isn't your definition of hacking that gets consulted when times like this occur.
Save the pity. Obey the policies of a contractor or leave but don't whine when someone catchs you twice and explicity tells not to do that again followed by another incident and your arrest. Please...
I have an idea for all you Linux/Perl/Unix geeks that think that somehow he should be deified because he used NIX tools on an Intel-owned box to show the man how bad his security was. Imagine he used non-nix tools and cracked passwords on a VALinux box as a contractor? Do you really think this story wouldn't be told differently on this forum? Imagine he was caught twice and told to quit and given a stern warning. Imagine he did it again. Imagine the story then.
Don't do the crime (and you yourself said it was a crime more than once) if you can't do the time.
--I don't think that's particularly ironic, as you suggest. ALL ASIC design companies use UNIX platforms for their design tools (synthesis, simulation, APR etc). The sofware companies that make these tools provide only token (if any) support for other OS's like windows and linux, leaving hardware companies with little choice.
Fool me once, shame on you
Fool me twice, shame on me
Fool me three times, go to court and get your socks sued off
I used to work as a contractor for Intel (a lowly "green badge" to the cognoscenti). While I didn't especially enjoy my time there, I don't really have any grudge against the company, and therefore no reason to embellish things. That disclaimer out of the way...
What Schwarz did was just plain stupid. The first thing any new Intel employee notices upon entering an Intel facility -- and I worked in the same campus Schwarz did -- is that Intel is VERY paranoid about security and intellectual property. They may do a shitty job of it, as Schwarz discovered, but they are nonetheless quite serious about it. I watched more than one person get chewed out just for not properly using copyright and trademark symbols in internal documentation, and getting access to additional resources of any kind involved quite a bit of time and red tape. Intel is terrified that "Intel intellectual property" (which may as well be one word the way it's used at Intel) will leak out to Sun or AMD or some other competitor. To play with that fear is foolhardy.
Nonetheless, I think it's pretty plain that Intel overreacted in this case, since Schwarz obviously had no malicious intent. But if you shove your arm in the bear cage and tweak the bear on the nose, you can't claim surprise if you draw back a bloody stump.
On an unrelated note: Intel is also terrified of having its intellectual property "contaminated" (their word) by the GPL. Employees must get permission to work on open source projects from their supervisors who must certify that the project is unrelated to the employee's work at Intel. (To be fair, they grant this readily most of the time.) Intel's main interest in Linux isn't as a competitor to Microsoft; it's as a competitor to Sun, since Linux is most often installed on Intel platforms. Ergo, if you're going to approach Intel about supporting an open source project, you should approach them in this light: how can my project harm Intel competitors? There's nothing sinister about it; Intel's interest in open source is purely business and entirely non-ideological.
HE:
1.) installed aprogram so that he could access two intel machines from a remote location
2.)copied a password file from a machine
3.) cracked the password file using a cracker tool
There are no legitimate reasons for doing any of these things, and it was clearly unauthorized use of the system. IOMNSHO, his punishment fit the crime perfectly, and there is nothing to debate here.
Uh, this is the real Randal.
Someone cracked my slash password.
I think it's ironic that you felt qualified to audit intel's password security, yet used a password of "slashdot" for your slashdot account.
Idiot.
--Shoeboy
From Intel's Prosecution of Randal Schwartz (linked from Friends of Randal Schwartz):
Some Highlights from the Ongoing Farce
-- No, no -- Not that one!
So does Dell - I heard they even cover the Sun logos at Dell so that customers and business partners touring the plant will not know they use Sun equipment. Of course, I also heard they are replacing the Sun boxes with new 16 - way NT / Win2K machines which are tagged Dell, but are actually manufactured by someone else (I forget who at the moment)...
So should you also be charged with three felonies and be forced to pay a huge fine for your crack?
Python
Python
BTW, you might want to try some of the links in the story. They're informative; far more informative, to put it bluntly, than your post.
Stating on Slashdot that I like cheese since 1997.
Not as embarassing as the screenshot of one Microsoft website that had given a Roxen error message... Too bad I can't find that one right now, does anyone still have it? =)
It seems there's a great reluctance on the Net to say what he actually did. It took quite a bit of work to find it.
The law in Oregon is wrong. It's far too broad. However, I'm going to have to support Intel on this. Schwartz should have told them what he was going to do, if he had no criminal intentions. By compromising the computers without forewarning, he put the rest of the company in not insignificant danger.
Yes, as it turns out, their system security was crap. That's not an excuse to go cracking it without warning them that you're going to do it.
Do I think he should go to jail for it? No. But I believe Intel's within their rights to fire him for it, and to demand compensation for fixing the mess. Had he only told them what he wanted to do (heck, call it a "security analysis by simulated break-in" even, if he really thought they wouldn't let him do it) the whole mess could have been avoided.
----------
Well, here's information from a police report where a cop actually talked to him: it's found at this address:
I asked Randal why he was using the "CRACK" program to obtain passwords and asked if he realized that these passwords would access
the SSD system. Randal advised that he did realize this and that he wanted to get his E-mail quicker
Weird, eh? But check this out:
I asked Randal why he would need forty to fifty passwords and he said, "I needed them in case they caught me doing it and knew they would shut
me down so the more passwords I had, the longer I could continue doing what I wanted to do." Randal advised that he had the capability to do it and he knew he could do it. I asked Randal if this was wrong and in violation of Intel policy and Randal said, "Yes it is, but I knew I could do it anyway." Randal said that he wanted to do it because he wanted to be efficient in getting his E-mail very fast and he felt was important and when they shut him down, he wanted to continue doing what he was doing and since he had the capability to do it and knew he could do it, he did it without permission.
Well from that, what he himself said to a policeman, he comes across as a dirt-common script kiddie.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
He also used crack(1) to attempt to get passwords. If it isn't your computer, that's "hacking" (in the media usage of the word) and a felony under many state's laws. That's basically it. Probably Randall didn't mean any harm in it, but he did it, and even admitted it.
BTW: Randall wasn't an Intel employee -- he was a contractor.
There are no end of recent examples that merely staying innocent of wrongdoing is not sufficient to keep you out of jail, if you get unlucky or piss off the wrong people
No. Pissing off the wrong people in *combination* with wrongdoing can send you to jail. Merely pissing off Intel drones wouldn't have meant a damn thing if Randall hadn't been cracking Intel computers at the time (a wrongdoing at least in Oregon).
http://www.lightlink.com/spacenka/fors/police/inte lrep.txt
For the lazy, I take an excerpt below :)
The reason for making this report public is that it specifically mentions that Randal was using Intel resources to crack password files from at least one other company.
On Thursday, October 28, at 12:30 in the afternoon, I noticed an unusual process running on a Sun computer which I administer. Further checking convinced me that this was a program designed to break, or crack, passwords.
---
So what's a pageview on /. going for these days? Andover must really be hurting for cash to resort to these "4 common items in your kitchen that can kill you - after the commercial"-type teasers.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Wow, he impersonated people? He kicked people when they were down?
You're probably the most cowardly person I've *EVER* seen on slashdot.
In case anyone's wondering: no, Randal hasn't gone bonkers. Someone's managed to hijack his Slashdot account. He even got the "Your email and password have been changed" email from the system, and has the IP address from which it was done, for all the help it will do him.
To whomever did it: You're a great example of humanity. The guy just took it bending over again from the legal system, and you feel the need to play pre-pubescent 31337 haxx0r tricks to screw with him even more. Not that I expect the highest standard of decency from Slashdot trolls, but this *is* a real person you're impersonating.
He's a nice guy, and he's helped a lot of people. Not in a UNICEF or Amnesty International sort of way, but he's done his bit. Hell, if CmdrTaco read any of his O'Reilly books, he helped this place get made. That's irony.
But, in the end, this is "only Slashdot". I see amazing crap like this here, and I see amazing discussion here. Unfortunately, things like this are making me take this place less and less seriously.
Anyway, if you know Randal, you know this wasn't him anyway...
In case anyone's wondering: no, Randal hasn't gone bonkers. Someone's managed to hijack his Slashdot account. He even got the "Your email and password have been changed" email from the system, and has the IP address from which it was done, for all the help it will do him.
To whomever did it: You're a great example of humanity. The guy just took it bending over again from the legal system, and you feel the need to play pre-pubescent 31337 haxx0r tricks to screw with him even more. Not that I expect the highest standard of decency from Slashdot trolls, but this *is* a real person you're impersonating.
He's a nice guy, and he's helped a lot of people. Not in a UNICEF or Amnesty International sort of way, but he's done his bit. Hell, if CmdrTaco read any of his O'Reilly books, he helped this place get made. That's irony.
But, in the end, this is "only Slashdot". I see amazing crap like this here, and I see amazing discussion here. Unfortunately, things like this are making me take this place less and less seriously.
Anyway, if you know Randal, you know this wasn't him anyway...
> Basically, internal politics at intel played an important role. Intel is a very large company with many divisions, and some of
> them get along about as well as the Israelis and Palestinians.
Whether or not these are Randal's actual words, this is much the case: Intel is a place where the concept of a team rarely extends beyond the people who report to your immediate boss, & sometimes not even that far. (A very effective way to ensure one's continued future at Chipzilla is to eliminate your competition.) A screw-your-neighbor mentallity I have not seen in other workplaces.
And now for an OT question: is this Heidi Wall, whom the pseudo-Randall talks so much about, Larry Wall's daughter?
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
My friends, I had hoped to win on this appeal, but alas, I have failed.
This means the failure of all my precious hopes and dreams. Now that I am branded a convicted felon for life, there is no way Heidi Wall will ever go out with me.
Truly, this is a sad day, but perhaps it is for the best. Far too many hours have I spent daydreaming about Heidi instead of doing actual work. And it has been truly uncomfortable for me to talk to Larry about Perl when all I can think about is his hot little daughter.
More importantly, I think Larry and Tom found out about my attraction to Heidi (although I have been circumspect) and decided to cut me out of the royalties on the latest version of the Camel book. I could just be being paranoid here though, since Tom has alway hated me, and he has a strange, unholy control over Larry.
As much as it pains me to say it, I must admit that this is in Heidi's best interest too. Now that she has Shoeboy, why would she want a repulsive old man like me? I could never hope to compete with Shoeboy's wit, charm and gorgeous body. (I'm not gay, but damn, the dude is hot.) Shoeboy can make her truly happy, and I wish them the best.
One thing is for certain though, I'm recommending that no one ever work for Intel.
--Randal Schwartz
Yes, half my community service time was commuted to a fine. This was done by a judge on a letter from my probation officer, with the entire history of the case available to him. He had every option to say no, or to change the rate of hours-to-fine at something other than the conventional $5/hr. He accepted my probation officer's proposal as requested.
So, instead of doing 480 hours of service, I did 240, and paid a $1200 fine. With the judges approval. This is public record.
So I continue the challenges not so much for me (although getting my weapons and free-travel rights back would be nice), but for my fellow Oregonians who are now even more at risk because of my case.
The money is not the issue. Yeah, I could always use a few extra bucks, but instead I've dedicated a significant amount of my income toward having justice show up in this case, rather than the confusion that has come out so far.
I'm not stupid. When I'm told "don't do this", I don't do it.
As for the "illegal" and "frowned upon", those came from the police reports. I'm still amazed at how much information they have in those reports that I didn't say, or said in a context that doesn't fit how the reports played them back.
They took about ten lines of cryptic notes from a two hour conversation. They had tape recorders in the car, they didn't use them. They had video cameras at the police station. They didn't use them. I'm told it's common practice to allow interrogators to "play loose".
As an example, please answer the question honestly:
If you can answer that with "no", you are in the minority, or have never worked for a large company. You mean you've never called a personal call on the PBX? That's against the corporate policy of every large company I've worked for, and yet every day, people are calling their wife, kids, doctor, car dealer, sports ticket vendor, etc.So I answered "yes" to that. Now how does it show up in the report: "Mr. Schwartz knowingly violated Intel policy".
Crap. How am I supposed to get a story across when things are taken and presented that far out of context?
That's the mess that this case is. I answered very honestly and broadly during the interrogation, but the only parts that were written down were the parts when taken out of context imply that I knew that I was harming Intel. Nothing of the sort. Just a bunch of out-of-context remarks by skillful interrogators.
I did some things that I was later told to stop, yes.
But please don't paint me as such a defiant fool.
The passwords from brillig were obtained by typing "cat /etc/passwd". The passwords from the SSD YP cluster were obtained by typing "ypcat passwd". Nothing was protected.
But the perpetrator just gave it back to me (THANK YOU). Ignore the few articles
that have references to Heidi Wall, but the rest are mine.
Basically, internal politics at intel played an important role. Intel is a very large company with many divisions, and some of them get along about as well as the Israelis and Palestinians.
I made the mistake of getting involved in helping a group of sysadmins in another division. This was a fatal error. Ordinarily I would not have suffered such a lapse in judgement, but I was busy thinking about that sweet, divine piece of blonde femininity, Heidi Wall, and wasn't thinking too clearly.
That would actually make the code not Open Source, because of Part 5 of the Open Source Definition:
5. No Discrimination Against Persons or Groups
The license must not discriminate against any person or group of persons.
My Web Page
Running crack against the passwords from machines that he should have known he was not supposed to have access to (belonging to a group he had been let go from) also seems quite foolish. It's not explicitly stated (as the gate case is), but presumably it was also against company policy to run crack without authorization.
Whether Randall likes it or not, what he was doing was obviously against the rules of his workplace, and unfortunately was also against the law. As they say, "ignorance of the law is no excuse". He is correctly convicted of the items alleged against him, as far as I can see, since there is no appearance that (as he claims) he actually had authorization from the responsible managers to try to crack those systems, and it is definitely the case that his "gate" was against the rules and he'd been warned about it once before doing it again.
If you think that the law should be changed, by all means, change it, but he's guilty as the statute is written.
I agree with Randall that the $70k levied against him is probably excessive, but on the other hand, what was the cost of the work that went into confirming that he did indeed ONLY do what he claimed? That's not always a trivial task.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Common carrier status already doesn't apply. They removed a post containing Co$ material.
--
Vidi, Vici, Veni
--
Vidi, Vici, Veni
Then, Tom Christiansen came and chewed them all out.
--
Vidi, Vici, Veni
Well, I don't know how you can condone it just because it is speech either, but in the case of the anti-doctor web site a court seems to agree that it is protected speech. (Last I heard. I don't know if that's the final decision.)
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
I wish I had the money right now to go out and buy an Intel product to counteract your zealous boycott. I did so last summer in a similar case when I bought a set-top DVD player in protest of the deCSS shrillness on here.
What a coincidence, so did most of the slashdotters responsible for that self same shrillness. You didn't think they'd actually back up their political beliefs with action, did you?
--Shoeboy
But the perpetrator just gave it back to me (THANK YOU). Ignore the few articles
that have references to Heidi Wall, but the rest are mine.
Uh, you aren't going to press criminal charges against me, are you?
--Shoeboy
I knew of the case, from Randals website links, but didn't know EXACTLY what the case was about until this report. So, even after Randal KNEW he had been violating many, many, INTEL procedures, he STILL ran crack on the password files he had nabbed? Fuckin' A. He didn't even work for INTEL at the time he was caught. I wouldn't run crack on my password files, even while I'm a legetimate sysadmin, let alone if I were to leave the company. I'm grateful to all he's done for the Perl community, but this was just dumb-ass ARROGANCE.
Geeks, especially ubergeeks, tend to have a perspective that they know better than their management how computers should be run. I think this is understandable, and makes sense from a geek point of view. As a geek and manager, I also understand the management point of view.
Frequently, conflicts arise between policy (management) and desire (geek). Management usually wins the war of words with their geeks, but it does not always win the war of intentions.
Randall fits a classic ubergeek profile, from reading his responses -- he apparently
- values convenience over policy
- sees himself as a (potentially) anarchic do-gooder
- likes to create clever hacks
- wants to keep his computing options open
Also, please remember that it was 1994; the internet was a wildly different place. Computers with net access were harder to find; security was viewed differently. There wasn't even such a thing as web based e-mail in 1994.A gateway allowing e-mail checking was a compelling application for him. It also would be a compelling application for someone intent on distributing Intel chip design secrets, worth multi-tens of millions. It's not hard to connect the dots, and see why they would prosecute so aggressively, from a different department than the one he worked in. Reading Mark(last name?)'s written comments in the FAQ are pretty illuminating -- he understands exactly what's happened; Randall's mostly do-gooder, some skirt-the-system work was noticed in a particularly sensitive venue in a particularly sensitive company. The rest was just bad bad news.
It fits a pattern that many geeks fall into to comply with the letter of a management law, and skirt the intent for their own convenience. I just call this bad judgment, not criminal intent. (Given the Oregon law, this is not even a valid point where he's being tried, but I believe it is probably personally important to him to make the distinction.)
In any event, regrets / congratulations on the decision, and may you overcome the giant in the end. Also, may your admin duties be either ratified by management, or subdued in the future!
There is an informative FAQ on the case.
--
I'm assuming the reason he was appealing was mainly to save face and not have the to pay the restitution fines. Unless the appeals process puts it on hold, he's all ready off probation and most likely done w/ his community service hours. So, all this appeals process has done was save him from paying restitution, but he's still guilty according to the judge(s). Do you think it was worth it? I'm sure he's had to pay much more in legal fees.
-------------------------------------------
I like nonsense, it wakes up the brain cells.
-------------------------------------------
I like nonsense, it wakes up the brain cells.
-- Dr. Seuss
The best reason to boycott intel, is simply that AMD has done a far better job of implementing intel's brain-dead x86 architecture.
How about fitting the punishment to the crime, here? When a headhunter (or better still, an in-house recruiter from intel) calls you because they need a sysadmin, tell them that you're familiar with the Schwartz case, that that working for intel is simply not worth the risk of being criminally charged because some empty suit gets his panties in a bunch.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
It took a while to find anything that actually said what this man was accused of doing. Finally, I dug into the newspaper articles refered on the "Friends of Randal Schwartz" site, getting this from the Dr. Dobb's link:
http://www.lightlink.com/spacenka/fors/press/ddj96 03.html
In his defense, Schwartz said that he was only trying to show Intel how inadequate its security system was. At the time, Schwartz was working under two Intel contracts: one to deploy DNS servers for the entire corporation, and another as a system administrator for some network-support machines. Since both contracts were running out, he'd hoped to generate a new contract to improve Intel's security. To that end, Schwartz ill-advisedly ran Crack, a commercially available password-breaking program that uses brute force to discover vulnerable passwords. His plan was simply to put together a proposal - based on real data - for improving Intel security. The sort of information he intended on presenting in the proposal included nearly 50 network passwords he'd discovered (including that of one ambitious vice president whose password was "pre$ident").
Before Schwartz could put his proposal together, however, an Intel employee noticed an unauthorized program was hogging computer time. Upon discovering Schwartz's Crack run, he notified security, and in the flip of a bit, Schwartz went from being an "independent consultant" to an "industrial spy." Even though management recommended that Schwartz simply be confronted because there was clearly no criminal intent at work (Schwartz ran Crack under his own login and didn't try to dissimulate his efforts), Intel's jackbooted security team (maybe needing to justify their jobs) opted to call in the sheriffs department.
Schwartz admits that he made a number of '"bone-headed" mistakes - not clarifying the rules about Internet access, not reporting the first cracked password, not immediately reporting the results of the run - for which he probably deserved termination. However, he also says that his actions "were motivated by my desire to give Intel the best possible value for the money they were paying me," adding that none of his acts were based on malicious intent. In summary, Schwartz said: "I am sorry that I caused Intel any grief or hardship, and that in hindsight, I should have been clearer about my intention and actions."
The upshot of all this is that Schwartz is in a financial bind. There's little chance he will ever work at Intel again, even though he has given the company five years of good measure. Nor is he likely to work at any company that agrees with Intel's beliefs about him. With dim employment prospects, Schwartz has so far spent about $135,000 on his defense. When it's all said and done, he will probably end up paying $160,000 before even considering appeals.
[
I just read the introduction on the website and it is so biased that it is impossible to tell what he actually did. I wish him luck on further appeals, but I wonder why Intel is so interested in him.
-Moondog
Some wise ass violates criminal statutes and is found guilty; he gets a humane punishment and a lesson. That's how the system is supposed to work. I hope he will foreswear lawbreaking in the future.
I irc-ed with Randal today. This is NOT from him. Someone has taken over his /. account to defame him.
- technik
Merlyn's /. account was hacked. He received the message 'your email has been changed' and is unable to access the #9918 account.
Do not believe the rantings originating from #9918.
This is an unbelievable insult heaped upon the injury of losing.
You can't count time spent securing a box as damage - it was insecure before the cracker arrived.
~~~~~ BigLig2? You mean there's another one of me?
Can someone, who has spent more time on this, please explain to me how this could happen? I have been trying to understand this and I still can't... :(
.forward in his home directory re-directing his email off-site. And yes, Intel owns his email on his Intel account.
Basically, Schwartz did one thing really wrong - he ran crack on the password file to check for bad passwords, and he didn't immediately report his results (or his intent to run crack in the first place).
As for copying files against instructions and stealing files, he basically had a
Really though - any decent sys admin worrying about security today gets clearance and runs crack, and forwarding email doesn't really seem like a crime - unless you are an over-ambitious security person at Intel.
If you ran crack on a system at your company (without written permission) where you do systems for the Govt, don't whine when they prosecute you...
You are right - it is kinda dumb. However, hashed passwords are world readable on a system, and good passwords cannot be reasonably broken with crack. Security affects ALL users, and crack is a reasonable security tool. There is no evidence it was used to break into accounts.
As a different example, I sometimes portscan machines on which I have accounts. If there are gaping holes, I tell the administrator. Am I a criminal for portscanning machines because I am legitimately concerned for their security ? Is it less of a problem if I simply run `netstat -al` instead of `nmap -sT` ? My real concern is that my work is not interrupted because some admin set up a machine running an old version of BIND. Because then a re-install is required, and sometimes worse.
Copying password hashes that are world readable is not a crime. Forwarding email could be illegal at anal enough companies though... His other crimes (running crack, copying password hashes) are things any user with reasonable concerns could do, and require NO special access to machines ie: he uncovered no information that anyone with an account could not easily uncover.
No. Is it ironic that Honda ships its cars around on Freightliner trucks? No, it would be stupid to have a trailer full of cars pulled by anything but a semi. Does this mean Freightliner is superior to Honda, or that people who drive them have an extra two inches on their penis? No again. Lets not be to smug and petty now...
The incident took place a few years ago, at Intel in Oregon.
"What does Heidi Wall have to do with it?" is just one of those questions.
Actually, I hope your post didn't make any sense.
I suffer from attention surplus disorder.
I'm glad it didn't make any sense. Maybe the editors would make an exception and remove the offending posts? They're not his, but despite the (+3, Informative) posts stating his account got hacked, there'll always be people who don't see them. I think they should be deleted.
I suffer from attention surplus disorder.
Talk about over-reaction! I was in a similar situation as you, when I read those forged posts (except I'm not gay), but I reacted in a more nuanced way, by asking for an explanation of these illogical posts, and keeping in mind that there might be something out of whack. Maybe you should too, before taking the chance to make your own come-out on Slashdot.
I suffer from attention surplus disorder.
IMHO, you're fucking lucky he's already spent over $100k on legal bills!
I suffer from attention surplus disorder.
It would be nice to have a brief synopsis of what the case is about!!!
I shouldn't have to click into the links and comments to figure it out. Would a sentence or two kill you?
All valid points, but do recall a few others.
Schwartz was hired at least in part, to be concerned with system security. Trying to crack a system as a way of proving it is secure is exactly what this kind of job description includes.
Lots of people seem to forget that, including the manager who caused Intel to spend about $1.5 million assisting Washington County in the Prosecution. Whatever his actual crimes may be; his biggest crime was embarrasing a VP.
Check around and you'll find athat at intel, there is a near critical mass of "peter principle" management promotions, the scale of which is very truly awesome to behold. Musical chairs in management roles is simply awesome. I know one contractor who had FIVE different supervisors in one 90 day project.
So Randall is a contractor, whose responsibility includes making the system more secure. Most Slashdotters know that this is not an on off switch. It is a continum of less or more secure and the process of getting more secure involves very intense digging, testing and fixing and more testing.
Nobody says that Randall was not one of the best at this. So some manager decides to NOT renew his contract, probably just to prove that he had the authority. Randall tried to make the point that the job is far from done.
At the other end, there is his client, - Intel, not the PHB manager - who has genuine security problems.
So Randall has been working to make it better and he considers the job not finished. He can see the problems but the boss has said "I don't wanna know about that Iceberg - go away."
If you really cared about the company and their mission, what would YOU Do?
Nobody has said that Randall ever tried to anything other than document the problem.
Does he have an economic interest in a renewed contract? Absolutely, but there was NEVER any suggestion that what was done was for any expectation of gain other than another 90-day contract extension.
Put it another way: The guy you work for is walking down the sidewalk ahead of you and his wallet is about to fall out of his back pocket. You grab the wallet, and hand it to him, with appropriate explanation. Do you expect him to thank you or have you arrested?
In Nearly All Paradigms, Shift Happens.
[Suggested moderation: +1, Interesting. +1, Insightful.]
--
--
I like to watch.
PS - No, I do not work for Sun. But if someone from Sun is reading this, be aware that I will gladly evangelize your overpriced hardware in exchange for RAM.
--
--
I like to watch.
--
--
I like to watch.
--
--
I like to watch.
I find it highly amusing that as a "convicted felon", Randy is now more employable than when he was a "Perl hacker".
--
--
I like to watch.
Yes, I know that Hemos is married. In fact, I put up this site when it was first announced:
Enjoy!--
--
I like to watch.
Michael, get the feeling you are trying to avoid "editorialization flames", but a better description or link would be appreciated.
Not really funny ... back in those days, the x86 based machines weren't capable of running as servers. (Linux zealots note: this is circa 1993).
I don't care who you are, If you breach security you are going to have to pay a price... Be it criminal or feduciary.. If you ran crack on a system at your company (without written permission) where you do systems for the Govt, don't whine when they prosecute you... I mean, Its pretty stupid that he DIDN'T tell them that he found a simple password (or that he was looking for it in the 1st place).
Part of the injury may be that they have maint. accounts on it (to do remote maintenance of systems) and only use a limited # of passwords (ala DEC in the 80's)
And don't forget that he also (by his own admittance) COPIED the password file to a different system
UPS Sucks
Not if you use shadow passwords. Only the root user can see the hashed passwords. Security affects ALL users, and crack is a reasonable security tool. There is no evidence it was used to break into accounts.
For the authorized system administrator its a reasonable tool.. for anyone else it is a hacking tool. If he had permission this would have been moot, but it wasn't..
As a different example, I sometimes portscan machines on which I have accounts. If there are gaping holes, I tell the administrator. Am I a criminal for portscanning machines because I am legitimately concerned for their security ? Is it less of a problem if I simply run `netstat -al` instead of `nmap -sT` ? My real concern is that my work is not interrupted because some admin set up a machine running an old version of BIND. Because then a re-install is required, and sometimes worse.
Do you tell the admin immediately what you did or do you wait to get "more" evidence of the bad security ? I do similar things.. but I usaually will tell the admin that I plan on doing something (in advance and depending on the admin, you CC his supervisor) and then if you find something you tell them immediately.
Copying password hashes that are world readable is not a crime. Forwarding email could be illegal at anal enough companies though... His other crimes (running crack, copying password hashes) are things any user with reasonable concerns could do, and require NO special access to machines ie: he uncovered no information that anyone with an account could not easily uncover.
Like I said, on most systems, admins are using shadow password files so JUST this kinda thing can't get done... The shadow password file is mode 0600 so without root privs, you aren't getting it.
UPS Sucks
Depends.. Did the statute of limitations for his crime pass ? Once INTEL became aware of his actions, did he cease to get promotions/etc ?
UPS Sucks
No.. I don't think things need to be blessed by lawyers ( I will NOT go into my opinion of lawyers at this time, its irrelevent to this discussion). What I'm talking about is courtesy.. You don't invade/hack/crak/etc. a system at ANY company (even when its in their best interest) without WRITTEN permission.
Why do I say written ? That way if you DO find gaping problems, they can't pull this kinda of draconian action.. You will be able to state that you had permission to perform the task.
UPS Sucks
# 1 is debatable. certainly fiing material ... always get permission in writing.
#2, #3 :
My former ISP often runs crack against their user space, looking for weak passwds.
this guy was a paid consultant of Intel. His error was FAILING TO GET PERMISSION from a superior, in writing, or having a contract that specifically granted him the right to nondestructively test corporate security.
He also exposed a VP's weak, potentially embarrassing passwd -- "pre$ident" -- which will get you fired in almost any corporation, just for political reasons.
He doesn't sound all that savvy to me, if he did not discuss his plans with a superior first.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Is there a moral to this story?
Is there an echo in here???
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Now this brings up a question: What is the name of the victim? Is it Intel Corportation? Can a corporation be a crime victim? And the nature of the injury? Certainly a person can receive a broken arm, or loss of life, but how exactly can a corporation be injured?
If you are saying that because corporations do not have arms that can be broken or lives to lose that they can't be injured and therefore cannot be victims in a criminal sense, then you would have to say that persons who are deprived of property are not victims since there was no bodily injury. Perhaps those who are raped are not injured (and therefore no crime committed) unless there was physical damage.
Just trying to understand your position....
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
I'm not counting the time it takes to patch the original security hole, but the amount of time it takes to find out if the cracker altered the system or created new holes. That takes far more time and effort than a simple patch. In this particular instance we're talking about someone who had long term access (legitimately) to systems and would have had ample time and opportunity to loosen things up to suit his tastes.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
...nobody proved that he actually did anything damaging and the penalties are so draconian. While I agree that the penalties seem severe, a cracked box is damaged from the standpoint that many man-hours must be expended to secure it (or likely rebuild it).
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
The authorization issue is discussed in the appeal. It is discussed as if it was done in accordance with the policy and explicit permission. Many things are doen without permission and against policy without explicit permission.
If a company installs spyware, or self-helps on shutting down your system (via UCITA), is it a violation? What about if I tell X, not to use my publically accessible website; if they then access it, is it a violation? Now, what if they accessed the site unintentionally (via a link, typo)?
This questions will be asked again.
Fight Spammers!
and while you are doing so also boycott companies that help keeping Intel's monopoly including Slashdot's owner "VA Linux".
--
If Microsoft is the solution, I want my problems back
Ok. So then when during the trial it became known that an Intel VP did something even naughtier a while back, one would think that this fine Oregon Computer Crimes Law would be immediately applied to him too, right? Hmmm... How odd, it wasn't. Also odd, in ten years, only two other people have been charged with violating that law. Maybe, just maybe, it's being used to target people on the whims of Intel and the like.
--
Dyolf Knip
There is some commentary on the Oregon computer crime law at Remarks on Oregon vs. Schwartz
Schwartz, against Intel's instructions, made a portal that he could connect to from a different computer... grounds for firing, certainly -- this was not grounds for criminal charges!
:(
Schwartz copied files from one intel computer to another one... yes against instructions... and it is grounds for firing but not for criminal charges....
Can someone, who has spent more time on this, please explain to me how this could happen? I have been trying to understand this and I still can't...
I'm a consultant and free-lance writer, so I don't have any big-company bias. I've read all the links associated with this article, at least as much as I was able to in the limited time I devote to /. reading. So let's review the bidding, shall we?
Unlike other people of opinion on /., I disagree that the Oregon law as envisioned by the Oregon legislature is overbroad, but that the lax definition of terms is what makes the law appear overbroad. In this particular case, given the usual level of knowledge by state law enforcement in 1993 of matters computer, it's not surprising that the State of Oregon decided to prosecute. It was the use of this law in the first place by the prosecutors that leaves me cold. According to my own experiences, the proper place to prosecute this case would be in civil court, if Intel felt that it has sustained substantial loss because of Mr. Schwartz's actions.
Lessons to be learned
Your client is not your friend. Your client is not to be trusted to "do the right thing". Therefore, in all written consulting contracts, state that any disputes arising from the execution from the contract, including any alledged criminal conduct alledged by either party, shall first be submitted to arbitration.
If someone in your client company "asks you for a favor" insist that the employee write you a letter formally asking you to perform that favor. One of the gray areas in this case had to do with whether Mr. Schwartz had authorization to do what he did, so make sure you have sufficient proof that you as the contractor believed you had authorization. Such letters should be channeled through your primary contact.
If part of your contract involves tightening up security, ensure the contract includes clauses authorizing you to perform the operations required to test and measure security. Make sure this clause is as specific as possible. Name program names, if you have favorates. This is an amplification of the authorization point above.
Don't communicate with the company with a company-provided and -administered e-mail account, EVER. Your contract should specify that all electronic mail communications shall be sent to your personal e-mail account, and that only communications from your e-mail account shall be considered to be from you. Negotiate appropriate SMTP access for contracts involving on-site activities, and also get them to agree that traffic to and from your personal e-mail account is owned by you and not the company.
As much as possible, use your own equipment to perform work for your client. The only time you should use client-provided equipment is when there is no alternative; e.g. you have to use a proprietary ICE as part of your work. Consider renting equipment that you will use under your own name (reimbursed under invoice by your client) so that YOU, not the client, owns any data generated by the instrument or equipment. Alternatively, specify in your contract that you own all data until you have received payment from the client.
Your contract should also specify what use you may use of company computing resources, including network connectivity. Insist that you be able to use their resources for your e-mail, for Web browsing for the purpose of research, and for any other application that you feel necessary to perform your duty for your client company. If your contract calls for you to be on-site during specific hours, as opposed to being on site only when performing specific tasks, your contract should also specify that you may make reasonable recreational use of their network resources.
Ensure your contract identifies a single individual as your point of contact. Insist that all company requests be funnelled through that single individual. Even better, have the contract specify a primary and an alternate, with specifics as to when the alternate may take the place of the primary. Your reports on your activities goes to your primary (or alternate). Any delegation of contact responsibility needs to be in the form of a letter from your primary -- accept nothing less.
Disclaimer: I am not a lawyer, nor do I play one on stage or screen.
note the spelling - 'brake', not 'break'.
He got caught shoplifting and then said "I was just gonna show you how easy it was to steal stuff. Honest."
He is real sorry he got caught. That does not mean he should not be punished.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~
--- -- - -
Give me LIBERTY, or give me a check.
1st post!
1st post!
He was only doing it to improve security; it was a favor.
1st post!
He should have left it alone to Intel. Would you want someone breaking into your house and changing the locks?
Hacking is not like breaking into a house. It's like testing all the locks on a house.
It's cracking.
I don't need anyone testing my locks.
He should have been fired, but not prosecuted.
Are you kidding? He committed a crime! Lock him up!
Our rights are slowly slipping away. We need to stop this abuse of power. Corporate lobbying has created the opportunity for the lawsuit.
It's people like you who voted for Nader and cost Gore the election.
Good, Gore is just as business - protective as Bush. We need to vote for Nader to show those Democrats that we won't stand for this!
If you write a book on assassinating government
employees and then start driving by their houses,
expect to get into trouble. The behavior is
DERANGED. This man needs psychiatric help.
C//
and people here spell 'fuck' 'fsck' What's your point?
Not to mention he kept doing the shit after being told to stop. This fool had so many chances to avoid this, yet continued on with his actions.
Alan C. Bonebrake, Judge.
This guy was just plain STUPID! When somebody tells you to stop doing something, and then you continue doing it, then they tell you to stop again, and you resume doing it on another computer, and then you are reprimanded yet a THIRD time, and then you go "I'll show them!" and access things you shouldn't using somebody else's account, you'd damned well better be prepared to accept the consequences!
What a moron! So many chances to change his behavior, yet he totally refused to do so. If he didn't like their policies, he should have simply left.
The most disturbing thing is the restitution award, which was fortunately overturned. If someone breaks into your house that's bad, and it's punished, but not as harshly as if someone breaks into your house and actually steals or destroys your stuff. It's clear that Intel wanted to make an example of the guy, and poured money and effort into a prosecution which the police wouldn't have been capable of mounting on their own.
That bothers me. A lot.
There are no end of recent examples that merely staying innocent of wrongdoing is not sufficient to keep you out of jail, if you get unlucky or piss off the wrong people. Any new opportunities for putting people behind bars when they haven't noticeably harmed other citizens should be resisted on general principle. Do you really want the insane War on Some Drugs to be extended to Some Hackers? Friends, if this goes much further it's time to sell the computer and take up the violin.
Brackets contain world's first nanosig, highly magnified:[.]
...to avoid creating posts like this one.
Brackets contain world's first nanosig, highly magnified:[.]
I find it intreguing that he was prosecuted under oregons own computer crime law, which is rarely used, so much as one law for all.
Knowledge Speaks, Wisdom Listens -- Jimi Hendrix
Implict in this case is a troubling concept. But if you follow the mental experiment, it could shake some fundamental principles of how the Western economy works.
There are 2 main branches of law, Criminal and Civil. The defining characteristic of Criminal law is "victims with injury"; civil law (a/k/a "equity law") deals with contracts.
Now Randal was an employee of Intel, and all employment arangements are contractual in nature. Please see my page relating to employment drug testing for information about employment contracts: http://www.ip4noman.org/principles.html
Now what Randal did was perhaps a violation a of professional conduct (certainly), or a breech of his contract w/Intel (although I doubt it), and subject to cancelation of it, or even the pursuit of civil remedies, but this is claimed to be a CRINMINAL case...
The Lawful Arrest FAQ points out that the objective proof that a crime occured is called "corpus delicti", which requires
Now this brings up a question: What is the name of the victim? Is it Intel Corportation? Can a corporation be a crime victim? And the nature of the injury? Certainly a person can receive a broken arm, or loss of life, but how exactly can a corporation be injured?
You see, corporations are defined under the law as an "Artifical Person" for these reasons:
I personally question the notion that these "artifical persons", or "corpses" as Dave Ratcliffe calls them, these human constructions which own most of the property in America, which have more political clout than any natural person, which have more financial resources than any of us, I question whether these soulless abstractions without a moral consciousness can be considered an honorable creature (honor is requirement to being a party to a contract). I question what it means for a corporation to own land or TV stations, and wonder where the present system will take us. I especially question the notion that corporations can be injured, or can be crime victims.
The case of Randal Schwartz is extremely important, and is related to many cases of late (mafiaboy, Emmanual Goldstein/2600, Kevin Mitnick, Oprah Winfrey's free-speech case against the cattle industry, etc.)
If we don't protest this, soon we all will/could be accuesd of some non-crimes like "uttering a trademarked expression without paying propery royalty, and in a disparaging fashion leading to loss of the profit that a corporation rightly deserves" or some such foolishness...
We live in interesting times, this year of our lord, nineteen hundred eighty four...
Implict in this case is a troubling concept. But if you follow the mental experiment, it could shake some fundamental principles of how the Western economy works.
There are 2 main branches of law, Criminal and Civil. The defining characteristic of Criminal law is "victims with injury"; civil law (a/k/a "equity law") deals with contracts.
Now Randal was an employee of Intel, and all employment arangements are contractual in nature. Please see my FAQ relating to employment drug testing for information about contracts: http://www.ip4noman.org/principles.html
Now what Randal did was perhaps a violation a of professional conduct (certainly), or a breech of his contract w/Intel (although I doubt it), and subject to cancelation of it even the pursuit of civil remedies, but this is claimed to be a CRINMINAL case...
The Lawful Arrest FAQ points out that the objective proof that a crime occured is called "corpus delicti", which requires
Now this brings up a question: What is the name of the victim? Is it Intel Corportation? Can a corporation be a crime victim? And the nature of the injury? Certainly a person can receive a broken arm, or loss of life, but how exactly can a corporation be injured?
You see, corporations are defined under the law as an "Artifical Person" for these reasons:
I personally question the notion that these "artifical persons", or "corpses" as Dave Ratcliffe calls them, these human constructions which own most of the property in America, which have more political clout than any natural person, which have more financial resources than any of us, I question whether these soulless abstractions without a moral consciousness can be considered an honorable creature (honor is requirement to being a party to a contract). I question what it means for a corporation to own land or TV stations, and wonder where the present system will take us. I especially question the notion that corporations can be injured, or can be crime victims.
The case of Randal Schwartz is extremely important, and is related to many cases of late (mafiaboy, Emmanual Goldstein/2600, Kevin Mitnick, Oprah Winfrey's free-speech case against the cattle industry, etc.
If we don't protest this, soon we all will/could be accuesd of some non-crimes like "uttering a trademarked expression without paying propery royalty, and in a disparaging fashion leading to loss of the profit that a corporation rightly deserves" or some such foolishness...
We live in interesting times, this year of our lord, nineteen hundred eighty four...
Well, I do have some acquired material possessions, some of which are very important to me. And I admit that I have a notion that the space around me "belongs" to me, and if nasty people enter into it without my permission (especially those that try to coerce me into taking my posessions or otherwise coerce me), then I feel I am violated.
But very often you hear Republicans, Democrats, Libertarians, capitalists, lawyers, etc. talking about "property rights" . I want to question what "rights" are in general, and especially "property rights".
If things can be owned, then which things? Can land be owned? (Apparently Chief Seattle didn't think so) What about dogs, cattle, or chattel (slaves)? Can a "nigger" be owned? How about a whore? How about a ward of the State (prisoner or mental patient)?
(Personally, I believe that all creatures, all "things with eyes and a brain and a beating heart" no matter how different looking from me, are all animus, posessing the animating force. All these things breath (aspire), thus possess spirit, the breath of life. All animals are born free, perfect reflections of God, and are natural "persons", and cannot, and should not be "owned" or considered "ownable". Yes I am vegetarian and try very hard to not consume the products animals)
Consider: Can the title to a man's debt be owned? Many banks and bill-collecters think so. All over the world, ownership by the many is being displaced by ownership by the powerful few: men and corporations. Can one man or corporation own the ocean, or the earth?
I believe we all have a right to live and be free, to live our lives however we wish, as long as we are non-violent. But I queston all "rights" beyond this, including "property rights", because of a basic contradiction.
A right is inherent, intrinsic, or perhaps God-given. It is axiomatic, fundamental, assumed, not provable, but seems proper. A right is enjoyed by all, thus, non-exclusive. A right cannot be forfeited, waived, stolen, or transferred. No creature has a "right" to violate someone else's life or liberty.
Can "property rights" meet this definition? No, because "property rights" are by nature exclusive . "It's MY property, NOT YOURS!" So-called "Property rights" can only exist when denied to others. "Property rights" is a paradox!
Like I said, if you follow this line of thinking, it leads you to question some fundamental principles that we were all brought up believing. Perhaps this is how the evolution of ideas works.
Peace,
Sorry about that. Looks like my paste bounced...
- seems to be fundamental to our American Economic system
- is one of the basic mechanisms of slavery
My reading of the Constitution and of history suggests that Consumer Credit is a form of labor-contracts (peonage, endentured servitude, etc) which was outlawed by the 13th Amendment.Yes I will admit that this is not one of my more popular theories
But I guess if you weren't so dull as state the obvious, you'd probably would have done something useful with your life (instead of attending law school and becoming a parasite upon decent working folks
I have read the paper, I have also corresponded with Jim Bell at length on other lists. He is in my opinion a dangerous and obsessive lunatic. Jim is not charged with 'writing a paper'. Anyone who relies on the articles by Declan McCullagh is hearing only the parts of the story that fit Declan's own anti-establishment nihilist politics.
The reason Jim is on trial is
He wrote an article about killing government officials
He wrote a series of letters to federal agents making unspecified threats
He admits to pouring a noxious chemical of some kind on the doormat of a federal agency
He attempted to obtain materials to make sarin gas
He was subsequently charged and plea bargained
After his release he compiled a list of government officials home addresses, and visited their houses to conduct surveilance.
Now that may be a weak case for conspiracy etc. However it iws misleading in the extreeme to claim that the government is prosecuting him for the Assasination Politics article alone, that Bell is an entirely detached academic observer who did not take any steps to attack government officials. The AP article is only one piece of evidence that demonstrates that Bell is a paranoid crazy who is very likely to kill someone. The fact is that Bell admitted in the previous case to going beyond talking about murdering government officials to actively planning attacks - albeit attacks well short of murder.
On the specifics of the paper itself, it was nothing more innovative than observing that Chaum's Digital cash coupled with an auction scheme would be a good way to hire hitmen. The scheme is pretty Rube Goldberg and has a number of problems, not least the fact that no US court is likely to consider the auction site as a legitimate exercise of the first ammendment, nor is any foreign government going to tollerate it. Beyond that as several cipherpunks have pointed out the scheme itself does not work since the hit man has no assurance that they would be paid the cash rather than an impostor. In fact if the board was set up it would be filled by the same federal agents who post the 'I solve problems' classifieds in soldier of fortune.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Note the date. At that time shadow passwords were being denounced in much of the UNIX community as security through obscurity after all Moriss had written the gospel on the subject, trust in cryptography not access controls. The fact that Moriss was head of the NSA at the time the argument was going on was beside the point. I agree that the system admin should have used shaddow passwords, and at the time I was making that very argument. However the amount of shite we got for going against the weenie types was substantial, it is not surprising that the sysadmin was not running shaddow passwords at the time, in fact Sun may not even have supported them when the system was installed.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I suggest those angered by this convicition add a limitation to any software the put under open source or GPL to disallow use by the prosecutors office, the jury members, and all of Intel. Then send a note to the prosecutors office and Intel informing them of this restriction and the reason for it. Then actively develop very useful software and contribute it everywhere appropriate. Buy AMD processors. Let Intel know why.
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
Just sick! So now the government wants to keep us from publicizing any information about who they are? How can this even be vaguely constitutional? The dude didn't threaten anyone - even the government admits as much. They are going after him because they don't like his particular brand of freedom of speech.
-- Give me ambiguity or give me something else!
-- Give me ambiguity or give me something else!
snippet taken from Wired article
other Wired article
360 degrees of Karma
So even though you can get it online, (the jury list) it wouldn't matter to the judge he'll lock any media up for posting it.
Obtaining someone's address and driving by ther homes does not constitute a crime, they don't even have any proof he did it to begin with, so please read about the case before posting irrelevant information. If it were your life on the line, you would want people to know the truth if you were getting shafted, and help out by any means.
360 degrees of Karma
I'm glad I've been avoiding intel processors. The newest intel processor I've used is a P166 on a dual cpu MB. I've preferred and recommend amd to friends for years. Now Ihae another reason to avoid intel products.
And, how do you justify having this accident three times, after having been warned that it was against company policy? I can't install Linux on my machine at work; I can't install anything on my machine at work without violating company policy. That's why I don't.
That said, it still sounds like a heavy penalty for a light offense.
"Hardly used" will not fetch you a better price for your brain.
Getting permission before testing security is crucial; however, it's not always protection against overreaction from the powers that be. What Schwartz did was foolish and the prosecution was a massive overreaction, but I think that enough has been said about his case. Something similar happened in our IS department, but the people involved *did* have permission - and weren't prosecuted.
When I worked for Information Systems at my university, I discussed password security with my supervisor which led to a demonstration of L0phtCrack and a revision of our security policy. We occassionally use it to recover forgotten passwords on NT4 workstations. A year or so later, a pair of colleagues asked permission to run a security audit and test NT system security. After permission was granted they broke out the latest version of L0phtCrack and a few other tools, then demonstrated results to their supervisor. The climax of the demonstration was when one logged in to her workstation with her password. It seemed that few people were taking security seriously, including higher-ups (little surprise).
Anyway, their supervisor became extremely irate - she didn't mind them running the audit, but was incensed that they'd cracked *her* password. She terminated both of them on the spot. They were fired for doing their jobs. Go figure.
Anyway, about a week later when tempers had cooled (and work orders were piled sky-high) IS asked one of the guys to come back. In the interim my department hired him, for better pay and working conditions. He's one of the best techs I've ever worked with and we were lucky to get him. Needless to say, he declined to return to IS. The other guy wasn't asked back (conflict of personalities with his supervisor), but found a much better position the same day he was terminated - again, for higher pay and better working conditions.
I guess the moral of the story is that there's really no protection against getting canned. But if you do your job properly, things will turn out in the end.
Easy: some older Linux distributions would automatically install set up "routed" and advertise a route to the Internet if you happened to have two network interfaces (beats me why). Or you might intend to configure something in "linuxconf" and accidentally choose the wrong default. Some distributions install a DNS server if you install everything, and they may well turn it on, serving your /etc/hosts file (by no means an unreasonable thing to do at home).
That isn't even taking into account the possibility that anything that you install, or the ActiveX component you run in IE or your Outloook mail attachment, might carry a computer virus that turns your machine into something that tries to break in on other machines.
I'm not defending Schwartz's conduct--I think what he did was stupid and he probably should have been fired and made to pay to clean up his mess. However, many people do need to install new software as part of their job (Intel is very much into Java, Linux, and some open source); if an employer is so prone to misjudgement, I wouldn't feel safe doing such work as part of my job there.
Why should you worry about this if you don't run Crack? Because there are lots of other mistakes and activities that could be misconstrued as illegal computer activity:
You have to be able to rely on your employer to behave reasonably even when you make a mistake. When it comes down to it, a company like Intel will be able to present enough evidence and experts in court to make just about anything look like illegal activity to a non-technical jury.
Intel didn't have enough of a clue to distinguish harmful activity from stupid mistake in this case. That means that if you are going to do anything non-trivial with software (like run Linux, run X11, run VNC, write scripts), given their past performance, there is a good chance that they will again behave in a haphazard and unpredictable way.
Working for Intel seems to expose you to the risk of getting a criminal record for a mistake. I don't think that's the kind of "benefit" I want from an employer. I'd look elsewhere for a job.
Should be:
"Spoofing as merlyn to preserve my precious karma and trash his"
It could happen in US where everythings fucked up Superpower-style. It's no better place than China or Russia. That's why.
Secret police, money rules, corruption, assassinations, "civilized" country yet there's beggars everywhere, millions of people prisoned, richest portion of citizens move into fortified colonies, drugs, prostitution, rasism, distinctive social classes...
And yet people still stand all this and some even say it's "the best country in the whole friggin world!". Doesn't sound like a very sane place.
Preserve old classics: copy your collection onto all hard drives.