Slashdot Mirror
Schwartz Case Upheld on Appeal
RichardtheSmith writes: "For those of you who followed the prosecution and conviction of Randal Schwartz back in 1995, you might be interested to hear that the Oregon Court of Appeals finally ruled on his appeal. The gist of it is that they upheld the three convictions, but overturned the approx. $70,000 restitution award to be paid to by Schwartz to Intel. There was also some language in the Court's decision holding out a ray of hope that a future appeal based on a slightly different legal tack could succeed. For background on this case look at the Friends of Randal
Schwartz website. Regardless of what you think about what Randal did, or whether it rose to the level of criminality (I certainly don't), it's certainly a fascinating and chilling tale."
HE:
1.) installed aprogram so that he could access two intel machines from a remote location
2.)copied a password file from a machine
3.) cracked the password file using a cracker tool
There are no legitimate reasons for doing any of these things, and it was clearly unauthorized use of the system. IOMNSHO, his punishment fit the crime perfectly, and there is nothing to debate here.
Uh, this is the real Randal.
Someone cracked my slash password.
I think it's ironic that you felt qualified to audit intel's password security, yet used a password of "slashdot" for your slashdot account.
Idiot.
--Shoeboy
It seems there's a great reluctance on the Net to say what he actually did. It took quite a bit of work to find it.
The law in Oregon is wrong. It's far too broad. However, I'm going to have to support Intel on this. Schwartz should have told them what he was going to do, if he had no criminal intentions. By compromising the computers without forewarning, he put the rest of the company in not insignificant danger.
Yes, as it turns out, their system security was crap. That's not an excuse to go cracking it without warning them that you're going to do it.
Do I think he should go to jail for it? No. But I believe Intel's within their rights to fire him for it, and to demand compensation for fixing the mess. Had he only told them what he wanted to do (heck, call it a "security analysis by simulated break-in" even, if he really thought they wouldn't let him do it) the whole mess could have been avoided.
----------
Well, here's information from a police report where a cop actually talked to him: it's found at this address:
I asked Randal why he was using the "CRACK" program to obtain passwords and asked if he realized that these passwords would access
the SSD system. Randal advised that he did realize this and that he wanted to get his E-mail quicker
Weird, eh? But check this out:
I asked Randal why he would need forty to fifty passwords and he said, "I needed them in case they caught me doing it and knew they would shut
me down so the more passwords I had, the longer I could continue doing what I wanted to do." Randal advised that he had the capability to do it and he knew he could do it. I asked Randal if this was wrong and in violation of Intel policy and Randal said, "Yes it is, but I knew I could do it anyway." Randal said that he wanted to do it because he wanted to be efficient in getting his E-mail very fast and he felt was important and when they shut him down, he wanted to continue doing what he was doing and since he had the capability to do it and knew he could do it, he did it without permission.
Well from that, what he himself said to a policeman, he comes across as a dirt-common script kiddie.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
In case anyone's wondering: no, Randal hasn't gone bonkers. Someone's managed to hijack his Slashdot account. He even got the "Your email and password have been changed" email from the system, and has the IP address from which it was done, for all the help it will do him.
To whomever did it: You're a great example of humanity. The guy just took it bending over again from the legal system, and you feel the need to play pre-pubescent 31337 haxx0r tricks to screw with him even more. Not that I expect the highest standard of decency from Slashdot trolls, but this *is* a real person you're impersonating.
He's a nice guy, and he's helped a lot of people. Not in a UNICEF or Amnesty International sort of way, but he's done his bit. Hell, if CmdrTaco read any of his O'Reilly books, he helped this place get made. That's irony.
But, in the end, this is "only Slashdot". I see amazing crap like this here, and I see amazing discussion here. Unfortunately, things like this are making me take this place less and less seriously.
Anyway, if you know Randal, you know this wasn't him anyway...
Basically, internal politics at intel played an important role. Intel is a very large company with many divisions, and some of them get along about as well as the Israelis and Palestinians.
I made the mistake of getting involved in helping a group of sysadmins in another division. This was a fatal error. Ordinarily I would not have suffered such a lapse in judgement, but I was busy thinking about that sweet, divine piece of blonde femininity, Heidi Wall, and wasn't thinking too clearly.
There is an informative FAQ on the case.
It took a while to find anything that actually said what this man was accused of doing. Finally, I dug into the newspaper articles refered on the "Friends of Randal Schwartz" site, getting this from the Dr. Dobb's link:
http://www.lightlink.com/spacenka/fors/press/ddj96 03.html
In his defense, Schwartz said that he was only trying to show Intel how inadequate its security system was. At the time, Schwartz was working under two Intel contracts: one to deploy DNS servers for the entire corporation, and another as a system administrator for some network-support machines. Since both contracts were running out, he'd hoped to generate a new contract to improve Intel's security. To that end, Schwartz ill-advisedly ran Crack, a commercially available password-breaking program that uses brute force to discover vulnerable passwords. His plan was simply to put together a proposal - based on real data - for improving Intel security. The sort of information he intended on presenting in the proposal included nearly 50 network passwords he'd discovered (including that of one ambitious vice president whose password was "pre$ident").
Before Schwartz could put his proposal together, however, an Intel employee noticed an unauthorized program was hogging computer time. Upon discovering Schwartz's Crack run, he notified security, and in the flip of a bit, Schwartz went from being an "independent consultant" to an "industrial spy." Even though management recommended that Schwartz simply be confronted because there was clearly no criminal intent at work (Schwartz ran Crack under his own login and didn't try to dissimulate his efforts), Intel's jackbooted security team (maybe needing to justify their jobs) opted to call in the sheriffs department.
Schwartz admits that he made a number of '"bone-headed" mistakes - not clarifying the rules about Internet access, not reporting the first cracked password, not immediately reporting the results of the run - for which he probably deserved termination. However, he also says that his actions "were motivated by my desire to give Intel the best possible value for the money they were paying me," adding that none of his acts were based on malicious intent. In summary, Schwartz said: "I am sorry that I caused Intel any grief or hardship, and that in hindsight, I should have been clearer about my intention and actions."
The upshot of all this is that Schwartz is in a financial bind. There's little chance he will ever work at Intel again, even though he has given the company five years of good measure. Nor is he likely to work at any company that agrees with Intel's beliefs about him. With dim employment prospects, Schwartz has so far spent about $135,000 on his defense. When it's all said and done, he will probably end up paying $160,000 before even considering appeals.
[
Yes, I know that Hemos is married. In fact, I put up this site when it was first announced:
Enjoy!--
--
I like to watch.
Merlyn's /. account was hacked.
His password must have been too easy.....
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
I wish him luck on further appeals, but I wonder why Intel is so interested in him.
Because his schwartz is bigger than theirs, ofcourse!
--- Spaceballs, the tagline.
This guy was just plain STUPID! When somebody tells you to stop doing something, and then you continue doing it, then they tell you to stop again, and you resume doing it on another computer, and then you are reprimanded yet a THIRD time, and then you go "I'll show them!" and access things you shouldn't using somebody else's account, you'd damned well better be prepared to accept the consequences!
What a moron! So many chances to change his behavior, yet he totally refused to do so. If he didn't like their policies, he should have simply left.
So even though you can get it online, (the jury list) it wouldn't matter to the judge he'll lock any media up for posting it.
Obtaining someone's address and driving by ther homes does not constitute a crime, they don't even have any proof he did it to begin with, so please read about the case before posting irrelevant information. If it were your life on the line, you would want people to know the truth if you were getting shafted, and help out by any means.
360 degrees of Karma