Slashdot Mirror


Georgia Sues RC5 User For $415,000

jeroenb writes: "David McOwen posted a message to the Anandtech forums saying the State of Georgia is prosecuting him for using their computers for RC5 while he was configurator of the computers at a school system 2 years ago. Apparently they want him in jail for 15 years and have him pay almost half a million dollars! According to the State of Georgia, one single Distributed.net client costs 59 cents per second in data traffic."

453 comments

  1. Bandwidth? by Anonymous Coward · · Score: 1

    What bandwidth? I've tried it myself, and the amount of time needed for a single packet is not small at all for my Duron 850. It works perfectly with my modem, I don't even see the difference.

  2. rumors by Anonymous Coward · · Score: 1

    Of course Slashdot has contacted the State of Georgia, the poster and his attorney for corroboration of this story, right? Slashdot would never stoop to publishing random rumors with high sensation value on the front page without checking things out first.

  3. OverBoard by Anonymous Coward · · Score: 1

    Well, I agree he should have asked for permission, but the jail time and fees that they are asking for are more, if I remember correctly, than pirating software or recording rented movies; those are I think like $200,000 and 10 years in prison. Helping with rc5 is in no way that bad; it's not evil. Yes, it was wrong, but it wasn't bad enough to warrant those charges.

  4. State of Georgia Link by Anonymous Coward · · Score: 1
    State of Georgia home page.

    If Georgia's Internet access is so expensive, it's a good thing they didn't get slashdotted...

  5. Re:And the problem is...? by Anonymous Coward · · Score: 1
    And therefore, I'm just certain you never ran one thing other than what was needed for your job. No IRC, no Usenet, no non-job related web surfing, no email home to mom and dad or the girlfriend.

    Oh.

    You did.

    Then SHUT THE FUCK UP, HYPOCRITE!

    ~~~

  6. Top Ten Reasons I don't live in Jawjuh by Anonymous Coward · · Score: 1
    10. I like pronouncing the letter "R"
    9. Atlanta is a hole, let's face it
    8. That guy from "Midnight in the Garden of Good and Evil" writes their tech laws
    7. I never developed a taste for grits
    6. Their new state motto - "We're that state between South Carolina and Florida"
    5. Two words: Billy Beer
    4. In the public schools, they still teach that "we lost the War of Northern Aggression"
    3. Sen. Zell Miller
    2. Running RC5 is a capital offense (like anyone actually cares that you're running an RC5 client, this whole thing is pathetic really)

    And the number 1 reason I don't live in Jawjuh is - net access costs 59 cents a second! What a great way to attract high tech business to your state. Backwards assmonkeys.

  7. Re:And the problem is...? by Anonymous Coward · · Score: 1
    Don't dare call me a hypocrite when you DON'T HAVE THE BALLS TO POST UNDER A USER NAME

    When you see attacks like this, it really means the poster making them has surrendered the argument. Better luck next time!

  8. Re:And the problem is...? OT: But.... by Anonymous Coward · · Score: 2

    When drunk drivers who put *lives* at risk don't get that sort of time, much less financial penalty, (especially on a first offense!), this becomes an abuse of the law and of law enforcement.

    My cousin was killed by a drunk driver. Our families were VERY close. He and a friend were riding home on their bikes one night and they got hit from behind. He got dragged over 200 feet, and the driver just kept on going. The friend was knocked clear but suffered numerous injuries. They were following all the laws including reflective clothing and headlamps for the bikes.

    At the sentencing hearing, the defendant's lawyer convinced the judge that he would lose his job if he was sentenced to a lengthy prison term. Why this mattered I have no idea. The judge gave this murderer 6 months in the county jail. Nights and weekends only. He got to continue working his job during the daytime. It later came out his employer and the owner of the company he worked for was also his uncle, so there was NO chance he would have lost his job. Six months PART TIME for murder, or vehicular manslaughter if you prefer.

    Kind of puts the potential penalties in this case into perspective, doesn't it?

  9. doesn't cost dick by Anonymous Coward · · Score: 3
    I'd hate it if someone ran dnet or another similar program on my machine without authorization since I don't even run them on my own machines out of concern of overheating my chips for too long. Still, that doesn't justify the extreme penalty they are seeking. I'm not even talking the jail time. I'm just talking financial. If I were this guy, I'd consider fleeing the country if this becomes something major. Go to Canada or Norway or something.

    59 cents per second in data traffic? First, what does a distributed client do for traffic like 5,000 bytes/hour? If you installed on 1000 machines, you're looking at perhaps 5mb/day tops? If it's a state/school institution, they're likely on a T1. So figure they can xfer 5mb in about 30 seconds maybe?

    And realistic cost? A T1 should be about $850/month (commercial cost, perhaps cheaper for educational institution).

    That is:

    +360gb top transfer each month.
    +143kb each second.
    +423mb for one dollar.
    +$0.01 for each 29 seconds.
    So this comes out to 1/59th of the cost they claim. But let's assume it's 59 cents per second. At 5mb per day and 143kb per second, that's 34 seconds and $20/day. Or $7300/year.

    So at the price they claim, 1,000 machines would have to be running dnet for at least 56 years to come out to $415k. Or alternately, he'd have to have been running dnet on 18,000 machines for three years. I find that highly unlikely.

    Now, at the more likely cost basis of 1 cent per second for the T1, and the amount of time/bandwidth he'd have been using, it would actually be more like 1,000 machines running dnet for 3304 years or 18,000 machines running dnet for 1100 years or 1,000,000 machines running it for the last three years.

    1. Re:doesn't cost dick by BluSkreen · · Score: 1

      Try again, greenhorn......

      We've got two T-1s (from AT&T) in Seattle at a cost of US$650 month each.....One from a local ISP on the Verizon cloud outside of Boston for about US$850 month. We've also got local loops from our NOC to the cage in the colo that are around US$200/month.

      "Only a moron would pay more than a grand a month for a DS1....." Particularly these days.

      Dave

  10. Re:Hrmph by mosch · · Score: 2
    No, you don't want an expert witness who will say all that, you want one who will tell the jury "it caused no damages". You want one that will end up proving that "it makes a PIII-350 act like a PIII-349".

    It's the prosecution's job to prove that the operating systems involved are poorly designed, with schedulers that allow idle priority processes to use so much CPU as to be noticeable to the user.

    Even so, almost all computers today are overpowered for 99.9% of the tasks for which they're called upon. A usage study could easily show that a horrid scheduling algorithm that allows idle priority processes to suck CPU would have negligible effect on the users who were using the machine. If the time difference to say... spell-check a document in word, or render a web page, is unmeasurable, or under .1sec, it becomes very difficult to prove damages. Hell, with the right lawyer it might even be possible to prove malicious prosecution and get compensated for this horrible event.

  11. Hrmph by mosch · · Score: 5
    Well, okay, you fucked up, what needs to be done is to kill the insanely high proposed penalties.

    First thing to do, find out how much bandwidth a dnet client uses to crack N keys, and deduce how much bandwidth was actually used. Then you can show what the actual bandwidth cost was, this will be a much smaller number than $400k. Then you need to find out what kind of contract they have to pay for the bandwidth. If it's unmetered, you can probably show that the effective cost of the usage was $0.00, as it certainly didn't use enough bandwidth to require a connection upgrade.

    Secondly, you'll need an expert witness familiar with process scheduling to explain why the dnet client doesn't reduce the computing power of the machines, and thus there was no cost incurred by diminishing the value of the machines for their intended use.

    Lastly, beg, borrow and steal enough money to pay for a truly talented lawyer. Hopefully with some luck, the prosecutor on this case will be making coffee for the rest of his life.

    1. Re:Hrmph by stilwebm · · Score: 2

      > Secondly, you'll need an expert witness familiar with process scheduling to explain why the dnet client doesn't reduce the computing power of the machines, and thus there was no cost incurred by diminishing the value of the machines for their intended use.

      An expert witness is going to be cross examined. This computer lab was most likely Windows 9x or NT, so the scheduler will likely allow the dnet client to consume approximately 50% of the CPU while other non-kernel tasks use as much CPU as they can. Even with the priority set low, with any scheduler, you have overhead since the dnet client is using memory bandwidth, cache, and increasing the time of scheduling. Context switches further decrease efficiency since there is one more set of context switches necessary to tend to the dnet client. Even with the most nice setting (or whatever NT calls it, I forget) there is some slowdown, even with a nearly perfect scheduler due to cache misses/page faults and context switches. So while it can be argued that there was minimal disruption, the dnet client did detract from the responsiveness of the machines, and therefore their value. The defense will have to show that this detraction was nowhere near enough to warrant a felony. The jury is in for a long ride trying to understand all of this.

    2. Re:Hrmph by stilwebm · · Score: 2

      You are correct that machines are overpowered and a 0.01 second increase in the 0.1 second spellcheck is negligible to the user. The defense needs to push hard to prove that the prosecution is wrong by asserting that this caused damages. It is likely they will point out that it made the 350MHz PII like a 333MHz PII and the damages should be relative to the price difference. As for the networking, he may be screwed with those charges and forced to settle once they throw out or significantly reduce the charges of damages for cpu consumption.

  12. So what really defines permission? by Kip · · Score: 1

    Let's say that I'm the CIO of a medium sized .com, can I give myself permission, or do I have to go to the CEO and possibly even the board of directors? Do they need to get permission from the stockholders?

    Let's say that I'm the #2 man at a public library and my main responsibility is the IT department. Do I need to ask the #1 man at the library, or do I need to go to the library board or the taxpayers?

    It's beginning to look like there is no way to be truly safe unless you run these clients on your own personal computers at home. :(

    1. Re:So what really defines permission? by Zico · · Score: 1

      Hell, if the mods have any sense, they'll run you up to "+5, actually has a clue." Your bit about people here showing their mental ages couldn't have been more true. It's more than obvious that they're just used to being told what to do throughout their lives, rather than having any ounce of their own authority. Otherwise they'd figure out real damn quick why you don't want the grunts installing just any damn thing they want on computers that don't even belong to them.


      Cheers,

    2. Re:So what really defines permission? by tweek · · Score: 2
      > It's beginning to look like there is no way to be truly safe unless you run these clients on your own personal computers at home. :(

      Why in the fuck is this a bad thing? For chrissakes people, you are paid to do a fucking job, NOT run dnet clients on every possible fucking machine you've been given charge over.

      What really pisses me off is that most of the posts here are from people bitching and whining that it doesn't really do any harm to the machines. Sure it eats up a bit of proc even at the nicest level. Sure it takes bandwidth to download new keys but not that much. YOU'RE MISSING THE FUCKING POINT. THEY WEREN'T HIS MACHINES. HE WASN'T PAID TO RUN dnet clients ON THEM.

      The sad part about this whole thing is that many of the /. crowd are showing how old they really are. Grow the fuck up and just do your job.

      I know I'll get modded down but not for any justifiable reason. Mostly cause I hurt the feelings of some 13 yr old kids trapped in 35 yr old bodies who never learned the difference between work and personal life.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"

  13. Re:Text of post, comments by Klaruz · · Score: 2

    It looks like the lawyer and the law firm exist according to anywho.com

    For the goatse scared, here are the links..

    A reverse search on the phone number 770-564-1600:

    http://www.anywho.com/qry/wp_rl?npa=770&telephon e= 564-1600&btnsubmit.x=42&btnsubmit.y=6

    A search for Joyner, David Atty:

    http://www.anywho.com/qry/wp_fap?lastname=Joyner &f irstname=David+Atty&street=&city=&state=GA&zip=&bt nsubmit.x=36&btnsubmit.y=10

    Make sure you delete the spaces slashdot puts in...

  14. Re:And the problem is...? by Danse · · Score: 2

    For a nonviolent crime from which the perpetrator did not gain financially, yes.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer

  15. Re:Reduced lifetime? by pod · · Score: 1
    Unless you put your machine to sleep or are using a transmeta, mobile pentium, or some other chip and OS that supports lowering the CPU's clock rate while idle (i.e. no processes need CPU time), your CPU stays on at full power running an idle thread waiting for your OS to give it something to do. In this case, there is little to no power savings having your machine sit idling compared to having it do heavy number crunching.

    That's not true and you know it. Any modern OS will send NOPs when there is nothing to do instead of a wait loop. RC5 is not just computation either; it's not nearly comparable to a NOP which does nothing (like you'd expect). A real instruction uses many times the circuitry that a NOP does, and most importantly, it uses the bus and RAM and cache (pretty heavily). A machine is not idling when it's running RC5, it of course appears responsive, but nevertheless, do not be fooled, that load of 1 is not waiting for I/O, it's heavy duty CPU work.

    Ever stop and wonder why your 3D card gets so hot (even shuts down if not properly cooled) after a few minutes of Quake, while happily running for hours showing spreadsheets? Same principle. More circuitry involved, more heat, more power drawn, shorter life.

    --
    "Hot lesbian witches! It's fucking genius!"

  16. Lawyer: no, that's backwards by hawk · · Score: 2
    I am a lawyer, but this is not legal advice. If you need legal advice, contact an attorney licensed in your jurisdiction.


    That's backwards. Try tracking down his terms of employment and seeing if there's anything allowing personal use of corporate assets. This could be a written manual (highly unlikely), or custom (possible, perhaps likely in many environments). At that point, he would be safe. Without it, his position is at best awkward, and he very likely was stealing.


    hawk, esq.

  17. no, that's utter nonsense by hawk · · Score: 2
    That's not how it works.


    When you are charged with a crime, you are charged with the crime, not the crime and a proposed penalty. You can look in the statutes, judicial manuals, or common law for the maximum penalty (probably the first in this case).
    Also, in some jurisdictions, the defendant is advised of the maximum penalty at arraignment.


    Generally, it wouldn't even be *possible* to charge him with this without the 15 year maximum being out there . . .


    hawk

  18. ask for the computers to be held in evidence by wayne · · Score: 1
    Along a similar line of thought, ask that the computers be held in evidence. You will need to know the exact configuration of the computers in order to show whether the idle loop would really run, or if the computers will consume small amounts of additional energy. Any use of these computers could easily destroy the evidence of this massive crime.

    --
    SPF support for most open source mail servers can be found at libspf2.

  19. Re:Simple Solution by Sabalon · · Score: 1

    NOOOOOOOOOOO!!!!!!!!!!

    I work for the State of Ga. I don't want to have to install an illegal copy of photoshop to print up some fake licenses for all my machines running Linux just to satisfy the bean-counter.

  20. State of Ga and cel phones by Sabalon · · Score: 2

    I work for the State. The three of us that support the network and servers had cel phones, paid for by the state - $45 a month for 450minutes. Never once did any of us go over that. We even had a cool app we wrote where we could dial in and press 1 to do this sorta thing.

    Some state idiot was using his cel phone a LOT for personal calls, and the local paper (Atlanta Urinal and Constipation...er Journal and Constitution) ran an article on it - typical "Your Tax Dollars at work" sorta shit.

    Well, before long, if you were not the head of an institution/organization, no cel phone. We now have palm pilots with the wireless internet service...a decent, but not as good substitute.

    HOWEVER, as I mentioned, even with a "Do we need milk?" call once in a while, there was $0.00 cost to the state. I guess part of their justification was "perhaps the employee didn't need one for their job function".

    Okay, well, I had a second phone line to my house to dial into work and do stuff from home...never seen any reimbursement for that, nor for the power I use at my house while working on something remotely.

    Though, I can get my own personal cel phone and have the state reimburse me for any minutes used for work. 450 minutes for $45, works out to .10 a minute, even though I'd probably stay under my usage. And due to the paperwork involved, I just wouldn't answer any work calls on it.

    So, all in all, the state now has an unhappy employee who is less productive. All because of one poorly-written one sided article in the paper.

  21. Re:Burden of Proof: Show He *Wasn't* Authorized. by Effugas · · Score: 2

    > Reprimanded, shreprimanded. It should achieve their own felony prosecution.

    I'd be more than happy with a simple reprimand. It's a matter of fairness after all -- we think the charges against Mr. McOwen are excessive; it would behoove us not to levy similar charges against the prosecutor's office.

    In both circumstances, there are quite a few others who are much more deserving of investigation.

    --Dan

  22. A Parable by Effugas · · Score: 2

    Consider this example:

    You hire me to pick stocks. I pick bad stocks -- you fire me.

    I didn't steal from you.
    I didn't intentionally seek to defraud your company.
    I didn't hide the stocks I purchased.
    I was more aggressive than normal, but not unusually so.

    I simply bought the wrong stocks, and got canned for it.

    Should I go to prison for losing you money?

    Now imagine I didn't actually even lose you anything -- you were merely concerned that at some point in the future, the stocks I picked might possibly expose the company negatively.

    Should I have even been fired?

    Possibly--but possibly not. If it's not even obvious if I should be fired, how could it be obvious that I should be imprisoned?

    Something to think about.

    Yours Truly,

    Dan Kaminsky, CISSP

    1. Re:A Parable by harveyjc · · Score: 1

      Dan - good point but that's a bit different to system admin and network integrity

      However I would clarify that I don't believe he deserves Jail for this - he lost his job and that's a bad enough punishment as it isn't that hard for prospective employers to figure out. Maybe if the software caused damage then there should be a charge for that - that would be between him and his former employer.

      My comment was aimed at the 'he can do whatever he wants' types - he can't.

      --
      "Sanity is an illusion of the diseased mind"

  23. Re:Burden of Proof: Show He *Wasn't* Authorized. by Effugas · · Score: 2


    The trouble is that he was not mandated to do it, and it is not obvious that he had the leeway to do it. This gives him no ass-covering material. There's no piece of paper that unambiguously says he was permitted to do what he did. He can only argue about vague general principles.


    I actually think the "vague general principles" are surprisingly supportive of the RC5 client, as I laid out in my second point. Here's a document that explicitly states what he can and cannot do, and he quite oddly follows it well.

    I mean, seriously. There's a lot of mileage to be gotten out of the fact that this document:

    1) Says sysadmins are effectively autonomous
    2) Lays out restrictions that are almost entirely followed to the letter (including WRT CPU usage).

    Sigwinch, read the supporting documentation I provided earlier. Those are their policies. His actions are not even clearly a violation of them!

    Never take a risky action in a corporation without considering how it will sound in front of a Federal jury or Congressional committee. "So, Mr. McOwen, are you telling us that you were converting these computers to your own use to win a $1000 prize?"

    http://www.theonion.com/onion3723/nobel_fever.html
    :-)

    Seriously though, the Nobel Prize is a much richer purse than RC5 will ever have; you don't see people being hauled off to jail for discovering the top quark!

    To a jury of bums, rednecks, and career Taco Bell cooks, that $1000 prize will be damning. Ditto for newspapers and blood-n-depravity TV news shows.

    Americans love two things:

    1) Seeing criminals shot down by the public.
    2) Seeing Goliath shot down by David.

    The problem with McOwen is that it transcends the criminal-citizen barrier: Quite a few of us could imagine doing something unique and productive at work that some bureaucrat might not agree with. This self-identification means that the criminal prosecution becomes a personal threat that we'll pay (through advertising dollars) to watch alleviated.

    "Piss your boss off, go to jail." The hacker/citizen barrier is *nothing* against this.

    So? The humorless gentlemen in the dark polished cars, wearing nice suits and ray ban sunglasses don't give a flying fuck that the situation is bad. All they care about is the documentary evidence that *you* made it measurably worse.

    Consider the opposite situation--suppose McOwen was in a tightly controlled secure environment, with all software change controlled and all decisions made through three levels of bureaucracy. Clearly McOwen would be much worse off -- not only would he be obviously and knowingly violating the decision making policies of his organization, but he'd be doing so in a manner in stark contrast to standard operating procedure.

    He'd be screwed.

    But that's not how it went. There was no strong top down organizational structure; it was all UGA could do to keep their sysadmins from maliciously harassing users! There was no "line in the sand" that McOwen crossed; his job was to maximize the value of university computing resources and he did so. If he added minutely to system insecurity, the fact that he was hired to do things in an insecure manner (telnet blah) is at least a strongly mitigating factor.

    Security is a process, as Bruce says. With little process in place, there was little for him to violate.

    You do if you're a career state-employed academic bureaucrat. Any one of 'career', 'state-employed', 'academic', or 'bureaucrat' would be bad news. Put them all together and it's a deadly situation. The person carrying out this campaign against McOwen is certainly clueless, likely vindictive, likely monomaniacal, and *committed*. Once a person like that starts a campaign, they'll push it as far as possible. They won't know when to give up.

    Couldn't have said it better myself--this is where my reluctance to entirely blame the prosecutor's office comes from.

    It would arguably have been better to continue with 40-bit DES, and let the electronic pearl harbor force Congress to clean house at the NSA.

    An interesting historical what-if. An electronic Pearl Harbor would plant a pernicious seed of doubt in the validity of all electronic records though, significantly destabilizing our entire system of indentured servitude / credit card debt. Given the personal profitability of being able to legitimately challenge the veracity of your entire debt history, I'm unconvinced any quality of crypto would ever be able to save an economy thrown into a tailspin by an EPH.

    "Cracking DES" had the best possible effect, I think: It destroyed political opposition while leaving public trust unsullied.

    Offtopic, but... WEP is an impressive accomplishment. They actually managed to design a cryptosystem that has cipher- and key-exchange-independent insecurity (the 24-bit initialization vector).

    My favorite independent vulnerability right now involved keystroke password analysis in SSH1. Effectively, you monitor the timing variations between characters in a user's password as they're sent on the network and use hidden markov chains to determine the most likely keys that are being entered. It turns out that we take longer to transition between certain keys than certain other keys, and this transition distance can be independently analyzed.

    If they really did just make up these numbers, the case could blow up in their faces.

    Well, I made up the numbers WRT $200,000/yearly for a single T1--the difference is I was showing ballpark figures, whereas they're seeking felony conviction.

    Big difference :-)

    During the day, the truck is *HIS*. He can pick his own routes, make a detour for a customer who is in a huge hurry, bend the traffic regulations, and generally do whatever it takes to get the job done. His job is a big one, and he therefore has a lot of leeway to make autonomous decisions. Suppose he wants to take the truck home at the end of the day to move a sofa. If he takes 10 seconds to get the boss's permission, taking the truck is perfectly OK.

    Bad example--the equivalent circumstance is McOwen physically transporting the servers to his home to run some work for him there. You can't get around that -- you mention grand theft later; the reason it's grand theft is because the trucks were supposed to be there but instead disappeared!

    It's not arguable that the movement of the sofa is at all within the mission of the trucking company; however it is extremely arguable that academic research and collaborative mathematical analysis is directly within the mission of a university. It does not matter if you would have made the same choice; you merely need to accept that it was a reasonable conclusion to reach for this to be an issue of internal policy disagreement and nothing more.

    If it's your job to use them that way, you just do it. However, if there is a person who could say no, and you don't ask, you have done something wrong.

    I'm reminded of the history of the HP Deskjet; which was fought tooth and nail by the laser printer hierarchy at HP. :-)

    There's *always* a person who could say no to something. The question is whether the general consensus is that something is not to be done -- no human organization can operate unanimously; it creates too many absolutes of power. Mr. McOwen may have known some might have disagreed with his use of the software, but there's always someone who disagrees. The question is: Who else knew of his actions, who else approved, and how does legitimate access to company hardware turn into the equivalent of a foreign hacker maliciously breaking in and subverting computer resources?

    In a criminal case it is not necessary to prove substantial monetary damages, it is merely necessary to prove that the person did something they had not been given permission to do.

    "Did you have passwords to these machines?"
    "Yes."
    "Did you steal them?"
    "No."
    "Who gave them to you?"
    "My employer."
    "To do what with?"
    "Configure the machines."
    "How so?"
    "In a manner that maximized their usefulness."
    "Any specifics?"
    "Just what's in the guide."
    "Did you violate the restrictions in the guide?"
    "No."

    If you allow fear to govern your actions, you are letting the enemy dictate your actions.

    At the point of criminal prosecution, your hope for a peaceful ending (unless you wish to plea) is over.

    It's funny, but I am also being serious. The Internet search engines are already starting to correlate information with specific people.

    Thus why I've told a couple girls to never do porn. We're only a scant few years away from large scale eigenvector based face searches through large image databases, and the code is almost certainly going be trained against porn--there's no larger source of stock human photography!

    The prosecutor is actually a good point of approach, if you can get him in touch with a clueful expert.

    A guy can hope :-)

    Anyway, I understand what you're saying

    Ditto.

    I just think it's McOwen's fault for not establishing a paper trail showing permission.

    My hope is that McOwen saved a few emails from coworkers higher than him expressing approval for the project...

    "The Young Male Sysadmin's Guide To Not Going To Prison"

    I feel like I'm looking at the title of one of those "World's Thinnest Books". Of course, considering the state of the economy, a chapter on how to successfully steal bread so you don't starve to death might be useful...

    --Dan

  24. Re:Burden of Proof: Show He *Wasn't* Authorized. by Effugas · · Score: 2


    Security is having confidence that every bit on the hardware comes from a known, approved source. You lose that when you install an untrusted program, and the only way to regain it is to delete everything and start from scratch.


    Except he isn't accused of attempting to backdoor the systems. He isn't accused of attempting to hack them at all.

    He's accused of running undesired software.

    That's a major difference. This isn't a situation where an untrusted user got trusted access. This isn't even realistically a case where a trusted user gave untrusted users access (in the sense of others being able to do anything they wanted using the computational power of the university). A trusted user did something that others disapproved of. As long as there's no belief that he hacked the machines as well as used them for undesired tasks, simply killing the tasks is sufficient.

    He wasn't even running a password cracker.

    A better analogy would be if you hired a mechanic to change the oil in your street-legal drag racing car with a $30,000 racing engine, telling him to only use Mobil synthetic oil, and he used olive oil instead.

    Yes, the moment I see an exact catalog of specifically what McOwen was supposed to install, and in what order, I will agree that he had no discretion to install any more or any less.

    I do not expect such a list to be forthcoming.

    OTOH, if you installed S@H on a live banking server 'just because', they'd beat you to death with CAT5, even if you have admin privileges.

    Again, university environment, not big multibillion dollar conglomerate with a stock price to keep up. Downtime is not disaster for *any* system in most universities.

    By contrast, more than a few companies have hot spare buildings. You heard that right: If, one day, the office should cease to exist, everyone may go to another.

    --Dan

  25. Re:Burden of Proof: Show He *Wasn't* Authorized. by Effugas · · Score: 2

    False analogy. A good analogy would be if I hired you to clean the dog shit off my yard, and you instead dumped a truckload of dog shit on it. If you did that, you'd pay and pay and pay.

    He was hired to install software. He didn't remove vast chunks of software, which would be the analogous argument. He also didn't attack the security of the systems he was using ("removing the lock from the door") or attempt to view other people's information ("pulled the mail from the mailbox"). He did too much -- he installed extra code that wasn't actually desired.

    A better example is that he was hired to clean up the dog shit, and he decided to clean up the cat shit too.

    He did extra work within the constraints of his legitimate access and his job. It's that simple.

    Not for security it doesn't. Security is a matter of knowing where every program on the machine came from, and knowing that no uncertified programs have even been run on the machine. It is solely a matter of trust, a matter of having a known chain of control. That trust is easy to throw away and expensive to regain.

    The trust never existed.

    Let me repeat that, with emphasis:

    The trust that you describe, with full chain of evidence and absolute knowledge as to the source of every last byte on every last system, did not exist in this environment.

    You cannot accuse somebody of losing for you what you didn't actually have!

    The fact that not only did he not lose this trust, but he isn't even being accused of attempting to gain more trust than he was legitimately entitled to (via *actual* hacking) does a lot to make me extraordinarily annoyed with this case.

    I've seen at least one rumor that these were lab machines. Security begins with the physical, and with the vast number of people using these machines, it's literally impossible for them to have been considered anywhere even remotely within the same galactic vicinity as a "trusted base".

    Yours Truly,

    Dan Kaminsky, CISSP

  26. Burden of Proof: Show He *Wasn't* Authorized. by Effugas · · Score: 5

    I am not a lawyer. I may once have thought to become one, but I have since been a technologist and a cryptographer. But I do not appreciate what Mr. McOwen is being accused of, and here are my thoughts on the matter:

    ====

    To state that this case deserves to get thrown out of court -- with the prosecuting attorneys being reprimanded for falsifying financial figures to achieve a felony prosecution -- is not only a reasonable statement, it's possibly an obvious one. I have five arguments from which I draw these conclusions:

    First, Mr. McOwen's terms of employment were easily open ended enough to consider this a valid use of network resources.
    Second, University policy clearly granted Mr. McOwen permission to administer the machines as he saw fit, as long as he did so "fairly and in accordance with University policy."
    Third, Mr. McOwen was acting in due diligence against billions of dollars in yearly national liability from a weak computer security environment.
    Fourth, the Prosecution's numbers cannot be justified in any way, shape, or form.
    Fifth, the very prosecution of this case creates a grave chilling effect against the ability for computer administrators to successfully maintain the systems they are charged with.

    1) The exact job specifications of Mr. McOwen's employment were not and literally could not be set in stone; his basic task was to administer the systems according to the precepts of the site they were deployed. In this case, the site was an educational institution. Educational institutions, as opposed to even corporate workplaces, exist as nodes of "basic research" and "collaborative and non-profit volunteerism". Surely, it is not inconceivable that given the extraordinarily high degree of public works that universities are known for, that he might have come to the reasonable conclusion that installation of software that contributed to a public good (the global improvement of cryptographic quality) would be a fair extension of the mission of the university.

    2) The University of Georgia's computer security policies, available at http://www.uga.edu/compsec/summary.html , clearly give Mr. McOwen wide latitude to administer systems however he saw fit. It states, "Those who administer computers and network facilities shall perform their duties fairly, in accordance with University policies." As this is the primary document describing University policies with respect to computer security, it stands by itself as a sufficient source of guidance for Mr. McOwen. Users are admonished that they "...shall take full responsibility for messages that they transmit through the University's computers and network facilities"; such responsibility refers specifically to "fraud, harassment, obscenity, and the like." Surely the analysis of simple numbers does not rise to the level of obscenity! There are admonitions against Trojan Horses and computer viruses, yet both tools exist to procure access where none existed before--Mr. McOwen was granted his access legitimately. Indeed, the university specifically defines Trojan Horses in a detailed guide available at http://www.uga.edu/compsec/use.html : "A Trojan horse is a program with a hidden, destructive function, or a program designed to trick users into revealing confidential information such as passwords." There was nothing hidden about the RC5 code, and as for destructiveness, few would argue it is destructive to a computer to ask it to compute! Though there is a mention against "cracking", it is specifically in reference to the cracking of computers--Mr. McOwen was analyzing a code specifically authorized and designed to be analyzed. Even if he had been running a genuine system cracking utility, the detailed rules specifically authorize system administrators to do so. Mr. McOwen even actively complied with the requirement to give higher priority to users with more important work by running software that immediately yielded resources requested to any other software that requested them. Given the degree to which Mr. McOwen explicitly complied with university regulations, it is difficult to see the validity of this case.

    3) Statistics have shown a multi billion dollar a year loss to the country from insufficient encryption and computer security systems. Such damage is often either concentrated or traced from machines with inadequate network security. University machines, almost always under-administered and very often forced to be publicly accessible due to the academic requirements of students (one could not expect a place of higher learning to be as firewalled as the FBI!), often either directly experience financial damage or indirectly contribute to theoretical litigation expenses from being used as "jumping off points" for larger attacks. By contributing to the global awareness of the dangers of insufficient security, David expressed a degree of "due diligence" towards solving a problem the university was contributing to. Such due diligence constitutes a legitimate usage of system resources as a mitigating factor in any future litigation, much as active and genuine safety research mitigates against gross negligence in product liability circumstances.

    4) No actual damage can be substantiated by the prosecution. The RC5 software, far from being heavy on network traffic, is a class of code known as "embarrassingly parallelizable". In other words, the system consumes extraordinarily little network traffic for the amount of processing it does. Such processing is often done on systems with only intermittent modem connectivity; the university possessed a network connection several hundred times faster with permanent connectivity. It is beyond even the pale of conception that any communication from the RC5 system did, could have, or might have been predicted to cause any form of lesser service to any other network service. Indeed:

    Suppose the school spent $200,000 on their internet connection yearly, for a single T1 interface capable of transferring one million, five hundred and fifty four thousand bits per second. Suppose the "damage" lasted over two years. This would place an upper cap of damages still at but $400K, and this would be presuming that the attack consumed the entire sum total of network resources. No such claim is being made. Let's assume that each transmission consisted of sixteen thousand bits every two days, and there were a hundred machines participating. These remain ballpark figures, but they're useful for illustrating the utter lack of direct damage. Over two years, those one hundred machines would exchange 584,000,000 bits.

    This seems significant, until one realizes that the network as described possessed capacity to carry approximately 97,130,880,000,000 bits. The RC5 system, as it were, used up all of 0.0006% of the network capacity.

    0.0006% of $400,000, incidentally, comes out to about $2.40.

    5) Prosecution of Mr. McOwen would have a drastic chilling effect on the ability of computer administrators to do their work. When something as trivial as a pocket change's worth of network bandwidth can lead to felony prosecution, it becomes too risky to do much of anything. Mr. McOwen's judgement on the matter was trusted, and even if--in retrospect--management would have made separate selections, it's a questionable matter whether he could have fairly predicted that. His actions were questionable even as an offense worthy of termination, given the wide berth that system administrators require to be effective and the vast freedoms inherent in the academic environment. They'd be laughed out of any civil court in the country, and the fact that they've reached criminal court--at the felony level, which would deprive Mr. McOwen of his freedom, his voting rights, and even his ability to simply procure employment--is a grave insult.

    This case should be thrown out of court, and the defendant's legal fees covered in full. Nobody should be allowed to abuse the power of the court in this manner.

    Yours Truly,

    Dan Kaminsky
    Certified Information Systems Security Professional

  27. Re:Burden of Proof: Show He *Wasn't* Authorized. by Effugas · · Score: 5

    For the support of the organization, not for his own personal amusement, and most assuredly *not* for an effort to win him a prize.

    It is my contention that his personal goals and the mission of his company were not in conflict, and furthermore the odds of him actually winning the prize, remote enough (even with whatever rank he managed to achieve), the prize small enough, and the actual distribution of that profit distributed enough that for all intents and purposes the value of that prize goes to zero.

    In terms of the prize itself, his probabilistic share probably didn't add up to the price of a can of Mountain Dew. That's a Red Herring and you know it.

    That a university is publicly oriented does not give its employees license to do whatever they think is in the public interest. A university is a corporation, just like any other, and the use of its resources must be approved by management.

    First of all, you're wrong. A university is not a standard corporation any more than a political party is, particularly not a university established as a branch of the government! The explicitly avowed dedication to academic freedom means a hell of a lot.

    Second, I haven't seen a single shred of evidence to state that he himself didn't have the discretionary authority to decide to run this software. Administrators were exhorted to behave in a manner compatible with the values of the university; as I noted, the RC5 system was extraordinarily compatible with the values as they were laid down, down to relinquishing CPU upon request.

    In fact, if one examines the documents linked in the previous post in depth, one finds an extraordinary amount of power given to system administrators -- so much, in fact, that "management" sees the need to specifically warn administrators not to be overly or overtly malicious towards students. This seems to me an implication that sysadmins had an extraordinary amount of autonomy over the systems they deployed.

    Whether or not you feel this is a good thing for management or even a professional thing for Mr. McOwen, the implication that the systems were under his discretionary control is quite clearly there.

    He wasn't a consultant, sigwinch. He was one of the operators.

    Incidentally -- these machines were going for some time, with no complaints being rendered for quite some time. This means a couple things:

    1) Other admins who noticed either approved, yielded to McOwen's discretionary authority, or were able to remove it themselves. Any way you slice it, the time he was granted helps, not hurts his position. (By contrast, a genuine attack usually *hurts* a network, causing reasonably quick corrections.)

    2) Management either approved, or itself issued little low-level discretionary authority. In other words, management ordered the sysadmins to keep things running. If the sysadmins extracted more value from the sunk costs, and it was (reasonably) within the mission of the university -- so be it.

    Unreviewed, untested, warranty-less binaries that engage in continuous communication with remote servers are a serious security threat, as well as a threat to the integrity of the machines.

    Yeah, welcome to Winamp, Windows Media Player, RealPlayer, Yahoo Messenger, and Windows itself.

    Give me a break. The majority of university networks are so riddled with out of date daemons and unfirewalled ports it's ludicrous to suggest a single daemon with no known polling vulnerabilities is going to outweigh it. (By contrast, simply spoofing Winamp's update page is enough to destroy it.)

    And what the fuck does that have to do with this discussion? The question is whether he had permission, not whether he would have had a good justification if he had asked for permission.

    The question is if he had to ask. My point is that the burden is on the university to show he actually did need to ask, because he was clearly acting within the bounds laid out in the rules the school made public in a position that demands a large amount of autonomy.

    Remember, that you would have made a different choice is irrelevant; the question is whether he had the right to make such a choice. In my mind, the fact that so much time passed between his use of university resources and his eventual shutdown means that quite a few people knew of this incident and one person elected to express discretionary privilege and can him. That's fine--it happens--but you don't send someone to jail for it.

    And even if that was our discussion, brute-force cracking RC5 is a stunt. It doesn't do a damn thing for security.

    Silly. You have no idea how much Cracking DES did, do you? Do you have any idea how significant the EFF's DES Cracking book was in making sure AES happened, and in forcing 3DES to be the standard of the day?

    Do you understand how recent it was that the federal government was saying it would take a foreign government inordinate and unrealistic amounts of time and money to crack even one DES key?

    Do you realize how many algorithms, *today*, still depend on 40 bit RC4? Most SSL sites -- that travesty that is 802.11 WEP -- the garbage is everywhere.

    Are you an idiot? Do you know nothing about computers?

    Ask this again two weeks from now.

    Diligent recovery from this compromise would involve...

    a lot of things that didn't happen. At all. Even in the slightest.

    You can't charge for damages that didn't occur. It's like filing a suit for your own wrongful death because somebody coughed next to you and they might have had TB--first of all, you ain't dead, second of all, they didn't have it!

    Competent professionals help the client accomplish their mission. If they have ideas for new mission objectives, or even for cool charitable projects that don't really accomplish much, they discuss it with the boss. They *don't* run off and reconfigure hundreds of pieces of high tech equipment for their own whimsy.

    I claim this did help with the mission, and that it was reasonable for McOwen to believe this was within his assigned powers. If his interpretation was at odds with that of the administration, perhaps he deserved to lose his job -- but this doesn't even pass the giggle test for felony hacking. They were HIS BOXES. He had legitimate accounts, probably even root accounts, and did things that were *arguably* legitimate.

    Sysadmins *never* have the right to turn hundreds of the institution's machines into zombies for their own pet projects.

    Oddly enough, who do you go to if you have a project that could really use a few hundred machines? You go to management, they look at you funny and tell you to go to the guru to decide whether or not to do it.

    In most places with vast amounts of computing resources, there's usually a sysadmin at the top of the pile choosing what goes where--and if there's nobody on top of everything, like there aren't at most understaffed universities, everyone who has legitimate access is expected to legitimately use it--however they see fit, as long as they follow the rules.

    Hardly. It's vandalism, plain and simple. The alterations he performed obviously had no relevance to the organization's mission, they had a potential serious deleterious impact on the mission, and he deliberately chose not to ask permission when doing so would have required little time or effort.

    I provided extensive documentation showing the compatibility of this project to the university mission. I don't need to show it's absolutely correct -- merely that it's plausible.

    Whatever deleterious effect you mention *didn't happen*, and as far as I can tell hasn't *ever* happened. Complete lack of precedent for a deleterious effect has an effect in a courtroom, you know.

    The law is the least of his problems. Not only did he recklessly fuck over hundreds of his client's machines, he whined about the client's consternation on the Internet.

    If the prospect of a decade of prison rape wouldn't make you run screaming like a horror movie prom queen into whatever abandoned warehouse of an online forum you could find -- you're a stronger man than I.

    For the rest of his life, any time a prospective employer does a web search on him this story will show up in all its tawdry glory.

    Oh, this is much better than a felony conviction. It don't say, "Have you ever been mentioned on Slashdot" on the employment forms, you know :-)

    I propose a new phrase for the Internet lexicon: "Pulling a David McOwen". It will be the Darwin Award of Career Limiting Moves.

    Heh. Doctors play God, admins play BOFH. Both make mistakes, but the latter almost never kills anyone. Strip root, maybe. Strip down, though? For "hacking" his own machines?

    He ran rc5, not rm -rf. He used computers to compute, not to destroy. He yielded processor when needed, rather than hog it to the exclusion of all others.

    Felony hacking my ass, and *everybody* knows it.

    I do feel for the prosecutor, though. I don't think he realizes how badly he's being used.

    --Dan
    www.doxpara.com

  28. distributed.net's position by Nugget94M · · Score: 5
    distributed.net can confirm that at least some part of what's being reported is accurate. We were subpoenaed for information relating to Mr. McOwen's participation in the RC5-64 project and supplied that information as requested. We also spoke at length with representatives of the prosecution to make sure they understood the actual impact of the dnetc software on the machines and networks in question.

    However, part of the subpoena restricts us from commenting on the details of pending litigation. Especially since we do not know the details or circumstances of the alleged activity, we do not want to do anything which would endanger either party's position in this case. We trust that the community understands our position in this matter.

    In the more general sense, not commenting at all on the specifics of this case, it is never a good idea to run the distributed.net client software on computers you don't own or administrate. In the four years or so that we've been in operation we've been dragged in to a handful of situations where people have lost their jobs, positions, and scholarships by thinking that forgiveness would be easier to obtain than permission. Nobody, especially distributed.net, wants to see this happen.

    It's important to keep in mind that the literal resource consumption of the client (which is as close to "zero" as can be) is often not the only factor important to a business. The existence of prize money with the RC5-64 project is discomforting to many organizations. One tactic which has proven to be very effective is to provide an affidavit that you will donate any winnings to a charity if a client you installed on a company or university machine finds the winning key. In many cases, this has been key to a participant receiving permission to run the client on non-owned resources.

    Another frequent stumbling block is with service and support contracts which prohibit non-certified software running on workstations or servers. Your university or employer may risk losing support on their equipment if software is installed that hasn't been explicitly mentioned in the support agreements.

    The bottom line is, always get permission first. It might not be as difficult to get permission as you think. And if you can't get permission, don't install the client.

    We hope for a speedy and just resolution to this case, whatever that outcome should be, and that we never have to be involved in another one.

    1. Re:distributed.net's position by alkali · · Score: 1
      A gag order is pretty common in court proceedings, it keeps the trial in the legal courts rather than in the court of public opinion.

      I don't think gag orders on nonparty witnesses are at all common in the US. (Consider the O.J. trial, for instance, where witnesses were regularly popping up on television.)

    2. Re:distributed.net's position by lizrd · · Score: 2
      the prosecution is required to reveal all evidence gathered

      The prosecution is required to reveal all evidence gathered to the defendant. They are not required to reveal the evidence to any third party. Typically this evidence will later be revealed in the courtroom and in the records of the court, but this does not occur until after the trial. Both prosecutors and defense lawyers tend to like to keep things on the down-low to keep jury prejudice and such from tainting the proceedings. It's to the advantage of all involved to keep everything quiet until it can be presented within the strict rules of the courtroom rather than being presented in the sensationalist manner of the press.

      thus why would they have any ability to prevent those being subpoenaed to not discuss the subpoenaed information

      They have this ability because someone asked the judge who issued the subpoena for it. A gag order is pretty common in court proceedings, it keeps the trial in the legal courts rather than in the court of public opinion. Violation of such an order is contempt of court. You don't want to be caught in that situation.

      ________________________

      --
      I don't want free as in beer. I just want free beer.
    3. Re:distributed.net's position by Chagrin · · Score: 1
      • However, part of the subpoena restricts us from commenting on the details of pending litigation.
      I never realized it was possible to "subpoena" someone to not talk about a case. Not only does it seem to infringe on your right of speech, but the prosecution is required to reveal all evidence gathered (thus why would they have any ability to prevent those being subpoenaed to not discuss the subpoenaed information)?
      --

      I/O Error G-17: Aborting Installation

    4. Re:distributed.net's position by haruharaharu · · Score: 1

      I do like how you put "entertainment industry" in quotes; they're not very entertaining. Not nearly as much as your frothing self.

      --
      Reboot macht Frei.
  29. Re:Reduced lifetime? by stripes · · Score: 2
    your CPU stays on at full power running an idle thread waiting for your OS to give it something to do.

    Depends on the OS. Most modernish OSes on a single processor execute a HALT rather than spin in an idle loop. Not as many do that on multiple CPUs because getting the wakeup code right is harder.

    CPUs in the halt state generally use less power, and generate less heat. It may wear the CPU out a bit slower too. A box with a thermal controlled fan will use less cooling power, and in the summer less AC will be used.

    Those effects should be pretty small though. The heat generated by a CPU may be the same as two office lights, and a halted CPU won't put off no heat, just a bit less. Similar for the power used. So as far as heat and power goes it would be like suing a janitor for a half mil for leaving the lights on in a bunch of offices (for a few years).

    Beats me on bandwidth, but I expect that is pretty low too.

    Even if damages are called for these seem totally out of line. As far as damages go, I figure this would be the kind of thing worth a stern warning, or maybe a firing, but not a lawsuit. Apparently I'm not the State of Georgia.

  30. Re:Reduced lifetime? by stripes · · Score: 2
    Windows 9x and previous versions don't qualify as Modern OSes

    Because they suck in general, or because they don't halt rather than having an idle loop (plus sucking in general as an OS)?

  31. Not a "bandwidth-sucking app" by GPS+Pilot · · Score: 1

    When my RC5 client did updates over a 28.8 modem, the data exchange was very brief.

    --
    That that is is that that that that is not is not.
  32. Somebody needs to explain to the prosecution... by GPS+Pilot · · Score: 1
    that what he did does not constitute a waste of computing resources; instead, it was a good use of CPU cycles and bandwidth that would have otherwise been wasted.

    As a taxpayer, I am outraged that 99% of government computers' CPU cycles are wasted. Government admins should be required to install distributed clients that solve scientific problems. David was just trying to bring us a little closer to that ideal.

    Note to the defense: never, ever use the word "cracking" to describe what RC-5 does. The prosecution will seize upon it and turn it into a bogeyman for ignorant jurists. Just describe RC-5 as a "mathematical exercise" or at most, a project that improves security in computer networks.

    --
    That that is is that that that that is not is not.
  33. Re:Does anyone have any real information about thi by lovelace · · Score: 1
    We need more information here, if someone has some please post.

    1. How can this be a felony, this is a civil matter. They should be suing for damages.
    Well, I can't help you with the rest, but here's the relevant law in the State of GA:

    http://www.clark.net/pub/rothman/gacode.htm

    I'm not sure what this falls under. Probably "Computer Theft" or "Computer Trespass". (But, IANAL.)
  34. Could have been worse ... by clovis · · Score: 1

    He could have installed f5g BonziBuddy and Gator.com on all those computers. I'd strap him in ol' sparky myself.

  35. Numbers don't add up by MushMouth · · Score: 1

    $.59/second only takes ~8 days on one machine to get to $400,000. Something tells me that it has been running on multiple machines for years, and this whole thing is a hoax.

    1. Re:Numbers don't add up by MushMouth · · Score: 1

      All I care about is what was written in the post $.59/sec per client. Guess what, that doesn't add up.

    2. Re:Numbers don't add up by Knobby · · Score: 1

      How many seconds does it take to download a few kB rc5 blocks from a big university pipe? (let's be generous and say 5sec or $2.95)... Now how long does it take between downloads? I haven't run an rc5 client in a few years but I seem to recall something like 1Mkeys/sec for a keyspace containing 2^32 keys that's a little over an hour (70 minutes/block).. So I can complete ~20 blocks/day or ~$60.. To rack up $500k would require something like 170,000 blocks or 8500 days.. The questions are: how long did he work there? and how many machines was he running on? With that info and a better estimate of the cpu type/speed and average data transfer rate you should be able to tell if the numbers make sense...

  36. Re:What about spam? by unitron · · Score: 2
    In most cases the belt that drives the alternator is not turned by the drive shaft (you can see occasional exceptions to this on scratch built hot rods). It is turned by a pulley on the front of the engine which is driven by the crankshaft.

    Alternators do not produce excess power, at least not if they're operating properly, and if they go bad and do produce excess power, that excess power burns out a fusible link, which makes you have to fix the problem.

    Alternators have voltage regulators that keep the voltage right around 13.8, or whatever voltage the manufacturer has designed for, despite fluctuations in the load. It does this by increasing or decreasing the magnetic field of the rotor. This rotating field induces a current in the stator that, after rectification, is the output of the alternator. When load increases it draws more current. This will cause the alternator output voltage (the pressure that forces current through the load) to drop unless the alternator is caused to produce a higher current, which results in the voltage not going down. In order to produce that higher current, the strength of that rotating magnetic field is increased. Rotating an armature in a stronger field or rotating a stronger field with the "armature" held fixed is electrically the same--you have relative movement. If the magnetic field strength increases it takes more energy to move one relative to the other. That increased energy has to come from the engine, which means it uses more gasoline.

    Radios, or any other electrical load, draw current. Some draw a little, some draw a lot, but none of them run on "free" power. The more current you have to supply to all the loads on the system, the more energy you have to use to generate that current.

    I'm not trying to flame you, but until you have a better understanding of how electricity works you might want to avoid endangering yourself and your equipment by not opening your system and messing with the insides. Of course I learned a lot of what I know about how electricity works by opening up stuff and messing with the insides, but fortunately I was lucky enough (not smart, lucky) to not have severely damaged myself or started a fire.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  37. Re:Good. by unitron · · Score: 2

    Not to mention that moderators who replied to the post they moderated would undo that moderation.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  38. Re:And the problem is...? by unitron · · Score: 2

    Generally when radio stations fire you they aren't that nice about it.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  39. What about power? by cjsnell · · Score: 2

    If I were the State of Georgia, I'd be more concerned about the power consumption and decreased hardware lifetimes (due to temperature from constant processor use) than I would a few hundred Kb of data a day. Try feeling your CPU heatsink after a day of running the dnet client and you'll see what I mean.



    1. Re:What about power? by cjsnell · · Score: 2
    2. Re:What about power? by sacherjj · · Score: 2

      I can agree with the slightly increased power usage, but there are arguments that would state that this would prolong the life of the processor. It is harder on a processor to heat up, cool down, heat up, cool down, than to run at a steady temperature. (Assuming the cooling was good enough to make this a safe steady temperature.) Silicon can handle the heat, so being at steady state is less stressing to the chip.

    3. Re:What about power? by gmeb · · Score: 1

      Of course it makes the CPU run hotter than when it's idle !

      A NOP (No-Operation) makes quite a few less transistors switch per second than real operations. And since the number of transistor switching that occurs per second is directly related to the power consumed, hence the power dissipated, a CPU does run quite a bit hotter when running dnetc instead of running the kernel idle loop. (Which even executes a HALT instead of a NOP on most kernels, for even less power consumption.)

      IIRC the people from dnetc have even come up with a calculation of how much energy production from a nuclear power plant goes into rc5 cracking on a world-scale.

      But this doesn't mean this case is valid IMHO. Which arguments could the state of Georgia have in this case ?

      * Wear-and-tear: since computers are usually replaced long before they're worn out I don't think this would be a valid argument.

      * Bandwidth consumption: at 5bps (60kB/day max) this seems like nitpicking.

      * Power consumption: now this probably is substantial. Then again, if they're leaving their computers on during the night (as most companies do), I fail to see how Georgia might make a point here.

      * Using someone else's computers for personal benefit: now that's something. That's a good argument. But I'd propose to settle out of court for that by offering to donate the prize to some good cause, or if the state of Georgia wouldn't be satisfied by that, by donating it to the state itself.

      But $415.000 ? They're making fools out of themselves !

      --
      The angry man always thinks he can do more than he can. -- Albertano of Brescia
    4. Re:What about power? by gordyf · · Score: 1

      Windows 9x does not use HLT on idle, therefore a CPU runs just as hot doing nothing as working 100% under Windows 98.

    5. Re:What about power? by IvyMike · · Score: 2

      I'd be more concerned about the power consumption and decreased hardware lifetimes

      Decreased hardware lifetimes? No such thing from overuse; the processor will be obsolete far before it ever dies. (I've run lots of CPUs 24/7 on lots of distributed projects; never once has a CPU died except when I dragged it to the junk heap.) And if a CPU does die, it was defective in the first place. Processors should not die from use. But perhaps the State of Georgia could go after Intel/Microsoft for obsoleting their equipment, though. ;)

    6. Re:What about power? by dankjones · · Score: 1
      OOOOOH! and how about the electricity used by the chip to produce all that heat... and the electricity used by the A/C to remove that heat.

      And how much toilet paper did he use to wipe his ass while he was at work, and how much time did he spend in the bathroom anyway?

      Confused? Read this.

    7. Re:What about power? by eclectro · · Score: 2

      I don't think wear n' tear is a factor for computers - the vast majority will suffer from obsolescence before any 'actual' wear n' tear problems.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    8. Re:What about power? by nanoakron · · Score: 1

      right, so he should pay compensation to the amount of ~300 PII CPUs (assuming 450MHz Xeons w. 512k cache)

      What's that work out to....hmm...$9,000!

      So get digging under your couch seats everyone!

      -Nano.

    9. Re:What about power? by aka-ed · · Score: 1
      That probably is chief among their actual concerns; bandwidth is measurable, "wear'n'tear" isn't.

      I want to get drunk with Hoagy Carmichael and

      --
      I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
  40. Re:Reduced lifetime? by cjsnell · · Score: 2

    True... I have no idea what those Georgia machines are but the machines we used when I was in high school were mass-produced low-end boxes. I doubt that they had more than the most basic CPU fan, if they had any at all.



  41. Re:And the problem is...? by John+Whitley · · Score: 4

    The penalty *IS* the point. This proposed penalty is not just "a little steep". At face value, this easily appears to be cruel and unusual punishment. 15 years in jail? Give me a break. When drunk drivers who put *lives* at risk don't get that sort of time, much less financial penalty, (especially on a first offense!), this becomes an abuse of the law and of law enforcement.


  42. Re:What about spam? by bonehead · · Score: 1

    Where as if anything had actually happened to the computers he would have been able to fix them immediately - hence costing nothing.

    That depends on what the "official" purpose of the computer was. I've personally been in charge of machines where downtime cost several hundreds of thousands of dollars per hour. This makes even the time required for a quick reboot quite expensive.

    Some of you kids need to realize that computers do actually get used to do real work. And that using up processor cycles on a machine that's doing real work costs real money.

    On the other hand, I think the penalties they're discussing are excessive, but what he did was still wrong.

  43. This is *insane* by don.g · · Score: 1

    15 years and US$415k? US$0.59/minute? Who is their ISP?

    --
    Pretend that something especially witty is here. Thanks.
  44. Re:non-work-related activites by Art+Tatum · · Score: 1
    What's required is good judgement. My boss doesn't care if I use the web to look up movie times for that evening, but running my own MP3 streaming radio station from my office would be out of line.

    Of course, running a streaming audio server and distributed.net are very different--media is on-demand while distributed is idle time. At any rate, would you expect to go to jail for 15 years and pay 415k even for setting up a media server? I doubt it.

    And I repeat: yes, I agree the penalty is too steep.

    But you made it sound like you didn't think it was all that bad. Perhaps this was simply poor communication on your part.

  45. Re:What about spam? by Art+Tatum · · Score: 1
    The computer was not his. He used it in an unauthorized manner.

    This is what we're talking about. If he didn't sign a form promising not to install third party software, then it wasn't unauthorized.

  46. Re:What about spam? by Art+Tatum · · Score: 2
    Uhm, why must everyone think they automatically have all these rights that no one has given them.

    Because this is a sufficiently ambiguous case to suggest the need for a contractual restriction. Perhaps he signed one--I don't know. Either way, the car analogies REALLY need to stop: running RC5 is NOT stealing a car and never will be. Was it bad? Maybe. Was it REALLY REALLY REALLY bad?

  47. Reduced lifetime? by SIGBUS · · Score: 1
    Maybe if your case isn't properly vented, or you have a defective CPU fan.

    I've run distributed.net on one of my machines for literally years on a continuous basis. I used to run my other boxen continuously too, but have stopped doing so recently, only because of power consumption.

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
    1. Re:Reduced lifetime? by tenchim · · Score: 1

      Pick up a basic microelectronics text that covers FETs and re-examine your statement.

    2. Re:Reduced lifetime? by ecampbel · · Score: 1

      Please ignore the last post. The poster did not know what he was talking about.

      --

      Sig goes here
    3. Re:Reduced lifetime? by ecampbel · · Score: 2

      Unless you put your machine to sleep or are using a transmeta, mobile pentium, or some other chip and OS that supports lowering the CPU's clock rate while idle (i.e. no processes need CPU time), your CPU stays on at full power running an idle thread waiting for your OS to give it something to do. In this case, there is little to no power savings having your machine sit idling compared to having it do heavy number crunching.

      --

      Sig goes here
  48. What about berkley software? by Mongoose · · Score: 1

    Let's sue for use of spare cycles by screensavers that auto update over the net too. I work for an .edu in GA ( and I'm not speaking for them ) - and if installing mozilla (not on the sw list, because no one *bought it) is a high crime they'll have to lock up SAs up to middle management for life. Countersuit for defamation?

  49. Re:Does anyone have any real information about thi by BrookHarty · · Score: 1

    No idea how discretion became disgression. Man, I need to put down the crack pipe.

  50. Does anyone have any real information about this? by BrookHarty · · Score: 2
    We need more information here, if someone has some please post.

    1. How can this be a felony, this is a civil matter. They should be suing for damages.
    2. If he was in charge of the project, he could put any software on the computers. He had full disgression on the software installed.
    3. Did he agree or sign documents agreeing not to install this type of software?
    4. Did he hide the Dnet software on the computers? When someone asked about the program, did he say "Oh that's the Distributed.net RC5 Program, etc..."
    5. How long did it take before someone complained about the program? Why didn't they just send out an email asking them to remove the software?
    6. What were the actual damages?

    When working a project, as a large computer rollout, you come up with a list of common software that the end user will need. What web browser, Email client, Ftp client, Bookmarks preinstalled, etc.. Now I hand this project over to the IT folks to do the actual work. They want to add their own standard troubleshooting tools, maybe PC Anywhere, Software logging, Time sync software, SSH, etc.. Did they break the company's policy by adding Time sync software? The IT department had the "implied" authority to alter the install.

    The abuse of the power for both State and Federal jurisdiction is in the news media daily, and here is just another example. Trying to put a person away for 15 years for installing software, un-fck'ing believable.

    -- A government that robs Peter to pay Paul can always depend upon the support of Paul. George Bernard Shaw (1856 - 1950)

  51. Re:Burden of Proof: Show He *Wasn't* Authorized. by BrookHarty · · Score: 2
    Please mark this sigwinch Troll down. Common sense seems to be lacking. Did the moderators fall asleep?

    Are you an idiot? Do you know nothing about computers? Diligent recovery from this compromise would involve 1) backing up all data on the compromised hard drives, 2) formatting them, 3) reinstalling them from scratch, 4) sanitizing all the backed-up data, 5) and reinstalling all the backed-up data. Assuming a $150/hour sysadmin, three labor hours per machine, and 200 machines, that's a direct recovery cost of $90k.

    (I'm assuming Windows since it's 200+ PCs)
    1. Click on the little cow icon in tooltray.
    2. Click configure.
    3. Click Help. Whoa look at that, URL and Name of program...
    4. Close program.
    5. Delete directory.

    I just saved the company 679K (your quote) and sued your ass for fraud.

    If I hired a mechanic to check out my engine, and he said I used the wrong brand of oil, and I must replace my engine, that's fraud.

    Common sense people, Any Sys-Admin, IT/IS person would know how to check out a program and figure how to uninstall it.
    BTW we use seti@home to burn in our Sun servers, even our big 10K clusters. Great way to burn in the million dollar hardware complexes before we go live with customers.
    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. Albert Einstein (1879 - 1955)

  52. Re:Burden of Proof: Show He *Wasn't* Authorized. by BrookHarty · · Score: 2
    We can tell managers from sys-admins from these posts....

    Sun CPUs, if bad, crash during the first couple of weeks (most likely) with cache or parity errors, that's why you burn them in...

    We never run seti@home on live production machines, just burn them in on pre-production machines, read the post again.

  53. Re:Burden of Proof: Show He *Wasn't* Authorized. by BrookHarty · · Score: 2
    OTOH, if you installed S@H on a live banking server 'just because', they'd beat you to death with CAT5, even if you have admin privileges.

    Exactly, the guy didn't install software on banking machines, he used uni desktop boxen. And if he did install S@H on production boxes he would be fired, not thrown in jail.

  54. Re:he's an ass but no murderer by Phrack · · Score: 1
    And you don't put people in jail for being asses. You make them president.

    No, you make them vice-president. Everybody knows that asses are in the back, genitals are in the front.




    --
    Never knock on Death's door.
    Ring the doorbell and run
    (He hates that).

    --
    Dump the IRS - http://www.fairtax.org
  55. Check his resume by Phrack · · Score: 2
    His personal site is here, and it includes his resume. On it, he lists employment with DeKalb Tech, and responsibility over 1,500 PC's (CPU and other tech facts left out). 1500 machines could generate that much, methinks.

    And, speaking as an ex-State o' GA employee working at a university... boy is he screwed. But, it could be worse. He could have tried to buy supplies that weren't under state contract, or done something else that is outlawed under the state's antediluvian purchasing policies for computer equipment.




    --
    Never knock on Death's door.
    Ring the doorbell and run
    (He hates that).

    --
    Dump the IRS - http://www.fairtax.org
  56. Universities by Brat+Food · · Score: 1

    OK, here's what bites my giblets... At 3 very large universities, I recall all of them having some idle process program running at all times. Be it RC5, Seti, or what have you, the point is it appears that doing this is commonplace. Hell, stuff like this was my kind of dream (mine was to outsource all the lab computers to companies for distributed 3d rendering. few thousand computer all chugging away at night, OH YEAH!). He should not be fired, and if he is convicted, the suits in all universities will start doing an unnecessary crackdown on their IT departments because of some FUD. And believe me, they WILL do it, even though they won't understand what they are doing. Also, by my estimates, to use up .59cents a second by way of rc5... I think he'd need some 10,000 computers or more... more likely the bandwidth was being eaten up by napster.. gg thx

    --

    "Stuff... In my home!? NEVER!" - Zim on Invader Zim
    "I want the toilet seat!" - Little Dog on Two Stupid Dogs
  57. Re:What about spam? by looie · · Score: 1
    The computer was not his. He used it in an unauthorized manner.

    Did he? Then, you must also think that personal web surfing at work is "unauthorized" and you never do it. Yeah, sure you don't. Just remember next time you're doing it, you are engaging in theft from your company and, according to your own theorizing, you can and should be sent to jail and fined for that theft.

    Also, remember that your employer may choose to wait 2 years to prosecute you. Keep lookin' over your shoulder, bub.

    mp

    --
    "The secret to strong security: less reliance on secrets." -- Whitfield Diffie
  58. This is just so stupid. by chris_sawtell · · Score: 1

    This is exactly the satanic abuse of power which drives otherwise sane people off the deep end to do evil things like Mr. Tim McVeigh did. My suggestion to our friend is simple. Go and see a Neutral Power and apply for asylum. Make sure that as many people as possible in the mainstream news media know exactly and truthfully what you have done. You will have no trouble getting employment in the Free World if you can actually do what you were employed to do by your erstwhile employer.

  59. Re:distributed.net license agreement by cloudmaster · · Score: 2

    I live in one of many areas (small town, central IL) where both residential and business lines are charged a per minute rate as well as a per/connect rate. In the city I used to live in (Urbana, only about 1 hour East of my present abode), the business line only paid per connect. That's how my dedicated dial-up connection was so affordable - it was online almost 24x7, but it only made 15-20 calls in a month. It made me feel good to be abusing the phone company, but made me feel bad to get calls at 8AM (college student, sleep until 10 normally) asking to talk to the "owner of the business". The tradeoff was acceptable.

    BTW, I had a whole bunch of computers running dnetc at the college that used to employ me. I didn't get sued. Know how? I asked permission. Then I installed the clients anyway. ;)

  60. Re:confirmation? by Delphis · · Score: 3

    The text of the finger (so people can stop /.'ing dnet :D) ->

    nugget@distributed.net
    [distributed.net]
    Login: nugget
    Name: David McNett
    Directory: /home/nugget
    :: 09-Jul-2001 00:15 (Monday) ::

    Well, since it's hit slashdot and I'm getting lots of mails asking if
    we're aware of the situation, I thought I'd post a plan explaining
    distributed.net's perspective on David McOwen and the State of Georgia.

    http://slashdot.org/article.pl?sid=01/07/08/2153206 for details

    distributed.net can confirm that at least some part of what's being reported
    is accurate. We were subpoenaed for information relating to Mr. McOwen's
    participation in the RC5-64 project and supplied that information as
    requested. We also spoke at length with representatives of the prosecution
    to make sure they understood the actual impact of the dnetc software on
    the machines and networks in question.

    However, part of the subpoena restricts us from commenting on the details
    of pending litigation. Especially since we do not know the details or
    circumstances of the alleged activity, we do not want to do anything which
    would endanger either party's position in this case. We trust that the
    community understands our position in this matter.

    In the more general sense, not commenting at all on the specifics of this
    case, it is never a good idea to run the distributed.net client software
    on computers you don't own or administrate. In the four years or so that
    we've been in operation we've been dragged in to a handful of situations
    where people have lost their jobs, positions, and scholarships by thinking
    that forgiveness would be easier to obtain than permission. Nobody,
    especially distributed.net, wants to see this happen.

    It's important to keep in mind that the literal resource consumption of
    the client (which is as close to "zero" as can be) is often not the only
    factor important to a business. The existence of prize money with the
    RC5-64 project is discomforting to many organizations. One tactic which
    has proven to be very effective is to provide an affidavit that you will
    donate any winnings to a charity if a client you installed on a company
    or university machine finds the winning key. In many cases, this has been
    key to a participant receiving permission to run the client on non-owned
    resources.

    Another frequent stumbling block is with service and support contracts
    which prohibit non-certified software running on workstations or servers.
    Your university or employer may risk losing support on their equipment if
    software is installed that hasn't been explicitly mentioned in the support
    agreements.

    The bottom line is, always get permission first. It might not be as
    difficult to get permission as you think. And if you can't get permission,
    don't install the client.

    We hope for a speedy and just resolution to this case, whatever that
    outcome should be, and that we never have to be involved in another one.

    --
    Delphis

  61. Re:confirmation? by um...+Lucas · · Score: 1

    I know quite a few Sun employees who use AOL at home simply because through some deal via iPlanet, Sun offers them free AOL accounts... And besides that, after having to spend hour after hour after hour figuring this that and the other out, it wouldn't seem that surprising that some IT people would want to come home and just double click an icon and have it just work.

  62. Re: Confirmation by tenchim · · Score: 1

    Member status is a poor indicator of credibility and/or character, especially if the status is based on number of posts. Some of the Anandtech members get to where they are by blindly agreeing with the topic ("Yep, sounds good to me"), throw posts into every 'For Sale' thread ("'bump!'"), or throw in their baseless opinions ("SBLive is suck!" eom). You'll have a better idea of a member's credibility by searching for the threads he/she's contributed to.

  63. Re:Civil or Criminal? by Skapare · · Score: 2

    Even at 5 cents a second, that would be how many computation units to use $415,000 worth of bandwidth? This is RC4, not SETI. SETI is more of a bandwidth hog (I know, I run 2 SETI processes at home connected via the same 28.8k I browse slashdot with). RC4 hardly uses any since all it needs to return is the work unit start, number of keys, the result, and any ID information. Then it gets a new work unit of about the same complexity and goes to work.

    I could see how they can say the CPU time might cost that. But I sense they are twisting the facts to posture for some kind of bigger settlement or plea agreement. It could also just be gross incompetence on the part of the lawyer(s) there (and we know that never happens, right).

    --
    now we need to go OSS in diesel cars
  64. 59 cents per second? by Skapare · · Score: 3

    Bob: "Hello, this is Bob over in the State Attorney's office. Is this the state internet network accountant?"

    Tom: "Yes it is. How can I help you?"

    Bob: "I'm doing investigations on a case here, and I need to know how much the internet costs. Do you have this information?"

    Tom: "Do you need the cost of a specific circuit?"

    Bob: "I don't know what you mean by circuit. I'm only interested in the cost of the internet."

    Tom: "Well, there are a lot of cost factors involved. For example there are costs for leases and depreciations for the routers and the servers. Then there are the circuit costs for the state network. And the costs for connecting into the actual internet itself, like our OC-192 core connections."

    Bob: "So are these connections what makes the internet work?"

    Tom: "Yes, they are. Is that what you are interested in?"

    Bob: "I think so. What are we paying for that?"

    Tom: "Do you need the exact amount? I'd have to get all the paperwork together and figure it up and get back to you tomorrow."

    Bob: "Just an estimate for now. A ballpark figure is good enough. We'll ask for copies of the paperwork when we're ready to go to court on this."

    Tom: "OK, well last month we budgeted somewhere around 1.53 million dollars for the internet connections."

    Bob: "Great! Thanks! That's exactly what I need to know."

    --
    now we need to go OSS in diesel cars
  65. Re:And the problem is...? by sharkey · · Score: 3

    Sadly true. In Anderson, IN a couple years ago, the media got ahold of a tidbit about a man who had been busted for DWI, and had just received his six hundred and twenty-something conviction for that crime. Seems that the harshest penalty laid down for this guy was loss of his license.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  66. Re:What if one has d.net running at an old job now by CokeBear · · Score: 2

    Assuming they find it, and want to come after you for stealing processor time, you're fscked.

    If you fess up, then there is every chance they will go after you anyway.

    If you do nothing and they find it, they go after you...

    Your only real option would be to break in and remove the software, or hack in and do it remotely.

    Good luck.

    --
    Reality has a liberal bias
  67. Follow this Simple Rule by EvilJohn · · Score: 1

    If it's not your box, don't run the client.

    // EvilJohn
    // Java Geek

    --

    Less Talk, More Beer.
  68. Re:What about spam? by dillon_rinker · · Score: 2

    Actually, YOUR analogy isn't quite right; more like You hired Me to pick up your car and on the way I listened to the radio. This consumed power unnecessarily; since the power comes from gasoline, I cost you money.

  69. Re:distributed.net license agreement by dillon_rinker · · Score: 2

    It's like people at work that think they have a "right" to not have their email or web usage monitored. You're using someone else's resources, you have to follow their rules. If you don't like it, don't use it.

    Hmmm....a little cut, a little paste, and voila!

    It's like people at work that think they have a "right" not to have their bathroom breaks webcast. You're using someone else's toilet, you have to follow their rules. If you don't like it, don't use it.

    So...having made my point (I hope) that employers DON'T have carte blanche to do what they like to employees simply because the employees are on their property, the question then becomes where to draw the line. That I leave as an exercise for the reader.

  70. Anderson, IN. by Wntrmute · · Score: 1

    I've been there and I know people from there. I'm somehow not at all surprised. :-)

    -Wintermute

  71. Re:Distributed.Net statistics for this user by mvpel · · Score: 1

    Testing 4,302,216,663,924,736 keys using CPU cycles that would otherwise have dissipated as heat - how expensive is that? One keyblock is 132 bytes, and a keyblock can contain as many as 2^33 keys, so that many keys represents as few as 500,843 bytes of data traffic in either direction, over a span of two years.

    They're a bunch of ignorant dorks if they think this represents a 59 cent per second hit on their network.

  72. Re:Confirmation? by complex · · Score: 1

    the story is true. look on page 3 or 4 of the anandtech thread to see a reply from nugget@distributed.net.

    complex

  73. Re:To preempt all the "it's their equiptment" trol by magnwa · · Score: 2

    Actually.. they can ignore it for up to SEVEN years and then do what they want. :) It's called the statute of limitations. Magnwa

  74. Re:HUH? Full T1? by nyet · · Score: 1

    Oh. Nevermind. It was a hypothetical.

  75. HUH? Full T1? by nyet · · Score: 2

    he was using a full T1's worth of bandwith

    Urm. Say AGAIN? Or is somebody confusing megakeys per second with kilobits per second?

  76. He already got *FIRED* over it. by mindstrm · · Score: 2

    I don't call that getting off scot-free.
    Heck, even when my users do something like that, against policy, I don't request to have them fired.. perhaps I would if they repeatedly and blatantly ignored me and did it, and were jerks about it.

    Yes, they aren't his computers; that's obvious. Yes, he should have known better. And as you and everyone else agrees, 15 years in prison and a million bucks (or whatever) is friggin ridiculous.

    Remember,though, it has to go to court, where it won't be hard in this day and age to make them show how this cost them so much.

    1. Re:He already got *FIRED* over it. by mindstrm · · Score: 2

      I don't think he's fucked. They *will* be required to prove damages....and it's quite clear this could not have cost them such a high amount.

      If it did, in fact, their accounting records should show the anomaly.

  77. Where do you by mindstrm · · Score: 2

    determine that from? That he didn't care?

    He made a MISTAKE, as MANY young people do.
    And he's not saying he didn't do anything wrong.

    He's saying that having a felony charge on his record, paying a half million in fines and doing 15 years is NOT right. And I have to agree.

    Your attitude seems to be strange: If you break the law, any law, you should be thrown in prison for 15 years and not whine about it?

    1. Re:Where do you by Steeltoe · · Score: 1

      15 years of buttfucking will teach him not to do criminal activities like this again. When he gets out he will be in-debted without any way to get a decent job. Serves him right.

      On a serious note, I fully agree with you. This is not even criminal. At most he should be FINED, not FIRED. This case most likely stems from ignorance and fear in the administration of the university.

      Destroying an innocent life, even attempting it, sounds immoral to me, installing an application widely used throughout the IT-sector not necessarily true. He was an admin, probably with root password. They left it up to him to administer the network. It was his call, unless they say he can't do it but their rules gave him that power by being too vague. The administration behind this should be fired instead. Obviously they don't have common sense and good humour. They should be in no position to do what they did.

      - Steeltoe

    2. Re:Where do you by legLess · · Score: 2
      Christ, where'd you learn to read?
      This sucks, of course - it seems highly unlikely that the costs are what they say, and 15 years in jail is frankly insane.
      That's from my previous comment on the issue. Your attitude seems strange: jumping to wild conclusions before reading what I posted.

      "We all say so, so it must be true!"
      --
      This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  78. Re:Burden of Proof: Show He *Wasn't* Authorized. by demigod · · Score: 1
    Are you an idiot? Do you know nothing about computers? Diligent recovery from this compromise would involve 1) backing up all data on the compromised hard drives, 2) formatting them, 3) reinstalling them from scratch, 4) sanitizing all the backed-up data, 5) and reinstalling all the backed-up data. Assuming a $150/hour sysadmin, three labor hours per machine, and 200 machines, that's a direct recovery cost of $90k.

    Are you an idiot? Do you know nothing about computers? :-)

    Fix one machine and then duplicate it, these were lab machines. Remind me not to hire this guy. $90K indeed.


    --
    "The last thing I want to do is deal with a bunch of people who want something."
    Major Major
  79. GA is in the Right by da3dAlus · · Score: 2

    Ok, I'm a GA resident, and I'm also a student at a GA university. I am also the head of a student organization, and was recently on several faculty committees that dealt directly with state funds for the university. One thing that I have learned in the past year, is that you don't do squat with university computers or technology without clearing it with the proper authorities first.

    This past year, the IT dept. learned that several faculty and staff members had Napster installed on their computers. They learned of this when professors brought in their computers complaining of lack of disk space, and they found out that the grad assistants had installed Napster and proceeded to fill up the hard drives with MP3s. While that in and of itself cost money and time for the IT techs to get rid of the software and "repair" the computer, the bandwidth used to download those files also came from a very limited connection. So between the illegality of the music, and the cost of the download, IT announced that all computers with Napster must have the software uninstalled within 2 weeks of the notice.

    In any case, IT argued that these are state computers, not the property of the faculty or staff that use them. So basically, this guy IS screwed if he did not get permission. That's all there is to it.

    --

    Sometimes I doubt your commitment to Sparkle Motion.
    1. Re:GA is in the Right by essdodson · · Score: 1
      Working as a student tech at a GA college I'd say that 1/5 of all machines I've worked on in the past year have some sort of mp3 grabbing software. Only once was I told to remove it because it was preventing the machine from shutting down.

      Those packages cause us such grief. All library machines are locked down with notices of calling campus police if they find you installing anything. However faculty and staff seem to be free to roam wherever they please. We ran into massive bandwidth issues, it was found that a group of individuals in a department was leeching an incredible amount of music, I think they were just told to stop.

      <Sigh!>

      --
      scott
  80. Re:Burden of Proof: Show He *Wasn't* Authorized. by martinschrder · · Score: 1

    1. Click on the little cow icon in tooltray.
    This only works if the client hasn't been installed as a service. Then the client is invisible and you need some more clicks to deinstall it.

  81. Re:What about spam? by paled · · Score: 1

    Mr. dillon rinker, you are an asshole.
    Your assertion is completely invalid.

    The power comes from the alternator.
    Instead of the excess power being diverted to /dev/null - it was applied to the radio.
    The gasoline is consumed in the internal combustion used to power the driveshaft which propels the vehicle. A series of belts are used to derive power off of this via the alternator - which powers the electrical system (and AC).
    Do you know how long an FM radio can run off of a pair of AA (1.5 V) batteries? The radio power in no way harms the system - the power would have been sent to ground, just like the unused bandwidth of the messages of the RC5 client would have gone unused.

    --
    .
  82. Re:distributed.net license agreement by Yakman · · Score: 1
    It's like people at work that think they have a "right" not to have their bathroom breaks webcast. You're using someone else's toilet, you have to follow their rules. If you don't like it, don't use it.

    So...having made my point (I hope) that employers DON'T have carte blanche to do what they like to employees simply because the employees are on their property, the question then becomes where to draw the line. That I leave as an exercise for the reader

    The difference is most employees sign employee contracts that say they will not misuse the resources provided by an employer, followed by a description of what constitutes misuse.

    Your example would only apply if your employment contract said "Employees may be filmed while taking a crap and said film may be broadcast without any further consent from the employee".

  83. Re:Slippery Slope by Yakman · · Score: 2
    Fact of the matter is, this man is guilty, in a technical sense. But, if cases like this start to gain momentum, who knows how many companies we'll have suing their workers for non-work related internet usage.

    The difference is the average employment contract says "You will not misuse company resources, the penalty for which is disciplinary action (such as termination)".

    On the other hand, the average University computer policy is "Misuse of computer equipment may make you liable for prosecution". At least that's what I remember all the uni computer systems saying on login when I was at uni.

  84. distributed.net license agreement by Yakman · · Score: 3
    I haven't run an RC5 client for about 2 years now, but if I remember correctly there was something in the license / terms of use / whatever that said you're not allowed to use it on computers you don't have permission to install it on.

    I assume they wouldn't be suing him if he'd asked whether he could install this and use their bandwidth. So he's got no one to blame but himself.

    It's like people at work that think they have a "right" to not have their email or web usage monitored. You're using someone else's resources, you have to follow their rules. If you don't like it, don't use it.

    1. Re:distributed.net license agreement by Qui-Gon · · Score: 1

      Yes, you DO need permission to run the client on computers/networks/etc not owned by you. As stated in the Official distributed.net policies.

      I ran into this same problem about 3 years ago. I was running a d.net client on my school's DNS server. Well at the time I didn't know it was the DNS. (Hey, the school gave us accounts to play around with for our Unix class.) I ended up causing a massive network slow down for about a week. Granted the DNS was an ancient piece of crap, but it was working fine until I got a hold of it ;). I guess I should also note that I had nice'd the client to run at top priority effectively slowing all other services down. Ooops. I learned my lesson that day when the Sys Admin grabbed me in the parking lot after class and told me to take the client off the server. Since I was a student (and didn't know I was causing problems campus wide) they were not going to punish me in any way. I was lucky. I also should have read the Terms of Use before I went gung-ho and installed the client.

      --

      We are blind to the Worlds within us
      waiting to be born...
    2. Re:distributed.net license agreement by Lish · · Score: 1
      It is socially acceptable that employers would "monitor" voice phone calls, even personal calls to/from family members or friends, even during breaks and lunch hour?

      Socially acceptable, perhaps not. Completely legal, yes. Don't want your employer listening in? Don't make personal calls on their equipment.


      ---

      --
      "This message is composed of 100% recycled electrons."
    3. Re:distributed.net license agreement by iJosh · · Score: 1

      Maybe he should have done this:

      WORK FROM HOME
      Part time: $15,000.00
      Full time: $30,000.00

      Call: 1-800-555-5555

      --
      Moderating to further my personal world domination agenda... and to get chicks.
    4. Re:distributed.net license agreement by pjrc · · Score: 3
      It's like people at work that think they have a "right" to not have their email or web usage monitored. You're using someone elses resources, you have to follow their rules. If you don't like it, don't use it.

      What about the company telephones? How about during the lunch hour? It is socially acceptable that employers would "monitor" voice phone calls, even personal calls to/from family members or friends, even during breaks and lunch hour?

      Maybe email and voice phone calls are fundamentally different, but they're both simple human-to-human communication. Maybe it's "using someone elses resources" in your world, but at least in the US, local phone service and email are sold on a flat-fee basis. Aside from time lost from working, there is no additional cost to an employer for a brief phone call or a normal email message.

      The only thing that is fundamentally different about email is that it can be easily copied, archived, searched and indexed. Today (except perhaps for the NSA), voice phone calls can't be automatically converted to text and monitored as cheaply and automatically as email can. That's today. Someday it will be possible. When that day is upon us, I certainly hope your anti-privacy opinion isn't the general public sentiment.

      The one exception today, for voice phone calls, is monitoring of customer service calls to assure quality of service. It's generally accepted practice, and even required by law in some states, to disclose at the beginning of the call that it may be monitored. Sadly, email doesn't enjoy the same privacy protections as voice phone calls and postal (snail) mail.

    5. Re:distributed.net license agreement by pyite · · Score: 1

      Local service is not always billed on a flat rate basis. Only pretty much the baby bells do it this way. Many (read: most) businesses have third party companies who they get their service from because it works out for long distance in the long run. At my office, we get charged per minute (don't know the exact price) even for local calls (it actually might be like this for some baby bell business plans too). Luckily, my boss is super nice and lets us use the phones and what not.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    6. Re:distributed.net license agreement by goatee · · Score: 1
      I just finished reading Every Employees Guide to the Law, and according to it employers are allowed to monitor your calls. But, as soon as they realize that it's a personal call, they are required to stop listening.

      email is an entirely different ballgame though...I recommend PGP/GPG.

    7. Re:distributed.net license agreement by acceleriter · · Score: 1

      Shoot, where are you from? Here, the signs say you can make $1,000 part-time or $3,000 full-time weekly :)!

      --

      CEE5210S The signal SIGHUP was received.

    8. Re:distributed.net license agreement by Fobi · · Score: 1

      There was/is probably license terms as you describe them on the RC5 client.

      But this has nothing to do with this case; it isn't distributed.net who is suing him.

      The license term from distributed.net is only a precaution to prevent them from getting involved. Because of it they need only state that the user didn't use the client in accordance with their license terms.

      Mod down the parent, it isn't insightful.

    9. Re:distributed.net license agreement by multicsfan · · Score: 1

      I don't know the details in every state, but I believe that service in the US comes in two categories, Residential and Business. Residential usually has a flat rate option that most people select. Business is always per minute. In NY it's something like $.10 for first 3 minutes, then $.03/minute afterwards with Verizon. One of the reasons companies deal with other CLECS is the other CLECS charge less/month for the lines as well as having a lower per minute charge and charging in 6 second intervals, no $x for the first 3 minutes even if you only use 10 seconds.

      I keep my work and non-work computing separated. I only put work software on computers at work (I'm the network/sysadmin) and I do all my non-work at home including my non-work email, etc.

      The state of Georgia is being very stupid. I can't see any way they are going to ever recover the cost of this case. They are also showing a great amount of ignorance about computers and networking.

    10. Re:distributed.net license agreement by halftrack · · Score: 1

      correct from the distributed.net homepage: You may not run any distributed.net software on a system unless you own the system or have received permission from the owner to run distributed.net software.

      --
      Look a monkey!
  85. Re:Burden of Proof: Show He *Wasn't* Authorized. by WNight · · Score: 2

    I really hope you work in manual labour, because if you work with computers you're running a huge scam on any employers.

    Some basics.

    1) If they determined the computers were untrustworthy now they'd pay one junior tech to install Windows, that's 20 minutes. They'd do one install of any needed application, maybe 40 minutes, if we assume a lot of programs. Then they'd ghost it, burn the image, and ghost it onto the other terminals. Figure 10 minutes per station, but it's parallelizable, burn multiple copies, have multiple techs working. At ~12 minutes (rolling in some overhead to make the math pretty) per terminal, that's 5/hour, for maybe $4 each at a junior tech's likely wage. Multiply that by 200 and you've repaired all the machines for $800...

    2) If you did hire a security consultant, he'd only need to look at one machine to determine if there was a problem. He'd then pass it off to the junior techs mentioned in #1.

    3) The university isn't selling bandwidth, they're claiming it was stolen. That means they can only claim their cost. As shown in many posts, this cost is just a few dollars.

    4) The RC5 client isn't any more likely to become a security hole than Scandisk. It doesn't listen for an outside connection so it's a whole lot different than the type of thing you're thinking of.

    5) The dnet client doesn't slow down the machines it's running on, that's the whole point in running it at IDLE priority, it only runs when the machine isn't doing anything, and it consumes about 2.5MB of memory, all of which is easily swapped out for a higher-priority process. (I saw benchmarks that showed the computer performing exactly the same with and without the RC5 client running.)

    Sheesh.

    As I said, I really hope you don't represent yourself as a computer expert.

  86. Your tax dollars at work... by Xenious · · Score: 1

    Yea, forget about killers and rapists et al, lets get this guy and be sure to make him suffer! What crap, I think someone has toooo much time on their hands here. I wish people would get their priorities straight and go after the violent felons.

    --
    -Xen
  87. Is this all it takes to troll slashdot? by Mdog · · Score: 1

    So all I have to do is write a web page saying that my online rights were violated, and slashdot will post it? 50 here I come!

    </troll>

    Seriously, whether this story is true or not, I wish there were some sort of higher standard for supporting evidence.

    1. Re:Is this all it takes to troll slashdot? by AuMatar · · Score: 1

      And we all wish there was a higher standard for /. posts. Study some real trolls before trying again.

      --
      I still have more fans than freaks. WTF is wrong with you people?
  88. Confirmation? by MmmmJoel · · Score: 1

    Has anyone tried to confirm this story? It sounds more than suspicious. The user doesn't have a profile, doesn't have any elevated status (which may mean the account has just been created), and he publicly released his "attorney's" name and phone number? Sounds more like a prank to me than a cry for help.

    1. Re:confirmation? by Ioldanach · · Score: 1
      Personally, I think the guy wasn't too bright for running RC5 on a public machine in that manner.

      However, if it took an agent of the state government a year and a half to determine that it was a felony, and he had legal advice available, how is your average Joe supposed to know when it is and isn't legal?

    2. Re:confirmation? by FunkSoulBrother · · Score: 1
      Because we all know that traditional media outlets always get the story right.
      That is a rather pointless dig at the traditional media.
      They have the story right quite a bit more than slashdot.
    3. Re:Confirmation? by DeeKayWon · · Score: 5

      Any browser that shows the ALT text when the pointer is hovered over images will show you that he registered on AT forums in Oct '99 when they were created. Also, read the thread. One member named Russ has already contacted the attorney's office and has offered help. In case you didn't know, Russ is the maintainer of the TA Cube account, which is seventh overall in the RC5 contest. Russ is very involved in RC5, and I would assume he knows what he's talking about. Finally, read the guy's RC5 stats. Note that he's 94th overall but his current keyrate is only about 1000 kkeys/s compared to his overall of over 55,000. The PCs he lost are probably the ones he's being sued over. I don't think this is a hoax at all.

    4. Re:confirmation? by chipuni · · Score: 2
      Nugget gives us confirmation at http://oldcgi.distributed.net/cgi/dnet-finger.cgi?user=nugget .

      It's real.

      --
      Never play leapfrog with a unicorn. Or a juggernaut.
    5. Re:confirmation? by datawar · · Score: 1

      this is where your 'traditional' media outlet - hegemonic or not - has the leg up on slashdot - they would have called the AG's office for confirmation before running an item like this.

      Because we all know that traditional media outlets always get the story right.

      *ahem* John Markoff *ahem*

    6. Re:confirmation? by EulerX07 · · Score: 2

      Gee whiz, this is only insightful if you didn't read the actual thread, here's a post from the guy that is accused, I invite skeptics to just confirm it by themselves:

      For the guy that thinks it's a hoax simply contact the Georgia State Attorney's Office or the Georgia Bureau of Investigation, the lead Agent in charge of the year and half investigation that he said it took him to determine that running this Distributed.net client is a felony offense as outlined by the Computer administrators at the school and the State is Bob Stanley, the GBI office number is 770-987-9168.

      The Law Firm of my Lawyer is 770-564-1600. My Attorney is David Joyner

      The charges are from the 1999 Georgia Computer Crime code book Volume 14 Title 16-9-91 to 93 Pages 669 to 672.

      David


      Now that wasn't too hard, wasn't it?

    7. Re:confirmation? by GnuBeest · · Score: 3

      If you'd read the entire thread there, you'd see that apparently it's been confirmed by quite a few regular folks at anandtech. I thought it to be a crock at first glance, as well, but I suppose it's been proven otherwise. The first thing that threw me was the fact that ANYONE in the IT industry would use AOL -- but I suppose if he was dumb enough to run RC5 on public hardware ....

  89. 620+ convictions? by barzok · · Score: 1

    When, exactly, did he have time to drink?

    1. Re:620+ convictions? by Pogue+Mahone · · Score: 1
      When, exactly, did he have time to drink?

      While he was driving, of course...

      --
      Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
    2. Re:620+ convictions? by C.+Tengo+Hambre · · Score: 1

      That's pretty funny.

  90. key blocks by delmoi · · Score: 2

    You don't download keys, you download key blocks. Each key block is like 1k or something and has enough keys to keep a computer going for several hours.

    --

    Read The ReflectionEngine, a cyberpunk style n
  91. Re:rc5 output by SEWilco · · Score: 2
    Where is the explanation of those units? From the context, I think the "k" in Mk/sec and Gk/sec is "keys", which is a measurement of processing speed.

    I wonder if Georgia thinks "k" means "kilobytes".

    I don't see in the FAQ any mention of how much network bandwidth an RC5 client can use, particularly with the speed of processors two years ago.

  92. Distributed.Net Resources by SEWilco · · Score: 3

    Oops. Down on page four of that Forum is a comment from Distributed.Net that Georgia did subpoena them and Georgia was informed of the resources used by Distributed.Net. So Georgia should have the proper technical information.

  93. Re:Wow, what math... by Rinikusu · · Score: 1

    Yep! LoD! I forgot all about them. I vaguely remember the whole deal, but that was about the time I got into 2600 magazine, the internet was still largely academic and.. well, nevermind.. Goddamn I feel old.

    --
    If you were me, you'd be good lookin'. - six string samurai
  94. Re:Wow, what math... by Rinikusu · · Score: 1

    No shit, I meant to put that in there. And, to think that RC5 only uses the network when it's transmitting finished blocks and receiving new work. Man, I wonder who's getting a kickback here.. :)

    --
    If you were me, you'd be good lookin'. - six string samurai
  95. Wow, what math... by Rinikusu · · Score: 5

    59 cents per *second* in data traffic? for RC5? WHOA..

    I run RC5. It runs 24/7. Let's figure it out:

    1500 for the system (homebuilt)(let's say 3 year lifespan, that's 500/year, or about $42/month.. I paid cash for the components)

    my *total* electricity bill: 80/month
    ISP + cable TV: 60/month

    So, that's $182/month, a bit over $6/day in a 30 day month, .25/hour, .004/minute, and even less per SECOND. And I get a lot of use out of my machine, other than cracking RC5.

    Anyone remember when the h(cr)acker stole some AT&T documents (was that Mitnick?) and AT&T priced the documents at something like half a million bucks (although it was listed in their document catalog for like $30)?

    So, basically, the "cost" they incurred is bullshit, the jail time is fucking ridiculous (we can't even keep murderers in jail that long), god I'm sick of shit like this.

    Yes, they weren't his computers. He should be fired. However, the fine and proposed sentence time is a gross misrepresentation of justice. Can't the State of Georgia go arrest some of them child pornographers the Government keeps talking about instead?

    --
    If you were me, you'd be good lookin'. - six string samurai
    1. Re:Wow, what math... by ryanr · · Score: 2

      Yeah, I'm pretty sure that distributed.net doesn't pass around 537 petabyte blocks.

      The more "efficient method" would be something like, "block #x doesn't match". That's the point of testing a whole block... so it can be eliminated a block at a time. Assuming 1K messages per block, that's only 16GB for the number of blocks you cite.

      Since we've established they've got an OC-12 or better, shouldn't be too much of a problem. :) In fact, at 622mbps, 16GB should take something like 256 seconds, @$.59/sec, his charge should be more like $151.04.

    2. Re:Wow, what math... by ryanr · · Score: 4

      Or how much they apparently pay per month:

      $.59 /second
      x 60 seconds /min
      x 60 minutes /hour
      x 24 hours /day
      x 30 days /month
      = $1,529,280/month

      That's a heck of a lot of bandwidth... I used to have a T3 at a previous job for only $15K/month.

      This must be something like an OC-12. Amazing that they didn't notice him using the entire thing just for himself, either... well, I assume he was using it just for himself, since he's getting charged the full amount.

    3. Re:Wow, what math... by siokaos · · Score: 1

      You are an individual, your cost is MUCH lower than a university or other large entity. So much for public good appreciation

      --
      http://siokaos.org/
    4. Re:Wow, what math... by PrimeNumber · · Score: 1

      The whole AT&T farce you mentioned did happen.

      The guy(s) who "stole" the AT&T documents (E911 Document) was none other than Erik Bloodaxe and his fellow Legion of Doom members. Bloodaxe up until a couple years ago was also editor of Phrack magazine.

      The whole imbroglio surrounding the E911 document is mentioned in Bruce Sterling's book: The Hacker Crackdown: Law and disorder on the electronic frontier. Bruce Sterling placed this huge book on Project Gutenberg free for anyone to download. It is a good book and has a lot of info on the history of hacking, (pre script-kiddie days) as well as Operation Sundevil which was responsible for the confiscation of the computer systems of Steve Jackson Games, (GURPS RPGs) mainly because they had a BBS, and had Cyberpunk role playing game information on their boxes.

    5. Re:Wow, what math... by green+pizza · · Score: 2

      Or how much they apparently pay per month:
      basically $0.59/second = $1.5 Million/month

      Guess he's lucky he's only being sued for 1/3 of a month of internet access?? : )

    6. Re:Wow, what math... by slartiblartfast · · Score: 1

      Well, The guy is 94th in the all time list on Distributed.net for the rc5 project. He submitted 16,026,654 blocks. According to the distributed.net docs 1 block is at least 268,435,456 keys and could be as much as 8,589,934,592. Depending on how the data is transferred to and from the distributed.net servers this can come out at some really big numbers. Say the client sent the results back to the central server for each key tested, and that the result for 1 key could be transferred as a single byte. The total comes to at least 537,765,271,830,528 bytes!! I'm sure that the guys at distributed.net have a much more efficient way of passing the data around, but the numbers could still be pretty big.

    7. Re:Wow, what math... by fallen1 · · Score: 1

      The Enhanced911 documents were "stolen" from BellSouth and they were valued at some ungodly numbers. The people who wound up paying for the "crime" were three Atlanta area old-school hackers, dumpster divers and computer enthusiasts named The Prophet, Leftist, and Urvile (I do hope I have the last one spelled correctly - sorry if I don't, it's been awhile ;-p). I believe they all are doing quite well now...

      --

      Dream as if you'll live forever.
      Live as if you'll die tomorrow.
      ~Anonymous~

    8. Re:Wow, what math... by alcmena · · Score: 1

      According to the slashdot post, it was $0.59 per client. So it was $1.5M/month per computer it was installed on! Assuming 10 computers, probably a fairly low estimate, that makes it $15M/month. Something about this number sounds very wrong to me.

  96. Should've Posted This Article Monday by scotpurl · · Score: 3

    That way, more people would read it, and that way there'd be a large drop in the RC5 and OGR rates on Tuesday with everyone madly uninstalling their DNet clients from all the machines they've installed it on at work.

    I'm betting that the RC5 rate drops noticeably this week.

  97. get permission first by Teach · · Score: 1

    This messageboard post looks as much like an alarmist hoax as anything I've ever seen ("please contact my lawyer at his AOL address", and "this is not a rumor"), but....

    I ran the distributed.net client on every computer in every lab in the high school where I teach two years ago, myself. But I got permission first.

    • before anyone else, talked to our tech administrator, who was all for the idea
    • then briefly explained the concept and got permission from a few of the teachers in the business department, whose computers would also be running the client
    • then sent a one-page memo to the principal explaining d.net in 100 words or less, and asking if I could run it in my lab and others. He signed off on it, and I still have a copy of the signed memo in my files.
    • finally, install the thing everywhere

    The client is only running in my lab now, but I've still got permission. And in the unlikely event that we win, the $2000 goes to "Leander High School Computer Science Department". ;)

    Though it doesn't come anywhere near justifying a $0.59/sec cost, I can see people being upset if the admin kept machines on when they otherwise would have been off (e.g. spring break) solely to crack a few more RC-5 blocks. Electricity ain't cheap. OTOH, with proper proxying, bandwidth for d.net is negligible.

    If this story is true, the school system is most likely just upset about having software installed on their system without their knowledge (1) which drained system resources (albeit not many) and (2) whose primary purpose had no perceived value for the district (to prove how poor government encryption was at that time/the geek factor/to win money).

    --
    Graham "Teach" Mitchell, computer science teacher, Leander HS
  98. Re:I agree, but a felony? by mako · · Score: 2

    Neato. So companies should prosecute users for using unapproved backgrounds, or screensavers as well. What if a user sets their screensaver to 3d pipes instead of blank? Tell me is this a felony or just a misdemeanor? How do we calculate $$/CPU cycles again? Ohh don't forget time on the graphics card. And let's not just have companies fire people they don't like, let's make it possible to prosecute every former employee for something as nebulous as "stealing computer time", that way they can be blackmailed long after they leave the employer.

  99. Re:I suspect a mistake in units... by Polo · · Score: 2

    add a , sorry...

  100. I suspect a mistake in units... by Polo · · Score: 3


    I'm suspecting that:
    bandwidth in kbytes/sec
    is being confused with:
    keyrate in kkeys/sec
    as shown on this graph.

    Does anyone have any idea how keys translate into messages?

    1. Re:I suspect a mistake in units... by LeBlatt · · Score: 1

      Date Posted: Monday, July 09, 2001 3:08 PM

      Some info you will need if you wanna do "quick math" :
      The dnet client processes and transmits packets of data. Those packets contain blocks. One block contains 2^28 keys to test. The user gets credited for blocks he has processed.

      One packet can contain any number of blocks between 1 and 32. But the size in bytes of a packet is always the same, whatever number of blocks it contains, because a packet determines a range of blocks, with a starting point and a length, not just a series of blocks.

      I just took the log from my dnet proxy for today (since the last time it had cleared its outbound buffer), and found out I had processed 91 packets, containing 1497 blocks. The buffer was 15.296 bytes on disk. That is 168 bytes per packet, plus 8 bytes for the control header. Let's ignore those measly 8 bytes.

      Assuming he was producing 60K blocks per day, that would cause an outbound internet traffic of 60.000 x 168 /1024 = 9,844.75 kilobytes per day, assuming using 1 block packets (worst case). If using only largest packets (best case), you divide this by 32, and get 307.62 KB per day.
      Double this to account for inbound traffic used to fetch new data to process, and you get a whopping 615.23K per day, best case, or 19,687.5, worst case.
      Knowing that the default client config at that time was to use 2 block packets, the amount should get no higher than 8.5 MB a day.
      I don't know what line speed they use at that school, but that gives an idea of how little bandwidth he may have used.

      Now, David's lawyer should have access to all information concerning the case, including how many packets he submitted to dnet from the school to know exactly how much BW he used and how many seconds that took.

      --
      Keep your words aligned, and your objects oriented.
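
The packet arithmetic in the comment above, as an added Python example (not part of the original post and not distributed.net code). The 168-byte packet, 8-byte header and 32-block limit are the commenter's figures; the (start, length) grouping in `pack_ranges` and the sample block numbers are assumptions made for illustration.

```python
from math import ceil

PACKET_BYTES = 168           # per-packet size measured in the comment's proxy log
HEADER_BYTES = 8             # control header on the buffer file, per the comment
MAX_BLOCKS_PER_PACKET = 32   # upper bound on blocks per packet, per the comment
SECONDS_PER_DAY = 86_400


def packets_in_buffer(buffer_bytes):
    """Number of fixed-size packets held in a buffer file of the given size."""
    body = buffer_bytes - HEADER_BYTES
    if body < 0 or body % PACKET_BYTES:
        raise ValueError("buffer size is not header + N fixed-size packets")
    return body // PACKET_BYTES


def pack_ranges(block_ids, max_len=MAX_BLOCKS_PER_PACKET):
    """Coalesce block numbers into (start, length) ranges of at most max_len.

    Hypothetical grouping: each range stands for one packet, which is why a
    packet costs the same number of bytes whether it carries 1 block or 32.
    """
    ranges = []
    for block in sorted(set(block_ids)):
        if ranges:
            start, length = ranges[-1]
            if start + length == block and length < max_len:
                ranges[-1] = (start, length + 1)   # extend the current range
                continue
        ranges.append((block, 1))                  # gap or full packet: new range
    return ranges


def daily_traffic_bytes(blocks_per_day, blocks_per_packet, both_directions=True):
    """Bytes on the wire per day for a given packing density."""
    if not 1 <= blocks_per_packet <= MAX_BLOCKS_PER_PACKET:
        raise ValueError("blocks_per_packet must be between 1 and 32")
    packets = ceil(blocks_per_day / blocks_per_packet)
    directions = 2 if both_directions else 1       # fetch work + return results
    return packets * PACKET_BYTES * directions


def average_rate_bytes_per_sec(bytes_per_day):
    """Sustained rate if the day's traffic were spread evenly."""
    return bytes_per_day / SECONDS_PER_DAY


if __name__ == "__main__":
    # Buffer size from the comment: 91 packets plus the header.
    print("packets in 15296-byte buffer:", packets_in_buffer(15296))

    # Constructed block numbers: one contiguous run of 70 plus a stray pair.
    sample = list(range(100, 170)) + [500, 501]
    ranges = pack_ranges(sample)
    print("ranges:", ranges, "->", len(ranges) * PACKET_BYTES, "bytes")

    for density in (1, MAX_BLOCKS_PER_PACKET):
        total = daily_traffic_bytes(60_000, density)
        print(f"{density:>2} block(s)/packet: {total / 1024:,.2f} KB/day, "
              f"{average_rate_bytes_per_sec(total):.2f} bytes/sec average")
```
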
  101. Re:And the problem is...? by Iguanaphobic · · Score: 2


    Otherwise law enforcement turns into a for-profit business where the goal isn't to deter crime or protect society.

    Welcome to the new world.

    http://www.faqs.org/faqs/law/lawful-arrest/

    http://www.aclunc.org/opinion/001027-seizure.html

    http://www.libertarianworld.com/Property-Seizure-Rights.html

    3. Under the Kansas Asset Seizure and Forfeiture Act, the seizing authority is not required to prove that the money seized was a result of conduct which gave rise to the forfeiture.
    This quote was found here: http://www.kscourts.org/kscases/ctapp/2000/20000728/83662.htm

    Once you get through some of this material, you'll see where this is going.

    --
    Fascism should more properly be called corporatism, since it is the merger of state and corporate power.
  102. Re:And the problem is...? by Iguanaphobic · · Score: 3

    this becomes an abuse of the law and of law enforcement.

    No, you missed the point. This is all about a prosecutor for the State of Georgia justifying 18 months of his time and his waste of State resources. He must recoup these costs for the State or else it's his career and life that will be on the line.

    --
    Fascism should more properly be called corporatism, since it is the merger of state and corporate power.
  103. What about spam? by Red+Moose · · Score: 3
    It would be interesting if this was proven to be true with spam laws: that the student was effectively spamming and using illegally obtained bandwidth that he didn't officially have the right to use.

    So where do I go to sue the fuckers that spam me and cost *me* money. I am not a state, I'm a frickin' person. There's probably millions of dollars used in downloading spam (at least in Ireland with pay per minute Internet which is your only option really). A win in this case could be dangerous precedent for Universities that have large bandwidth with SETI clients and so on. Sort of like Napster as well (can't remember the links though when those Universities banned it).

    Anyway I've lost track.

    --

    Acting stupid isn't much fun when there's someone around who knows better

    1. Re:What about spam? by greenrd · · Score: 1
      Maybe if we started calling spammers "hackers" the courts would start assfucking them like they do to anyone who gets branded with that name.

      Would spackers be an acceptable compromise? How about this "Damn spackers! I hate spack!"

      Hmmm... doesn't really have the desired effect.

    2. Re:What about spam? by flounder99 · · Score: 1

      Duh, where do you think that electricity stored in the battery came from ??

      --
      I don't like .spam. in my email address, neither should you
    3. Re:What about spam? by TuxGrep · · Score: 1

      > Actually you don't have any rights to do
      > anything with any computer system except as
      > specifically authorized.

      Well let's see... If I am contracted to administer a computer, I'm not going to check with management if I'm allowed to run various programs (think ifconfig, vi, less, rm, mv...) because that is essential to my work there. Thus, authorization to use the various computers' binaries is IMPLICIT.

      That is notwithstanding the fact that I am obliged (in case of doubt) to prove that all I did was reasonably necessary for me to do my job, and do it in a good manner, too. In this case, the binary was probably neither pre-installed, nor productive, and possibly arguably counter-productive even. So, I think this was not proper use, I'd have to agree with you.

      However, your point that one would need authorization for everything cannot be upheld: it would create an unworkable situation.

    4. Re:What about spam? by conraduno · · Score: 1

      Your analogy doesn't work out... it's written in law that stealing a car is unlawful. These computers were under his jurisdiction, and unless it was explicitly stated that he could not download distributed clients, then he has committed no wrong.

      Truthfully I don't think this is a big deal, this would fall through the courts fairly easily. I refer you to the argument above. That's kind of a fundamental property of US law, (taking from what we hated about British law), that if it's not written down, it's not illegal. That's why we can't go around and make up a law like "It's illegal to be Jon Katz" and expect it to take effect.

    5. Re:What about spam? by crucini · · Score: 2

      First, the guy's not an asshole just because he disagrees with you. Second, you're missing a fact: the more electrical load is placed on the alternator, the more it resists rotation of its shaft. This means that to run the engine at a certain RPM requires more fuel when the alternator is more heavily loaded.
      Third, I've seen car stereos that make the headlights dim with each beat. But a better example altogether would be air conditioning, which definitely increases fuel consumption. So let's say the 'carwash kid' ran the AC, which was neither prohibited nor specifically allowed by the owner.

    6. Re:What about spam? by compwiz3688 · · Score: 1

      It would be interesting if this was proven to be true with spam laws

      Not to mention that Yahoo can sue (what's his nick again?) for DoSing the site!
      ---

    7. Re:What about spam? by Fjord · · Score: 2

      Battery drain equates to gasoline usage, even when the car is off, since it is gas that charges the battery. Unless you have a hybrid or other non-standard car, where did you think the charge in the battery comes from?

      --
      -no broken link
    8. Re:What about spam? by Fjord · · Score: 2

      In this case, the radio is much better. The A/C really does consume a lot of gas, but a radio is more like the RC client.

      --
      -no broken link
    9. Re:What about spam? by hexx · · Score: 2

      Why does he deserve to be punished? Unless he signed something saying he wouldn't use school computers for personal net use, he didn't do anything wrong!

      Do I need to sign something saying that I'm not going to steal your car in order to make stealing it a crime?

      The computer was not his. He used it in an unauthorized manner.

      If I took your car without your permission, and returned it unharmed - maybe even cleaned and filled with gas, it's still theft. You can choose to prosecute me or not.

      This guy took resources that were not his and used them. It doesn't matter that it was minor - that does not change the fact that he was not authorized to do so.

      It's not like we're talking rocket science here. You break the law and you get fined.

      As far as the excessive nature of the fine, I think it's silly, and if there were a donation method, I'd drop $10. Anyone wanna set one up? A good lawyer is expensive.

    10. Re:What about spam? by pyite · · Score: 1

      Uhm, why must everyone think they automatically have all these rights that no one has given them. "Well, erm, let's see here, let me pretend these here, urm, computers here are mine, and I'll run my personal software on these computers that erm, are not, erm, mine. Erm, yea, that, erm, can't be wrong." Grow up and learn some responsibility. Imagine you getting your car (school computers) parked (administered) by a valet (computer admin) who, while you were eating, figured since you weren't using the car, he'd go run a few errands. It doesn't fly. Now, the valet "[...] didn't sign a form promising not to [...]" drive your car while you weren't using it, but I'm sure no one would say that they were happy with the valet taking the car without asking.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    11. Re:What about spam? by FunkSoulBrother · · Score: 1
      "Did he? Then, you must also think that personal web surfing at work is "unauthorized" and you never do it. Yeah, sure you don't. Just remember next time you're doing it, you are engaging in theft from your company and, according to your own theorizing, you can and should be sent to jail and fined for that theft."

      Fine, but the personal web surfing, just like the RC5 was still wrong.

      People on Slashdot don't seem to understand that you can do something that lots of people do and it can still be technically wrong.

      Napster, personal web surfing, marijuana, online gambling. Just cause lots of people do these things doesn't make it technically right. Nothing is unfair about being caught breaking predefined rules. It's called risk. Everyone is risking something when they do these things. Someone gets caught, hell, they knew the risk, that is their own fault.

      Now personally I don't have a problem with any of these things. Hell I think laws should change. But it is silly fighting for someone who got caught breaking a known rule. Better to use him as an example of why that particular rule is unjust.
    12. Re:What about spam? by FunkSoulBrother · · Score: 1

      Why would you let a bunch of people you've never met make up your mind about right and wrong?
      This is why I bolded technically in the above post. I am not discussing the issue of morally right or ethically right. I'm not discussing should, I am discussing is.
      I would never for a second let a government tell me that marijuana, for example, is wrong on some sort of personal level. However, every time I smoke up I do understand that on a legal, technical level, this is wrong, regardless of my personal feelings on the law. If I were to get caught, whining on my behalf would be just that: whining. I knew what I was doing. When I've paid my debt to society, then I can start up a marijuana legalization rally or something. This holds for Napster, online gambling, and what have you. If you do something against a rule, no matter how insignificant, and get caught, you should direct your attention to the fight against the unjust rule, not to the fight to save your own ass, IMHO.

    13. Re:What about spam? by mcleodnine · · Score: 1

      Yep there's a lot of assholes around here, but I don't think Mr. Dillon is one of 'em.

      The car radio consumes power. Period. However negligible it may appear to be compared to a 300 cu. in. motor, it still consumes power.

      For example let's look at your basic AM/FM car radio rated at a mere 5 watts. It takes energy for the circuitry in the radio to generate a signal to drive the speakers to create the noise. Where does it get the 5 watts? From the alternator. Where does the alternator get its power? From the mechanical energy provided by the motor. Let's hook up a thousand 5 watt radios to your car and see if the alternator can sustain that load. You will most certainly consume more chemical energy (gasoline) to maintain that load. Drive around town with your A/C on full time and tell me that your gas mileage doesn't completely suck.

      By saying that "the power would have been sent to ground" is complete bullshit. Unless there is a load between the source and ground, no work is done and no energy is consumed.

      I guess we're dealing with the same type of person here who will tell you that "heat rises" or that "it'll be 60 below with the windchill factor tonight. You'd better be sure your antifreeze can handle at least 70 below."

      I think the magnet on your forehead is on too tight.

      --
      one better than mcleodeight
    14. Re:What about spam? by natet · · Score: 1
      IANAL, but technically, since these computers were being used in a school environment, they were public resources. Unless he was explicitly going against some acceptable use policy, or breaking a law, he shouldn't be accountable.

      In a city I used to live in, the bus system was free and fully subsidized by the city. This guy being prosecuted is equivalent to him getting on the bus, and then getting slapped with a fine for sitting sideways on the seat.

      --
      IANAL... But I play one on /.
    15. Re:What about spam? by tchuladdiass · · Score: 1
      Actually, your car analogy isn't quite right. It would be more like... you hire me to pick up your car at your house and take it to have it washed. On my way to the car wash, I take a detour to a McDonalds Drive through, then I pick up a date to go cruising, then get the car washed and return it to you (with a few more miles and wear & tear). You couldn't prosecute me for stealing your car, since I had authorization and was hired to drive it, but you could potentially sue me for the extra mileage.

      Another car analogy would be a limo or cab driver that uses the car for personal business during off hours.

    16. Re:What about spam? by sydb · · Score: 1
      Gee... the guy posts at two and thinks electricity is free!

      The mechanical load the alternator imposes upon the engine increases in proportion to the electrical load placed on the alternator.

      Really it does. Try it yourself. Get a hand operated generator; turn it without electrical load, then put a 100 watt bulb on it. You have to push harder.

      So in your car, the energy going to /dev/radio came from /dev/wheel, not /dev/null.

      --
      Yours Sincerely, Michael.
    17. Re:What about spam? by charnov · · Score: 1

      Now...now...Spack has been my nick for 12 years...don't go ruining my good name...heh

      --
      [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
    18. Re:What about spam? by SubtleNuance · · Score: 2

      s/radio/air-conditioner

      ..and he's got you dead-nuts.

    19. Re:What about spam? by 1ridium · · Score: 1

      This argument does not hold up because a valet could have crashed the car. Whereas if anything had actually happened to the computers he would have been able to fix them immediately - hence costing nothing.

      --
      Make it idiot-proof and someone will build a better idiot.
    20. Re:What about spam? by Rhone · · Score: 1

      Maybe if we started calling spammers "hackers" the courts would start assfucking them like they do to anyone who gets branded with that name.

      Probably not. It's not like the term "spammer" has much more of a warmfuzzy, positive connotation than "hacker". Associating the two would be more insulting to hackers than to spammers.

    21. Re:What about spam? by Kierthos · · Score: 1

      What makes all above-named activities perfectly alright is having a good head on you and being able to make your own decisions about what is right or wrong. Why would you let a bunch of people you've never met make up your mind about right and wrong?

      Congratulations. You've just described any process which makes laws that does not ask every last person affected by those laws. Your statement indicates that any laws made by local, state or federal government is "wrong" because they didn't ask you.

      Get this. Napster did facilitate unauthorized duplication of material. Millions of people used it. Is it wrong? Technically and legally, yes. Did that really stop anyone? Probably not.

      Marijuana is illegal. Millions of people use it. Is it wrong? Legally, yes. Is that going to stop anyone? Only the people who get arrested.

      The point is, just because something is wrong does not stop people from doing it, and just because lots of people do it does not make it ethically correct. The reason most companies don't "prosecute" employees who web-surf at work is because it generally isn't worth it. The reason the record companies haven't gone after every last person who downloaded a song from Napster is because it generally isn't worth it. The costs involved far outweigh any possible benefit.

      Having "a good head on" does not make things correct or right or legal. It probably minimizes your chances of being caught, but it doesn't make lighting up a fattie any less illegal.

      Kierthos

      --
      Mr. Hu is not a ninja.
    22. Re:What about spam? by Kierthos · · Score: 2

      Gee, that's funny, because I can turn on the radio in my brother's car without having the engine running, therefore it consumes no gasoline.

      What it does do is slowly drain the battery, because the engine is not running, powering the alternator and keeping the battery at charge.

      Regardless, the man is probably screwed. I know for certain that if I (or anyone else) had used the USC (South Carolina, not Southern California, more's the shame) computers for a stunt like this, I would be lucky if I walked away with expulsion. Considering that the admins gave MUD'ers a hard time even when no one else wanted to use the computers, they're an uptight bunch (understandably though).

      Although, I must say, they have no problems with SETI@home, or other shared processing programs that do not award prizes.

      Kierthos

      --
      Mr. Hu is not a ninja.
    23. Re:What about spam? by unicaller · · Score: 1
      Unless there is a load between the source and ground, no work is done and no energy is consumed.

      Not true, there would be no load, but even under no load the alternator (don't believe me, take one that is not hooked up and turn it.) The power from your alternator is free in the way that you pay for it whether you use it or not.

      Drive around town with your A/C on full time and tell me that your gas mileage doesn't completely suck.

      Your A/C compressor(some use up to 15hp) runs off its own belt drive, it has a clutch to turn it on and off.

      Let's hook up a thousand 5 watt radios to your car and see if the alternator can sustain that load. You will most certainly consume more chemical energy (gasoline) to maintain that load.

      Wrong, ask anyone with a high power amp in their car, you will use battery power if you go over what your alternator puts out then your car will stall when your battery dies.

      Sit down and shut up.

      P.S. Heat does rise, hot air balloon anyone.

    24. Re:What about spam? by kbeast · · Score: 1

      thats great! a classic!

      .kb

      --
      Two Wrongs Don't Make A Right-- But They Make Me Feel A Whole Lot Better
    25. Re:What about spam? by mikethegeek · · Score: 4

      "So where do I go to sue the fuckers that spam me and cost *me* money. I am not a state, I'm a frickin' person. There's probably millions of dollars used in downloading spam (at least in Ireland with pay per minute Internet which is your only option really). A win in this case could be dangerous precedent for Universities that have large bandwidth with SETI clients and so on. Sort of like Napster as well (can't remember the links though when those Universities banned it)."

      Very interesting suggestion, as what this guy is accused of is more or less what spammers do, especially the ones who exploit open relays.

      Maybe if we started calling spammers "hackers" the courts would start assfucking them like they do to anyone who gets branded with that name.

      I believe this guy deserves to be punished, but what he did was at WORST a misdemeanor. He deserves at worst a fine and/or community service.

      The fine and punishment the prosecutors are going for are TOTALLY out of proportion to the crime. There are drug dealers and people guilty of VIOLENT crimes like assault who get FAR less.

      --
      === The price of freedom is eternal vigilance
    26. Re:What about spam? by kilgore_47 · · Score: 2

      I believe this guy deserves to be punished, but what he did was at WORST a misdemeanor. He deserves at worst a fine and/or community service.

      Why does he deserve to be punished? Unless he signed something saying he wouldn't use school computers for personal net use, he didn't do anything wrong!

      ___

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    27. Re:What about spam? by kilgore_47 · · Score: 2

      Napster, personal web surfing, marijuana, online gambling. Just cause lots of people do these things doesn't make it technically right.

      What makes all above-named activities perfectly alright is having a good head on you and being able to make your own decisions about what is right or wrong. Why would you let a bunch of people you've never met make up your mind about right and wrong?

      ___

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    28. Re:What about spam? by onepoint · · Score: 1

      Just a quick note.

      The belt drives the alternator. The alternator can use from 1 hp to 5 hp depending on the type.


      --
      if you see me, smile and say hello.
    29. Re:What about spam? by Anomymous+Coward · · Score: 1

      Anyone who takes a job with a university computer department (i'd be willing to bet) has to sign a waiver very similar to that. It's basically standard policy. University computers are for university use, period. He (again, i'm 99% sure) violated policy, which is illegal. It's his fault, he'll have to deal with it.

    30. Re:What about spam? by fors · · Score: 1

      Actually you don't have any rights to do anything with any computer system except as specifically authorized. You don't have the right to install any software or use it for any purpose that is not specifically authorized by the appropriate authority. Some places will have you sign a paper so that they have a record showing that you are aware of what is allowed and not allowed but it really isn't necessary. All they really need to do is go to court and say that you were never given permission to make any changes to the system.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
    31. Re:What about spam? by fors · · Score: 1

      By virtue of your job you have permission to install those programs necessary to do your job. A Systems Admin by definition has permission to administer the system. I will practically guarantee that you don't have permission to install software that has nothing to do with the business that you work for though. A user does not have such freedom to install programs because it is not in the best interest of the entity that owns the systems. If you allow your users the right to install software on your systems without permission then you have no means to defend yourself if a software audit is done and it finds illegal software on some systems. You also run into serious performance problems and also support problems.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
    32. Re:What about spam? by Monkeychunks · · Score: 1

      I agree with this and put it a step further: It's certainly more than time that costs money, how about when your mailbox fills up quicker than you can empty it in a few days from spammers? If hotmail for instance developed a super duper magical filter that eliminated 100% of spam, their servers would be 1/10th the size. Therefore, I reckon that we need more companies like bibliotech who actively sue the people clogging up their service with bogus material.

      And I agree with the Ireland being awful for dialup. I moved, and I'm not coming back until cable modem access is plentiful and good. Over and out.

      --
      "We kill to cure, with cures that kill" - Skinny Puppy
    33. Re:What about spam? by Saint+Fnordius · · Score: 1

      I recommend the term jackers, as a short form of "Junk Mail Hackers".

      It has the advantage of already being loaded with negative, even criminal connotations. First, it could be associated with hijack (they're stealing storage space, potentially clogging your mailbox); second, it could be associated with jacking off ("Those scumbags keep jacking off on my POP account!" or "My Hotline account just keeps getting jacked")

    34. Re:What about spam? by J.A.+Lizzi · · Score: 1
      This is what we're talking about. If he didn't sign a form promising not to install third party software, then it wasn't unauthorized.

      Assuming the college has a computer policy similar to the one I used to work at, simply by having an account, he agreed to a whole bunch of stuff. And if he worked for them in some capacity, as it is implied here, then he probably agreed to even more stuff on top of that.

      The college I used to work for has an "Acceptable Use Policy", which basically covers a whole lot of ground on what is and is not acceptable to use one's account for. There's also an overriding clause in there about "abuse of the system" and "denial of service for other users". (Not just DDoS attacks, but anything which uses up large portions of systems resources...)

      However, the standard method employed in cases like these was to kill off the offending process, and send a nicely worded "Don't let us catch you doing this again" note the first time or two. Further attempts resulted in account suspensions, talking to by us (the Sysadmins/tech folk), threats by Deans, etc. Or, in the case of an employee (even a student employee), being fired.

      Prosecution was generally reserved only for those people who used their accounts to do stuff clearly illegal... (and no, I am not allowed to cite any cases)

    35. Re:What about spam? by ouija147 · · Score: 1

      Semantically, it might be ok to say heat rises, but physically it is incorrect.

      Given two air masses, one cold and one hot, the colder denser air mass will sink which will force/push the hot air mass up.

      As an experiment try this, put a ping-pong ball at the bottom of a box and fill the box up with marbles. Then shake the box. The smaller heavier marbles will force the ping-pong ball to the top.

  104. 59cents/second can't be the right figure. by hey! · · Score: 2

    I originally thought they did some combination of handwaving and fudging with substituting average costs for marginal costs -- but then I did the math.

    $0.59/second is $2124/hour.

    I mean, there is prosecutorial zeal and all that, but really this would be an absurd figure to put even to an inexperienced jury. You could pay somebody to set fire to a fairly nice computer every hour at that rate, or pay for the equivalent of a T1 of bandwidth in under half an hour.

    Also, note that this amounts to a claim of 195 hours "stolen", which seems pretty small if this guy was in charge of configuring a large number of computers.

    Perhaps the figure being asserted was 0.59 CENTS/hour, and 19,500 hours "stolen". Assuming a hundred machines working the eighteen off hours every day, this works out to about ten or eleven days operation; or perhaps it was ten machines for a hundred days.

    0.59 cents per hour is $21.24/hour, which also seems like a more presentable figure, although still quite high. This might be a standard rate for an hour of computer time quoted on grants, assuming that normally this is dominated by operator costs, and throwing in an indirect cost rate of 25-30%. I know this is unfair in this situation but I assume this wouldn't matter much to a sufficiently unscrupulous prosecutor, whereas being laughed out of court would.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:59cents/second can't be the right figure. by Ioldanach · · Score: 1
      So basically, they think he used (in the course of 2 years) 195 hours of computing resources. Remember, some organisations still think of machines like the old mainframe systems, with cpu time being charged per second.

      Let's do the calculation, then, shall we?

      .59/sec * 3600 sec/hours * 195 hours = $414,180

      So, that's where they came up with their figure.

      He was probably running it on some fairly expensive machines (university enterprise class servers?). 195 hours is just over 1% of the time available for two years. Therefore, if he installed the clients on, say, 10 machines, he increased their load by about .1% each, averaged over the course of the usage.

      Wow, better fine him top dollar!

      Sure, he shouldn't have done it, but the numbers just don't add up. Particularly the .59$/sec figure.

  105. Re:Wow, I almost did that... by generic-man · · Score: 3
    At my university, I used to have the distributed.net client installed in my home directory. On login, I would start the client, and then I would shut it down on logout. On cluster machines where I was the only one using the machine at the time, this worked out just fine. However, I did not discriminate in my script; it also ran when I logged into one of the public Linux servers via SSH.

    One night, I was taking care of some e-mail using Pine at around 12:30 AM. I closed my e-mail client, dinked around for a little in the shell, logged out, and went to bed at around 12:40 AM. (It was an early night for me.) The following morning, I checked my e-mail. I had in my inbox, eleven times, the following note. I paraphrase, but the tone is the same.
    WHY ARE YOU TAKING UP 100% OF THE CPU????? THESE MACHINES ARE A SHARED RESOURCE! SHUT DOWN YOUR DISTRIBUTED.NET CLIENT *NOW!!!!!!!!!!*

    The messages had all been sent right before I logged out and took my dnetc instances with me. However, I quickly put an end to that script right then and there. My roommate and I got a pretty good laugh out of it, too. :)
    --
    For more information, click here.
  106. Its happened before by bored · · Score: 1

    A couple of years ago I was part of the IBM distributed.net team. I wasn't even working at IBM when I received this message.



    Folks, if you're no longer part of the IBM distributed.net team, please ignore this.

    Folks, my manager just told me some disturbing news and asked me to take some actions so she wouldn't have to reprimand/fire me. Apparently an employee in Raleigh was just fired, and as part of the investigation by an IBM attorney the fact that the employee was involved in running the distributed.net client was discovered. Apparently because the team is NOT approved by IBM management (it never has been, in case you didn't know) and distributed.net offers a cash prize, employees are NOT allowed to use IBM equipment to participate in distributed.net.

    Since my name is listed as the team contact, I was asked to do some things. Basically, remove IBM's name from the team information. I've done that. So the team is now called "Team #817" until someone comes up with something better. BTW, if anyone else wants to be the team contact, let me know.

    As individuals, I suggest you cover your own butts on this one. If you're using IBM equipment, please don't tell me, just stop.



    Traditional BS from a large corp. Idiots, they will pay millions on advertising but the free advertising of being one of the better ranked Distributed.net teams isn't worth violating a twisted interpretation of the 'ethics' policy.

  107. Re:Need more information... by Malcontent · · Score: 2

    Throw a hundred random poor but innocent black people into the legal system and see how many of them come out the other side free. I bet maybe 40% if the judges were awake during the trials. Accuse them of drug dealing and I bet you could lock up 70% without even trying.

    Our legal system is broken and useless unless you are rich or a republican.

    --

    War is necrophilia.

  108. Aha! by Skater · · Score: 1

    Well, now I know why the network was so slow when I was at the University of Georgia!

    --RJ

  109. Re:Burden of Proof: Show He *Wasn't* Authorized. by Steve+B · · Score: 1
    The person carrying out this campaign against McOwen is certainly clueless, likely vindictive, likely monomaniacal, and *committed*. Once a person like that starts a campaign, they'll push it as far as possible. They won't know when to give up.

    That's why, as I said originally, the laws against distorting evidence in order to create a prosecution case out of blue smoke and mirrors need to be rigorously enforced.
    /.

    --
    /. If the government wants us to respect the law, it should set a better example.
  110. Re:Burden of Proof: Show He *Wasn't* Authorized. by Steve+B · · Score: 2
    I'd be more than happy with a simple reprimand. It's a matter of fairness after all -- we think the charges against Mr. McOwen are excessive; it would behoove us not to levy similar charges against the prosecutor's office.

    The cases are not similar. Fabricating evidence in a criminal prosecution (the original premise was that the prosecutors would deserve a reprimand for "falsifying financial figures to achieve a felony prosecution") is a far more serious crime than anything McOwen is accused of doing.
    /.

    --
    /. If the government wants us to respect the law, it should set a better example.
  111. Re:Burden of Proof: Show He *Wasn't* Authorized. by Steve+B · · Score: 3
    with the prosecuting attorneys being reprimanded for falsifying financial figures to achieve a felony prosecution

    Reprimanded, shreprimanded. It should achieve their own felony prosecution.

    --
    /. If the government wants us to respect the law, it should set a better example.
  112. Re:And the problem is...? by greenrd · · Score: 1
    You are a troll, and you didn't bother to read the post you're replying to.

  113. Re:Good. by greenrd · · Score: 1
    Using other people's computers and bandwidth (regardless of how little they will be affected by it) for your own personal gain is just plain evil.

    So if I run one quick program on someone else's machine, something that doesn't affect anyone measurably at all, that's evil? Are you a fundamentalist... no wait, you must be.

  114. Re:Text of post, comments by greenrd · · Score: 1
    the State of Georgia is saying E-mail costs 59 cents per second

    This is bogus. A single dnet client cannot cost 59 cents a second, and neither can a single email. I'm 99% sure it's a troll.

  115. Re:Text of post, comments by Dead_Smiley · · Score: 1

    It's prolly just a scam to get us all to spam the e-mail address: cdjoyner66@aol.com

    --
    I know what the Internet is, what the hell is this Interweb business?!
  116. Companies that don't suck, take two. by devphil · · Score: 2


    I was about to post a followup to my own followup, saying that my tone may have (upon retrospect) been a bit sharp. But then I saw your post, so this post now bears double duty...

    Where I work (IBM), reading sites like ./ is encouraged in my department (though not to the expense of not getting work done). I'm a QA tester, so I have LOTS of dead time while waiting for this or that to time out, etc, and surfing ./, The Register, Tom's Hardware, etc, are "in the line of duty", IMO, as they increase my knowledge, and thus my value.

    Sweet! IBM is sounding cooler and cooler all the time. I distinctly recall the Apple TV advertisement that ran once during the '84 Olympics, announcing Macintosh, and portraying IBM as the Big Brother (1984, get it?). I guess IBM has been undergoing some revamping of their corporate culture.

    And at the same time, SGI -- who was one of the neatest places to work at -- says they're killing off their employee's website. Bummer.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:Companies that don't suck, take two. by Storm+Damage · · Score: 1

      "Sweet! IBM is sounding cooler and cooler all the time. I distinctly recall the Apple TV advertisement that ran once during the '84 Olympics, announcing Macintosh, and portraying IBM as the Big Brother (1984, get it?). I guess IBM has been undergoing some revamping of their corporate culture."

      Not to pick nits, but that commercial actually aired during the '84 Super Bowl.

      It was an excellent commercial, though. There used to be a copy of it hosted at www.adcritic.com in the archives under Apple. They removed it when Apple threatened to sue, but there's another copy here, which also includes text translating the rather scratchy voice-over.

      I can't say how IBM is as a place to work nowadays, but I hear back in the early 80s it was a bitch. A fellow I know worked at their South Florida office around that time, where they enforced a strict white shirt, coat and tie dress code...even in the summer. I can't imagine what the smell must have been like on 98-degree 98% humidity days, which is pretty much every day from May to September in Florida.

    2. Re:Companies that don't suck, take two. by mikethegeek · · Score: 2

      "Sweet! IBM is sounding cooler and cooler all the time. I distinctly recall the Apple TV advertisement that ran once during the '84 Olympics, announcing Macintosh, and portraying IBM as the Big Brother (1984, get it?). I guess IBM has been undergoing some revamping of their corporate culture."

      At my level, it's a VERY cool place to work. And, IBM is far less "stodgy" than I expected. Everyone wears blue jeans and t-shirts, including the managers. It's almost like IBM caught on to the 80's in the early 00's.

      And I faced more "big brother" at the small computer VAR in West Virginia I used to work at.

      --
      === The price of freedom is eternal vigilance
  117. Really bad example there... by devphil · · Score: 2
    the problem is the fact that the punishment is about the equivalent of executing someone for smoking in a no-smoking section.

    You know, actually, that doesn't strike me as so bad...

    *straight face*

    Well, mostly. :-)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  118. And the problem is...? by devphil · · Score: 3


    Okay, so maybe the penalty is a little steep, but how many times are we going to rehash the same damn story on slashdot? (Oh yeah, I forgot that the collective attention span here lasts abou- hey, look, shiny things.)

    It's very simple, folks:

    1. It's your employer's computer, not yours.
    2. You didn't ask your employer's permission to use your employer's computer for non-work-related activities.
    3. You're in trouble.
    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:And the problem is...? by Bios_Hakr · · Score: 1

      I've been wasting 2 years on D.Net :)

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    2. Re:And the problem is...? by Kizeh · · Score: 1
      It is hard for me to comprehend that someone would seriously consider that the appropriate penalty for a crime has anything whatsoever to do with the time a prosecutor / police has to spend investigating and prosecuting. The penalty has to do with the crime, with the damage done, taking into account circumstances and the perpetrator.

      Otherwise law enforcement turns into a for-profit business where the goal isn't to deter crime or protect society. The goal will be legalized slavery and high-way robbery. This will be a surefire way to demolish any respect for the law or society.

    3. Re:And the problem is...? by matman · · Score: 1

      Sounds like the prosecutor deserves a bit of career damage; wasting 18 months on distributed.net? That's incompetent.

    4. Re:And the problem is...? by Col.+Panic · · Score: 2
      You don't have to use drunk driving as an example of light penalties for serious crimes. People charged with attempted *murder* can get 5 years or less in jail. Talk about putting lives at risk!

      You said the magic words: "financial penalty". It is this sort of prosecution that makes me crazy - the FBI asked several companies for an "estimate" of damages incurred by Kevin Mitnick's hacking of their proprietary secrets and the answers were equally wild. $0.59/sec for each and every second of dnet bandwidth usage? Doubtful.

    5. Re:And the problem is...? by MattW · · Score: 2

      Is it that simple?

      (1) Where's the Employment Agreement/Guidelines which state that installations had to conform to a standard, and that non-impactful software was banned?

      (2) Where were his supervisors/managers in reviewing these installations? He was probably a student getting minimum wage to do installations, and then they leave his work completely unaudited for years, and then try to collect $400k? Um, sure.

      (3) While we're at it, what is the criminal charge? It's one thing to hack a computer and install a dnet client, but they gave him the access. He misused it, certainly, and might have a tortious liability, but misperformance of a job does not make you a criminal. "Unauthorized access" is NOT the same as "Unauthorized actions". That goes 10x if there wasn't a very explicit prohibition on what he did.

      It's all funny to chime in on the, "He's getting what he deserved!" bandwagon, to prove that you're not one of those damn slashdot hippies that thinks there should be no responsibility, but really, what's happening to him could easily be a horrendous miscarriage of justice. Think for a minute how you'd feel being bent over by a former employer who decided after the fact that what you did wasn't acceptable. It's real easy to take a cheap shot at the guy, but if you don't realize how the average person can be screwed by overzealous prosecutors and mindlessly format and litigious universities, then I can only hope you don't end up in the same situation.

    6. Re:And the problem is...? by MattW · · Score: 2

      Cite an example. The worst DJ maneuver I've EVER heard of was "Man Cow in the Morning", on Wild 107 in the Bay Area, who, after Clinton stopped traffic at SFO (airline takeoffs, not cars), to get a haircut on the tarmac, stopped the bay bridge to give himself a haircut, causing an uber traffic jam the whole morning.

      He wasn't even fired.

    7. Re:And the problem is...? by MattW · · Score: 3

      Even IF the employer had guidelines stating that no unauthorized software was to be installed, that simply means that he erred in the performance of his job duties. To try to come up with a suitable analogy, think of this:

      John Doe is a radio DJ. He is responsible for playing the hits, chatting it up between songs, etc. He has a very specific format he's required to stick to, and is absolutely prohibited from playing anything outside that. One day, he's totally taken with a certain band, and decides he'll just 'slip in' a song from them, even though it isn't on the approved playlist. Next thing you know, he's hauled off to prison for trespass, breaking and entering, etc, because he did something during his job he wasn't supposed to.

      That's the meatspace equivalent of what's going on here. The man in question had a job, and MAY have violated job guidelines (stating that RC5 is 'personal use' is only borderline correct, in any event, since it is really a donation of time for community benefit. If he named the team/entry after his employer, he could be said to be doing it on their behalf, albeit unauthorized). In any event, he used his discretion to install software they did not want. This is almost certainly cause for termination of his employment, but is absolutely not criminal. His access to the machine was authorized. I'd sure like to see what he's being charged with, but I'd imagine the prosecution would have to construe his actions as willfully malicious in order to prosecute him. On a side note, at my employer, we regularly netbooted new servers with rc5, and ran it until they were prepped to go into production, and did so without permission. When our boss found out, he just said, "It's not on the production stuff?" And it wasn't. I'm sure if it HAD been, he'd have said, "Don't do that." and that would have been the end of it. He shouldn't be getting community service OR jail time, or ANY fine. He may have misperformed his job, but unless he did so in a willfully negligent manner or a malicious manner, then their only remedy should be terminating his employment. My own experience tells me that RC5-on-the-side is generally considered to be non-harmful, and in fact, at one point (in a ~400 person company, at the time), I was discussing with the MIS manager the idea of booting an RC5 client onto all boxes on the network automatically!

      Not only that, but I hope we (as in, the judge and jury) are smart enough to assess real damages, notice the gross inflation by the prosecution, and consequently chastise them and dismiss the case.

    8. Re:And the problem is...? by harveyjc · · Score: 1

      And that is the point of the whole story

      We require all users to sign a legal statement to the effect that they are aware that the installation of non company approved software or applications is strictly forbidden and the penalties include but are not limited to instant dismissal, recovery of costs to rectify, legal costs, legal action and or criminal charges.

      All staff MUST sign this before they are given access to the network environment and it is updated as things change and staff informed.

      The fact is these systems are the property of the company you work for NOT your personal property and thus you have no legal right if you install something you are not supposed to.

      I have rebuilt countless PCs - 'I just had to install X game or X program', I constantly have my staff rebuilding notebooks (mainly to remove porn dialers or trojans downloaded from the internet), I have to run a complex mail firewall to keep out VBS viruses, trojans, porn and other crap, yet you think this is not a problem?

      My company does sack staff for this - we sacked 10 staff for the naked_wife virus alone - Misuse of company systems is misuse - there is no GPL or free speech justification.

      (this does not apply to internet usage - we still have a fair use policy on that for personal usage - but judging by the usage report I'm looking at now that will change as well - yes appears playboy.com is now a work related site)

      Think about this - SOMEONE has to remove the software and fix any damage you caused. Break the rules - pay the price. Maybe the price is a bit harsh (and do any of you seriously think he will go to jail for 15 years? come on grow up)

      This is the same as the Killustrator debate - you can't just ignore the rules just because you don't care about them or think that you live in some magical world where they don't apply to you - society lives by rules - no rules no society.

      --
      "Sanity is an illusion of the diseased mind"
    9. Re:And the problem is...? by harveyjc · · Score: 1

      I'm guessing that this is aimed at my earlier comment

      Don't trivialise the realities we work in - get a job in a corporate MIS dept and then tell me your opinion - spend a few years fixing pointless fuck ups caused by users who wanted that game, repairing viruses that they were warned about.

      More still YOU prove to me that an attachment called naked wife is in ANY WAY work related. When a user is warned NOT to do something and then does it anyway and costs the organisation money it's called carelessness and unwillingness to follow instructions and it has consequences - you don't ever get the choice of rules you follow - you can't say I will follow that one about not stealing money but I will look at this porno picture.

      This is from someone who spent 36 hours at his desk rebuilding servers because people could not be fucked reading warning emails about the melissa virus - cost to us - only a few million bucks.

      So yeah we sack you for opening shit you have been told not to - and as someone who has to fix the mess I could give a fuck what you did in the past - nothing gives you a free pass to ignore what you are told - that's called EMPLOYMENT

      --
      "Sanity is an illusion of the diseased mind"
    10. Re:And the problem is...? by harveyjc · · Score: 1

      Aimed at me I suspect
      Yeah I run things not 100 percent required

      Just not anything that needs a constant web connection - I work in a company that has a fair use internet policy I helped write - personal use is accepted within guidelines - which are being ignored and will result in this being removed.

      Don't dare call me a hypocrite when you DON'T HAVE THE BALLS TO POST UNDER A USER NAME

      And re-read my post moron, I was talking about PRODUCTION SERVERS which is what this guy is in the shit about.

      Who's a troll then?

      --
      "Sanity is an illusion of the diseased mind"
    11. Re:And the problem is...? by Trepalium · · Score: 1
      Well, I think he deserves some kind of punishment, but what the prosecutors are proposing is absolutely stupid. We have someone who didn't act out of malice but rather just made a stupid decision, and they want to throw him in jail for a ridiculously long term. A more proper remedy to this would probably be something like community service and/or a small fine ($1,000-$5,000). There's no reason to turn a kid that would otherwise be a healthy member of society into a hardened criminal by throwing him in jail. He needs a slap on the wrist, not jail time.

      If anything this is a case of the prosecutor and employer wanting to make an example of him. Utter stupidity.

      --
      I used up all my sick days, so I'm calling in dead.
    12. Re:And the problem is...? by mdw2 · · Score: 1

      But drunk drivers aren't "hackers", they are "people with an addiction beyond their control", or some other bullshit.

      Want some indy electronic (and other) music?

      --
      This sig intentionally left blank.
    13. Re:And the problem is...? by gengee · · Score: 4

      This is the typical reaction I would expect from Slashdot.

      Okay, so maybe the penalty is a little steep

      Yeah, maybe. Even if you assume they bought 200 computers for 1500$ each, he was using a full T1's worth of bandwidth and that the computers in question are all now broken beyond repair, the fine alone still outweighs the cost to purchase completely new computers. This is without mention of the prison term. Regardless of whether or not he's sentenced to that term - or even convicted - the danger here is the precedent that this sets.

      You didn't ask your employer's permission to use your employer's computer for non-work-related activities.

      Nor did you, I suspect, when you posted to Slashdot last week Thursday, Tuesday, and Monday. We all use our work computers for non-work-related activities. We all don't go to prison for it.

      He /was/ fired for this. That would be the typical employer reaction. The problem here is that Georgia's Attorney General's office obviously knows nothing of computers or technology. I'm sure that whomever is prosecuting this case was presented with the facts in a manner that would portray David McOwen as a 'hacker.' (He put a virus on your computers that cracks encryption!). Needless to say, however, this did not hurt the school district in the slightest. No one noticed for 2 years. That says something about just how transparent Distributed.net clients are.
      The danger is in the ///precedent///.
      signature smigmature

      --
      - James
    14. Re:And the problem is...? by pclminion · · Score: 1
      When drunk drivers who put *lives* at risk don't get that sort of time, much less financial penalty, (especially on a first offense!), this becomes an abuse of the law and of law enforcement.

      And this surprises you? Have you forgotten that this country's government caters to corporations and not individuals? What does it matter if one individual dies, when there are crimes being committed against corporations? The law isn't being abused; it has been purposefully constructed to protect (to a zealous degree) the "rights" of corporate entities at the expense of individuals and human dignities.

      You can do a few things: vote in the next election, move to another country, or turn to a life of crime trying to outwit the f***ers. But don't waste your breath here on Slashdot.

    15. Re:And the problem is...? by nick_davison · · Score: 3
      Unfortunately, legal systems and penalties rarely have much to do with common sense.

      There was the famous case of a guy in Britain who was sentenced more stiffly for dropping a crisps (chips) packet in front of a police officer and refusing to pick it up than the guy a few courts down who was found guilty of a sexual assault but managed to avoid jail time.

      Then there is the side of the publicity value. If Georgia sued him sanely, they'd have a pointless day in court, persecuting some guy who's not in a position to repeat it. Sue him to hell and back and it'll get on the news, it'll be discussed in every IT dept tied in Georgia and they'll have all of their admins desperately tidying up their systems for the cost of filing a lawsuit. It's not right, it's not fair, but it certainly makes good business sense.

    16. Re:And the problem is...? by ocbwilg · · Score: 2

      That sounds really familiar. I recall in my college days having to drive one of my friends to court in another state. Her previous employer had apparently caught her red-handed pocketing cash from the register. I can't remember how much it was, other than it was around $1000 (over the course of several months).

      So anyway we waited and waited through the preceding cases. One of them was a man who was being given his second DUI conviction. He got a sentence that was mostly suspended, so he actually wound up having to serve 3 days. Before the bailiff took him off to the county jail, the defendant complained that he had already missed the dinner meal at the jail (he'd apparently been in before and knew the feeding schedules) and asked if he could go across the street and grab a hamburger before he went in, and the judge let him.

      My friend was given a sentence of 30 days, suspended down to 3 days to serve, plus having to pay restitution, plus 100 hours of community service. I normally would have considered that a reasonable sentence for the crime, had the DUI guy not been in front of us. Sometimes it makes me wonder...

      Say "NO!" to tax money for religious groups.

    17. Re:And the problem is...? by EulerX07 · · Score: 2

      Just one thing though :

      You didn't ask your employer's permission to use your employer's computer for non-work-related activities.

      Through what god-given talent can you say with 100% that he did not have permission, let's look at this scenario:

      Admin: Oh by the way Bob, I put a little client on the machines, but it will only work when your computers are not used.
      Bob (the supervisor at that time): Sure, no problem.

      Two years later the guy is looking at 15 years in jail, and Bob is working for a school district in Portland. Let's face it, we do not have all the information at hand to make such harsh judgments as the one you made.

    18. Re:And the problem is...? by aka-ed · · Score: 1
      If I were an employer I would rather see my idle bandwidth used on a game server than "contributed" to some unknown entity, for end purposes that are pretty much undetermined. (I'm still pissed that "contributing to IMDB" became "working for Jeff Bezos without compensation.")

      I want to get drunk with Hoagy Carmichael and

      --
      I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
    19. Re:And the problem is...? by aka-ed · · Score: 1
      I know what dnet's about and I also trust them; I was putting myself in the place of the real folks who can't be expected to know anything about them, who find out they've been involuntarily facilitating their work.

      Nothing really shady about IMDB, it's just that Amazon owns it now. You can still contribute if you like, and I still find it a useful resource. But it's also a shill for their video business.

      I want to get drunk with Hoagy Carmichael and

      --
      I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
    20. Re:And the problem is...? by GnuBeest · · Score: 1

      I think, in the midst of all this "but what about all the recreational office Web use" talk, we need to realise the difference between the much more benign (and commonly outlined and accepted by employers) practise of filling your spare time with sporadic bursts of CPU and bandwidth with extraneous Web traffic during office hours, and installing clients (and likely a proxy) that take whatever's left of that computer's power 24 hours a day. Their figure seems arbitrary (especially since they're making such a big deal of the bandwidth, which is fairly trivial with RC5 clients), but there's clearly damages here of some sort that can be collected, if not something tangible that can be metered and tabulated. I'm still waiting for some of these folks running gaming servers on office equipment after-hours to get caught, if we're gonna talk about serious bandwidth.

    21. Re:And the problem is...? by GnuBeest · · Score: 1

      If you ever start a business, please be sure to look me up. ;) Seriously, I honestly think Distributed.net's intentions are fairly innocent -- which is a helluva lot more than I can say for the whole distributed "cure-for-cancer-it's-not-for-profit-honest-well-at-least-not-yet" project. Large-scale distributed computing is a big deal, and they've been instrumental in showing that it CAN be done. Besides, there's a lot of folks that enjoy doing things just because it's there. By the by, what's the deal with the IMDB? I've made submissions before, but I'm pretty ignorant of any shady goings-on, and I'd be curious to know. I'm unfortunately not much of a fine-print reader when it comes to contributing to "public" databases, even when commercial ties are apparent (which, more often than not, tends to be the case anyway).

  119. non-work-related activites by devphil · · Score: 4


    First Law of Slashdot: Every extreme example must be countered by an equally-extreme counterexample.

    You didn't ask your employer's permission to use your employer's computer for non-work-related activities.

    Nor did you, I suspect, when you posted to Slashdot last week Thursday, Tuesday, and Monday. We all use our work computers for non-work-related activities. We all don't go to prison for it.

    *sigh* Of course not. Clearly every employer who doesn't have their heads shoved up their own arse -- and even some that do -- recognize that some company time/resources will be lost for purposes of morale. Reading slashdot is like setting aside part of an unused cubicle for a small fridge and a coffee machine, or getting a phone call from the SO to remind you to pick up milk on the way home. No, they aren't strictly work activities, and no, they don't bring in immediate revenue (or whatever).

    (The number of people who like to point this out every time the topic comes up disturbs me. What's required is good judgement. My boss doesn't care if I use the web to look up movie times for that evening, but running my own MP3 streaming radio station from my office would be out of line.)

    And I repeat: yes, I agree the penalty is too steep. I just don't think the guy should get off scot-free in the name of science.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:non-work-related activites by crucini · · Score: 2

      You are framing the discussion in terms of what the reasonable employer would or wouldn't permit. And within that framework you're right; the reasonable employer permits some, but not all personal uses of its property.
      But a more important point is that no matter how unreasonable the employer, it shouldn't have the legal right to criminalize misuse of its resources. The penalty for misuse (as opposed to theft) of an employer's resources should be limited to termination.
      You say your boss doesn't care about thing1, but thing2 would be out of line. Suppose you misunderstood your boss, and he also considers thing1 out of line. This does not give him the right to throw you in jail.

    2. Re:non-work-related activites by mikethegeek · · Score: 2

      "*sigh* Of course not. Clearly every employer who doesn't have their heads shoved up their own arse -- and even some that do -- recognize that some company time/resources will be lost for purposes of morale. Reading slashdot is like setting aside part of an unused cubicle for a small fridge and a coffee machine, or getting a phone call from the SO to remind you to pick up milk on the way home. No, they aren't strictly work activities, and no, they don't bring in immediate revenue (or whatever)."

      Where I work (IBM), reading sites like ./ is encouraged in my department (though not to the expense of not getting work done). I'm a QA tester, so I have LOTS of dead time while waiting for this or that to time out, etc, and surfing ./, The Register, Tom's Hardware, etc, are "in the line of duty", IMO, as they increase my knowledge, and thus my value.

      --
      === The price of freedom is eternal vigilance
    3. Re:non-work-related activites by chuqui · · Score: 1


      >>> You didn't ask your employer's permission to use your employer's computer for non-work-related activities.

      >> Nor did you, I suspect, when you posted to Slashdot last week

      > First Law of Slashdot: Every extreme example must be countered by an equally-extreme counterexample.

      > *sigh* Of course not. Clearly every employer who doesn't have their heads shoved up their own arse

      And not all of us HAVE to ask our employers. Some of us post to Slashdot from home. More importantly -- some employers have intelligent usage policies, as long as you don't abuse them.

      Is the DA out of line? Yes. But -- why do people seem to think it's okay to do whatever they want, and are surprised when someone makes them follow rules? Or they get in trouble for ignoring them?

      --
      Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
  120. Re:To preempt all the "it's their equiptment" trol by Rix · · Score: 1

    I don't recall the legal term, but I believe ignoring a trespass for an extended period of time implies acceptance.

    So, yes, they had their 7 years to file suit, but only if they had it ordered stopped earlier.

  121. I think you're starting to see his point by HiroProtagonist · · Score: 1

    I think you're starting to see his point. We are very close to such a thing, if not already there in some areas.

    --
    --Remove chicken to e-mail
  122. Re:Good. by glitch! · · Score: 1

    Yeah, and you never read slashdot at work?

    I do :-) In fact my boss approves of it. He says I will even get a raise when my karma reaches 100!

    The only stipulation is that I have to get the moderators to post their names under my comments so that he knows they aren't fake.

    --
    A dingo ate my sig...
  123. Re:Huh? WTF? by gotan · · Score: 2

    In a University? give me a break!

    Sorry, but the action should be in some proportion to the case in question, meaning:

    Those were probably machines, most networked together and accessible for any student who wishes to log in and has some networkwide account (I'm assuming from other Universities). In these circumstances it's near impossible to have high security projects on those machines. All in all, in university networks availability is more important than security.

    The process you describe is hence inappropriate to the case. The RC5 client doesn't even have known security holes, so the additional security risk due to the running clients is very low, regarding the environment (students that access the machines without getting some lecture about security, for one). So if you consider risk due to running an application with no known security holes high enough to make all that sanitizing necessary, most universities should probably sanitize their computers on a weekly basis.

    The most sensible course of action (and what probably happened) was simply deinstalling the client on the machines and be done with it.

    I don't know how much of a 'worst case' scenario you want to make out of it, I simply think you're taking it a bit far there. Anyone could make that bill even higher by saying that all Work done on those Computers in the past two years is to be considered compromised, all of it has to be done from scratch, and billing for all that worktime and the costs of delayed projects (like you seemed to hint at with that accountant example in another post). No one will do that, it's simply not realistic, but it can be used to calculate arbitrarily high damages.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  124. classic story by hitzroth · · Score: 1
    Big Evil Organization (tm) finds that Hacker Type Guy (tm) -- who got caught so we'll assume he weren't none too bright -- has compromised site security. So, instead of giving him the whack on his ass that he deserves and fixing the problem they're gonna trump up obscene damages and demand equally obscene restitution. They intend to make this Hacker Type Guy (tm) another test case and set another precedent. The Big Evil Organization will use this opportunity to scare off any potential Hacker Type Guys (tm) that might do something really nasty. Heh. Maybe they're gonna make the poor sap who discovered the "hole" pay for fixing it.

    Feh. Does it look like I care if I'm being redundant? Or off topic?

    --
    In mathematics, one does not understand things, one merely gets used to them.
    --VonNeumann
  125. Re:Wow, I almost did that... by Asgard · · Score: 1

    The people who wig out about 100% cpu usage seem to be the ones who have no concept of the 'nice' command and scheduling priorities. Plus, since ps doesn't take any appreciable CPU, they assume you are hogging it as they see 100%.

  126. Re:Wow, I almost did that... by Asgard · · Score: 1

    I had a similar experience (from the user end) except that they didn't approach me at all, and users claimed that I made DNS break. No, I wasn't running it on a DNS server... nice +20'd, ran only at odd hours...

  127. Re:Does anyone have any real information about thi by reflector · · Score: 1

    He had full disgression on the software installed.

    There is no such word as "disgression", fool.

  128. This is a hoax by daveman_1 · · Score: 1

    Believe nothing you hear and only half of what you see. I think what you read falls somewhere in between those two.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  129. It isn't as black and white as it might seem.... by oPless · · Score: 1


    Him
    1. He installed unauthorized software on machines
    2. He stood to make financial gain out of this act
    3. He should be berated for this action.

    Them
    1. 59 cents per second for data traffic? I don't think so.
    2. Was this a well thought out action, or just a political/knee jerk reaction ?
    3. 15 years in prison? !! Why, this man hasn't harmed others in this action - apart from his future employment prospects (I wouldn't employ him)
    4. This happened 2 years ago, wouldn't it be just easier to forgive and forget?

    I also did something similar, although I was in the UK, and at uni, my account got frozen, and I had difficulty persuading them to give me an account for my final year. My point is common sense prevailed, I was berated, and understood the whys and wherefores, I should have known better.
    Even though I only ran it over a weekend over all the uni's unix boxen I could find, by Monday Afternoon my account was frozen. I wasn't sued or expelled for my minor indiscretion, just had to apologize.
    This will be another point to add to my "Why I shouldn't move to the USA" list. Goddamn Americans, I'm glad we gave you independence :-)

  130. Re:It isn't as black and white as it might seem... by oPless · · Score: 1

    damn right :-)

  131. Re:It isn't as black and white as it might seem... by oPless · · Score: 1

    But not better language it seems :-)

    Hell you cannot even spell COLOUR right.

  132. What about electricity use? by sconeu · · Score: 2

    I could see billing the guy for the difference in electrical use between a sleeping machine and a machine running RC5. In CA, nowadays, that's probably not an insignificant amount. Perhaps his employer was budgeting for the Energy*Star savings on those computers?

    A $500K fine is ridiculous, and 15 years has *GOT* to be unconstitutional under the 8th amendment.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  133. Re:Need more information... by Kintanon · · Score: 2

    It's akin to a government office being budgeted too much money to build a highway, so they use the remainder on strippers. (Okay, so it's an over-the-top analogy; work with me here.)

    What makes you think that's over the top? Government agencies will spend money on ANYTHING at the end of the fiscal year just to make sure their budget doesn't get cut.

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  134. Re:Simple Solution by Kintanon · · Score: 2

    I work for the state of Ga too, and we'd probably end up having to patch up some kind of certif for all of the SCO servers... Of course, all of our MS stuff is compliant, so There! >:)

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  135. Re:Wow, I almost did that... by jerrytcow · · Score: 1

    I was going to install a bunch of that type of clients in a computer lab at a university. This seems a tad excessive, doesn't it?

    As long as you have permission to run it, no problem.

  136. there goes dnet's keyrate by jerrytcow · · Score: 1

    I wonder how this will affect distributed.net's overall keyrate. I'll bet there are tons of clients installed on school/work machines without permission. When word of this gets out it'll scare a lot of people enough to remove any traces of the client.

  137. Re:I agree, but a felony? by Ronin+Developer · · Score: 1

    Ummm...is embezzlement a serious crime? Yup. That's why it's a felony.

    Remember the story of the accounting software guy who transferred fractional pennies to his account? Nailed.

    How about that poor schmuck who ran "New Era Investments"? Got 25 years for running a pyramid scam. Nobody died or was even physically hurt. On the same page, two time murderer received the same sentence. What's wrong with this picture?

    Using computer resources that don't belong to you and costing them money? Probably wouldn't have been an issue until the theft reached the level of "grand larceny". At that point, it became a felony. If someone "stole" 1/2 million from me (material or services) I'd want their ass locked up as well.

    This is not a government issue. It's about doing something you're not supposed to and getting caught. Then, it's time to pay the piper.

    Amazing how many people seem to think that using somebody else's resources for unauthorized fun or profit is not a big deal. Then again, 1 out of 5 kids today (in the US) can't tell you what July 4th is about or even what country we sought our independence from. And, worse still, 1 out of 10 can't even tell you who the first president of the United States was (Abraham Lincoln...right?)

    If our kids are this ignorant, then no wonder they think stealing computer time isn't a crime.
    Of course, isn't it our state run school systems that are supposed to impart this knowledge? Maybe the gov't is at fault after all. Must be a conspiracy.

    RD

  138. Re:I agree, but a felony? by Ronin+Developer · · Score: 2

    Clearly, you must be one of the brain-fscking dead HS school students with no concept of history or law. You must have grown up in the "if I think it so...it must be so" world. Let's pray you're sterile. If not, grab a pair of scissors and do it yourself.

    Learn the law, asshole. As soon as you start using company resources against policy, you are potentially violating the law. When it is unauthorized and costs them money (as is a network connection to the internet) it's theft. Plain and simple.

    The point is, there has to be a policy in effect. Employees are responsible for understanding the applicable policies (e-mail, network usage, etc.) These are promulgated via an employee manual, by law, at corporations. If there is no acceptable usage policy, then the guy has a fighting chance. But, I'd venture that there is a catch-all clause that covers theft of services or something like that. In the end, he will most likely lose.

  139. Re:I agree, but a felony? by Ronin+Developer · · Score: 2

    If they (MIS) installed it on your computer, then it should be okay to run it provided you are doing so lawfully and it wasn't put there by mistake. Thus, most screen savers aren't considered a threat (unless you run them on an NT server where they consume 100% CPU time and drag your systems to a crawl...seen it..it sucks).

    Things like RC5 and Seti@home have alternative configurations that would allow them to run all the time, when idle, or as a screen saver.

    Next, they consume bandwidth. This is minor in most cases.

    Finally, they potentially expose the network to the outside. You have to worry about rogue versions of the program (or even improperly designed programs), theft of passwords from the remote system and a slew of other security related concerns that could compromise your network.

    Having seen the havoc a simple napster client caused by telling the whole world about our IP, I've seen thousands of attempts to garner access to our systems via telnet and ftp. Not just port scans, mind you, but real attacks. The activity increased exponentially when Napster was first responding to the legal order.

    I view Napster as one of the biggest security concerns for a business because it turns the client into a server. It is now an employment terminating event (via acceptable usage policy) to run unauthorized network enabled programs on our systems. Our employees now check with the authorized use of software or obtain permission from MIS before installing anything new.

    If they want to run something unauthorized, they can run it at home on non-company owned systems. Until their compromised system affects my systems, I don't really care what they do on their personally owned systems.

  140. Re:Simple answer... by kbs · · Score: 1

    Given that it's a University System, I suspect that any normal user in that system isn't allowed to use it for "for profit" purposes. Carnegie Mellon (to use an example I'm more familiar with) has an explicit "University Computers are a shared resource and may not be used for for-profit purposes." Obviously if you're doing work for the university, it's exempted... but RC5 clearly violates that. Computing Services freezes your account if they find you violating the terms of services, and there are some people who (on their spare time) go around mortis'ing nohup'ed RC5 clients...


    yours,

    --
    yours,
    kbs
  141. Good luck... by BlueUnderwear · · Score: 2

    ... finding any qualified personnel with that kind of attitude. You know, there are too many great career opportunities outside of the banking world, and no self-respecting geek will put up with your microsofto-sadistic tendencies for too long. One day, you'll be stuck with an entire staff of VB programmers, all incapable of designing a secure system... and eventually your sorry bank will be ass-raped by a bunch of thirteen year old script kiddies.

    --
    Say no to software patents.
  142. I feel a great disturbance in the force. by Criggie · · Score: 1

    I am the network admin here at Avonside Girls' High School in Christchurch, New Zealand.
    Here's our RC5 ranking
    I could be in the same sort of position as this gentleman, having done 13M blocks in 2 1/2 years in this job. My only difference is that we were on a flat-rate internet connection at the time I started.

    --
    -- Criggie
  143. insightful? by Ender+Ryan · · Score: 1

    Yeah, right, more like inciteful.

    You can take the license agreement and shove it, yeah, way up there. Next time you do something stupid, remember what you just said here, and go to your local police station and ask to be put in jail for 15 years.

    Mod the parent down, it's total bullshit.

    geez, the things people mod up these days, 15 years for d.net and he's got no one to blame but himself? yeah, and people should be executed for singing happy birthday publicly and not paying the appropriate royalties...

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:insightful? by pyite · · Score: 1

      Actually, I believe the copyright on the happy birthday lyrics is long up. Plus, you don't have to pay royalties for performance of a cover song, only for cover song recordings distributed for sale. Just my two nybbles.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  144. Excuse me? by Ender+Ryan · · Score: 2

    That's pretty insulting. The slashdot crowd is not nearly so bad as yo... hey, check this out, sweet!!

    Seriously, the problem is the fact that the punishment is about the equivalent of executing someone for smoking in a no-smoking section.

    Do you want to go to jail the next time you check out a non-work-related website while at work, or any similar infraction? Because, that is what this amounts to.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  145. Re:rc5 output by _GNU_ · · Score: 2

    Well... my rc5 output isn't even visible on my mrtg of course... only 3 puters cracking at home ;)
    Not even the keymaster would use enough bandwidth to even lag anything above modem afaik...

  146. Hoax? by supabeast! · · Score: 2

    Has anyone considered that this is likely just a hoax? Doesn't it seem a little odd to just see this pop up on a message board?

    I think the /. crew have probably fallen for a random, stupid net hoax.

  147. Re:Huh? WTF? by LMariachi · · Score: 1
    Each machine must be suddenly power cycled off to preserve evidence, and its hard drive must be physically removed and read out.

    That's a tautology of sorts. They'd be charging the guy for the costs involved in charging him.

  148. Re:Need more information... by fcd · · Score: 1
    According to this page, a David McOwen was a "Data Process Specialist" at Dekalb Technical Institute. Probably a pretty good chance it is the same guy.

    This is the only hit on "mcowen" a search on the state of GA website brings up.

  149. That is way too expensive by TuxGrep · · Score: 2

    Correct me if I'm wrong but, I cannot imagine ANY means of connecting to the internet being THAT expensive.

    Even if you'd use a dialup, and dial long-distance with that to boost, the costs would not be even close to 59 cents per second. (which is 59x60x60=$2124 per hour!!!)

    How did they come up with those figures ?!?

  150. Re:Some point by kindbud · · Score: 1
    Best chance of getting the case thrown out is likely to be demonstrating that running a crack program is considered acceptable academic behaviour at most universities.

    That's my favorite line in your post. Can I quote you out of context elsewhere?

    --
    Edith Keeler Must Die
  151. Simple answer... by JoeShmoe · · Score: 2

    Was there anything in the terms of service (to borrow an AOL term) that prohibited using such a client? If not, then f them.

    I mean serious...if they gave you access to the computers (meaning you didn't hack into a bunch of University servers and install the client, which I suppose you could have done) then they have no business charging you for transfer fees. You have to agree to something before you owe a bill. If they told you "shut down the client or pay X per MB transferred" that would be a legal contract. They can't retroactively apply charges that you never agreed to pay.

    Not to mention, a single warez dood trading ISOs or VCDs will chew up a year's worth of RC5 traffic. I do hear about any of them getting slammed with this kind of ludicrous charge, although plenty lose their connections.

    - JoeShmoe

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  152. Re:Maybe something to learn from this by Nonesuch · · Score: 2
    I fully agree. As an employee of a corporation, your sole purpose should be 'Maximize shareholder value'. Anything else (lives, laws, principles) is subordinate to this goal.

    In a University or other state-run institution, the primary purpose is to maximize taxpayer value.

    He did not have permission to install RC5, and doing so did nothing for the University or the taxpayers- thus it was wrong. As it turns out, it was also illegal.

    You say that you dismiss 'my Admin Staff' for installing 'unapproved software on systems regardless of reason'. I find it difficult to take advice from a manager who consistently misspells 'professional'.

  153. Terrible idea! by artemis67 · · Score: 2

    Remember, these are TAXPAYER DOLLARS that an audit will be burning through. Just because there are a few nutsacks in government doesn't mean that you should penalize the taxpayers.

  154. confirmation? by renard · · Score: 2
    so far all we've got here is one member's post on anandtech.

    anyone got proof of this one?

    this is where your 'traditional' media outlet - hegemonic or not - has the leg up on slashdot - they would have called the AG's office for confirmation before running an item like this.

    -renard

  155. $ 0.59 per second by kiwaiti · · Score: 1

    $0.59/s would mean approx. $64,000/month 24/7. I'd like to have the kind of connection that could buy! Kiwaiti

    --
    Member of the Legion Of Microsoft Haters
    1. Re:$ 0.59 per second by Lacutis · · Score: 1

      How do you figure?

      $0.59 X 60 secs = $35.40
      $35.40 X 60 Mins = $2,124.00
      $2124.00 X 24 hours = $50,976.00
      $50,976 X 30 Days = $1,529,280.00 a month

      Does the University of Georgia own the Internet or something? ;)

  156. The money matters by jdcook · · Score: 1

    "Regardless of the bandwidth costs - say it only cost 59 a day - it's still money that the school/state wouldn't have had to pay if he'd done his job (and only his job)."

    Actually, the cost matters a great deal. The difference between 59 cents a day and 59 cents a second is over $50,000 a day. The statute under which he is charged probably (haven't looked it up) specifies a minimum dollar amount to make it a felony. Almost certainly over $1000. At 59 cents a day he would have more than 4.6 bandwidth-years before he got to $1000.

    I suspect that his best bet is to argue the facts: Not that he didn't do it but the dollar amount "taken" doesn't amount to a felony. Good luck.

    --
    Q:How many libertarians does it take to stop a Panzer division? A:None. Obviously market forces will take care of it.
    1. Re:The money matters by legLess · · Score: 2

      I agree. However, I was talking ethics, not law. He didn't seem to care one way or the other if he broke the law, only that he not have to pay the consequences. My point was that, regardless of law, what he did was very likely wrong.

      "We all say so, so it must be true!"

      --
      This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
  157. Re:Distributed RC5 at ISP by Legion303 · · Score: 1
    You're not by any chance sharing an Internet connection, are you?

    Possibly, but the style of each of his posts is strikingly similar. Karma Whore? You betcha.

    -Legion

  158. Re:Burden of Proof: Show He *Wasn't* Authorized. by Steeltoe · · Score: 1

    Oh, *boohooo* you're living in an evil ignorant society, you can't do anything about it and we should all feel sorry for you and ourselves. We're all doomed. *waaaaaaa*

    Wake up, wipe off your tears and don't victimize yourself. Even playing quake is more risk to security and wastes more bandwidth. You don't fire someone even for that. You set up rules and talk to the person(s) involved. If you should be fired for rules that weren't written, how are you supposed to be doing your work? Sometimes even the best sysadmin needs password cracking tools, or educate himself in those areas. And please spare us for your crocodile tears.

    - Steeltoe

  159. Re:Some point by Steeltoe · · Score: 1

    The problem with the 'background task' argument is that breaking RC5 is not necessarily the best use to which those cycles can be put.

    The nature of the program is that it will prioritize itself down if other programs are in use. On this, the 'best use' argument falls apart. Effectively, the only argument against this on the task-level is wear-out of the CPU. A very tough point to prove damages from. People actually use these sort of programs to "burn in" new hardware. And he WAS administering the computer.

    Is it a federal offence to win prizes using a browser at work too now? A fitting symbolic punishment would be to fine him the prize money, since it's not that much. If I were his superior I would just ask him to uninstall it and not install such programs anymore (he was probably underpaid anyways). Talking often works wonders, maybe they should try that next time. Some people just take life too seriously, and then they die.

    - Steeltoe

  160. Why are they _really_ doing this ? by dingbat_hp · · Score: 2

    This is a facetious lawsuit. Any lawsuit launched by a big corporate (and US universities are some of the worst) will destroy the life of any normal human being who is targeted - even if they win. OTOH, they won't see a penny in damages, because the lawyer's bills alone will be enough to bankrupt the guy.

    So why are they doing it ? There's no real reason why anyone can complain about an RC5 client, and in the vast noise of shop-at-work and corporate pr0n surfing, it's invisible. Secondly, it's an admin's to install RC5 and VirtuaGirl clients (on a sacrificial machine), because you can guarantee that a user somewhere will do it, and it's best to be forewarned about it.

    I don't understand this at all, and I can only assume (with my paranoid hat on) that there's more to it than we're hearing.

    ...and of course, any admin's real power comes from the web proxy logs, and his boss' visits to farmsex.net (Hi Mike ! Still attending church regularly ? Still have that .25 IP address ? Still being a total bastard to your staff ?)

  161. Re:First thing you need to do is.... by FooGoo · · Score: 1

    I would like to thank everyone who voted for this post and helped make it the top post in this thread. I would also like to thank the academy and John Katz for being so annoying that I have to come to /. everyday to see what stupid topic he is expounding on today. Thank you all.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  162. First thing you need to do is.... by FooGoo · · Score: 5

    Track down a copy of the acceptable use policies from the time you worked there and see if they prohibit the installation of unauthorized software. Also, did anyone help you do this and was your supervisor aware of this? You need to start tracking down other employees that you may have told about this. You need to show that it wasn't against their internal policies or that it wasn't kept a secret from the rest of the organization.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
    1. Re:First thing you need to do is.... by Karmageddon · · Score: 5

      that's the finesse way to solve this; there is also the brute force way: if everybody on distributed.net pays a little bit of the fine, it'll be paid off in n(log(N)) time

  163. Re:This is a real surprise! by Progoth · · Score: 1

    yeah, my public georgia high school was pretty crappy in the way of computers/computer classes. and ours wasn't the worst, there were schools even deeper in the backwoods, not to mention the ones here in downtown atlanta. I'm a computer science major now, and a majority of my peers actually had programming classes available to them in high school. but don't trash ga too much, the lottery has done wonders for the educational system.

  164. Re:rc5 output by Fjord · · Score: 2

    This client doesn't download the keys, it downloads parameters to a block of keys. It then iterates through the keys within that block. The difference is me typing "All the numbers between 1 and 1 trillion" and me typing all the numbers between 1 and 1 trillion.

    --
    -no broken link
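The point made in comment 164 above, as an added example that is not part of the thread and not distributed.net's code: a work unit names a block of keys by its start and length, and the client generates and tests the keys locally. The RC5-32/12/8 parameters, the 12-byte `WorkUnit` wire layout, and the plaintext and key below are assumptions constructed for the illustration.

```python
import struct
from dataclasses import dataclass

# RC5-32/12/8 (32-bit words, 12 rounds, 8-byte key): assumed parameters.
ROUNDS, KEY_BYTES, MASK = 12, 8, 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 magic constants for 32-bit words

# Constructed sample data: a known plaintext block and the key to be found.
PLAINTEXT = b"The unkn"
SECRET = 0x0123456789ABC5A3


def rotl(x, n):
    """Rotate a 32-bit word left by n (taken mod 32)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def expand_key(key):
    """RC5 key schedule: 8 key bytes -> 26 round subkeys."""
    c = KEY_BYTES // 4
    L = list(struct.unpack("<%dI" % c, key))
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):
        a = S[i] = rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = rotl((L[j] + a + b) & MASK, a + b)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def encrypt_block(S, block):
    """Encrypt one 8-byte block with expanded subkeys S."""
    a, b = struct.unpack("<2I", block)
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        a = (rotl(a ^ b, b) + S[2 * r]) & MASK
        b = (rotl(b ^ a, a) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", a, b)


@dataclass(frozen=True)
class WorkUnit:
    """Hypothetical work unit: 'all keys from start to start+count-1'."""
    start: int  # first 64-bit key in the block
    count: int  # number of consecutive keys to try

    def encode(self):
        # 8-byte start + 4-byte count: this is all that crosses the network.
        return struct.pack(">QI", self.start, self.count)

    @classmethod
    def decode(cls, wire):
        return cls(*struct.unpack(">QI", wire))


def search_block(wire, plaintext, ciphertext):
    """Client side: expand the 12-byte description into keys and test each."""
    unit = WorkUnit.decode(wire)
    for k in range(unit.start, unit.start + unit.count):
        if encrypt_block(expand_key(k.to_bytes(KEY_BYTES, "big")), plaintext) == ciphertext:
            return k
    return None  # the reply is just "nothing found in this block"


def demo():
    """Return (key found, bytes sent on the wire, bytes if keys were listed)."""
    ciphertext = encrypt_block(expand_key(SECRET.to_bytes(KEY_BYTES, "big")), PLAINTEXT)
    unit = WorkUnit(start=0x0123456789ABC000, count=1 << 12)
    wire = unit.encode()
    found = search_block(wire, PLAINTEXT, ciphertext)
    return found, len(wire), unit.count * KEY_BYTES


if __name__ == "__main__":
    found, wire_bytes, listed_bytes = demo()
    print(f"found key {found:#018x}")
    print(f"{wire_bytes} bytes describe the block; listing its keys would take {listed_bytes}")
```

The wire size stays at 12 bytes however large `count` is, so the network cost per block is constant while the CPU work grows with the block size.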
  165. Re:I agree, but a felony? by tomson · · Score: 1
    If it's idling, it costs you the same as if it's running something.

    Minus the bandwidth, and that seems to be the main issue here.

    --
    I read slashdot for the articles.
  166. There are two issues to consider. by Above · · Score: 2

    1. Did he have permission to install/run the client on the computers? We don't have a solid answer to this one, but I would suspect a court would find the answer was yes. The school employed him to administer the computer. In lieu of giving him explicit instructions, they were relying on him to A) Stay within the bounds of the law (eg, no illegal copies of software) and B) use his best professional judgement on the best way to admin the machine. So, assuming they didn't place some more restrictive guidelines on him I don't see how they can complain much about him installing / running the software, from a permission point of view.

    2. Did he have the right to use the network resources that he did? Clearly, these cost the university money, and so there is an issue here. Again, I suspect the problem will come down to guidelines. A university that provides students access in the dorms and doesn't prohibit (not prevent, prohibit) things like, oh viewing porn, playing online games, accessing stock quotes (unless in a finance class) etc etc etc would have a hard time complaining about someone running rc5.

    Bottom line, they cannot apply selective standards, even more so when they are government sponsored. If there was something in writing that applied to all that covered this, or if there were specific instructions given to him, then he's screwed. If, on the other hand they simply have the general "don't do anything illegal" clause, they are going to have to try and fall back to the "using the computers for something other than learning", and that's a dangerous path for them to walk down. If they go down that road with this guy fairness would demand they crack down on many other activities by many other people (including, probably, reading this article, unless the person is a computer admin or a law student) and would find themselves in a position they don't want to be in.

    Oh yeah, $0.59/second? What is that crap? I suspect their actual cost is under 1/100 of a cent per second, if that.

    1. Re:There are two issues to consider. by ocbwilg · · Score: 2

      Did he have permission to install/run the client on the computers? We don't have a solid answer to this one, but I would suspect a court would find the answer was yes. The school employed him to administer the computer. In lieu of giving him explicit instructions, they were relying on him to A) Stay within the bounds of the law (eg, no illegal copies of software) and B) use his best professional judgement on the best way to admin the machine.

      You're assuming that he was the admin. He uses the term "configurator." To me this implies that he is a guy from desktop support who was told to make a standard image for all of the PCs in the system. In such a case, they are usually provided with a list of standard apps and configurations to use.

      I could be wrong, but I've yet to meet an Admin who called himself anything but Admin (or guru or god).

      Say "NO!" to tax money for religious groups.

  167. Re:Finally Came Up with Something by harveyjc · · Score: 1

    his employment contracts would spell this out and give him a document to sign stating that he understood the security policy - this is legally construed as a warning and no further is necessary unless specified in the policy (and I bet it's not)

    In the real world of employment in MIS we don't send warning letters to mom - we just sack you and if we have to we sue you.

    --
    "Sanity is an illusion of the diseased mind"
  168. Re:Burden of Proof: Show He *Wasn't* Authorized. by harveyjc · · Score: 1

    Agreed totally

    I would have sacked him - that simple - then again I don't hire sysadmins with god complexes so maybe I wouldn't have hired him.

    as an MIS manager it's this simple - my environment, my rules, my way, the highway - your choice.

    --
    "Sanity is an illusion of the diseased mind"
  169. Maybe something to learn from this by harveyjc · · Score: 1

    Those of you who are in school or not employed in a corporate role should pay attention to this message that is being given - not just by me - when you work for any employer (and a University is an employer - if you get paid to do it then you are employed) you have a duty of trust - a large amount of power is being placed in your hands - power over confidential information and files - user accounts - financial records and much more.

    This trust exists as your employer expects you NOT to make changes to his mission critical systems without following proper procedures and permissions - most organisations call it change control.

    Even if you are employed as a SysAdmin you don't automatically inherit the right to do what you see fit - you are expected to behave within the guidelines the organisation expects you to work in and not act outside of them.

    That's what's wrong here - the person in question may have done this in the best of intentions - he may not have caused damage BUT he was trusted not to do this sort of thing (and believe me he would have been) and he did it - end of story - fired - learn a lesson.

    Does he deserve to go to Jail - IMHO no
    Does he deserve a fine - IMHO not that much

    But he committed the act in a State which has laws and they believe he broke those laws by his actions.

    This is what we call consequences.

    What he did was what we call unproffesional

    the rest is a matter of perspective - unfortunately the state and the university have a different perspective to him.

    I have said before I have a policy of dismissing any of my Admin Staff who install unapproved software on systems regardless of reason. Someone emailed me and called me an asshole.

    Well the fact is I have never sacked anyone because none of my staff have ever betrayed the trust I have in them - I work in a banking environment and this sort of behaviour just would not happen - the reason is they are all proffesionals.

    The conclusions from this should be obvious

    --
    "Sanity is an illusion of the diseased mind"
  170. Re:Burden of Proof: Show He *Wasn't* Authorized. by harveyjc · · Score: 1

    MIS manager in banking environment

    Yous installed Seti@Home on any of MY servers I would take great pleasure in slowly cutting off your balls with a plastic knife.

    I can guarantee you one thing - you would never ever work in any position of trust in any IT capacity for any major bank ever again - that's the sad thing - how easy people piss their careers up a wall.

    singwitch is right - the troll is YOU

    --
    "Sanity is an illusion of the diseased mind"
  171. Re:What if one has d.net running at an old job now by harveyjc · · Score: 2

    pray

    seriously - call someone you know and trust and ask them to remove it OR call your boss and admit it but be nice and ask him to remove it. This is much smarter than letting them find it.

    Of course there is NO business reason why this is here but what's he going to do, fire you? most companies won't take legal action without a good reason.

    OH if this HAS caused damage you are screwed.

    --
    "Sanity is an illusion of the diseased mind"
  172. This isn't the first time... by cperciva · · Score: 2

    Aaron Blosser lost his job at US West and had his computers seized by the FBI two years ago for doing the same thing. Well, almost the same thing: Blosser actually thought that he had permission (IIRC he asked the computer administrators but not the network administrators), while it doesn't sound like David McOwen even tried to get permission.

    Oh, and as for that 59 cents/second... I don't believe it for a moment: That would work out to somewhere around 18 billion dollars of damages. More likely the actual figure is 59 cents per day.

    1. Re:This isn't the first time... by cperciva · · Score: 5
      Blosser clearly knew he had no permission to run his programs on the telco systems

      From the horse's mouth:
      My problem was that I got permission from our workstation crew to do a massive install, but I did not think to ask the people who run the proxy server, or the network security folks, etc
      His apps ran in the background, but consumed so much CPU time that the entire directory assistance system slowed down to the point where it was unusable.

      Nope. Actually the directory assistance system was slow before Blosser installed the software and after the software was removed; US West simply decided to use him as a scapegoat for their problems.

      That's how he was discovered, the 411 system crashed, and sysadmins traced the apps back to him.

      Again, no. The software was detected (by the network people who hadn't already given permission for it) when they suddenly noticed lots of traffic to entropia.com going through their proxy servers.
    2. Re:This isn't the first time... by sakusha · · Score: 1

      I remember that case, and I think your description is misleading. Blosser clearly knew he had no permission to run his programs on the telco systems, those systems were support systems for directory assistance. His apps ran in the background, but consumed so much CPU time that the entire directory assistance system slowed down to the point where it was unusable. That's how he was discovered, the 411 system crashed, and sysadmins traced the apps back to him.

  173. Permission would have been nice by cybermage · · Score: 2

    According to the State of Georgia, one single Distributed.net client costs 59 cents per second in datatraffic.

    First, let me start by saying that they're on crack as far as this goes. Maybe it uses that much for the rare second it actually uses the network, but even then, they're getting raped by their bandwidth provider.

    Of course, what this guy failed to recognize is that access != permission. Just because you have access to a computer doesn't mean you can do whatever you please with it.

    This was just stupid, but they're WAY off on the damages. As for the jail time, they're probably equally off base. Heck, if the math finally works out to less than $1000 worth of bandwidth, he probably cannot even get jail time.

    1. Re:Permission would have been nice by doorbot.com · · Score: 4

      Of course, even if Georgia is getting terrible rates on bandwidth, say $20/GB, he'd have to be using 29MB/second to be costing them that much. I'm pretty sure that no d.net configuration could possibly use up that much bandwidth.

      That's the "enhanced" version of the dnet client that cracks RC5 and mirrors cdrom.com as well.

    2. Re:Permission would have been nice by cicadia · · Score: 3

      Thanks for the link, asshole. :)

      What "the dude" states in the message is this:

      "They are saying the Dnet client costs 59 cents per second for the Internet transmissions!"

      He doesn't refer to "one single Distributed.net client" like the writeup says, just "the Dnet client", which can just as easily refer to every instance of the client he has installed on the school's computers.

      BTW, your link is broken. Try using <A> tags next time

      --
      Living better through chemicals
    3. Re:Permission would have been nice by cicadia · · Score: 5

      > > According to the State of Georgia, one single Distributed.net client costs 59 cents per second in datatraffic.

      As far as I can tell, that statement only exists in the /. writeup on this story. In the message on the bulletin board that started this, he only says that they claimed that d.net was costing them 59 cents/second. No mention of how many clients he was running (being the "configurator of the computers" he must have had access to more than one machine :)

      And further down that thread, someone responds to him:

      "Wow, you were outputting over 60k/day at peak time. That's around 400-600 P2-300's power, 2 years ago"

      I can't remember what a reasonable RC5 rate is anymore, but that doesn't sound like the output of a single client, even if that estimate is outdated by two years.

      Of course, even if Georgia is getting terrible rates on bandwidth, say $20/GB, he'd have to be using 29MB/second to be costing them that much. I'm pretty sure that no d.net configuration could possibly use up that much bandwidth.

      --
      Living better through chemicals
    4. Re:Permission would have been nice by GnuBeest · · Score: 1

      I couldn't agree more. Yes, the extent of the charges is frivolous and uneducated, at best. But he should have bloody well known better. As I was reading the anandtech forums, I kept seeing posts saying, "We can't assume anything, we don't know that he didn't have permission!" etc. Of COURSE he didn't have permission. Yes, US state courts tend to be a bit ignorant in the enforcement of tech-related laws, but this would have NEVER gotten this far if anyone had the slightest shred of proof that he had permission to run DC on those machines. Just because someone hires you to give their car a tune-up does NOT mean you're allowed to take it for joyrides.

  174. I have =) by Pace3000 · · Score: 1

    Time to take it off my Uni machines? ;-)

  175. What if one has d.net running at an old job now? by wunderhorn1 · · Score: 4
    Let's say, hypothetically speaking, one were to realize that he/she may have left the dnet client running on one or more PCs he/she was administering at a previous place of employment.

    What would be the proper way for that person to cover his/her ass?

    --
    Karma: Bored. (Thinking about resurrecting the "Anyone else is an imposter" joke.)
  176. What's the problem? by andy@petdance.com · · Score: 2
    I don't understand the problem here. RC5 is so 1999. I've moved on to SETI@home.

    xoxo,
    Andy
    --

    1. Re:What's the problem? by Vegeta99 · · Score: 1

      Oh yeah, THERE's something useful. Find aliens in a radio spectrum, get nothing if you do, and god knows you may NEVER find em. Wowee, worth my idle CPU cycles. With rc5 there is a definite winning point, and you get $2k. pfft.

  177. Re:Burden of Proof: Show He *Wasn't* Authorized. by sigwinch · · Score: 1
    It is my contention that his personal goals and the mission of his company were not in conflict,...
    The trouble is that he was not mandated to do it, and it is not obvious that he had the leeway to do it. This gives him no ass-covering material. There's no piece of paper that unambiguously says he was permitted to do what he did. He can only argue about vague general principles.

    Taking action in a large organization without a signed CYA document is playing with fire. If somebody higher up decides your action was wrong, you are doomed. It's your word against theirs, and they'll have the lawyers and monomania to bury you.

    ...and furthermore the odds of him actually winning the prize, remote enough (even with whatever rank he managed to achieve), the prize small enough, and the actual distribution of that profit distributed enough that for all intents and purposes the value of that prize goes to zero. In terms of the prize itself, his probabilistic share probably didn't add up to the price of a can of Mountain Dew.
    Never take a risky action in a corporation without considering how it will sound in front of a Federal jury or Congressional committee. "So, Mr. McOwen, are you telling us that you were converting these computers to your own use to win a $1000 prize?"

    To a jury of bums, rednecks, and career Taco Bell cooks, that $1000 prize will be damning. Ditto for newspapers and blood-n-depravity TV news shows.

    Incidentally -- these machines were going for some time, with no complaints being rendered for quite some time. This means a couple things:
    It means one thing. The vindictive career academic bureaucrat who is going to send McOwen to the federal pen hadn't yet noticed. Now he has. It's a statistical thing, maybe they'll never notice, maybe the evidence will be gone before they notice, maybe they'll be too busy frying someone else, etc. Without the ass-covering paper trail, you're rolling dice.
    Yeah, welcome to Winamp, Windows Media Player, RealPlayer, Yahoo Messenger, and Windows itself. Give me a break. The majority of university networks are so riddled with out of date daemons and unfirewalled ports...
    So? The humorless gentlemen in the dark polished cars, wearing nice suits and ray ban sunglasses don't give a flying fuck that the situation is bad. All they care about is the documentary evidence that *you* made it measurably worse.
    In my mind, the fact that so much time passed between his use of university resources and his eventual shutdown means that quite a few people knew of this incident and one person elected to express discretionary privilege and can him. That's fine--it happens--but you don't send someone to jail for it.
    You do if you're a career state-employed academic bureaucrat. Any one of 'career', 'state-employed', 'academic', or 'bureaucrat' would be bad news. Put them all together and it's a deadly situation. The person carrying out this campaign against McOwen is certainly clueless, likely vindictive, likely monomaniacal, and *committed*. Once a person like that starts a campaign, they'll push it as far as possible. They won't know when to give up.
    Silly. You have no idea how much Cracking DES did, do you? Do you have any idea how significant the EFF's DES Cracking book was in making sure AES happened, and in forcing 3DES to be the standard of the day?
    Overall it hurt the situation, by driving the spook traitors underground and forcing them to use more subtle means to frustrate crypto. Onerous crypto controls are still in place, and the traitors are still mostly successful at preventing widespread deployment of crypto. It would arguably have been better to continue with 40-bit DES, and let the electronic pearl harbor force Congress to clean house at the NSA.
    ...that travesty that is 802.11 WEP...
    Offtopic, but... WEP is an impressive accomplishment. They actually managed to design a cryptosystem that has cipher- and key-exchange-independent insecurity (the 24-bit initialization vector).
    Diligent recovery from this compromise would involve... a lot of things that didn't happen. At all. Even in the slightest.
    Hmm...you're probably right. I'm not sure why I thought they did a proper recovery. (Although my list of expenses is a pretty good reason to get permission before you screw with hundreds of machines.)

    If they really did just make up these numbers, the case could blow up in their faces. For McOwen's sake I hope it does.

    If his interpretation was at odds with that of the administration, perhaps he deserved to lose his job -- but this doesn't even pass the giggle test for felony hacking. They were HIS BOXES. He had legitimate accounts, probably even root accounts and did things that were *arguably* legitimate.
    This is where I disagree. It's kind of like a delivery man. During the day, the truck is *HIS*. He can pick his own routes, make a detour for a customer who is in a huge hurry, bend the traffic regulations, and generally do whatever it takes to get the job done. His job is a big one, and he therefore has a lot of leeway to make autonomous decisions. Suppose he wants to take the truck home at the end of the day to move a sofa. If he takes 10 seconds to get the boss's permission, taking the truck is perfectly OK.

    If he doesn't get permission, he has just hitched his fate to another person's mercy. In a small company where they've been friends for years, the boss might later tell him how glad he was that he went ahead and took the truck. At a larger company, the boss might admonish him not to do it without asking in the future and drop the matter. Or the boss might call the police and report it stolen, and prosecute it as grand theft.

    Personally, I think that what McOwen did was absolutely wrong, but I also would have made the reaction proportional to the actual harm, which was fairly small. Suing someone into oblivion and getting them sent to prison is simply not good business.

    Oddly enough, who do you go to if you have a project that could really use a few hundred machines?
    If it's your job to use them that way, you just do it. However, if there is a person who could say no, and you don't ask, you have done something wrong.
    Complete lack of precedent for a deleterious effect has an effect in a courtroom, you know.
    Sadly, no. In a criminal case it is not necessary to prove substantial monetary damages, it is merely necessary to prove that the person did something they had not been given permission to do. If we can give people life sentences for agriculture (specifically, three strikes growing of cannabis sativa), then convicting an admitted vandal who was trying to win a $1000 prize is a piece of cake.
    If the prospect of a decade of prison rape wouldn't make you run screaming like a horror movie prom queen into whatever abandoned warehouse of an online forum you could find -- you're a stronger man than I.
    If you allow fear to govern your actions, you are letting the enemy dictate your actions.
    Oh, this is much better than a felony conviction. It don't say, "Have you ever been mentioned on Slashdot" on the employment forms, you know :-)
    It's funny, but I am also being serious. The Internet search engines are already starting to correlate information with specific people. I expect syntax-aware indexing to start being used within a few years. You'll be able to search on something like "name(John Smith) employed_by(Foo University) keywords(employed)". When you can do a good background search routinely, this sort of highly public announcement will be a Bad Thing.
    I do feel for the prosecutor, though. I don't think he realizes how badly he's being used.
    The prosecutor is actually a good point of approach, if you can get him in touch with a clueful expert.

    Anyway, I understand what you're saying, I just think it's McOwen's fault for not establishing a paper trail showing permission. This isn't the first time I've heard of this sort of thing, either. I saw an almost identical case in the Ars Technica forums a while back, although it was a smaller amount (on the order of $10k IIRC, and no criminal case). I ought to write a web page about this problem: "The Young Male Sysadmin's Guide To Not Going To Prison".

    --
    Kuro5hin.org: where the good times never end. ;-)

  178. Re:Text of post, comments by sigwinch · · Score: 2
    A single dnet client cannot cost 59 cents a second, and neither can a single email.
    Unless it's stolen bandwidth, in which case the victim can charge the highest plausible rate for the bandwidth itself. They can also charge pretty much arbitrary prices for the inconvenience and other losses suffered as a result of the unavailability of the bandwidth.

    Let's also remember that we don't know what basis that $0.59/minute cost includes. The perpetrator was very vague on this, probably in an attempt to shift blame to the victim. It may include the aggregate cost of several items:

    • Machine integrity. Reformatting and reinstalling hundreds of machines.
    • Data integrity. Sanitizing every single piece of data stored and handled by the compromised machines during the period of compromise.
    • Loss of reputation. Decreased revenues when partner organizations learn that the victim's information infrastructure was compromised. (Yes, I know it's a school. Schools have revenue just like any other business, and depend on their reputations for income.)
    • Downtime. The victim is under no obligation to minimize recovery costs or live with the compromised system for a millisecond longer than necessary. The moment they learn of the compromise, they can shut down every compromised machine immediately, and it may take several days for technicians to become available to start doing anything. They can keep the entire network shut down until every single machine has been reinstalled from scratch and all the data has been sanitized. The personnel whose jobs revolve around using the machines can be furloughed for the duration. The attacker could potentially end up being responsible for the entire operating costs of the organization for several weeks.
    • Costs of investigation. Due diligence, especially of a public organization, demands that skilled investigators be immediately put to work on the case, as well as a team of lawyers. This sort of skilled assistance can easily cost $500/hour.

    Come on, people. Walking into a building full of hundreds of computers and personally compromising the security of each one at its console is *stupid*. It's like trying to rob a police station.

    --
    Kuro5hin.org: where the good times never end. ;-)

  179. Re:Burden of Proof: Show He *Wasn't* Authorized. by sigwinch · · Score: 2
    If my dog pooped on your front lawn, would you send me the bill to have the entire house torn down, ground dug up, new sod laid down, and new house built?
    False analogy. A good analogy would be if I hired you to clean the dog shit off my yard, and you instead dumped a truckload of dog shit on it. If you did that, you'd pay and pay and pay.
    Have you never heard of "Uninstall"? It works really well, trust me.
    Not for security it doesn't. Security is a matter of knowing where every program on the machine came from, and knowing that no uncertified programs have even been run on the machine. It is solely a matter of trust, a matter of having a known chain of control. That trust is easy to throw away and expensive to regain.

    (I was actually being *extremely* conservative on the recovery costs. Many devices, like motherboards, BIOSes, and video cards use field-programmable flash devices. To fully recover from a compromise, you'd have to replace them all. Would probably be cheaper to just scrap the equipment and buy new stuff.)

    --
    Kuro5hin.org: where the good times never end. ;-)

  180. Re:Huh? WTF? by sigwinch · · Score: 2
    You state a cost of 3 hours per machine to "sanitize" and a cost of 1/2 hour per machine for a security analysis.
    There aren't standard terms. By sanitize, I meant verifying the absence of malicious code and data in all the user-created files on the machine. Three hours per machine is actually very conservative. If the machine was used by an accountant to create a quarterly report, for instance, the only way they could have an acceptable level of confidence would be to recreate the report from scratch.

    By security analysis, I meant that you had to check the machine for signs of malicious use. Compromised machines are frequently used as jumping off points for attacks on other systems, and you have to fix those systems too.

    Examine one machine, then ghost out a new image using ghost multicast.
    Each machine must be suddenly power cycled off to preserve evidence, and its hard drive must be physically removed and read out. Most organizations are too lazy to do this (probably including the bozos in Georgia), but if you want security, it's what you have to do.

    I should have made it clearer in my comment that I was exploring the worst-case costs of recovering from a compromise, the moral being that sysadmins should be utterly paranoid. A lot of this probably doesn't apply in David McOwen's case, since the 'victims' seem to have a severe case of recto-cranial inversion. It'll be interesting to see the details when they are made public.

    --
    Kuro5hin.org: where the good times never end. ;-)

  181. Re:Burden of Proof: Show He *Wasn't* Authorized. by sigwinch · · Score: 2
    Please mark this sigwinch Troll down.
    I am not a troll. (Jeez. That's like saying 'I am not whiny' in a squeaky voice. Oh, well. Goodbye, dignity.) When I write, I try to express ideas clearly and forcefully. When I'm right, this makes me easier to understand. When I'm wrong, it makes me easier to correct.

    Look at your disagreement with my post: you were able to directly argue against particular points of mine. You didn't have to untangle half-formed, vaguely qualified statements. It went 'clear statement, clear counterargument'. In fact, it is obvious that you were approaching it from the angle of a practical admin who isn't overly concerned about security and assurance, while my POV was known-good security and certifiable quality.

    5. Delete directory.
    Security is having confidence that every bit on the hardware comes from a known, approved source. You lose that when you install an untrusted program, and the only way to regain it is to delete everything and start from scratch.
    If I hired a mechanic to check out my engine, and he said I used the wrong brand of oil, and I must replace my engine, that's fraud.
    A false analogy. A better analogy would be if you hired a mechanic to change the oil in your street-legal drag racing car with a $30,000 racing engine, telling him to only use Mobil synthetic oil, and he used olive oil instead. Maybe the engine wouldn't be hurt by it, but you don't have to put up with maybes. You are *owed* confidence that the engine is in a certain state. He'd be buying you a new engine, and compensating you for the loss of use. When confidence is the commodity of interest, you don't take chances.
    BTW we use seti@home to burn in our Sun servers, even our big 10K clusters.
    OTOH, if you installed S@H on a live banking server 'just because', they'd beat you to death with CAT5, even if you have admin privileges.
    --
    Kuro5hin.org: where the good times never end. ;-)

  182. Re:Burden of Proof: Show He *Wasn't* Authorized. by sigwinch · · Score: 2
    Except he isn't accused of attempting to backdoor the systems. ... He's accused of running undesired software.
    Security is all about the perception of trust.
    Yes, the moment I see an exact catalog of specifically what McOwen was supposed to install, and in what order, I will agree that he had no discretion to install any more or any less.
    Whatever was appropriate and necessary to fulfill the mission. For staff machines, that means very little software.

    OTOH, we don't know what machines McOwen used -- the AnandTech story was too vague. If they were semi-public computer labs that were ghosted at the start of every day, the damages would be minimal. Nobody could reasonably expect such machines to be particularly secure, and therefore the damages for insecurity would be minimal. It all depends on the circumstances -- McOwen could be getting off easy, or he could be royally screwed. Hopefully /. will post more details soon.

    Again, university environment, not big multibillion dollar conglomerate with a stock price to keep up.
    First off, it seems to not be a university that this occurred at. I don't know how we got that meme going...

    Besides which, any school large enough to have dozens of computers has a budget of several million dollars a year. It has accountants who must produce accurate numbers or they'll have to shut down. It has payrolls that have to be met on strict deadlines. It has confidential information that will cost millions if it is improperly disclosed. The school's few millions of dollars may be piddly compared to Chase-Manhattan, but that money is *very* important for the school.

    Downtime is not disaster for *any* system in most universities.
    Try being late for payroll at even an elementary school. The teachers, teacher's union, school administrators, board of education, city politicians, and press will hold a competition to see who can hand your head to you on a silver platter the fastest.

    A university is even worse. Try making a department head miss a publication date for his paper in Science. The police detectives won't even be able to find your body, it having already been run through the particle accelerator one atom at a time.

    --
    Kuro5hin.org: where the good times never end. ;-)

  183. Re:Burden of Proof: Show He *Wasn't* Authorized. by sigwinch · · Score: 3
    1) The exact job specifications of Mr. McOwen's employment were not and literally could not be set in stone; his basic task was to administer the systems according to the precepts of the site they were deployed.
    For the support of the organization, not for his own personal amusement, and most assuredly *not* for an effort to win him a prize.
    Surely, it is not inconceivable that given the extraordinarily high degree of public works that universities are known for, that he might have come to the reasonable conclusion that installation of software that contributed to a public good (the global improvement of cryptographic quality) would be a fair extension of the mission of the university.
    That a university is publicly oriented does not give its employees license to do whatever they think is in the public interest. A university is a corporation, just like any other, and the use of its resources must be approved by management.
    2) ... There was nothing hidden about the RC5 code, and as for destructiveness, few would argue it is destructive to a computer to ask it to compute!
    Either you have reviewed the actual binaries that were running on the machine and are making a public offer to provide an unlimited monetary guarantee that there are no exploitable security bugs in the RC5 program, or you are talking out of your ass.

    Unreviewed, untested, warranty-less binaries that engage in continuous communication with remote servers are a serious security threat, as well as a threat to the integrity of the machines. Many a machine has been brought to its knees because of some weird interaction between the installed packages.

    A competent professional would *never* risk his client's machines for an unnecessary program.

    3) Statistics have shown a multi billion dollar a year loss to the country from insufficient encryption and computer security systems.
    And what the fuck does that have to do with this discussion? The question is whether he had permission, not whether he would have had a good justification if he had asked for permission.

    And even if that was our discussion, brute-force cracking RC5 is a stunt. It doesn't do a damn thing for security.

    4) No actual damage can be substantiated by the prosecution.
    Are you an idiot? Do you know nothing about computers? Diligent recovery from this compromise would involve 1) backing up all data on the compromised hard drives, 2) formatting them, 3) reinstalling them from scratch, 4) sanitizing all the backed-up data, 5) and reinstalling all the backed-up data. Assuming a $150/hour sysadmin, three labor hours per machine, and 200 machines, that's a direct recovery cost of $90k.

    Then you've got all the people who will be sitting around with their thumbs up their asses while their machines are offline. Assuming an average downtime of 1 week, an average employee salary of $25k/year, and an overhead rate of 100%, that's an indirect recovery cost of $192k.

    Then there's the investigation cost. Assuming a security expert at $500/hour, and an analysis time of 30 min/machine, that's an investigation cost of $50k.

    Then there's the legal costs. Because of the severity of the compromise, and the threat to the University's IP, a top-notch law firm specializing in insider sabotage will be needed. Assuming the law firm charges 80 hours @ $200/hour, that's a legal cost of $16k.

    Then there's the prosecution cost. I have no idea what DAs, judges, and courts charge, but it's gotta be a lot.

    That's a total of $348k for direct and simple indirect losses.

    Then there's interest. It will probably take the Uni about three years to get a judgement for the losses. At the standard 25% rate for unsecured credit, that's a net interest of 95%, which will bring the final judgement to $679k.

    Then there's the potential reputation cost to the university. Insider sabotage of the IT infrastructure makes tech and biotech firms very antsy, and less likely to engage in lucrative contracts with the Uni. Likewise for alumni support. The damages from this are pretty much unlimited; if the fates are against you it could run to tens of millions of dollars.

    Suppose the school spent $200,000 on their internet connection yearly,...
    It's their bandwidth and they can sell it for whatever price they want. It's up to you to ask for the price before you start appropriating it.

    But that's irrelevant. The $0.59/min figure is almost certainly an aggregate number. They added up the total losses, divided them by the duration of the compromise, and that was the number.

    5) Prosecution of Mr. McOwen would have a drastic chilling effect on the ability of computer administrators to do their work.
    It will not. Competent professionals help the client accomplish their mission. If they have ideas for new mission objectives, or even for cool charitable projects that don't really accomplish much, they discuss it with the boss. They *don't* run off and reconfigure hundreds of pieces of high tech equipment for their own whimsy.
    His actions were questionable even as an offense worthy of termination, given the wide berth that system administrators require to be effective and the vast freedoms inherent in the academic environment.
    Bullshit. Sysadmins *never* have the right to turn hundreds of the institution's machines into zombies for their own pet projects. The reason sysadmins have wide latitude in decisions is because *that's what it takes to accomplish the mission*, and not because the machines are part of their personal toy chest.
    They'd be laughed out of any civil court in the country, and the fact that they've reached criminal court--at the felony level, which would deprive Mr. McOwen of his freedom, his voting rights, ...
    Hardly. It's vandalism, plain and simple. The alterations he performed obviously had no relevance to the organization's mission, they had a potential serious deleterious impact on the mission, and he deliberately chose not to ask permission when doing so would have required little time or effort.
    .... and even his ability to simply procure employment--is a grave insult.
    The law is the least of his problems. Not only did he recklessly fuck over hundreds of his client's machines, he whined about the client's consternation on the Internet. For the rest of his life, any time a prospective employer does a web search on him this story will show up in all its tawdry glory.

    I propose a new phrase for the Internet lexicon: "Pulling a David McOwen". It will be the Darwin Award of Career Limiting Moves. Example usage:

    PERSON 1: What did he do?
    PERSON 2: The story I heard said he spilled a can of coke into the NYSE mainframe.
    PERSON 1: (awed voice) Wow. Talk about pulling a David McOwen.
    --
    Kuro5hin.org: where the good times never end. ;-)

  184. Re:Burden of Proof: Show He *Wasn't* Authorized. by SuiteSisterMary · · Score: 2
    Administrators were exhorted to behave in a manner compatible with the values of the university; as I noted, the RC5 system was extraordinarily compatible with the values as they were laid down, down to relinquishing CPU upon request.
    You know what this reminds me of? This reminds me of whenever I tell my three year old daughter to, say, stay out of my bedroom, so she stands with her toes perfectly lined up with the door frame.
    --
    Vintage computer games and RPG books available. Email me if you're interested.
  185. Re:Text of post, comments by SuiteSisterMary · · Score: 5

    The lawyer has an AOL email account? If that's true, this David guy should be thrown in jail for choosing such a lawyer to defend a computer related case, but somehow, I don't think it smells quite right. Troll? Has anybody tried emailing the State of Georgia people in question? Maybe the State of Georgia courts to see if such a case has been filed?

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  186. d.net needs to connect only twice a day by yerricde · · Score: 1

    Just not anything that needs a constant web connection

    The d.net client needs to connect to the server only about twice a day if you have it download 12 hours worth of work at once.

    --
    Will I retire or break 10K?
  187. Re:Burden of Proof: Show He *Wasn't* Authorized. by zbuffered · · Score: 1

    Are you an idiot? Do you know nothing about computers? Diligent recovery from this compromise would involve 1) backing up all data on the compromised hard drives, 2) formatting them, 3) reinstalling them from scratch, 4) sanitizing all the backed-up data, 5) and reinstalling all the backed-up data. Assuming a $150/hour sysadmin, three labor hours per machine, and 200 machines, that's a direct recovery cost of $90k. Then you've got all the people who will be sitting around with their thumbs up their asses while their machines are offline. Assuming an average downtime of 1 week, an average employee salary of $25k/year, and an overhead rate of 100%, that's an indirect recovery cost of $192k.

    I was very upset by this comment (the whole post really) at first, but I calmed down a little when I realized that you're obviously just on crack. If my dog pooped on your front lawn, would you send me the bill to have the entire house torn down, ground dug up, new sod laid down, and new house built? And then the bill for the time you spent having all this done? Or would you just make me clean it up (or in this case, make me pay the cost of someone else cleaning it up)?
    Have you never heard of "Uninstall"? It works really well, trust me.
    So, like you say: Assuming a $150/hour sysadmin logging in as administrator on 200 machines and un-installing one program, let's say that takes 3 minutes per machine (maybe he's a slow typist!) and then an extra 2 because they're spread out over campus or something.
    That's 1000 minutes. 2 days. A waste of a $150/hour sysadmin's time, if you ask me. I'd do it for a tenth that.
    And ya can quote me.

    --
    Synergy is your friend
  188. Hey look shiny thins by DRAGONWEEZEL · · Score: 1

    I laughed my a$$ off when I saw that!
    thnx for the added humor

    --
    How much is your data worth? Back it up now.
  189. Simple by legLess · · Score: 3
    This sucks, of course - it seems highly unlikely that the costs are what they say, and 15 years in jail is frankly insane. But that doesn't change the facts; Randall Schwartz learned (perhaps) the same lesson the same hard way - if you don't own the computer, get written permission before you do anything not explicitly defined in your job duties. That's common sense. It's harsh to learn the lesson this way, rather than reading about it on /., but no one has a god-given right to hand-holding.

    Q: Did he have permission from the school to install the software?

    Yes: They can't touch him.

    No: Stick a fork in him; he's done.

    Regardless of the bandwidth costs - say it only cost 59 a day - it's still money that the school/state wouldn't have had to pay if he'd done his job (and only his job).

    He's hysterical: "...the future of all that use the Internet and computers is at stake."

    The future of all people who install bandwidth-sucking apps on equipment that belongs to someone else, perhaps.

    "We all say so, so it must be true!"

    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
    1. Re:Simple by albamuth · · Score: 1
      No: Stick a fork in him; he's done.
      I agree, the State is going to royally screw him over silly "improper" bandwidth usage, when it was their fault that their connection was volume-rated and not bandwidth-rated. (or was it, really?)

      I say he makes a run for Canada or Mexico now -- let the lawyers go to court while safely watching the case from a distant land. Screw those greedy bureaucrats.

      --
      [pink beam of light]
  190. Re:little late? by stilwebm · · Score: 1

    I wonder what the statute of limitations is for this type of crime in Georgia. It is possible they may get the first year thrown out...

  191. Re:Burden of Proof: Show He *Wasn't* Authorized. by stilwebm · · Score: 1

    By contrast, more than a few companies have hot spare buildings. You heard that right: If, one day, the office should cease to exist, everyone may go to another.

    The hotspare building where I work is called The Trace, and it is a nice bar several blocks from here. Whenever the power fails for more than an hour, we frequently migrate to our hot spare.

  192. Re:rc5 output by stilwebm · · Score: 2

    Chances are Georgia has a WAN connecting schools via 128Kbps ISDN (remember this started 2 years ago) and then a gateway with a T1. To save money, they probably were being billed in a 90th or 95th percentile for usage. So the excess bandwidth used all day by many computers constantly downloading new keys and uploading results may have been enough to break them out of their billing tier into another, more expensive tier. Anyone who is familiar with the school district have any insider perspective on their LAN/WAN configuration?

  193. Re:A quote from the d.net Official Policies by hoegg · · Score: 1

    He did "administer" the machines.

  194. Re:Need more information... by hoegg · · Score: 1

    It's one thing to be an academician at the school installing software on a bunch of computers you have access to, it's quite another to be paid to configure computers for the institution and go about installing something you don't have permission to.

    Now, I don't think installing the RC5 cow is in any way beneficial to the school, but in this case it was his job to decide what software to install on the computers. What about defragmentation software for NT 4? Or intrusion detection systems for linux? If my experience with system administrators at schools is any indication, they are the last word on what software gets installed on the machines.

    So whom was he supposed to ask for permission?

  195. karma whoring by aozilla · · Score: 2

    "Thank you everyone,

    For the guy that thinks it's a hoax simply contact the Georgia State Attorney's Office or the Georgia Bureau of Investigation, the lead Agent in charge of the year and half investigation that he said it took him to determine that running this Distributed.net client is a felony offense as outlined by the Computer administrators at the school and the State is Bob Stanley, the GBI office number is 770-987-9168.

    The Law Firm of my Lawyer is 770-564-1600. My Attorney is David Joyner

    The charges are from the 1999 Georgia Computer Crime code book Volume 14 Title 16-9-91 to 93 Pages 669 to 672.

    David"

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  196. Re:Need more information... by morn · · Score: 1
    .5M and 15y seems excessive, but it also looks like a criminal prosecution, so those are probably the maximum penalties for what he's been charged with. If convicted, I would imagine the real sentence would be much less.
    Hurrah! Someone's noticed! If only I had mod points.

    --

    ...or am I missing something?

  197. A quote from the d.net Official Policies by Magila · · Score: 1
    http://www.distributed.net/legal/policy.html

    "distributed.net does not condone the unauthorized use of its software on any computer system. You may not run any distributed.net software on a system unless you own the system or have received permission from the owner to run distributed.net software. Running the client on a machine without authorization will result in your removal from the project and will disqualify you from winning. "

    As well as from the FAQ

    Q: What shouldn't I use to participate?
    A: You shouldn't run the client on any machine that you do not own or administer.

    Maybe he should have asked before putting it on, ya think?

    1. Re:A quote from the d.net Official Policies by ocbwilg · · Score: 2

      He did "administer" the machines.

      I thought that he said that he was the "configurator." To me, that means that he's the guy who made the Ghost image that was deployed on 500 machines statewide. That's quite a difference from the "administrator," the person who in the end is responsible for all of the day-to-day workings of the systems under his control.

      Say "NO!" to tax money for religious groups.

  198. Re:I agree, but a felony? by pyite · · Score: 1

    Are you talking? It may be a little anal, but it's still wrong if it actually falls under the category of violating terms of use. Granted, I'd probably have the same reaction but the bottom line is- think twice before you do something that could even be remotely wrong.

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

  199. Re:Good. by FunkSoulBrother · · Score: 1

    flamebait? That is offtopic if anything at all. He was commenting on not closing his HTML tag. Yeesh.

  200. Re:What if one has d.net running at an old job now by Frank+T.+Lofaro+Jr. · · Score: 1

    What would be the proper way for that person to cover his/her ass?

    Move to Mexico

    --
    Just because it CAN be done, doesn't mean it should!
  201. Text of post, comments by mrgoat · · Score: 4

    While I can't find anything yet on the website for the State of Georgia AUP or TOS, I do know that most govt agencies have you sign a form wherein you acknowledge that they can put you in the pen. and fine you oodles of dollars for theft and such. Well, unless the poster had WRITTEN and SIGNED approval to install RC5, he is probably in for a world of hurt.

    Text of subject's post from Anandtech is pasted below:

    This is David McOwen, dmcowen674@aol.com. I need everyone's help that possibly can. I worked at a school system 2 years ago that is part of the State of Georgia and was the configurator of the computers. They are now prosecuting me for Felony conviction with up to 15 yrs in prison and wanting $415,000. They are saying the Dnet client costs 59 cents per second for the Internet transmissions! If you or you know anyone that can help please contact my lawyer Mr. David Joyner at cdjoyner66@aol.com, phone number of the Law Firm 770-564-1600. Beside my life and my family, the future of all that use the Internet and computers is at stake. Don't let them turn the good of computers into something so terrible. If it was so terrible it should be taken away from the world and not prosecuting one individual. People were panicking about rumors of the Govt tacking on a 5 cent surcharge to supplement the Postal service because E-mail is taking away from their business and now the State of Georgia is saying E-mail costs 59 cents per second and this is not a rumor!

    Also we need to know if anyone in the United States or the world has been prosecuted for this. We need to know for sure that they are setting this dangerous precedent, making me an example and everyone is next. They did not give me an opportunity to just turn the client off, they also said that there was no harm done after they turned it off. How can they call it a felony then and looking for nearly half a million dollars! Please help in any way that you can, whether by E-mails or any other support.

    Thank you



    mrgoat

    --

    'Hail Eris, baby, hail Eris...pfffffffttt.' *cough* 'Yeah.'
  202. Re:Burden of Proof: Show He *Wasn't* Authorized. by Jebediah21 · · Score: 1

    Unreviewed, untested, warranty-less binaries that engage in continuous communication with remote servers are a serious security threat, as well as a threat to the integrity of the machines. Many a machine has been brought to its knees because of some weird interaction between the installed packages.

    Wouldn't that description pretty much describe a Microsoft OS?

    --

    Everytime you look at porn a devil gets their horns.
  203. come on!! by moronic1 · · Score: 1

    what the heck is getting into companies (schools) these days! it was probably some fluke that they even found it at all! and really is that much bandwidth really a problem.. this is taking it to the extreme.. you could look at a lot of this this way and it would blow them way out of proportion..

  204. Huh? WTF? by NevDull · · Score: 2

    You state a cost of 3 hours per machine to "sanitize" and a cost of 1/2 hour per machine for a security analysis. Huh? One or the other is necessary, not both. Examine one machine, then ghost out a new image using ghost multicast. Not 3.5 hours per machine.

    Sounds like you bend over a bit too much.

  205. Finally Came Up with Something by Bluesee · · Score: 2

    My 2p...

    I think they should lose in court if they can't say they Warned him - at least once. Otherwise, a company - or a government! - can make you liable for all sorts of rules that they make and simply do not promulgate. Any court in the land ought to throw this out; and if they do not (I hope to hear updates on this, yeah, even here in ./), then people should riot in the streets, um, I mean write a letter to maybe a judge or their Mom or something, you know, take like, a stand.

    Good God, look at the time.

    --
    SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
    1. Re:Finally Came Up with Something by Bluesee · · Score: 2

      I'm sorry, but

      Who did he harm?

      I think that the punishment should fit the crime. Give him 30 days at the most, man... be reasonable.

      "In the real world..." You only sack and sue because you are allowed to. I just don't see the great harm, here...

      --
      SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
  206. Re:Good. by Halo- · · Score: 1
    All I can say is WTF? "Evil"? How do you figure that? I might agree with "not the best idea" but not evil. It would be another thing if the guy was running a warez server or kiddie p0rn ring off someone else's machine. (or his own I suppose) RC5 doesn't really serve a whole lot of "personal gain". If GA state was not supportive of it, I would expect them to perhaps tell him to turn off the clients, and maybe slap him on the wrist. Justice loses a lot of its value when it is not applied with some reasonable proportion to the "crime."

    Perhaps we should impose a stiff fine for trolling posts like yours?

  207. Re:Distributed RC5 at ISP by Firethorn · · Score: 1

    Different Case. The guy you're talking about shut off sendmail, a deliberate action on his part. Did it cause the major problems before or after he stopped sendmail?

    Firethorn

    --
    I don't read AC A human right
  208. Re:Max != Sentence, University Computer Cycle cost by Totally_Lost · · Score: 1

    Funny - I did it for a while as an undergrad - and we were very resourceful. Most schools I've visited make a buck go a long way - more than most places in industry.

  209. Max != Sentence, University Computer Cycle costs by Totally_Lost · · Score: 2

    Stated is the Max penalty for that class of crime, what he is really subject to is completely dependent on the Jury decision to 1st Convict, and 2nd Award. Research Computational Cycles charged to any project at a major university (or typical corporation by MIS dept) are fully burdened and ouch a bit. In this case I can well imagine that those resources could have been used by a paying research project had the machines been conscripted into a distributed cluster environment instead. Withholding the resources to boost personal stats is theft. Had he enrolled the stats under the school name a lot less could be said.

  210. little late? by Teflon+Coating · · Score: 1

    Why is it being brought up 2 years after the crime? Seems a bit odd that if it hurt them so bad, they would have fired him and sued him right away. Sounds like they're just looking for some money.

  211. You're pretty much SOL by SnapperHead · · Score: 1

    ok, maybe it's an insane amount of money to sue for. I don't think the bandwidth costs are nearly that much.

    BUT, you did use their computers without permission. If you had permission, this would not be happening. So, my friend, you're SOL. You should have thought about your family and life 2 years ago when you did this.

    BTW: This is not flame bait, this is seriously what I think. Please, don't mod me down for no apparent reason.


    --
    until (succeed) try { again(); }
  212. Re:Civil or Criminal? by Karl_Hungus · · Score: 1

    And the 59 cents a second claim is utter, utter CRAP.

    Yep. If they're in Georgia, they probably have to buy their bandwidth through these folks. Given the price of a T1 from them, it comes out to under $3/hr, which includes 1/12 of their annual charge. That comes out to about five cents per second.

  213. Don't just gripe... by Dan+Jagnow · · Score: 2

    Write and call. I am not a Georgia resident, so my voice may not have much weight. But I would encourage Slashdot readers who are Georgia residents to write to your state elected officials.

    The state of Georgia is prosecuting this guy, and the state can drop its case at any time. Your elected state officials are very sensitive to public opinion, and it's not like they have a lot to gain by seeing this poor fellow "brought to justice," so they may be perfectly willing to admit a mistake and walk away with minimal PR damage.

    Don't be rude, and make sure you double-check the facts first, but it might not hurt to suggest that some investigative reporter at a local television station might find the story interesting.

    Caveats:

    • IANAL
    • IANAGR (I am not a Georgia resident)
    • All I know about this story is what I've read on Slashdot. The state of Georgia might have some very interesting additional detail to add, so don't crucify them without asking for an explanation first. This is especially true since the story seems to be based purely on David McOwen's rendition.
    --
    The heart has reasons that reason does not understand. - Jacques Bènigne Bossuet
  214. Re:Burden of Proof: Show He *Wasn't* Authorized. by SubtleNuance · · Score: 2

    Not for security it doesn't. Security is a matter of knowing where every program on the machine came from, and knowing that no uncertified programs have even been run on the machine. It is solely a matter of trust...

    Spoken from the POV of the rule-rigid. Semantically you are flat-wrong. Why would you trust your Oracle ODBC driver or copy of winsock.dll more or less than Dnet? Dnet is as known and understood as either Oracle or M$ wares - what makes you sure there isn't some trojan code on one of your 'certified' binaries? Give me a break, Dnet only does what it reports - as much as anything else - and there is no reason to think otherwise. Your argument would have made sense in a universe where RC5 was Sub7 - in this one, the reality is, it is not.

    BTW, what 'certified' you to be the All Knowing Sage of Security? Your whole post is really in left field - do you have an MBA?

    To fully recover from a compromise, you'd have to replace them all. Would probably be cheaper to just scrap the equipment and buy new stuff

    Are you on drugs? A troll? These were commonly-available, general use computers - with accessible cases and (*gasp*) disk drives - do you think this is the control-room for a nuclear missile or an office computer? Your argument would have made sense barely in the former installation.

  215. Re:Burden of Proof: Show He *Wasn't* Authorized. by poot_rootbeer · · Score: 1
    It is my contention that his personal goals and the mission of his company were not in conflict

    It is my contention that you're a jackass. The duties of system administrators are to support computer systems, so that people can use them, not to participate in research (with the possible exception of research directly related to supporting the systems, e.g. setting up a dev box to test a new version of some software package).

    The fact that this guy had root on these boxes is irrelevant. The fact that this guy worked at an academic institution is irrelevant. Actually, most of the facts you bring up are irrelevant.

    Bottom Line: This guy used widespread company resources for a purpose not explicitly related to his job duties, and in doing so created a potential security violation. Does he deserve to be fined millions of dollars and spend the rest of his life in jail because of it? I would say no. But you seem to be stubbornly insisting that he did nothing wrong in the first place, and that is the basis of my contention that you're a jackass.

    -Poot

  216. Geez by WildBeast · · Score: 1

    Damn, well I understand he did something wrong but I really don't see how it could cost them $0.59/sec and 15 years in jail? Drug traffickers, drunk drivers, child abusers, etc. don't even spend half of that time in prison.

  217. Re:our legal system is messed up by WildBeast · · Score: 1

    I guess money is more important than human life.

  218. Re:Good. by sulli · · Score: 2

    Yeah, and you never read slashdot at work? Don't be so quick to jump on this guy, unless you are so scrupulous that you never use a work computer to send email to your girlfriend, book a plane flight home, or check the weather.

    --

    sulli
    RTFJ.
  219. Execute him by amanb · · Score: 1

    Only a few years in jail?
    He nearly committed the biggest crime of all times - with that much computing power, he could've almost converted pi to binary.

  220. Hmmm something is up by Billly+Gates · · Score: 1

    What he did was totally illegal and unethical but half a million and 15 years?

    If this was a private civil lawsuit even a half million is ridiculously expensive. Did the school really lose that much money from this evil hacking program out to destroy the world. Ohh the horror!

    Sometimes these school districts love power trips. I remember someone who almost got expelled for clicking the file menu when the teacher told him not to. It turns out she considered it hacking. Amazing that doing something without permission in an authoritative way is the same as ruining school property. His parents threatened to sue and he did receive any punishment after that. I hear all sorts of horror stories from school districts here on slashdot. I also remember reading stories of linux 2 years ago here on slashdot in which the interviewer asked several admins about it and the one from a school district mentioned that he would fire the individual and seek criminal charges???

    Anyway, back on topic I believe this individual has a good chance of appeal. I believe he does need to pay a fine or perhaps some minimal jail time for installing unauthorized programs, but what he is being nailed for is inappropriate. I bet the attorney general heard the words encryption and cracking and assumed he was trying to crack into their systems and ruin property. He probably did not really understand what RC5 is and what it's used for. The user also could have been charged as an example to scare students on why you should not hack or crack on school property.

  221. E911 accountant. by shumacher · · Score: 1
    According to the State of Georgia, one single Distributed.net client costs 59 cents per second in datatraffic.
    I've wondered what happened to the accountant at Bell that decided the stolen E911 documents were worth tens of thousands of dollars. Now I know.
  222. Re:Wow, I almost did that... by cooldev · · Score: 2

    Excessive, but not unwarranted.

    A few years ago, when I was in college, I stuck it to some idiot for doing the same thing (might have even been MD5). It's the one and only time I reported someone for abusing the systems (yes, I approached him nicely the first time). He was a regular undergrad running it on every available machine in the CS department. It was nice'd, but it still managed to peg the CPU and slow down interactive use on all the machines by quite a bit. Very annoying; nobody has the right to monopolize computer time on public systems at the expense of everyone else. Use your own.

  223. Some GA companies should worry by Rosco+P.+Coltrane · · Score: 2
    ... such as The Web Advantage located in Savannah. At 59c per email, they could find themselves in a multi-billion suit against the state in no time :-)

    Actually, come to think of it, I wonder why they sued the poor guy with his Distributed.net node instead of those mass-marketing digital ass-sores that have been clogging the Internet for so long.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Some GA companies should worry by GnuBeest · · Score: 1

      Because he was dumb enough not to know better. The problem with the mass-marketing spammers is that they KNOW it's illegal, and make every effort to tie up every loose end, stealing resources from wherever they can, then moving on to wherever else so they can start the whole cycle again. It's easier to catch a rabbit in your garden than to find him where he lives.

  224. Mod this up please. by Troodon · · Score: 1

    Given the number of posts querying the apparently excessive penalty; IMHO this is worth a few + mod points to clear the matter.

    --
    troodon.net
  225. A common court-room tactic... by Bahumat · · Score: 2

    The ridiculous amount of damages claimed is for a good reason (at least from the university's point of view). They know that they're not going to ever collect nor see that kind of penalty in place. But faced with that sort of claim, most lawyers advise their clients to bargain it way down... It's easier to win a court case claiming 2000$ damages against you than it is 500,000$. Dollars to donuts, you'll see this bumped WAY down to no jail time and (max) 20,000$ dollars fine, and most likely less than that. Bahumat

    --
    "To pass through the jungle; silence, courtesy, ferocity, as the occasion demands." -- Kamau, "Proper Passage"
  226. Mathematicians in Georgia by _ph1ux_ · · Score: 1

    ok let's assume a month has 30 days.

    let's assume a t1 costs 2K per month (used to be typical).

    here is the math:

    24 hours in a day.
    30 days a month.
    720 hours in a month.
    43200 minutes a month.
    2592000 seconds a month.

    (2000/2592000)= *NOT* .59c - i don't know exact figure... here is what calc gives out: 7.71604938271604938271604938271605e-4

    so - obviously these people are fscking lunatics.

    1. Re:Mathematicians in Georgia by iamblades · · Score: 1

      That would be .0007716$, or around .08 cents a second. I also think 2000 would be a bit steep for a T1, even 2 years ago... I wouldn't have paid more than 1500 for it.... and they are about 800 now.. :)

      --
      Shit adds up at the bottom...
  227. Re:Wow, I almost did that... by singe_69 · · Score: 1

    Some dumbass here (unspecified major computer company) decided that the seti@home setup for linux would work great on our x-terms and installed it on a buttload of them, it worked great, until the Unix admins here found out what was taking up all those cpu cycles on our mainframes............

    --
    "Laws are like sausages, it is best not to see them being made" Otto Von Bismarck
  228. Re:Burden of Proof: Show He *Wasn't* Authorized. by Deltan · · Score: 1

    Wow... You're a complete Ass! LOL

  229. Re:Don't tell owt legal security by Pravada · · Score: 1

    Japan has the death penalty.

    And you're not sorry. You're practically chortling with glee.

    --
    --- On the other hand, you have five fingers.
  230. Re:I say prosecute him. by 1ridium · · Score: 1

    It wasn't any one person's bandwidth in the first place. It was a computer lab not personal computers and if the user didn't know the program was running then maybe they should gain some intelligence before they try to use a computer.

    --
    Make it idiot-proof and someone will build a better idiot.
  231. Simple Solution by Auckerman · · Score: 5
    He should just "anonymously" report the State of GA to the BSA for piracy...

    The audit alone should cost a few million...

    --

    Burn Hollywood Burn
  232. Wow, I almost did that... by japhmi · · Score: 1

    I was going to install a bunch of that type of clients in a computer lab at a university. This seems a tad excessive, doesn't it?

    --
    "Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
    1. Re:Wow, I almost did that... by bellers · · Score: 3
      When I was the MIS at a public k-12 school in Missouri, I installed the SETI@home client on every desktop system in the district. It was a decision widely applauded by every single member of both the science and mathematics faculty. The math dept loved watching the FFT analysis, and the science dept loved the idea of looking for ETI. That said however, I think that this man is in a fundamentally different situation, which I will sum up here:

      #1: I registered a team that all completed work units in the District's name, so it was truly a public effort. My name was listed only as the coordinator.

      #2 (this is the damning one): SETI@home doesn't have a lucrative cash purse associated with it. The prosecution is going to contend that he is stealing CPU cycles hoping to win the jackpot. This directly ties into #1, because he's doing it in his own name.

      This case looks bad for him: almost as bad as those poor bastards who set up a whole LAN-full of All-Advantage clients, who meshed together the referring userids back and forth, and all ultimately led to the MIS's private mail account. He made a pretty little penny over that, and good thing too: he blew most of it on legal fees. This bloke is fooked.

      You are standing in an open field west of a white house, with a boarded front door.

      --
      This space for rent.
    2. Re:Wow, I almost did that... by fors · · Score: 2

      And you too could have found yourself fighting to stay out of jail. I'm sorry I don't have any sympathy for the guy. This is one of those common sense items that some people just can't comprehend. If you don't have permission to run this type of client on someone else's computers then you are guilty of theft of processing time and theft of the bandwidth. I don't care how good the cause is or whether you personally can gain any benefit from it. You have to cya by getting permission. You don't own the machines, the network, or pay for the bandwidth, so you don't have the right to decide to use them in any way that is not directly related to their purpose for being there.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
  233. A Similar Story comes to mind by Big+Nate · · Score: 2
    This isn't entirely new (but what is?). Virtually the same thing happened to a guy named Aaron Blosser a while back. He installed clients for the GIMPS Project (finds Mersenne primes) on computers at the company he worked for (as an NT Admin I think), US West. US West found out and fired him, but not before contacting the FBI, who pretty much put him through hell.

    This situation seems to be about the same, he basically did no harm (the GIMPS client is very well behaved, and I can't think that the Dnet would be much worse), but it basically boiled down to the fact that he didn't have permission. What seems to be different is that this guy is facing huge criminal charges, I don't recall that Aaron faced any jail time or fines, but was still slapped around by the FBI (mostly out of cluelessness) for a long time.

  234. I find it interesting by acceleriter · · Score: 2
    . . . that a state government is prepared to go after this former employee for "theft" of its computing resources while companies like Real and Netscape can use individuals' machines to spy on people without their consent, and barely suffer a legal scratch.

    That said, I hope and pray the thugs prosecuting this case are called out and shown to the public clearly for what they are. Or else we are all in serious danger.

    --

    CEE5210S The signal SIGHUP was received.

  235. Re:interesting stats by acceleriter · · Score: 2

    When they try to say he was competing for a $50,000 prize, it would be good for the defense to point out the expected value of his prize (as of that day) was $50,000/129,251, or approximately thirty-nine cents.

    --

    CEE5210S The signal SIGHUP was received.

  236. Re:interesting stats by acceleriter · · Score: 2

    Whoops. My bad. Make that $2,000/129,251, or approximately one and a half cents.

    --

    CEE5210S The signal SIGHUP was received.

  237. Re:the license by acceleriter · · Score: 2

    I hope you never use the bathroom at work, unless you don't mind being monitored. It's their resources and their time.

    --

    CEE5210S The signal SIGHUP was received.

  238. Re:I agree, but a felony? by nanoakron · · Score: 1

    Just what I like about the States - incredibly harsh penalties, right out of line with the rest of the western world.

    Because remember, it's been proven through 3000-odd years of history that locking people up for ages in response to their offence rehabilitates them REALLY effectively, AND deters others. NOT!

    Then again, I don't see how else the US could maintain such a diverse conglomeration of people without what I call the 'democratic equivalent of military rule' - summary justice, the right to revenge (death penalty includes a lot of this), harsh unwavering enforcement - except it's done by a judiciary rather than a military.

    I used to think liberalisation was bad, that it eroded society's 'moral framework', until I realised that in the moral world morals are totally subjective and irrelevant to government and the judiciary.

    -Nano.

  239. Bad Joke by nanoakron · · Score: 1

    Let's hope he never booked an airline ticket online or he'll have hell trying to get bail.

    "Yer honour, we have proof of the defendant repeatedly trying to flee the crimescene."

    hee hee.

    -Nano.

  240. Re:So? by Oswald · · Score: 1

    `where people think that the moon landings were fake, but that television wrestling is for real'

    Funny thing is, here in Georgia, we say this about the people in Alabama. I wonder, who do they tell 'stupid' jokes about in Poland?

    Seriously, I've lived here almost 30 years now (childhood in Pennsylvania), and I'm still appalled by the culture of insularity and ignorance that dominates in this part of the U.S.

  241. This smells like a hoax. by rf600r · · Score: 1

    Doesn't it?

    I mean, maybe it's not, but the language just reads like a lot of SPAM I receive.

  242. RE: Confirmation by Ska-Baby · · Score: 2

    Well, short of having any formal documents to confirm this guy's story, we can make a pretty good guess at this guy's truthfulness. First off, this guy's stats are through the roof for about a year and he is still at spot #94 for all time RC5 crackers. It would take quite a few p3's to crack as many blocks in 1999 as this guy did, at least 50-150. These stats drop drastically about after July 2000, which certainly supports his story about getting caught. Second, no one has come forward to refute his story. I'm sure that the email address which was posted that correlates to the RC5 stats is being flooded with email full of questions relating to the post. Third, the member in the forum who posted was of "member" status, not "junior" status, which gives more credibility to this being an actual fact rather than some dumb joke. Keep in mind that none of this is concrete evidence; it merely supports the story given to us.

  243. It's Real simple (pun intended) by whizzmo · · Score: 1

    Real Networks, Netscape, et al, have lots of $$ to throw at lawyers if need be. This poor schmuck doesn't (yet).

    Has anyone seen/heard of a legal defense fund yet? I only ask because this is a *Very Bad* precedent to set, and we /.ers should be doing our part to help him. Does he deserve a swift kick in the ass? Yes. Does he deserve 2x the amount of time in Prison that murderers get? Hell no.

    When an admin is not allowed to manage his/her network as they see fit, they are no longer an admin, but a technician.

    --
    nuclear presidential echelon assassination encryption virulent strain
    Whizzmo
  244. Well here goes my karma by bstrahm · · Score: 1
    I hate to say this, but did you own the machines that you were running the DNet client on? Did you have permission of the owners to run the DNet client?

    0.59 may sound like a lot, but how many machines are we talking about here? I used to run a distributed program on my laptop, but my wattage went from 15-30 Watts just by running the client. If enough machines are involved the electricity could easily eat up 0.59/sec. (15 watts X #machines gets large real fast)

    Moral of the story. DO NOT play with computers that you do not own, DO NOT play with computers that you are responsible for, but do not own, DO NOT play with computers that pass in front of you in an open lab... I imagine the state is asking for a large sum, but will settle out of court for much less, now will that article get /. ? I doubt it

  245. Don't tell owt legal security by Holger+Spielmann · · Score: 1
    • Lady burned her legs with hot coffee - 2 million $ (was at a McD*nalds shop)
    • Guy got lung cancer by voluntarily incorporating toxic substances (cigarettes) - 7 billion $
    • Ten year old boy got imprisoned for helping his sister doing pee-pee
    • You can always get jailed for having an old empty beer can in the back of your car, even if you're completely sober and it was left by your brother you picked up after a party
    • Foreigners who got charged aren't allowed to contact their embassies for legal assistance
    • You invented legal nonsense like software patents or the DMCA.
    • You are the last of the industrialized countries which still has the death penalty.
    • and now *this*
    Dear Americans,

    don't tell you're living in a country which is still a modern democracy. It ain't. From the European viewpoint, you're getting closer and closer to countries like China or Iran.
    Sorry I have to say this...
  246. rc5 output by flynt · · Score: 3

    here is the guy's rc5 output click

    1. Re:rc5 output by essdodson · · Score: 1
      Three years ago when I was a senior my county utilized what they called a 'dedicated' cable modem. Apparently we just had a cable modem connection and were the only node on that segment. The county had some deal with the local cable provider. They had VPN setup between schools and central offices. Keep in mind this was 3 years ago.

      Public colleges are connected to GA's Peachnet which I believe buys services from UUNet, our campus is attached via two T3 links. The three largest each have OC-3s from what I've heard.

      --
      scott
  247. Need more information... by spellcheckur · · Score: 5
    It's one thing to be an academician at the school installing software on a bunch of computers you have access to, it's quite another to be paid to configure computers for the institution and go about installing something you don't have permission to.

    The post is kind of vague as to how specific his job duties were, and if he was just doing a bad job at his position, or whether he was in violation of his described duties. I would imagine a state agency hiring a sysadmin/IT person, would put some clause in regarding malicious or unapproved software.

    .5M and 15y seems excessive, but it also looks like a criminal prosecution, so those are probably the maximum penalties for what he's been charged with. If convicted, I would imagine the real sentence would be much less.

    1. Re:Need more information... by cloudturtle · · Score: 1

      I think in all the discussion about the relative fairness of the proposed punishment something has been lost - these computers have been running with distributed net for TWO YEARS. I think any lawyer can mitigate most of Georgia's claims by bringing up Georgia's obligation to properly maintain their own property. If the information techs, computer techs, financial auditors, etc. didn't notice the wasted bandwidth - and d. net has an icon when it is running, meaning that it was not being kept out of plain sight - then the culpability is probably more on the state than the installation tech.

    2. Re:Need more information... by janpod66 · · Score: 2
      .5M and 15y seems excessive, but it also looks like a criminal prosecution, so those are probably the maximum penalties for what he's been charged with. If convicted, I would imagine the real sentence would be much less.

      Of course: it's legal blackmail. "Well, Mr. X, you can either sign a confession here and get probation and a $20k fine, or you can have your day in court and, regardless of whether you are guilty or not, we'll be able to confuse the jury enough to convict you and put you away for 15 years. Which will it be?"

      The ever spiralling maximum penalties in the US are achieving what they were designed to: they are reducing the court's work by getting people to plea bargain. The same principle is, of course, applied by courts in China, Central America, Turkey, except they usually still use somewhat cruder measures. The inquisition and the Salem witch trials were good at it, too.

    3. Re:Need more information... by jrp2 · · Score: 2

      Absolutely. Let's just hope he gets the "swift kick" he deserves, a few people learn their lesson and the world moves on. I am quite confident that a decent lawyer will get him an appropriately light sentence (small fine, maybe some "community service" and he apparently already lost his job). I assume the folks responsible for the prosecution are probably reasonably aware of what RC5 is by now and are mostly looking to get some buzz on the topic and put some fear in others considering the same thing.

      Now, I gotta go now, have to take down all those mirrors I got running on my employer's computers ;) Heh, heh. Just kidding, but I think most of us have crossed "the line" in the past, perhaps not as grossly though.

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
    4. Re:Need more information... by GnuBeest · · Score: 1

      Now I feel dumb. I hadn't realised this, either, although it doesn't change much in my mind. I'm not certain about the dollar amount, but many folks have stated that 15 years is the maximum under the statute he's apparently violating. He almost certainly doesn't deserve that (I'm not sure he deserves ANY time in the clink, poor bloke), but he broke the law, regardless.

    5. Re:Need more information... by GnuBeest · · Score: 1

      You raise a good point, but the difference is that, unlike the maintenance tools you mention, this is software that can be clearly proven (even to the layperson) NOT beneficial in ANY way to the operation of the systems in question, and can easily be deemed detrimental to the performance of said machines, all in the name of personal gain (that this personal gain is primarily of an educational and scientific nature is completely beside the point, even discounting any potential cash prize.) He was given a job to do, and this wasn't remotely part of it. It's akin to a government office being budgeted too much money to build a highway, so they use the remainder on strippers. (Okay, so it's an over-the-top analogy; work with me here.)

    6. Re:Need more information... by GnuBeest · · Score: 1

      This is a state-run public school we're talking about. They're not gonna be teaching cryptography or distributed computing in Mrs. Blaileen's 5th-grade geography class. It wouldn't matter if he were calculating Mersenne primes -- he used taxpayer resources for personal use. He meant no harm, his intentions were good, he shouldn't (and likely won't) get much more than a slap on the wrist (compared to the maximum penalties under the statute he's accused of violating), but he still broke the law, and he should have known better. He has my sympathy, but I'm not rushing out to contribute to his court costs.

  248. Re:Good. by mikethegeek · · Score: 2

    "Just explain them what the correct definition of hacking. Writing or altering sourcecode or system-settings e.g. programming. Cracking on the other hand is illegal. I'm a hacker, but I've never broken the law. I agree that he misused the means given to him but 500000$ and 15 years among hard criminals. Anyone should be able to see what's wrong. (Well obviously not lawyers, but then again ...)"

    Of course, educating the courts is the answer, but unfortunately, the courts are under NO obligation at all to listen to us. Keep in mind, most judges are older people, who didn't grow up with computers.

    When Gen X gets old enough to become politicos and judges (almost there), things may start to improve.

    --
    === The price of freedom is eternal vigilance
  249. Re:Good. by mikethegeek · · Score: 5

    "He will never get 15 years / $500000 in fines. He will however, go through hell defending himself and getting off with an appropriate punishment. He completely deserves it too. Using other peoples computers and bandwidth (regardless of how little they will be affected by it) for your own personal gain is just plain evil."

    Don't be too sure. Most judges know more about nuclear physics than they do about how computers and networks REALLY work.

    And pretty much ALL you have to do to fuck someone in the courts is to call them a "hacker". As 2600 found out in the DeCSS case. Doesn't matter what the merits of your defense are once that label is thrown out like red meat to the judge. Of course, having a corrupt and/or incompetent fool like Kaplan for a judge didn't help.

    --
    === The price of freedom is eternal vigilance
  250. Maybe he was wrong by kinaole · · Score: 1

    David, I hate to be one to go against the grain of popular opinion that this court case is all about a threat to personal freedom to use the internet and computers. The fact is, the computers and internet bandwidth belong(ed) to the State of Georgia. There are a lot of employers who have specific written policies about the use of their computers and internet service for employees' personal business or fun. If Georgia has such a policy in place, then David broke the rules. Granted, $.59/minute is probably well over the top; and I was once a heavy RC5 user myself. But the fact remains that David may well have violated your employer's rules regarding acceptable use of their property. I would:

    * Check to see what policies may have been published at the time of the violation(s).
    * Try to make the best deal with them possible if he was, in fact, 'out of bounds'

    aloha, dave price - davep@support-one.com - 303-378-9053

  251. Re:Slippery Slope by TGK · · Score: 2

    My understanding of the situation (flawed though it may be) is this. The entire point of these background clients is to use a small amount of bandwidth at long intervals and to use only unused processor cycles to perform calculations. Now then... if we assume this to be the case (if I'm wrong on this please ignore the rest of this comment) then the defendant has not used any significant amount of bandwidth that the prosecutor wasn't already paying for anyhow (broadband like this is a flat charge, not by the bit right?) and he's not taking processor cycles away from anything else right? So, really, how can they claim any monetary damages? It seems to me that this can be equated with raiding the shredder waste bins for paper scraps for making paper mache or something.

    This has been another useless post from....

    --
    Killfile(TGK)
    No trees were killed in the creation of this post. However, many electrons were inconvenienced.
  252. E-Rate's probably paying for the connection anyway by zerofoo · · Score: 1

    Look into this: E-rate was probably paying for the connection at the school anyway. If so; how can they try to recoup costs for something that they don't pay for! -ted

  253. What a dope! by zerofoo · · Score: 1

    Gee, maybe quake will run fast on our mission-critical servers.....what an idiot.

  254. Seti@former.employers by perlchimp · · Score: 1

    Maybe I should go back to some of the places I worked at and remove all the seti clients I left running. I left quite a few at a University that I worked for and I guess they could run for years.

    1. Re:Seti@former.employers by Dave+Luyten · · Score: 1

      Imho it is useless to install a few, several or in the worst case countless copies of a program on a computer network, if they are not administered. Software needs updates, people; 2-year old installations of d-net are effectively useless, burning CPU-time while their responses are rejected by the servers. If for no other reason, that's why you should obtain permission. So that when you leave for a better and brighter job :-) the software on your previous place of work gets regular updates & maintenance. It gets installed on all new (& powerful) PCs. It just becomes part of the standard software package. Plus you don't get sued.

  255. Re:Some point by Zeinfeld · · Score: 2
    That's my favorite line in your post. Can I quote you out of context elsewhere?

    Sure, just get the attribution right, that would be Barbara Bush.

    Feel free to send a copy to my parole officer.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  256. Re:Some point by Zeinfeld · · Score: 2
    The nature of the program is that it will prioritize itself down if other programs are in use.

    I would not rely on that as a defence argument. There are many academic programs that run in background mode to snarf up otherwise spare cycles. Physicists have lattice gauge calculations, Geant simulations, meteorology, there are lots of biologists with gene sequence data to crunch.

    Unfortunately most of those programs are also designed to have minimal impact on the other users of the machine. Just because a program is at a low machine priority does not mean it is not important to someone. The crack program will take cycles from other distributed applications.

    Probably the best approach is to turn the question around and assert that running batch jobs in spare CPU cycles is a standard academic practice and that a competent sysadmin should have the knowledge and experience to run such programs on their system.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  257. Some point by Zeinfeld · · Score: 4
    Unfortunately the costs may be justifiable. The term bandwidth is often used in the parallel processing community to refer to processor 'bandwidth' and not merely the network bandwidth folk are discussing. I could well imagine that with several hundred (thousand?) processors the costs could approach $0.59 per second.

    The problem with the 'background task' argument is that breaking RC5 is not necessarily the best use to which those cycles can be put.

    The issue of authorization is the weak point in the State case. Running a codebreaking program falls pretty squarely within the normal run of academic pursuits. The fact that a prize is offered does not necessarily mean that the enterprise is 'for profit'. All sorts of prizes are offered for academic research. In the case of the RSA cryptography challenge prizes they were started by Ron Rivest so that he did not have to spend half an hour reading each day about the latest factoring scheme people had thought up. Peter Trei later suggested to Jim Bidzos that there might be other challenges that would be somewhat more fun and relevant.

    Best chance of getting the case thrown out is likely to be demonstrating that running a crack program is considered acceptable academic behaviour at most universities.

    I don't see the terms of service giving the prosecution much help. They are so broad that they could be read to permit or prohibit practically any behavior. The defence get the benefit of the ambiguity, not as some slashdotters appear to believe the prosecution. Nobody is disputing that the guy was authorized to use the equipment, the issue is whether the specific use made was authorized. That is a very subjective question, hardly one that should be at the center of a criminal prosecution.

    The reason we had to start putting up the terms of service notices was that without them the courts would not even allow prosecutions of people who broke into computer systems to abuse them in the most malicious ways you can think of.

    Still the guy has only himself to blame, you go to live and work in a mickey mouse state that only gave up the swastika (oops sorry symbol of the slavers side in the civil war) on its state flag with great reluctance, you expect the type of legal system portrayed in Stir Crazy and My Cousin Vinny.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  258. lets work out how they get 59 cents per second by CTho9305 · · Score: 1

    that's a load of BS. let's work this out. My university's net connection is about $600k/year (I'm assuming $50k/mo for an OC3). that's ~$1650 per day. that's $69/hr. = ~$1 per minute. about 2c per second. If you factor in the increased power drawn by the CPU (let's say 10 watt-hours per hour), that is still WAY short of 59 cents per second

    1. Re:lets work out how they get 59 cents per second by CTho9305 · · Score: 1

      my point still stands though... 2c per second is enough to buy MAJOR bandwidth. that's assuming one client. what they're claiming is totally irrational

    2. Re:lets work out how they get 59 cents per second by CTho9305 · · Score: 1

      I doubt that more use of our bandwidth increases our costs. Most of our costs seem to come from a) physical maintenance and b) tech support. whether someone uses no bandwidth or is constantly sharing/downloading movies does not have much effect

  259. Re: Confirmation by CTho9305 · · Score: 1

    member is actually not a very high status though - it's the 2nd level, I believe.

  260. Georgia's secret plan- write off all IT expenses.. by paranormalized · · Score: 1
    as a charitable deduction! Think about it, if they get away w/ this ridiculous assessment of the expenses of running Distributed.net at $0.59/sec, what rate can they set for Seti@home or Folding@home? Then you simply set up clients in all your universities, claim it as a charitable expense, and then, before you know it, you're contributing multiple times more to a non-profit organization than you're spending on your whole IT infrastructure!

    Admittedly, you end up in a position of incredible hypocrisy, given that you've thrown a guy in jail for 15 years for something you're now implementing everywhere, but what the heck, evil overlords aren't above a little self-serving hypocrisy... If one man suffers so that you can write off a huge amount of expenses as charity, what difference does that make? We have one cool evil mastermind in the D.A.'s office in Georgia here folks..;)

    Well, maybe that's a little too far-fetched and Machiavellian an idea to actually originate from any gov. institution, outside of the intelligence agencies. But it brings up a wonderfully Machiavellian idea for a counter-suit if the fee is upheld...

    First, if you live in Georgia as head of an IT department, bring up the idea of charitable contributions via usage of comp. resources to one of your company lawyers and your CEO. Then, if the lawyer thinks the idea is a possible, your CEO gives assent to the idea, and if you're feeling generous to the world in general, go through the motions of filing paperwork and other legal expenses, and go to the work of installing/setting up actual clients. This first time around, make reasonable claims on actual expenses.

    After you've gotten the hard work out of the way, start claiming charitable contributions based on the results of the original lawsuit Georgia filed. You'll either get the fee assessment overthrown, in which case this McOwen guy can use your case results in an appeal of his case, or the fee assessment holds, and you get to save your company potentially millions in taxes at the end of the year! Either you get the good karma of helping a guy avoid cruel and unusual punishment, or you get a nice bonus from your company! Win-win situation all around, folks!

    All the fun of twisty-minded plans w/ the self-righteous glow of good works... is there any better combination?

    --

    -----
    IANASRP- I am not a self-referential phrase
    -----
    email: proprietary becomes free, org to com
  261. A few observations about campus computing by teambpsi · · Score: 2
    Having administered machines for several Universities prior to starting an ISP I hope the following observations to be interesting:

    1. Every professor running "SETI" should be included in this lawsuit

    2. Unless this guy was NUMBER ONE, their own network management would have sniffed this out long ago, which makes me wonder what is REALLY going on that they don't know about ;)

    3. The software in question isn't cloaked

    4. Unless he was the ONLY administrator even a junior admin (ie, another employee) would know about it

    5. Admins are in tight with the professors -- surely someone on staff knew and implicitly approved of this

    6. The state is frankly full of shit when it comes to bandwidth pricing and couldn't possibly legitimately price "per minute" rates for data -- that is ridiculous -- what are they on? Circuit-switched cellular?

    7. This is a school right? A learning institution? The bad PR alone will cost them more than they would ever hope to gain.

    Unless this guy locked all the passwords on the boxes it's ridiculous to think he is "ultimately responsible" for this. He had superiors (well, bosses anyway), and some form of peer review.

    Shit, just think of the number of vanilla installs of most Unices out there trying to pull down netnews, and worse, the ones that are succeeding

    I sure hope it's a hoax -- i'd hate to have to add Georgia to my "wish it would slide into the ocean" list ;)

    --

    Old age and treachery almost always overcome youth and skill.
  262. Meanwhile@the atty generals office. by AX.25 · · Score: 1

    Ga Attorney General: Whatya listening to Fred. Deputy Ga Atty General: Rush, this internet is cool. Ga Atty General: Yea, Rush is so right. Deputy Ga Atty General: I'm with ya.

    --
    What is pirate software? Software for inventory of stolen treasure?
  263. Georgia's computer piracy law. . .reminicing by fossils · · Score: 1
    Wow.. I remember when Georgia first implemented that law. If I remember correctly, the University of GA system (connecting all the schools) back then was a Cyber 740...All those ASCII based games, Talk, Forum.. sigh..

    I wonder what happened to a few of the first that were charged under that law.. If my faulty memory circuits are synapting correctly, LKO (Lord Kalvin of Otherwhen) and Gimli were basically facing the same threat. Although I think they were given an option out of prison time by going to work for the state to help keep the rest of the cybernauts from putting up our multiplayer Star Trek games..

    It's been years but it makes me wonder who else from that place and time are sitting around on /.
    Let's see...
    LKO, Gimli, Black Knight, Dr. Who, Corwin, Rigel, Lizzard, Shorty, Steve S., Pegasi, Karen ...
    sigh, too many years. Does anyone else (even from other areas) remember the FUGS (Forum User Gatherings)

  264. Linux nice value by ModemShark · · Score: 1

    Did you know that even the "nicest" linux processes, as the d.net client is, consume at least 10% of the processing time? I find that annoying.

    The reason is the lack of a real IDLE scheduling facility in the linux kernel. I have waited for this feature since I first ran the d.net client, but it never has been implemented.

    Hopefully this will happen sometime in the future. But until then, even the d.net client costs quite an amount of cpu resources.

  265. Re:To preempt all the "it's their equiptment" trol by TeraCo · · Score: 1
    I can't see any parallel between trespass and installing software on PC's that you don't have the right to. Sorry.

    --
    Not Meta-modding due to apathy.
  266. Duh ! by da5idnetlimit.com · · Score: 1

    Ok.

    Please charge me 50c a second.
    For my traffic.
    Please !!!

    Of course, you will provide the same service as my University, which is directly connected to RENATER-2, the Biggest European Link to the US, and is on the Gigabyte bandwidth site ?

    OK. 50c a second. We have a deal !!!

    Imagine the traffic for 400 PC used by students ?

    8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  267. Civil or Criminal? by The+Milky+Bar+Kid · · Score: 1

    Using other peoples computers and bandwidth (regardless of how little they will be affected by it) for your own personal gain is just plain evil.

    Personal gain? You mean distributed.net PAYS you for your computer time? Gee... all this uni bandwidth I'm not using, and I could be making money... Last time I checked, distributed.net didn't pay for processor time - so it was more of a charitable act than for personal gain.

    Does anyone have any idea whether this guy is being sued or charged? Because I can't see how he can be threatened with prison, unless he's charged with a criminal act. I can't see the criminal act here - he's used a lot of their resources, but he hasn't profited from it in any way, so it's not fraud. He presumably was given internet access as part of his job, so it's not theft. He's wasted a fair bit of the school's money, but unless you're a company director, I don't think that's considered a crime.

    And the 59 cents a second claim is utter, utter CRAP. I didn't think distributed.net was particularly bandwidth hungry - it just downloads keys. It's CPU hungry - which is why I took it off my computer (CPU hungry -> lousy FPS).

    --
    This post is about truth, beauty, freedom, and above all things, Karma
  268. Re:What if one has d.net running at an old job now by kidblast · · Score: 1

    I would recommend boxers. Some people like to go with briefs, but whatever you do stay away from those boxer-brief things. Never compromise!

  269. Re:bandwidth by Secret+Coward · · Score: 1

    So how much bandwidth does a typical RC5 client use? This is what half the people here want to know.

  270. Re:I agree, but a felony? by Tuonenkielo · · Score: 1

    I think the problems here are these: 1) distributed.net can also be configured to take the non-idling cycles. 2) Distributed.net offers money prizes. 3) He didn't have permission, pure and simple. Main problem probably is the money prizes, he used unauthorized computer time to have a chance making money. It's like someone loans your power tools to break into liquor store to rob the till.

  271. Re:Burden of Proof: Show He *Wasn't* Authorized. by Tyler-Durden255 · · Score: 1

    No, the prosecution intended to, has already and insists on continuing to do real harm to the system admin, his finances, his legal status, his emotional state and his reputation. They are far more guilty than the accused but they will argue that they shouldn't be blamed for doing their job while they will not extend the same provisions to the accused.

    I cannot see that the accused has caused any harm to the state of Georgia, its computers, finances, reputation or anyone in the state. The same cannot be said about the DA in this case.

  272. Re:Distributed RC5 at ISP by jdavidb · · Score: 1

    Is he in prison, or working for your stockbroker firm? (Or the hardware company?) (Or the University of Illinois?)

    For a good time, click here

    You're not by any chance sharing an Internet connection, are you? Just because you're limited to a single IP address doesn't mean you have to share userid's, too.

  273. Their calculations must be wrong. by blang · · Score: 2
    59 cents/s that's $59000 a day! Holy moly! If his rc5 clients could use that kind of bandwidth, he'd singlehandedly crack the 64 bit key challenge in a couple of days. The Uni should send him the power bill, too. That kind of key cracking must have consumed more electricity than the whole state of Georgia. Weather satellites would have been able to measure a distinct spike of ultrared coming from campus. Heck, I'm surprised the campus didn't blow up or melt.

    By overshooting with such an insane amount, the university will not have credibility in court. I bet even a demented old judge would be sharp enough to send these guys packing. Rc5 uses very little network bandwidth. A CPU needs several minutes to process a single key.

    He must have pissed someone off, or paranoid pointy-haired beancounters must have gone totally berserk at Georgia.

    I bet that if we calculated the dollar cost for the network bandwidth of his rc5 clients, it'll be around the average for a student's surfing budget. I bet my 2 pennies that a download of cnn's homepage including banner ads and graphics, consumes enough bandwidth to do a week's worth of rc5 transfers for a handful machines.

    --
    -- Another senseless waste of fine bytes.
  274. School Districts. by gooberguy · · Score: 1

    The school district I'm in seems to be utterly clueless. It took them 2 days to figure out that someone had turned off TCP/IP protocol on a bunch of the routers. They were bay networks POS things (just sending a blank UDP packet to them shut them down), and the sysadmin didn't seem to know how to type "enable ip base" (BTW, he should have looked at the logs and seen my telnet command "disable ip base")

    I think that school districts are both authoritative and ignorant. This makes them dangerous if you get caught.

    D/\ Gooberguy

    --


    Karma: Meh (Mostly from meh.)
  275. He isn't the only one... by LighthouseJ · · Score: 1

    I thought about installing the distributed.net clients on my school at the time, it was only 30 PCs, but still. I'm on the guy's side, it wasn't like he was using the Chemistry rooms to build bombs or anything, he's furthering security and privacy for everyone else. Plus, like other people have pointed out, the amount of bandwidth he used is so minuscule compared to all the porn people download at school. I say give him $415,000 and everyone give him a big round of applause.

    1. Re:He isn't the only one... by LighthouseJ · · Score: 1

      If you think RC5 and probably Seti@Home are little toys, then you belong on the same side as Georgia.

  276. Re:Good. by halftrack · · Score: 1

    Just explain to them the correct definition of hacking. Writing or altering source code or system settings, e.g. programming. Cracking, on the other hand, is illegal. I'm a hacker, but I've never broken the law. I agree that he misused the means given to him but 500000$ and 15 years among hard criminals. Anyone should be able to see what's wrong. (Well obviously not lawyers, but then again ...)

    --
    Look a monkey!
  277. Re:Good. by halftrack · · Score: 1

    I agree, but the state attorney, will probably have to try to educate them on technology to convince them that this misuse of trust is worth a 500.000$ fine and 15 years in jail. So the question will be: who's going to educate the obviously misinformed state attorney.

    --
    Look a monkey!
  278. high penalty by discogravy · · Score: 1

    the sad fact is that if he'd raped someone on campus, or stolen university property (like a computer) it would either get hushed up or he would have gotten a slap on the wrist.

    -d.
    --
    Slashdot: When News Breaks, We Give You The Pieces

  279. re: stolen 911 documents by xarc · · Score: 1
    They were 911 documents, stolen from Bellsouth. That was the whole Steven Jackson Games fiasco. Bellsouth said the document cost ~$80k, but then it was found they offered it to the public for $20. Here's more info:

    http://www.2600.com/secret/sj/sj-cyberlaw.html

    or Google for 911 Steven Jackson Games Bellsouth.

  280. Re:And at work, you use the phone for...? by aka-ed · · Score: 1
    Personal calls: Many employers forbid this, and it is their right to do so. And setting up the phones to automatically dial a local number whenever they are not in use will probably get you fired just about anywhere, even if it is toll-free, and even if it disconnects for incoming calls.

    Copy machine: Ask your boss's permission to reproduce your pr0n collection on the color copier sometime.

    Writing utensils, I'll give you that one. If you think that's analogous, though, I'll trade you my Bic for your workstation.

    I want to get drunk with Hoagy Carmichael and

    --
    I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
  281. Re:our legal system is messed up by aka-ed · · Score: 1
    The killer served 7 years, and prior to his conviction, was no doubt threatened with more severe penalties.

    Our bandwidth thief has not served any time, as yet, and is being threatened with maximum penalties; the dimensions of his crime are being amplified by inflated bandwidth costs and the duration (2 years) of his violation.

    I doubt if he will serve as much time as he is being threatened with; it's possible, and to be hoped, that he will not serve time at all.

    Sure, the legal system is messed up, but the comparisons you're making aren't really valid, at least not yet.

    Of course, John Sinclair *did* get 15 years for two joints...

    I want to get drunk with Hoagy Carmichael and

    --
    I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
  282. Re:interesting stats by aka-ed · · Score: 1
    Even on his best days - when he was contributing 2000 times as much bandwidth - his profit incentive was in the area of 30 bucks.

    Next time, he should try Publishers Clearing House.

    I want to get drunk with Hoagy Carmichael and

    --
    I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
  283. Re:And at work, you use the phone for...? by aka-ed · · Score: 1
    > jackbooted state thugs

    This is Georgia we're talking about. The appropriate cliche is "inbred rednecks" and they're usually barefoot. ;)

    Seriously, we are talking about 2 years of "personal phone calls" from every computer on the school network, and this guy was no longer working there when it was discovered (it's not even clear to me whether he was an actual employee, or a "contract worker"), so presumably it would've gone on indefinitely. The two don't really compare.

    I want to get drunk with Hoagy Carmichael and

    --
    I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
  284. Re:interesting stats by aka-ed · · Score: 2
    "The odds are 1 in 129,251 that this participant will find the key before anyone else does."

    So much for his chances in the geek lotto.

    I want to get drunk with Hoagy Carmichael and

    --
    I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07
  285. our legal system is messed up by josath · · Score: 2

    my aunt's friend was murdered, and the killer only served 7 years in jail. a guy steals otherwise wasted computer time and they want to give him 15 years? is this the same as killing two people or something? sometimes i just get fed up with the world.

    --
    sig? uhh, umm, ok
  286. Re:Sue this.. by GnuBeest · · Score: 1

    After all this time, I still get a giggle out of the torment that site draws from so many people. Their webmasters need to be sainted. Fortunately, most of my friends who I've sent to that site "get it", but it's still a gas to watch the folks who don't.

  287. Re:Sue this.. by GnuBeest · · Score: 1

    Just where did you see me say it was or wasn't? I was commenting on goat, not your post. Yes, it was in the wrong bleedin' end of the thread. Calm down, no one wants you to anonymously burst a vessel.

  288. Georgia Tech policy by Ramblin+Wreck · · Score: 2

    I'm a student at Georgia Tech and it was made pretty clear to us when we were registering and moving in to our dorms that use of the networks for personal profit was prohibited. In the Computer and Network Usage Policy it states that Computing facilities, services, and networks may not be used in connection with compensated outside work nor for the benefit of organizations not related to Georgia Tech. It goes on to discuss incidental use of the systems and networks but this does not sound incidental and because there was a prize offered I assume it would fall under compensated outside work.

  289. The actual RC5 packets are tiny by JeyKottalam · · Score: 1

    The actual RC5 packets are tiny. The few hundred bytes of data in them is enough for representing something like 2^23 keys (forgot exactly how many).

  290. This is a hoax by frankgxc · · Score: 2

    Slashdot has fallen for the oldest trick in the online scam book and has posted a story believable by only the most inexperienced net users. Why would he discredit himself by associating the email tax hoax with his story? Why would you need to say "This is not a rumor!" if you were talking about a true story.

    Don't let them turn the good of computers into something so terrible. If it was so terrible it should be taken away from the world and not prosecuting one individual. People were panicking about rumors of the Govt tacking on a 5 cent surcharge to supplement the Postal service because E-mail is taking away from their business and now the State of Georgia is saying E-mail costs 59 cents per second and this is not a rumor!

    Frank

  291. he's an ass but no murderer by pelorus · · Score: 1

    And you don't put people in jail for being asses. You make them president.

  292. the license by informed · · Score: 2

    I haven't run an RC5 client for about 2 years now, but if I remember correctly there was something in the license / terms of use / whatever that said you're not allowed to use it on computers you don't have permission to install it on.
    I assume they wouldn't be suing him if he'd asked whether he could install this and use their bandwidth. So he's got no one to blame but himself.

    It's like people at work that think they have a "right" to not have their email or web usage monitored. You're using someone else's resources, you have to follow their rules. If you don't like it, don't use it.

    --

  293. American Law and Penalties... by Thomas+M+Hughes · · Score: 1

    If you've ever paid attention to how the American Law system generally (not 100% of the time, but most of the time) works, it sort of goes like this.

    The State files a case against someone (or something), and they find every possible penalty they can lay on that person as possible. Generally, they do this to scare the crap out of the defendants to make them more willing to either settle out of court, or plea bargain to get a reduced sentence.

    However, many state legislatures have been getting ticked at the judicial system for behaving like this, so they've been writing up mandatory sentencing (Florida specifically has this sort of stuff in response to gun abuses).

    My guess is that this case is the prior. Usually, the judicial system doesn't do everything the state demands. The courts are (sort of) good about that.
    ---

  294. Slippery Slope by UserChrisCanter4 · · Score: 2

    You didn't ask your employer's permission to use your employer's computer for non-work-related activities.

    I would agree with you in the literal sense. Yes, of course he was using resources that he didn't have permission to use. However, stop and consider this from the perspective of your average Joe on the job.
    How many of us don't use our computers for non work related activities? Take /. for instance. Everyone who has their bosses' explicit permission to read and post to /. please raise their hands. I thought so. Or how about checking personal e-mail on your lunch break? Or checking out the (non geek) news sites during down-time?

    Fact of the matter is, this man is guilty, in a technical sense. But, if cases like this start to gain momentum, who knows how many companies we'll have suing their workers for non-work related internet usage.

    Chris Canter

  295. I say prosecute him. by evilpimpstar · · Score: 1

    He didn't have permission to use their bandwidth. He stole it. How would everyone here feel if someone wrote a program that would use our bandwidth/processor power without our consent? So what if he only used a small portion of their network, bandwidth, etc. They can charge whatever they want for their services. THEY OWN THEM! How much money would YOU want for your bandwidth? If someone was using my computer/bandwidth and possibly slowing down my work, I sure as hell would want some compensation.

    --
    you reap what you sow
  296. Re:Good. by sporkraper · · Score: 2

    Sorry if a strong opinion trips your internal troll alert. YHBT in that case.

    Anyway, if he wins the rc5 contest, he will get $2000 (or 1k if he is on a team...). Plus the increase in lateral penile dimensions coming from all of those keys he was crunching. Installing the client on a boatload of State owned computers to increase his keyrate and chances of finding the winning key is wrong. He does not own those computers and he had no business installing the client on them.

    Distributed.net has a clear policy that says that they will not tolerate this shit either. All of the keys cracked on those machines, as well as the ones cracked legitimately on his own machine will no longer be credited to him.

    You are right, however, in that he is not in the same category as kiddie porn freaks or pirates. He deserves a FAIR penalty which I think I said in my original post. (Checking back I see that I said appropriate).

    It's sad that I get branded a troll by people because my opinion is unpopular.

  297. Re:Burden of Proof: Show He *Wasn't* Authorized. by Gojira+Shipi-Taro · · Score: 1

    Disbarment would be appropriate.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  298. Re:I agree, but a felony? by Gojira+Shipi-Taro · · Score: 1

    this != embezzlement You == moron If it's idling, it costs you the same as if it's running something. If you can't comprehend that simple fact, PLEASE don't breed. Now if he was keeping computers switched on when he was told not to you might have a point. I'm guessing that's not the case though...

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  299. 'tis a sick world we live in :) by Faile · · Score: 1

    It's just like when you spot a fly buzzing annoyingly around the room doing nothing really and you still wanna smash it just for the sake of smashing, so grabbing your trusty doublebarreled friend you blast away both room, house and fly. Some people don't know when to stop...

    --
    Anataka suki desu. Itsumo. Itsumademo.
  300. offtopic: /. effect by theantix · · Score: 1

    heh... I love how d.net is so on-the-ball that they have already blocked access to the linked CGI. They know their bandwidth! =)

    --
    501 Not Implemented
  301. Clarification of 59 cents per second by dmcowen674 · · Score: 1

    My Attorney and I are overwhelmed by the public outpouring. I am obviously not a lawyer nor a writer. My Attorney advised me that the 59 cents per second is not totally an Internet connection charge but somehow all part of the restitution of damages they are seeking.

  302. How about... by No_Slacks · · Score: 1

    A public execution? Evil men (and women) like this David McOwen must be stopped at all costs.

  303. Georgia, $415,000, etc. by mcovingt · · Score: 1

    This does not quite make sense based on what I know about Georgia law and I am trying to verify the facts. We have a number of experts on computer law here and the case has attracted our attention. In general, contributing computer time to academic pursuits other than one's own is permitted or even encouraged, and while I can understand management saying "don't do it," I can't understand a prosecution or lawsuit for doing it. -- Michael Covington, University of Georgia

  304. Georgia State Law by lognimprd · · Score: 1

    Title 16-9-91 Title 16-9-92 Title 16-9-93

    This is a criminal case with the State of Georgia. Looking over these, I think he's in trouble. There is some truly scary language, like "victim expenditure" and "Such crime occurs at great cost to the public, since losses for each incident of computer crime tend to be far greater than the losses associated with each incident of other white collar crime;". It appears that legally the prosecution can ask for not only penalties, but also restitution for all of the cleanup expenses on the computers. It's also interesting to note that they are asking for the maximum penalty.