Slashdot Mirror
Georgia Sues RC5 User For $415,000
jeroenb writes: "David McOwen posted a message to the Anandtech forums saying the State of Georgia is prosecuting him for using their computers for RC5 while he was configurator of the computers at a school system 2 years ago. Apparantly they want him in jail for 15 years and have him pay almost half a million dollars! According to the State of Georgia, one single Distributed.net client costs 59 cents per second in datatraffic. "
First thing to do, find out how much bandwidth a dnet client uses to crack N keys, and deduce how much bandwidth was actually used. Then you can show what the actual bandwidth cost was, this will be a much smaller number than $400k. Then you need to find out what kind of contract they have to pay for the bandwidth. If it's unmetered, you can probably show that the effective cost of the usage was $0.00, as it certainly didn't use enough bandwidth to require a connection upgrade.
Secondly, you'll need an expert witness familiar with process scheduling to explain why the dnet client doesn't reduce the computing power of the machines, and thus there was no cost incurred by diminishing the value of the machines for their intended use.
Lastly, beg, borrow and steal enough money to pay for a truly talented lawyer. Hopefully with some luck, the prosecutor on this case will be making coffee for the rest of his life.
--
I am not a lawyer. I may once have thought to become one, but I have since been a technologist and a cryptographer. But I do not appreciate what Mr. McOwen is being accused of, and here are my thoughts on the matter:
====
To state that this case deserves to get thrown out of court -- with the prosecuting attorneys being reprimanded for falsifying financial figures to achieve a felony prosecution -- is not only a reasonable statement, it's possibly an obvious one. I have five arguments from which I draw these conclusions:
First, Mr. McOwen's terms of employment were easily open ended enough to consider this a valid use of network resources.
Second, University policy clearly granted Mr. McOwen permission to administer the machines as he saw fit, as long as he did so "fairly and in accordance with University policy."
Third, Mr. McOwen was acting in due diligence against billions of dollars in yearly national liability from a weak computer security environment.
Fourth, the Prosecution's numbers cannot be justified in any way, shape, or form.
Fifth, the very prosecution of this case creates a grave chilling effect against the ability for computer administrators to successfully maintain the systems they are charged with.
1) The exact job specifications of Mr. McOwen's employment were not and literally could not be set in stone; his basic task was to administer the systems according to the precepts of the site they were deployed. In this case, the site was an educational institution. Educational institutions, as opposed to even corporate workplaces, exist as nodes of "basic research" and "collaborative and non-profit volunteerism". Surely, it is not inconcievable that given the extraordinarily high degree of public works that universities are known for, that he might have come to the reasonable conclusion that installation of software that contributed to a public good (the global improvement of cryptographic quality) would be a fair extension of the mission of the university.
2) The University of Georgia's computer security policies, available at http://www.uga.edu/compsec/summary.html , clearly give Mr. McOwen wide latitude to administer systems however he saw fit. It states, "Those who administer computers and network facilities shall perform their duties fairly, in accordance with University policies." As this is the primary document describing University policies with respect to computer security, it stands by itself as a sufficient source of guidance for Mr. McOwen. Users are admonished that they "...shall take full responsibility for messages that they transmit through the University's computers and network facilities"; such responsibility refers specifically to "fraud, harassment, obscenity, and the like." Surely the analysis of simple numbers does not rise to the level of obscenity! There are admonitions against Trojan Horses and computer virii, yet both tools exist to procure access where none existed before--Mr. McOwen was granted his access legitimately. Indeed, the university specifically defines Trojan Horses in a detailed guide available at available at http://www.uga.edu/compsec/use.html : "A Trojan horse is a program with a hidden, destructive function, or a program designed to trick users into revealing confidential information such as passwords." There was nothing hidden about the RC5 code, and as for destructiveness, few would argue it is destructive to a computer to ask it to compute! Though there is a mention against "cracking", it is specifically in reference to the cracking of computers--Mr. McOwen was analyzing a code specifically authorized and designed to be analyzed. Even if he had been running a genuine system cracking utility, the detailed rules specifically authorize system administrators to do so. Mr. McOwen even actively complied with the requirement to give higher priority to users with more important work by running software that immediately yielded resources requested to any other software that requested them. Given the degree to which Mr. McOwen explicitly complied with university regulations, it is difficult to see the validity of this case.
3) Statistics have shown a multi billion dollar a year loss to the country from insufficient encryption and computer security systems. Such damage is often either concentrated or traced from machines with inadequate network security. University machines, almost always under-administered and very often forced to be publically accessable due to the academic requirements of students (one could not expect a place of higher learning to be as firewalled as the FBI!), often either directly experience financial damage or indirectly contribute to theoretical litigation expenses from being used as "jumping off points" for larger attacks. By contributing to the global awareness of the dangers of insufficient security, David expressed a degree of "due diligence" towards solving a problem the university was contributing to. Such due diligence constitutes a legitimate usage of system resources as a mitigating factor in any future litigation, much as active and genuine safety research mitigates against gross negligence in product liability circumstances.
4) No actual damage can be substantiated by the prosecution. The RC5 software, far from being heavy on network traffic, is a class of code known as "embarassingly parallelizable". In other words, the system consumes extraordinarily little network traffic for the amount of processing it does. Such processing is often done on systems with only intermittent modem connectivity; the university posessed a network connection several hundred times faster with permanent connectivity. It is beyond even the pale of conception that any communication from the RC5 system did, could have, or might have been predicted to cause any form of lesser service to any other network service. Indeed:
Suppose the school spent $200,000 on their internet connection yearly, for a single T1 interface capable of transfering one million, five hundred and fifty four thousand bits per second. Suppose the "damage" lasted over two years. This would place an upper cap of damages still at but $400K, and this would be presuming that the attack consumed the entire sum total of network resources. No such claim is being made. Lets assume that each transmission consisted of sixteen thousand bits every two days, and there were a hundred machines participating. These remain ballpark figures, but they're useful for illustrating the utter lack of direct damage. Over two years, those one hundred machines would exchange 584,000,000 bits.
This seems significant, until one realizes that the network as described posessed capacity to carry approximately 97,130,880,000,000 bits. The RC5 system, as it were, used up all of 0.0006% of the network capacity.
0.0006% of $400,000, incidentally, comes out to about $2.40.
5) Prosecution of Mr. McOwen would have a drastic chilling effect on the ability of computer administrators to do their work. When something as trivial as a pocket change's worth of network bandwidth can lead to felony prosecution, it becomes too risky to do much of anything. Mr. McOwen's judgement on the matter was trusted, and even if--in retrospect--management would have made separate selections, it's a questionable matter whether he could have fairly predicted that. His actions were questionable even as a offense worthy of termination, given the wide berth that system administrators require to be effective and the vast freedoms inherent in the academic environment. They'd be laughed out of any civil court in the country, and the fact that they've reached criminal court--at the felony level, which would deprive Mr. McOwen of his freedom, his voting rights, and even his ability to simply procure employment--is a grave insult.
This case should be thrown out of court, and the defendant's legal fees covered in full. Nobody should be allowed to abuse the power of the court in this manner.
Yours Truly,
Dan Kaminsky
Certified Information Systems Security Professional
For the support of the organization, not for his own personal amusement, and most assuredly *not* for an effort to win him a prize.
:-)
It is my contention that his personal goals and the mission of his company were not in conflict, and furthermore the odds of him actually winning the prize, remote enough(even with whatever rank he managed to achieve), the prize small enough, and the actual distribution of that profit distributed enough that for all intents and purposes the value of that prize goes to zero.
In terms of the prize itself, his probabilistic share probably didn't add up to the price of a can of Mountain Dew. That's a Red Herring and you know it.
That a university is publicly oriented does not give its employees license to do whatever they think is in the public interest. A university is a corporation, just like any other, and the use of its resources must be approved by management.
First of all, you're wrong. A university is not a standard corporation any more than a political party is, particularly not a university established as a branch of the government! The explicitly avowed dedication to academic freedom means a hell of alot.
Second, I haven't seen a single shred of evidence to state that he himself didn't have the discretionary authority to decide to run this software. Administrators were exhorted to behave in a manner compatible with the values of the university; as I noted, the RC5 system was extraordinarily compatible with the values as they were laid down, down to relinquishing CPU upon request.
In fact, if one examines the documents linked in the previous post in depth, one finds an extraordinary amount of power given to system administrators -- so much, in fact, that "management" sees the need to specifically warn administrators not to be overly or overtly malicious towards students. This seems to me an implication that sysadmins had an extraordinary amount of autonomy over the systems they deployed.
Whether or not you feel this is a good thing for management or even a professional thing for Mr. McOwen, the implication that the systems were under his discretionary control is quite clearly there.
He wasn't a consultant, sigwinch. He was one of the operators.
Incidentally -- these machines were going for some time, with no complaints being rendered for quite some time. This means a couple things:
1) Other admins who noticed either approved, yielded to McOwen's discretionary authority, or were able to remove it themselves. Any way you slice it, the time he was granted helps, not hurts his position. (By contrast, a genuine attack usually *hurts* a network, causing reasonably quick corrections.)
2) Management either approved, or itself issued little low-level discretionary authority. In other words, management ordered the sysadmins to keep things running. If the sysadmins extracted more value from the sunk costs, and it was (reasonably) within the mission of the university -- so be it.
Unreviewed, untested, warranty-less binaries that engage in continuous communication with remote servers are a serious security threat, as well as a threat to the integrity of the machines.
Yeah, welcome to Winamp, Windows Media Player, RealPlayer, Yahoo Messenger, and Windows itself.
Give be a break. The majority of university networks are so riddled with out of date daemons and unfirewalled ports it's ludicrous to suggest a single daemon with no known polling vulnerabilities is going to outweigh it. (By contrast, simply spoofing Winamp's update page is enough to destroy it.)
And what the fuck does that have to do with this discussion? The question is whether he had permission, not whether he would have had a good justification if he had asked for permission.
The question is if he had to ask. My point is that the burden is on the university to show he actually did need to ask, because he was clearly acting within the bounds laid out in the rules the school made public in a position that demands a large amount of autonomy.
Remember, that you would have made a different choice is irrelevant; the question is whether he had the right to make such a choice. In my mind, the fact that so much time passed between his use of university resources and his eventual shutdown means that quite a few people knew of this incident and one person elected to express discretionary priveledge and can him. That's fine--it happens--but you don't send someone to jail for it.
And even if that was our discussion, brute-force cracking RC5 is a stunt. It doesn't do a damn thing for security.
Silly. You have no idea how much Cracking DES did, do you? Do you have any idea how significant the EFF's DES Cracking book was in making sure AES happened, and in forcing 3DES to be the standard of the day?
Do you understand how recent it was that the federal government was saying it would take a foreign government inordinate and unrealistic amounts of time and money to crack even one DES key?
Do you realize how many algorithms, *today*, still depend on 40 bit RC4? Most SSL sites -- that travesty that is 802.11 WEP -- the garbage is everywhere.
Are you an idiot? Do you know nothing about computers?
Ask this again two weeks from now.
Diligent recovery from this compromise would involve...
a lot of things that didn't happen. At all. Even in the slightest.
You can't charge for damages that didn't occur. It's like filing a suit for your own wrongful death because somebody coughed next to you and they might have had TB--first of all, you ain't dead, second of all, they didn't have it!
Competent professionals help the client accomplish their mission. If they have ideas for new mission objectives, or even for cool charitable projects that don't really accomplish much, they discuss it with the boss. They *don't* run off and reconfigure hundreds of pieces of high tech equipment for their own whimsy.
I claim this did help with the mission, and that it was reasonable for McOwen to believe this was within his assigned powers. If his interpretation was at odds with that of the administration, perhaps he deserved to lose his job -- but this doesn't even pass the giggle test for felony hacking. They were HIS BOXES. He had a legitimate accounts, probably even root accounts and did things that were *arguably* legitimate.
Sysadmins *never* have the right to turn hundreds of the institution's machines into zombies for their own pet projects.
Oddly enough, who do you go to if you have a project that could really use a few hundred machines? You go to management, they look at you funny and tell you to go to the guru to decide whether or not to do it.
In most places with vast amounts of computing resources, there's usually a sysadmin at the top of the pile choosing what goes where--and if there's nobody on top of everything, like there aren't at most understaffed universities, everyone who has legitimate acccess is expected to legitimately use it--however they see fit, as long as they follow the rules.
Hardly. It's vandalism, plain and simple. The alterations he performed obviously had no relevance to the organization's mission, they had a potential serious deleterious impact on the mission, and he deliberately chose not to ask permission when doing so would have required little time or effort.
I provided extensive documentation showing the compatibility of this project to the university mission. I don't need to show it's absolutely correct -- merely that it's plausible.
Whatever deleterious effect you mention *didn't happen*, and as far as I can tell hasn't *ever* happened. Complete lack of precedent for a deleterious effect has an effect in a courtroom, you know.
The law is the least of his problems. Not only did he recklessly fuck over hundreds of his client's machines, he whined about the client's consternation on the Internet.
If the prospect of a decade of prison rape wouldn't make you run screaming like a horror movie prom queen into whatever abandoned warehouse of an online forum you could find -- you're a stronger man than I.
For the rest of his life, any time a prospective employer does a web search on him this story will show up in all its tawdry glory.
Oh, this is much better than a felony conviction. It don't say, "Have you ever been mentioned on Slashdot" on the employment forms, you know
I propose a new phrase for the Internet lexicon: "Pulling a David McOwen". It will be the Darwin Award of Career Limiting Moves.
Heh. Doctors play God, admins play BOFH. Both make mistakes, but the latter almost never kills anyone. Strip root, maybe. Strip down, though? For "hacking" his own machines?
He ran rc5, not rm -rf. He used computers to compute, not to destroy. He yielded processor when needed, rather than hog it to the exclusion of all others.
Felony hacking my ass, and *everybody* knows it.
I do feel for the prosecutor, though. I don't think he realizes how badly he's being used.
--Dan
www.doxpara.com
However, part of the subpoena restricts us from commenting on the details of pending litigation. Especially since we do not know the details or circumstances of the alleged activity, we do not want to do anything which would endanger either party's position in this case. We trust that the community understands our position in this matter.
In the more general sense, not commenting at all on the specifics of this case, it is never a good idea to run the distributed.net client software on computers you don't own or administrate. In the four years or so that we've been in operation we've been dragged in to a handful of situations where people have lost their jobs, positions, and scholarships by thinking that forgiveness would be easier to obtain than permission. Nobody, especially distributed.net, wants to see this happen.
It's important to keep in mind that the literal resource consumption of the client (which is as close to "zero" as can be) is often not the only factor important to a business. The existence of prize money with the RC5-64 project is discomforting to many organizations. One tactic which has proven to be very effective is to provide an affidavit that you will donate any winnings to a charity if a client you installed on a company or university machine finds the winning key. In many cases, this has been key to a participant receiving permission to run the client on non-owned resources.
Another frequent stumbling block is with service and support contracts which prohibit non-certified software running on workstations or servers. Your university or employer may risk losing support on their equipment if software is installed that hasn't been explicitly mentioned in the support agreements.
The bottom line is, always get permission first. It might not be as difficult to get permission as you think. And if you can't get permission, don't install the client.
We hope for a speedy and just resolution to this case, whatever that outcome should be, and that we never have to be involved in another one.
The penalty *IS* the point. This proposed penalty is not just "a little steep". At face value, this easily appears to be cruel and unusual punishment. 15 years in jail? Give me a break. When drunk drivers who put *lives* at risk don't get that sort of time, much less financial penalty, (especially on a first offense!), this becomes an abuse of the law and of law enforcement.
59 cents per *second* in data traffic? for RC5? WHOA..
.25/hour, .004/minute, and even less per SECOND. And I get a lot of use out of my machine, other than cracking RC5.
I run RC5. It runs 24/7. Let's figure it out:
1500 for the system (homebuilt)(let's say 3 year lifespan, that's 500/year, or about $42/month.. I paid cash for the components)
my *total* electicity bill: 80/month
ISP + cable TV: 60/month
So, that's $182/month, a bit over $6/day in a 30 day month,
Anyone remember when the h(cr)acker stole some AT&T documents (was that Mitnick?) and AT&T priced the documents at something like half a million bucks (although it was listed in their document catalog for like $30)?
So, basically, the "cost" they incurred is bullshit, the jail time is fucking ridiculous (we can't even keep murderers in jail that long), god I'm sick of shit like this.
Yes, they weren't his computers. He should be fired. However, the fine and proposed sentence time is a gross misrepresentation of justice. Can't the State of Georgia go arrest some of them child pornographers the Government keeps talking about instead?
If you were me, you'd be good lookin'. - six string samurai
First Law of Slashdot: Every extreme example must be countered by an equally-extreme counterexample.
*sigh* Of course not. Clearly every employer who doesn't have their heads shoved up their own arse -- and even some that do -- recognize that some company time/resources will be lost for purposes of morale. Reading slashdot is like setting aside part of an unused cubicle for a small fridge and a coffee machine, or getting a phone call from the SO to remind you to pick up milk on the way home. No, they aren't strictly work activites, and no, they don't bring in immediate revenue (or whatever).
(The number of people who like to point this out every time the topic comes up disturbs me. What's required is good judgement. My boss doesn't care if I use the web to look up movie times for that evening, but running my own MP3 streaming radio station from my office would be out of line.)
And I repeat: yes, I agree the penalty is too steep. I just don't think the guy should get off scot-free in the name of science.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Track down a copy of the acceptable use policies from the time you worked there and see if they prohibit the installation of unauthorized software. Also, did anyone help you do this and was your supervisor aware of this? You need to start tracking down other employees that you may have told about this. You need to show that it wasn't against their internal policies or that it wasn't kept a secret from the rest of the organization.
People who bite the hand that feeds them usually lick the boot that kicks them
From the horse's mouth:
His apps ran in the background, but consumed so much CPU time that the entire directory assistance system slowed down to the point where it was unusable.
Nope. Actually the directory assistance system was slow before Blosser installed the software and after the software was removed; US West simply decided to use him as a scapegoat for their problems.
That's how he was discovered, the 411 system crashed, and sysadmins traced the apps back to him.
Again, no. The software was detected (by the network people who hadn't already given permission for it) when they suddenly noticed lots of traffic to entropia.com going through their proxy servers.
Tarsnap: Online backups for the truly paranoid
What would be the proper way for that person to cover his/her ass?
Karma: Bored. (Thinking about resurrecting the "Anyone else is an imposter" joke.)
The lawyer has an AOL email account? If that's true, this David guy should be thrown in jail for choosing such a lawyer to defend a computer related case, but some how, I don't think it smells quite right. Troll? Has anybody tried emailing the State of Georgia people in question? Maybe the State of Georgia courts to see if such a case has been filed?
Vintage computer games and RPG books available. Email me if you're interested.
This is the typical reaction I would expect from Slashdot.
/was/ fired for this. That would be the typical employer reaction. The problem here is that Georgia's Attorney General's office obviously knows nothing of computers or technology. Im sure that whomever is prosecuting this case was presented with the facts in a manner that would portray David McOwen as a 'hacker.' (He put a virus on your computers that cracks encryption!). Needless to say, however, this did not hurt the school district in the slightest. Noone noticed for 2 years. That says something about just how transparent Distributed.net clients are.
///precedent///.
Okay, so maybe the penalty is a little steep
Yeah, maybe. Even if you assume they bought 200 computers for 1500$ each, he was using a full T1's worth of bandwith and that the computers in qestion are all now broken beyond repair, the fine alone still outweighs the cost to purchase completely new computers. This is without mention of the prison term. Regardless of whether or not he's sentenced to that term - or even convicted - the danger here is the precedent that this sets.
You didn't ask your employer's permission to use your employer's computer for non-work-related activities.
Nor did you, I suspect, when you posted to Slashdot last week Thursday, Tuesday, and Monday. We all use our work computers for non-work-related activities. We all don't goto prison for it.
He
The danger is in the
signature smigmature
- James
While I can't find anything yet on the website for the State of Georgia AUP or TOS, I do know that most govt agencies have you sign a form wherein you acknowledge that they can put you in the pen. and fine you oodles of dollars for theft and such. Well, unless the poster had WRITTEN and SIGNED approval to install RC5, he is probably in for a world of hurt.
Text of subject's post from Anandtech is pasted below:
This is David McOwen, dmcowen674@aol.com. I need everyone's help that possibly can. I worked at a school system 2 years ago that is part of the State of Georgia and was the configurator of the computers. They are now prosecuting me for Felony conviction with up to 15 yrs in prison and wanting $ 415,000. They are saying the Dnet client costs 59 cents per second for the Internet transmissions! If you or you know anyone that can help please contact my lawyer Mr. David Joyner at cdjoyner66@aol.com , phone number of the Law Firm 770-564-1600 . Beside my life and my family, the future of all that use the Internet and computers is at stake. Don't let them turn the good of computers into something so terrible. If it was so terrible it should be taken away from the world and not prosecuting one individual. People were panicking about rumors of the Govt tacking on a 5 cent surchange to supplement the Postal service because E-mail is taking away from their business and now the State of Georgia is saying E-mail costs 59 cents per second and this is not a rumor!
Also we need to know if anyone in the United States or the world has been prosecuted for this. We need to know for sure that they are setting this dangerous precedent, making me an example and everyone is next. They did not give me an opportunity to just turn the client off, they also said that there was no harm done after they turned it off. How can they call it a felony then and looking for nearly half a million dollars! Please help in any way that you can, whether by E-mails or any other support.
Thank you
mrgoat
'Hail Eris, baby, hail Eris...pfffffffttt.' *cough* 'Yeah.'
Any browser that show the ALT text when the pointer is hovered over images will show you that he registered on AT forums in Oct '99 when they were created. Also, read the thread. One member named Russ has already contacted the attorney's office and has offered help. In case you didn't know, Russ is the maintainer of the TA Cube account, which is seventh overall in in the RC5 contest. Russ is very involved in RC5, and I would assume he knows what he's talking about. Finally, read the guy's RC5 stats. Note that he's 94th overall but his current keyrate is only about 1000 kkeys/s compared to his overall of over 55,000. The PCs he lost are probably the ones he's being sued over. I don't think this is a hoax at all.
Of course, even if Georgia is getting terrible rates on bandwidth, say $20/GB, he'd have to be using 29MB/second to be costing them that much. I'm pretty sure that no d.net configuration could possibly use up that much bandwidth.
That's the "enhanced" version of the dnet client that cracks RC5 and mirrors cdrom.com as well.
The audit alone should cost a few million...
Burn Hollywood Burn
As far as I can tell, that statement only exists in the /. writeup on this story. In the message on the bulletin board that started this, he only says that they claimed that d.net was costing them 59 cents/second. No mention of how many clients he was running (being the "configurator of the computers" he must have had access to more than one machine :)
And further down that thread, someone responds to him:
"Wow, you were outputing over 60k/day at peak time. That's around 400-600 P2-300's power, 2 years ago"
I can't remember what a reasonable RC5 rate is anymore, but that doesn't sound like the output of a single client, even if that estimate is outdated by two years.
Of course, even if Georgia is getting terrible rates on bandwidth, say $20/GB, he'd have to be using 29MB/second to be costing them that much. I'm pretty sure that no d.net configuration could possibly use up that much bandwidth.
Living better through chemicals
The post is kind of vague as to how specific his job duties were, and if he was just doing a bad job at his position, or whether he was in violation of his described duties. I would imagine a state agency hiring a sysadmin/IT person, would put some clause in regarding malicious or unapproved software.
"So where do I go to sue the fuckers that spam me and cost *me* money. I am not a state, I'm a frickin' person. There's probably millions of dollars used in downloading spam (at least in Ireland with pay per minute Internet which is your only option really). A win in this case could be dangerous precedent for Universities that have large bandwidth with SETI clients and so on. Sort of like Napster as well (can't remember the links though when those Unviersities banned it)."
Very interesing suggestion, as what this guy is accused of is more or less what spammers do, especially the ones who exploit open relays.
Maybe if we started calling spammers "hackers" the courts would start assfucking them like they do to anyone who gets branded with that name.
I believe this guy deserves to be punished, but what he did was at WORST a misdemenor. He deserves at worst a fine and/or community service.
The fine and punishment the prosecutors are going for are TOTALLY out of porportion to the crime. There are drug dealers and people guilty of VIOLENT crimes like assault who get FAR less.
=== The price of freedom is eternal vigilance
"He will never get 15 years / $500000 in fines. He will however, go through hell defending himself and getting off with an approprate punishment. He completely deserves it too. Using other peoples computers and bandwidth (reguardless of how little they will be affected by it) for your own personal gain is just plain evil."
Don't be too sure. Most judges know more about nuclear physics than they do about how computers and networks REALLY work.
And pretty much ALL you have to do to fuck someone in the courts is to call them a "hacker". As 2600 found out in the DeCSS case. Doesn't matter what the merits of your defense are once that label is thrown out like red meat to the judge. Of course, having a corrupt and/or incompetent fool like Kaplan for a judge didn't help.
=== The price of freedom is eternal vigilance
The problem with the 'background task' argument is that breaking RC5 is not necessarily the best use to which those cycles can be put.
The issue of authorization is the weak point in the State case. Running a codebreaking program falls pretty squarely within the normal run of academic persuits. The fact that a prize is offered does not necessarily mean that the enterprise is 'for profit'. All sorts of prizes are offered for academic research. In the case of the RSA cryptography challenge prises they were started by Ron Rivest so that he did not have to spend half an hour reading each day about the latest factoring scheme people had thought up. Peter Trei later suggested to Jim Bizdos that there might be other challenges that would be somewhat more fun and relevant.
Best chance of getting the case thrown out is likely to be demonstrating a that running a crack program is considered acceptable academic behaviour at most universities.
I don't see the terms of service giving the prosecution much help. They are so broad that they could be read to permit or prohibit practically any behavior. The defence get the benefit of the ambiguity, not as some slashdotters appear to believe the prosecution. Nobody is disputing that the guy was authorized to use the equipment, the issue is whether the specific use made was authorized. That is a very subjective question, hardly one that should be at the center of a criminal prosecution.
The reason we had to start putting up the terms of service notices was that without them the courts would not even allow prosecutions of people who broke into computer systems to abuse them in the most malicious ways you can think of.
Still the guy has only himself to blame, you go to live and work in a mickey mouse state that only gave up the swastika (oops sorry symbol of the slavers side in the civil war) on its state flag with great reluctance, you expect the type of legal system portrayed in Stir Crazy and My Cousin Vinny.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/