Slashdot Mirror


Oregon Supreme Court Declines To Hear Schwartz Case

merlyn writes "The Oregon Supreme Court declined to hear my case, leaving standing the unfavorable decision of the Oregon Appeals Court as the final authority on this eight-year-long case, well known to many sysadmins and Perl hackers alike. Details at my fors-announce posting." If you're not sure what that means, you probably want to read at least this site, which offers a straightforwardly partisan look at the complicated case of Intel vs. Schwartz, as well as Schwartz's own page; it's a strange world where programmers and sysadmins can be convicted for seemingly innocent activities.

14 of 327 comments

  1. What is the case about? by alen · · Score: 2, Insightful

    What exactly was he charged with doing? While I'm not familiar with the case I know that as an employee you are paid to perform certain services for your employer and to respect their property. The employer and the law draw the line in the sand and an employee should keep any experimentation not having to do with work onto their home network. I would personally get written permission before doing anything that can be construed as illegal or suspect on my employer's network.

    1. Re:What is the case about? by YU+Nicks+NE+Way · · Score: 5, Insightful

      There's a good summary at the SANS Institute site. Schwartz did three different things: (1) installed a backdoor in a firewall, (2) did an unauthorized password scan, and (3) used one of the passwords he obtained through this scan to log into a system to which he should have had no access. He then copied the /etc/passwd file off that last machine, apparently to run an attack against it, as well.

      Even a cursory review of the documents in the case makes it clear that he wasn't framed, that he actually did the things he was charged with, and that at least one of the activities with which he was charged was not only unauthorized, but had been explicitly forbidden by his managers. He had been ordered to take his gateway down at one point. He did so, waited a few days, and then brought an equivalent service up on the same machine under a different name. (See this site for some more details.)

      In my opinion, what he did was certainly grounds for dismissal, and almost certainly technically criminal. That said, I think the district attorney was unwise to pursue the case against Schwartz, since the damage done to his reputation just on the basis of what is clearly the case would have been punishment enough. Even without the convictions, no major site will ever touch him again: security geeks are dangerous, and the last one you need is one that won't obey the policies about what he or she may attack at any given time.

    2. Re:What is the case about? by Anonymous Coward · · Score: 1, Insightful

      I couldn't agree more - I sent an email to the perl bot mentioned on his site... and read the entire response expecting to find something that would paint him as a victim. By the end of the article... no such luck.

      Running a password cracker for 6 - 8 days?!?! against the same password file!! What exactly is *not* absolutely blatant disregard and overstepping of his authority as a system administrator? While poor password selection can never be understated as an urgent, legitimate threat against any networked system of computers... that does not mean that you have the authority to independently crack the password file.

      The earlier warning regarding the unauthorized backdoor in the firewall should easily be grounds for termination.

      One of the linked sites had some excellent discussion about the importance of programmer and/or system administrator integrity... and the real interest that current programmers have in upholding this integrity.

      A system administrator is *not* a glorified hacker! The position carries with it much greater moral and ethical responsibility... and the fact that you *are* capable of crippling breaches of security and the like... is all the reason to enforce this omnipotence with very little tolerance for these cavalier stunts.

      Of course the public *is* regularly overzealous about hacker (cracker) stereotypes in the media... but 'computer crime' is not a careless catch-phrase. There seems to be a common fantasy that somehow you get some kind of extra safety umbrella when you throw 'computer' in front of crime.

      You might land a foot in system administration due to your apparent 'abilities' before you're hired... but that doesn't mean the network is your playground once you are given real responsibility.

  2. and since when is... by Anonymous Coward · · Score: 5, Insightful

    ...cracking passwords an innocent activity?

    You know... most everyone I know who has followed the case seems to agree that the only reason you got in trouble to begin with was because of your inability (some call it emotional ignorance) to communicate properly with the admins within Intel.

    Still, all in all, I believe you've managed to do well for yourself. Written a couple of books, entrenched in the perl community, regular magazine article contributor, etc. You should feel lucky that you did not do any time in "pound you in the ass" Club Fed. You *should not* feel that somehow it's your god given right to have this little blight on your history removed (and to be honest, do you know *anyone* of any note or repute that doesn't have a bit of notorious past?).

    So, just get over it, continue to pay off your legal bills (and that's really what this appeal is about, right?) and get on with your life.

  3. The law is too broad, but Randall should have... by hillct · · Score: 2, Insightful

    Certainly the law is far too broad, but this is merely a side effect of the drafters not having any idea how it might be applied. I wouldn't go so far as to say the drafters had no technical knowledge (because I have no idea if they did) but certainly they had only a vague idea of what specific crimes that cover within the legislation.

    That said, Randall should have been more careful and Intel should have acted more wisely. Certainly a contractor messing with a client's password file without security consulting requiring 'complete network access and authority to alter' should have such things explicitly spelled out in his contract. It is truly disappointing though, to see that the appeals court will have the final say in this matter.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line

  4. Don't do anything without written permission by mttlg · · Score: 5, Insightful

    Ok, so in Oregon it is a crime to "unlawfully, knowingly and without authorization alter a computer and computer network." The obvious solution here (for people working on computer networks in Oregon) is to obtain written permission from the appropriate authorities before altering a computer and/or computer network. Print up forms with the full text of the appropriate laws and give them to the appropriate people. Whenever you need to do anything, request permission in writing. If they complain, have them provide authorization in writing for performing specific common tasks at the discretion of the individual, but keep requiring written authorization for anything else. If the law really is as broad as it is being described, there is too great a risk of prosecution to do otherwise, especially if you deal with security testing. Either get permission or don't do it - there's no sense putting yourself at risk to do something that the network's owner probably won't care about anyway.

  5. bad decision, but... by markj02 · · Score: 3, Insightful

    Sounds like a bad legal decision and it reflects poorly on Intel. But one thing to keep in mind: workplaces are all about politics. People who play their cards right seem to be able to get away with murder. People who hack and don't schmooze, on the other hand, are very vulnerable. If you are of the latter persuasion, do things completely by the book and get permission for anything even remotely out of the ordinary in writing.

  6. Re:The law is too broad, but Randall should have.. by topham · · Score: 5, Insightful

    Unless specifically authorized in his capacity as a consultant he never should have touched the password file.

    As a consultant you may be in the situation, on a daily basis, that you have access to information which is not yours to do anything with. That's the nature of the beast, don't screw with it.

    As a consultant I have access to data on the customers of my clients. That data is confidential. Unless specifically using the data for testing I have zero right to that data. Even if it is in the database I have access to, and available to me based on my access privileges.

    Having access to data doesn't mean you have the right to that data.

  7. Re:America, why bother? by Anonymous Coward · · Score: 1, Insightful

    I think America isn't any better than China as far as my profession of programming is concerned. Sure we have a few more civil liberties, but the way law enforcement works here still stamps out any dissent against the 'masters in the house'.

    A few more civil liberties? Yeah, and China has a few more people than Luxembourg.

    The government is just a lackey for corporations these days, as the Adobe, Intel, and other circus shows. DMCA, anti-terror, and other acts are just smoke screen for control of the populace.

    Correct. The government is largely a puppet for big money, but don't kid yourself into believing that the U.S. and China are comparable. Last time I checked, people didn't get put into labor camps and tortured for doing spiritual aerobics, falun gong, nor did they get tortured and imprisoned for 33 years because they were vocal about their belief that their country should be free.

    I'm planning on moving to a nation that's 'worse' in many eyes already. I know there aren't any utopias, but hell if I'm not going to look for options. They want to take away my guns, computers, and now my 'inalienable rights'.

    If you're planning on moving to China, be prepared for some nasty shit, and don't ever tell anybody what you really think about anything, lest you be whipped into the local police station and beaten until you admit to being 'an imperialist running dog trying to subvert the glorious motherland.'

    It makes me sick to think about it all. I have black hair so I should get hassled. I have knowledge so I should be arrested. I have a dissenting opinion maybe I'll be hung.

    You shouldn't get hassled on the basis of your hair color (maybe you mean 'attention'). Tech knowledge they respect; just don't have any 'political' knowledge: that's rewarded with torture if it isn't 'correct' political knowledge. And you'll keep your dissenting opinion to yourself, if you know what's good for you.

  8. Re:The law is too broad, but Randall should have.. by phred · · Score: 4, Insightful

    For years now we have been reading comments about What Randal Should Have Done.

    It's easy to be critical from a distance. But before you're too smug in your assessment, walk a mile in his shoes, or in today's terms, sit for an hour at Randal's shell prompt. Many of us do every single day.

    Randal was doing pretty much what many sysadmins do as an ordinary matter of course: secure and protect the systems they are responsible for. It's the job they're hired for, you know?

    I've always felt that this amounted to a personality clash that spun out of control, bruised the ego of an Intel senior PHB, and then completely escaped from reality when it was referred as a criminal matter to the local gendarmerie.

    Unless you live in or next to Washington County, Oregon, as I do, it may be hard to understand the pressure that develops when the local cops get a call from the largest employer in your area and the most powerful company in the state.

    I remind everyone here that Randal was an Intel contractor with a one-line contract that basically ended up being interpreted in a completely arbitrary way.

    Randal would be the first to say he did some things that weren't wise, but there was never any intent of illegality or damage to his client, the mighty Intel Corporation.

    Intel has rightly gotten a big old black eye over this entire episode, at least among those who bother to learn the details, and at least as far as I know has not repeated this stupidity.

    Randal has managed to keep going, dealing with an onerous legal case, the threat of jail, an extraordinarily out of whack fine, and daunting legal costs.

    The Oregon law that all this hooked on is widely regarded as badly written and prone to misuse (I've written some Oregon law in my time, not in this particular area, and it's easy to see how this happens in the legislative process).

    The gross sense of disproportion is the lesson I have learned from this sorry episode. It is sobering for any of us who take on sysadmin duties under any circumstances. As security becomes an ever more complex and consequential issue, that is a lesson everyone should take seriously. Just because you are doing the best you can, all of us have our flaws. What protection do you have if someone decides to settle a grudge with you and have the full weight of an ill-defined law and an immensely powerful legal apparatus thrown on you?

    Good luck to Randal. He handled this with a lot more diplomacy and good cheer than many of us would probably have mustered.

    --------

    --
    Bill Gates Is My Evil Twin.

  9. Double standard by jdavidb · · Score: 2, Insightful

    Eight years later and Randall's still trying to get the blot off of his record and get his money back. (Thank goodness the highly rated comment that said no one would hire him is completely misinformed!)



    Yet, the Intel VP who picked 'pre$ident' for his password and shared it with his secretary, thus compromising secure information, in violation of company policy ("knowingly and without authorization," as the Oregon law says) is not in court at all. Same law. Same crime.



    "Oh, but that law's not too vague. It's only intended to be used against bad people, and the judges will make sure of that."

  10. First hand... by bobbabemagnet · · Score: 2, Insightful


    As a student at Oregon State University (go Beavs) I had the opportunity to listen to Schwartz explain the situation in which he was currently a victim. There is no doubt in my mind that his behavior was professional and responsible. He was doing a favor, volunteering his time and clock cycles, to improving a gaping security hole. It is the responsibility I would hope for from any professional.

    To be condemned for his behavior sends a message to all that security problems should be ignored to be exploited later by the truly dangerous, rather than exposed by the people whose job it is to improve the security of his and his peer's domains.

    I was glad to have heard him speak to us, and I think this man is certainly not the criminal he is accused. Rather than condemn him, we, as a community that believes in improving security and protecting systems, should support him in his endeavor to beat a law that was inappropriately inaugurated on him.

  11. Unethical vs. unlawful by Kirruth · · Score: 2, Insightful

    I think there is, or should be, a line between what is ethical and what is lawful. Breaching your employing company's security policies is certainly unethical: in the end, when you are part of an enterprise, you have a duty to live by its rules on the understanding that these rules are there to protect the organisation from harm. This duty is most relevant when you think these rules are stupid.

    With regard to the criminal law, though, the law in Oregon appears flawed in the sense that there appears to be no suggestion that Mr. Schwartz cracked the password file for any other reason than to test the security of the system. There appears to be no motive to steal, or kill, or cover up evidence of a non-computer related crime.

    You effectively have a law here which was framed with the external intruder in mind, which when applied to an internal user - one employed to work on the computers of the company - fails the test of reasonability.

    Speaking personally, my experience with computer consultants is that playing around with technology and doing things with company systems that they are not supposed to is just what they do, at least the good ones. It is the nature of the beast.

    --
    "Well, put a stake in my heart and drag me into sunlight."

  12. Re:Schwartz used bad judgement, nothing more. by truesaer · · Score: 3, Insightful

    I don't see how it matters if he was malicious. It seems he's been convicted, but is not going to be serving a long sentence in jail, so maybe he should feel lucky. I was an intern at Ford this summer, and I'm sure if I decided to demonstrate to them that they should hire me by cracking the passwords of executives I would have been arrested and charged with a crime.


    This case ended exactly as it should have