Oregon Supreme Court Declines To Hear Schwartz Case

merlyn writes "The Oregon Supreme Court declined to hear my case, leaving standing the unfavorable decision of the Oregon Appeals Court as the final authority on this eight-year-long case, well known to many sysadmin and Perl hacker alike. Details at my fors-announce posting." If you're not sure what that means, you probably want to read at least this site which offers a straightforwardly partisan look at the complicated case of Intel vs. Schwartz as well as Schwartz's own page; it's a strange world where programmers and sysadmins can be convicted for seemingly innocent activities.

conspiracy

[nukey56]

after this resolves, im going to assume that the press is going to start using "perl" as a buzzword synonomous with hacker, cracker, and the like. now, we all know microsoft would much rather have us use something other than perl to do our business, and this is the perfect chance for them to accomplish their next step in global takeover.

next, they're going to confuse the word perl with the oyster-rock pearl, and all fisheries will have to follow pearl-free sanctions on their oyster catches.

Re:Seemingly innocent activities?

[doooras]

cracking with intent to do harm is definately not an innocent activity. If it is done with good intentions that in no way cause problems, perhaps it is not so evil.

example... if the government hired someone to crack al qaeda systems it would be considered patriotic, or maybe even heroic by some. there would be very few people considering this a felony.

this is just an example of someone doing something that the people with the $$$ doesn't like, and using the "justice" system to their advantage.

Right, except..

[mindstrm]

He didn't break into anything.

He ran a brute force crack against some password files that he *did* have legit access to, if I remember correctly. That's ALL he did.

Re:Right, except..

You say hes guilty becuase management didnt specifically say he could. Ever place a picture as your desktop background? Did you get written authorization to?

Doing so loads an image into the frambuffer, consuming (trivial) amounts of memory and slowing down system redraw and thus speed. However trivial the differance, that's unauthorized use of computing cycles. Much like the guy fired for installing SETI like software as a screensaver.

The quaNtitative differance doesn't matter legally. The quaLitative nature of changing the desktop without specific written autotrization is being viewed the same as installng SETI sw or performing IO operations on a file you were given specific access to, if only by default.

In other words, this is guilty until proven innocent. If you have dont have a problem with him being labelled guilty, because "technically, he _did_ do it" remember that nowadays we're all guilty of something. Or as Mr. Eastwood said in Unforgiven after a mans murder was justified with the phrase "he had it coming..."

"We've all got it coming"

Something to think about.

Re:Right, except..

[Hexi-Mage]

In a radical departure from most Felony crime definitions, this one doesn't require showing any damage or criminal intent (both absent in this case). In this Computer Crime law, legislators replaced the usual criminal intent element with a "...for personal gain" clause. In an amazing feat of legal gymnastics, this clause was apparently satisfied by Mr. Schwartz' open admission that he expected his employer (Intel, the victim) to appreciate and reward his unauthorized efforts to help improve their security. Thus, his intent to help the 'victim' was key to successfully making a felon of him.

While it's clear that Mr. Schwartz made mistakes, and that they are particularly obvious mistakes in today's atmosphere, they were mistakes well within the bountries of socially positive 'common practice' in earlier times.

When 'wizards' saw or suspected a problem on any system that they were associated with, and it was within their power to 'fix' it easily, they did so, regardless of whether it was their job or not. They were rarely chastised and often praised for behaving this way.

There are several practical lessons every computer professional in Oregon should learn from this case:

1) The Computer Crime law is so broad that it's easy to violate unintentionally, and avoiding doing so at all costs may sometimes conflict with what you see as the best interests of your employer. In these cases, pull back emotionally a bit and think what the real consequences are to you personally. If policy doesn't let you do a good job, let management know. If they don't care after you've explained it a few times, document your concern and then let it go.

2) Stay beyond even the appearance of impropriety. If you're doing something that may look weird, let potential witnesses know in advance what you're up to. If you don't actively communicate, and it looks like a crime, your employers will probably call the police instead of asking directly for an explaination. Once the police are called, you start losing. The least damage you can hope for is some professional embarassment, and the mess can accelerate quickly into complete disruption of life and career. It's much easier to avoid raising unfounded suspicion than to quell it once it's been raised.

3) Remember that, ultimately, the police work for more for the prosecutor than 'the truth'. Their job is not to find the truth, it's to collect as much evidence as possible that you're guilty, whether you are or not. Once they start looking at you like a suspect, shut up. Don't try to explain what really happened without consulting a lawyer. Mr. Schwartz freely answered all their questions which, taken out of context, supported his conviction.

4) If case goes to court, realize that all the jury needs to hear is "blah blah blah, computer crime" and they'll convict, even if they don't understand a word of it. If you feel like crying, read the transcript of the prosecutors case devolving from mild incoherence into a completely meaningless string of buzzwords, and still getting a conviction.

http://www.rahul.net/jeffrey/ovs/cs2.html

The real unanswered (and mostly unaddressed) question left over from the Intel/Schwartz case is: Why did Intel continue to push for prosecution, once it became clear they had over-reacted? Possibly just for CYA (cover your ass-ets). Intel security freaked when they noticed randal was running the 'crack' program (a standard tool for both good guys and bad guys). They called the police, who got a warrant and searched Schwartz' residence for signs of IP theft (there were none). Intel representatives went in with the officers and helped with the search, which was argueably improper. At that point 2 things probably became clear: Schwartz wasn't up to anything nefarious, and Intel might have legal exposure for damaging Schwartz' reputation and wandering into his house on the coattails of the police. Since it was never revealed who at Intel decided to press for prosecution, we'll probably never completely understand their motivations.

I know how he feels

[GombuMstr]

I know exactly how he feels this is currently happening to me. One of the charges was dropped in the prelimary hearing. The owner of the server learned the hard way that permissions/Logon banners/Policies are critical if you want to prove that the person did not have permission. I read his case thoroughly when I was first charged and found some items that were the same.

America, why bother?

[Mongoose]

I'm not posting this as an AC b/c this is _my_ opinon, so don't read further if you feel you may be offended by grammar, content, and spelling...

I think America isn't any better than China as far as my profession of programming is concerned. Sure we have a few more civil liberities, but the way lawy enforcement works here still stamps out any dissant agianst the 'masters in the house'.

The government is just a lacky for corporations these days, as the Adobe, intel, and other cirus shows. DMCA, anti-terror, and other acts are just smoke screen for control of the populis.

How much longer can America keep going? America only has a military and an economy going for it -- and one of those is faultering. I can't believe the government recommending "go out and buy" to "save the economy". Capitialism isn't a one sided equation -- companies should suffer for poor investments and managment. ( The Enron's, S & L's, etc )

I'm planning on moving to a nation that's 'worse' in many eyes already. I know their aren't any utopias, but hell if I'm not going to look for options. They want to take away my guns, computers, and now my 'inalienable rights'.

It makes me sick to think about it all. I have black hair so I should get hassled. I have knowelge so I should be arrested. I have a dissanting opinon maybe I'll be hung.

Schwartz used bad judgement, nothing more.

[Schwarzchild]

IIRC from one of his web sites he pretty much describes all of the events that led up to his being arrested. He is honest about the fact that his contract at Intel's Supercomputer division was about to expire and he was trying to find a reason for them to continue to keep him employed and he decided to use their weak computer security as a reason for them to continue to use him as a contractor. Unfortunately, he wasn't an admin and he didn't get permission to crack the passwords. So when the admin found out that Schwartz was running Crack he informed the security guys at Intel.

Also IIRC it seemed like Intel management wanted to handle it differently than Intel Security which called up the Sheriffs office, I think, to have Randal arrested.

IMHO he only used really bad judgement and is obviously not a cracker bent on maliciousness.

I think it's too bad that the courts came down as hard as they did on him. At least he's not still in prison.

All the more reason to buy AMD...

[bani]

Companies like Intel who pursue such ill-advised prosecution should not be financially rewarded for their misbehaviour.

Buy AMD instead of Intel. Tell everyone you know to buy AMD instead of Intel. If you are in a position to influence purchasing decisions, make sure it is AMD.

The only message these companies are going to understand is one that hits them in the pocketbook.

BTW, the same goes for Adobe.

Re:and since when is...

> ...cracking password an innocent activity?

Well the answer to that is when the cracking is not being done to secure access to the systems in question.

Having a key to a safe shouldn't be a problem. Opening the safe and removing contents is a problem.

I have been in very much the same situation as this in the UK. Although I was not running crack myself a friend of mine was, and was using my account to do so. His interest in doing so was mere curiosity to see what percentage of passwords could be cracked.

At no time were any of these cracked accounts used for anything and as far as I can tell from the reports neither did Randal.

This point was what resulted in my case being dismissed.

Cracking passwords is a potentialy suspisious activity and Randal was bloody stupid for doing it on company machines but until the accounts are used this should not be a crime.

Intel is a bizarre company to work for

[Naum]

One of my good friends here in Phoenix worked for them for several years in a contract programmer deal. A neighbor of his was a high ranking executive at Intel also. The guy [the neighbor] was an avid golfer and developed a friendship with another golfer and they would hit the greens frequently together, even sharing a frothy beverage after a round. A few months later, this executive is dismissed, arrested and tossed into the pokey for disclosure violations. It turns out that the his alleged golf "buddy" was a Intel paid spy - and that he mentioned in casual conversations results of some chip tests (at least according to my friend's neighbor's story ...) - and that was the nail that did him in. I forget the exact bail but it was a serious deal.

Of course, one can retort that this blurb is entirely anecodotal and without hard empirical evidence. Nevertheless, others who have worked for Intel are full of interesting anecdotes themselves, albeit not as serious as the story in the previous paragraph.

Re:Innocent Activites?!

[sinnergy]

Well, that's certainly one way to look at it, isn't it. However, things aren't that simple. You and I both know that. Anyone who has had the opportunity to hear his side of the story in person knows it goes a little deeper than that. I had the privelage of hearing him speak at Ic0n hear in Cleveland earlier in the year and again at Phreaknic in Nashville.

Yeah, he isn't completely blameless and he doesn't claim to be. However, he's being railroaded on some serious charges. If you know the laws he was tried under you know how vague and broad in scope they could be. Under those laws and a liberal interpretation, I would be unable to effectively do my own job.

So, in short, let's look at both side of the story here. I encourage anyone who will dismiss Schwartz right off the bat to hear his side of the case.

He's a pretty nice guy, to boot. A hacker's hacker, if you will.

Re:Breaking into systems is not a minor infraction

[DarklordJonnyDigital]

Ted, I appreciate your opinion, but there is a real difference between physical property and a computer system.

A couple of years ago in newsgroups such as comp.sys.amiga.games and alt.emulators.uae we used to get frequent requests for ADFs (the Amiga equivalent of console 'ROMs') of old Amiga games. While some people (including myself) saw no harm in effectively 'pirating' a ten-year-old game which is no longer on sale, a few of the more fanatic Amigans would argue that theft is theft, regardless of the circumstances. "After all," they would argue, "Would you like it if I walked into your house, drank your beer and drove off with your car?"

A little logical reasoning can see the flaw in this argument. The point is that while accessing a computer system without authorisation is indeed as much of a crime as any other, it's not the exact same thing as physical tresspassing or theft, and can't be treated exactly as such.

Think of it this way: The law in America, I believe, says that if a guy walks onto your property without permission, it's a crime, period. What happens if my dog runs into your garden, and I run in to remove my dog from your property before he runs all over your prize flowerbed? The law says I've committed a crime, when I've actually done you a favour.

Now, what happens when a guy accesses some data on your computer via a security flaw in your system, which you didn't intend to give him access to? Yes, it's a crime... but does that necessarily mean it's a bad thing? On one hand, he could destroy valuable data on your computer if he wanted. On the other, he might simply e-mail you and advise you to download a security patch for your operating system.

In any case like this, the most important thing is not whether a person commits a crime - it's whether they actually do anything wrong.

Re:Oh Please

[Matts]

Randal tried to tell Intel execs to change their passwords to be more secure. They didn't, and said it was a non issue.

Randal was merely proving his point, when he found out the vice president's password was "pre$ident", and many other insecure passwords.

But is it a hanging offense?

[Rog7]

This has already been discussed to death but I'll put my $0.02 in.

Schwartz is an ass, who also happens to be a good tech. writer. Personally I think the folks at Intel should have de-listed him from their list of contractors on the first incident and notified his employers at O'Reilly, who also should have terminated any contracts due to breach of trust.

Indeed, that's the situation: breach of trust and breach of security. Perhaps theft in the case of password files, but not to the degree of felony charges. Does stealing a key or card-key usually result in anything more than petty thief charges unless further thefts occur??

Any reprimands/punishments should not have gone further than his employement.

Re:Seemingly innocent activities?

[xenobyte]

Excuse me?! - "The stupidity of the SETI project"?

Why on Earth would you call that project "stupid"? - It is a very serious project conducted by accredited scientists for a very worthy purpose, and if you can't see that, I'd venture as to call you "stupid" as well... But this discussion belongs elsewhere.

As to the case at hand, I think the important issue here is what the intent was. Schwartz did not intend to steal anything, nor did he intend to do any harm.

In matters of violence the issue of intent is central and there's a lot of difference between intentionally causing harm and accidentially causing harm. In this case there's no intent to cause any harm whatsoever and no accidential damage was done either. In other words, the matter is entirely disciplinary and a matter of breached rules and policies.

Taking this to a criminal level is a tragic farce that only shows the humourless attitude of the prosecuting parties involved and the utter arrogance of the Intel management.

Yes, Schwartz probably should be fired because of what he did because the company policy is clear on the use of password cracking tools. But a criminal prosecution is overkill and a testimony to the utter lack of knowledge of both the technology, the law and the principles on which it is built.

I agree with your suggested punishment though... :-)