Slashdot Mirror
Oregon Supreme Court Declines To Hear Schwartz Case
merlyn writes "The Oregon Supreme Court declined to hear my case, leaving standing the unfavorable decision of the Oregon Appeals Court as the final authority on this eight-year-long case, well known to many
sysadmin and Perl hacker alike. Details at my fors-announce posting." If you're not sure what that means, you probably want to read at least this site which offers a straightforwardly partisan look at the complicated case of Intel vs. Schwartz as well as Schwartz's own page; it's a strange world where programmers and sysadmins can be convicted for seemingly innocent activities.
What exactly was he charged with doing? While I'm not familiar with the case I know that as an employee you are paid to perform certain services for your employer and to respect their property. The employer and the law draw the line in the sand and an employee should keep any experimentation not having to do with work onto their home network. I would personally get written permission before doing anything that can be construed as illegal or suspect on my employer's network.
He didn't break into anything.
He ran a brute force crack against some password files that he *did* have legit access to, if I remember correctly. That's ALL he did.
...cracking passwords an innocent activity?
You know... most everyone I know who has followed the case seems to agree that the only reason you got in trouble to begin with was because of your inability (some call it emotional ignorance) to communicate properly with the admins within Intel.
Still, all in all, I believe you've managed to do well for yourself. Written a couple of books, entrenched in the perl community, regular magazine article contributer, etc. You should feel lucky that you did not do any time in "pound you in the ass" Club Fed. You *should not* feel that somehow it's your god given right to have this little blight on your history removed (and to be honest, do you know *anyone* of any note or repute that doesn't have a bit of netorious past?).
So, just get over it, continue to pay off your legal bills (and that's really that this appeal is about, right?) and get on with your life.
I know exactly how he feels this is currently happening to me. One of the charges was dropped in the prelimary hearing. The owner of the server learned the hard way that permissions/Logon banners/Policies are critical if you want to prove that the person did not have permission. I read his case thoroughly when I was first charged and found some items that were the same.
Certainly the law is far too broad, but this is merely a side effect of the drafters not having any idea how it might be applied. I wouldn't go so far as to say the drafters had no technical knowlege (because I have no idea if they did) but certainly they had only a vague idea of what specific crimes that cover within the legislation.
That said, Randall should have been more careful and Intel should Intel should have acted more wisely. Certainly a contractor messing with a client's password file without security consulting requiring 'complete network access and authority to alter' should have such things explicitly spelled out in his contract. It is truly disappointing though, to see that the appeals court will have the final say in this matter.
--CTH
--Got Lists? | Top 95 Star Wars Line
If the government hires a hacker or cracker to perform his skills against a foreign enemy it's called intelligence operations or information warfare. Just like the US Government hires tens of thousands of young Americans to kill others. That's why those in the armed forces don't get charged with murder when they drop bombs.
Randall Schwartz was doing some shit that Intel didn't like. It also happened to be illegal. Intel asked him to stop. They asked him nicely. He didn't, and Intel had him prosecuted. Randall Schwartz made his own bed.
Flame on.
The middle mind speaks!
Some background from the other side: an affidavit from one of the Intel folks is here:
e lrep.txt
http://www.lightlink.com/spacenka/fors/police/int
Basically, he cracked more than one companies passwd file without permission...one of them was a company he'd been dismissed from earlier (he was still logging into their machines and was cracking their passwd file,too).
Personally, I'm not at all surprised that they threw the book at him.
I'm not posting this as an AC b/c this is _my_ opinon, so don't read further if you feel you may be offended by grammar, content, and spelling...
I think America isn't any better than China as far as my profession of programming is concerned. Sure we have a few more civil liberities, but the way lawy enforcement works here still stamps out any dissant agianst the 'masters in the house'.
The government is just a lacky for corporations these days, as the Adobe, intel, and other cirus shows. DMCA, anti-terror, and other acts are just smoke screen for control of the populis.
How much longer can America keep going? America only has a military and an economy going for it -- and one of those is faultering. I can't believe the government recommending "go out and buy" to "save the economy". Capitialism isn't a one sided equation -- companies should suffer for poor investments and managment. ( The Enron's, S & L's, etc )
I'm planning on moving to a nation that's 'worse' in many eyes already. I know their aren't any utopias, but hell if I'm not going to look for options. They want to take away my guns, computers, and now my 'inalienable rights'.
It makes me sick to think about it all. I have black hair so I should get hassled. I have knowelge so I should be arrested. I have a dissanting opinon maybe I'll be hung.
Ok, so in Oregon it is a crime to "unlawfully, knowingly and without authorization alter a computer and computer network." The obvious solution here (for people working on computer networks in Oregon) is to obtain written permission from the appropriate authorities before altering a computer and/or computer network. Print up forms with the full text of the appropriate laws and give them to the appropriate people. Whenever you need to do anything, request permission in writing. If they complain, have them provide authorization in writing for performing specific common tasks at the discretion of the individual, but keep requiring written authorization for anything else. If the law really is as broad as it is being described, there is too great a risk of prosecution to do otherwise, especially if you deal with security testing. Either get permission or don't do it - there's no sense putting yourself at risk to do something that the network's owner probably won't care about anyway.
As I understand it, the "cracking" in this case was a test to verify that people were following the password policy that the company's management had published. The only way you can possibly verify that such a policy is being followed is by running a password cracker against the password file(s).
What the company was saying, in effect, was "Yes, we have a policy, but if anyone attempts to verify that we are following it, we will have them arrested and tried for criminal activity."
The Oregon courts seem to agree with this.
Meanwhile, of course, the word has probably gotten out to the real criminal types that Intel is actively making sure that there are no internal audits of the safety of their passwords. It doesn't take a genius to figure out the likely consequences of this.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Also IIRC it seemed like Intel management wanted to handle it differently than Intel Security which called up the Sheriffs office, I think, to have Randal arrested.
IMHO he only used really bad judgement and is obviously not a cracker bent on maliciousness.
I think it's too bad that the courts came down as hard as they did on him. At least he's not still in prison.
"sweet dreams are made of this..."
Companies like Intel who pursue such ill-advised prosecution should not be financially rewarded for their misbehaviour.
Buy AMD instead of Intel. Tell everyone you know to buy AMD instead of Intel. If you are in a position to influence purchasing decisions, make sure it is AMD.
The only message these companies are going to understand is one that hits them in the pocketbook.
BTW, the same goes for Adobe.
Sounds like a bad legal decision and it reflects poorly on Intel. But one thing to keep in mind: workplaces are all about politics. People who play their cards right seem to be able to get away with murder. People who hack and don't shmooze, on the other hand, are very vulnerable. If you are of the latter persuasion, do things completely by the book and get permission for anything even remotely out of the ordinary in writing.
Oregon Supreme Court declined to hear my case, leaving standing the unfavorable decision of the Oregon Appeals Court as the final authority
I'm sure merlyn/Mr. Schwartz has allready discussed this with his council, but of course the supreme court can take the case and over-rule the state court, the plaintive cries of certain states rights activitists notwithstanding. That's not going to happen, which basically means we need a political solution.
Individuals in Oregon can contact their governor individually, although such petitions are, unfortunately, unlikely to work.
Some form of organised lobbying - from an oregon based trade organisation of engineers or programmers, mayhap? (I'm a biologist) - might successfully generate a pardon, or at least get the law struck from the books. Certainly, I think it's a legitimate avenue for such an association to act, since the oregon computer crime law (which I can't find under that title but which is somewhere here) obviously opens its membership up to wanton and unjustified prosecution.
Although Intel is likely to announce that it's a criminal trial and Intel cannot drop charges, we could bring pressure to bear on Intel. I only buy AMDs anyway, but a threatened slashdot-sponsored boycott, if everyone on slashdot is as convinced of his fundamental innocence as I am, might scare them a little.
More than likely the poor slob is screwed.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
Unless specificly authorized in his capacity as a consultant he never should have touched the password file.
As a consultant you may be in the situation, on a daily basis, that you have access to information which is not yours to do anything with. Thats the nature of the beast, don't screw with it.
As a consultant I have access to data on the customers of my clients. That data is confidential. Unless specificly using the data for testing I have zero right to that data. Even if it is in the database I have access to, and available to me based on my access privledges.
Having access to data doesn't mean you have the right to that data.
I'm sorry, but at first blush what he was doing would not seem inocent to anyone. He was cracking passwords, and sent out some VPs password to other people. He was also not a fully employee and didn't authorization to do what he was doing.
He may not have meant any harm by what he did. And when you look closer you can see that. But what he did does not seem innocent in any sense of the word.
Yeh, now mod me flamebait like that first post AC. God forbid we should go against the Editors
(btw, sorry this post hasn't been spellchecked. I'm away from home and my spellchecker)
autopr0n is like, down and stuff.
Cracking terrorist systems is not a fair analogy. Mr. Schwartz did the cyber-equivalent of forcibly entering a locked room in his employer's building with a sign on the door that says "Authorized Peronnel Only", just so he could get his email quicker.
I do believe the court overreacted in the penalty phase of the trial. IMO, it should have been more like a B&E conviction. Mr. Schwartz' cooperation and apparent minimal moral terpitude (he admitted he knew it was wrong) should have earned him some mercy from the court.
The lesson here for the rest of us: "You have the right to remain silent". Once you're in an interrogation, the cops are hardly ever your friends. Those cops screwed him just like Sipowicz does his "skellz" every day.
cat
The hyperlink in the story to the overview of the Schwartz case is responding, "User over daily limit".
Use the mirror here.
Intel v. Schwartz
Intel's Prosecution of Randal Schwartz
Cybersalem|
 Press|
 What can you do?|
 
Kevin Mitnick on Hacking
Note:
The Open Letter to Intel closed to new signatures
on October 4, 1999.
Thanks to all who have signed!
Geek Kahuna Goes Bad?
It began prosaicly enough.
Randal Schwartz, who I knew from Usenet and his
very successful books on the Perl language,
was on business in Silicon Valley and agreed to meet me at
Frankie, Johnnie & Luigi Too,
an Italian restaurant in
Mountain View CA, to offer me advice for a program I was
writing.
It might seem surprising
that Randal would agree to take time
from a hectic schedule two weeks before going on trial to give
what amounted to free consulting to a stranger.
However, those who
have been interested in the Perl language for a while
know that Randal
is a legend for his generosity.
Actually, I didn't know Randal was going on trial in two weeks.
I had heard rumors that he had some sort of legal difficulties
(a civil suit I assumed) which involved Intel.
I'd known many people with matters before the
courts, some close personal friends,
and few liked to discuss them.
Therefore it was not until
Randal had fielded my Perl questions, the talk
turned to minor chit chat and Randal unexpectedly proved
willing to discuss the matter that
I discovered the person I was drinking beer with
was looking at fifteen years in a few days, and, if convicted,
would have the biggest legitimate reputation by far of
any computer criminal.
I didn't necessarily credit the story he told me -- every
accused felon tells you it was all a misunderstanding, and
they are almost always just plain guilty.
Neither, I must confess, do I have unquestioning faith in
all the conclusions D.A.'s draw.
Days later, an Oregon Jury convicted Randal of
three felonies.
Randal Schwartz was, in the eyes of the law, a
Geek Kahuna Gone Bad,
the first.
Especially eerie about the Schwartz matter
was the silence surrounding it.
This clearly was a very significant case, far more so than
some which have drawn a lot of attention.
Randal Schwartz was either
the most dangerous computer criminal ever,
or something was terribly amiss, I had to know which.
That night I put the project I had discussed with Randal
on a shelf, where it remains.
"Feel free to stop dancing around the issue
any time you like and
tell me what this is all about."
On July 25, 1995, a Washington County jury in Hillsboro, Oregon
convicted Randal Schwartz of three felony counts:
Count 1: Randal did
between November 1, 1992 and November 1, 1993,
"unlawfully, knowingly and without authorization alter a computer and
computer network consisting of Intel computers Mink and Brillig".
Count 2:
Randal did between August 1, 1993 and November 1, 1993,
"unlawfully, and knowingly access and use a computer
and computer network for the purpose of committing theft of the Intel SSD's
password file".
Count 3: Randal did,
between October 21, 1993 and October 25, 1993,
"unlawfully, knowingly
access and use a computer and computer system for the purpose of committing
theft of the Intel SSD individual user's passwords."
"Look, son, Randal may be a what you call a Geek Kahuna,
but the law is the same for him as everyone else."
Actually, Randal was not tried under the usual criminal
laws, but Oregon's Computer Crime law.
Uses of this law are rare.
I can discover only two convictions under it since 1991,
and in one there was no trial.
The purpose for a separate Computer Crime Law
was to avoid having bad guys escape on technicalities,
something its drafters felt that
even an extensive revision of traditional criminal law would allow.
This they accomplished by making it a felony
to knowingly do anything
"unauthorized" on a computer.
Unusually for a law with severe penalties,
there is no requirement to show the defendant caused or intended
any harm.
All that is necessary is to show
that the proper authority did
not like whatever was done.
The first count is that, pure and simple --
Randal putting a
program on an Intel computer which Intel did not like.
The "stolen" property of the second and third counts
was never removed from Intel's premises, Intel was never
deprived of any of the economic benefit of the
property, and no evidence was presented
Randal intended to do either of these things.
These "thefts" consist entirely, again, of doing things
which Intel decided afterwards
it did not like and which it claims that Randal
was not allowed to do -- this time with
password files involved.
Criminal laws with wide applicability and severe
penalties are a feature of totalitarian states, and
may be a necessary evil in free ones.
In Randal's case, where he was trying to be helpful
and caused no harm,
the potential evil in applying such a law
is far more apparent than its necessity.
At the least,
a free society asks that a serious crime
genuinely reflect one of its serious concerns,
and not simply be a tool the powerful can use
against the powerless whom they find obnoxious.
A good test of this can be made when a powerful
individual breaks the law.
But for computer crime, which is complex and
technical, such tests are
available only as a matter of luck, since
the powerful decide who gets investigated.
However, we have such a stroke of luck in this case.
An Intel VP confessed on the stand to a more serious
infraction of Oregon's computer crime law.
And the Washington County D.A.'s office,
which so eagerly talked tough when facing the
powerless Randal,
has observed a demure silence on this topic.
The defects in the law should easily have
been enough to prevent
this case ever coming to trial, and made discussion of the rest
of this matter moot.
But at each step of the way, as one person or another faced
the prospect of telling Intel "no", they chose instead to
praise the Emperor's fine new suit.
Some Highlights from the Ongoing Farce
No evidence that Intel disapproved of Randal's behavior
exists, except as remembered after the decision
was made to prosecute him.
Not so much as a hand-written note indicates anyone had a
problem with Randal beforehand.
Lest those testifying for the prosecution,
all of whom had financial interests in the good will of Intel,
forget Intel's concern in this matter,
an Intel Security person sitting at table next to the prosecutor
served as a convenient reminder.
Intel was heavy-handed in making its presence felt throughout.
The police prepared the search warrant at Intel premises,
three Intel employees helped search Randal's house,
and one helped police interrogate Randal.
This interrogation produced the prosecution's "best" evidence:
police statements that put the words of a full confession
in Randal's mouth.
Indeed they claim Randal confessed to a history of hacking
everyone he had done business with.
(All these other "victims" provided witnesses for the defense,
and Randal was charged with none of this activity.)
The police claim to have memorized Randal's highly technical
statements with the aid of a few "cryptic" notes,
and reproduced them accurately later at the station.
It is hard to overstate what an incredible
feat of memory this is.
Det. Lilley, who produced the more complete statement,
didn't know what the word "directory" means in computer lingo.
Mere mortals with similar backgrounds would have found it
impossible to follow the discussion,
much less memorize it verbatim.
In other contexts, Intel had previously
authorized Randal to commit both the acts
allegedly unauthorized in this instance:
cracking passwords and building a gateway to the Internet.
Randal was well aware of the steps a computer criminal usually takes
to avoid detection of his activities and took none of them.
As I go through the records in this matter, more and more
startling and troubling material continues to come out.
It is as if this case was an entry in a contest to see
how much misbehavior could be squeezed into a case where nobody
was shot or beaten.
I document my progress into this shambles in the
Letters from Cybersalem.
The Letters From Cybersalem
CS0: Announcement.
Obviously, the letter which announced the series.
CS1: Disclosures and Disclaimers.
My connections
to Intel and Randal, and various other things which need to
be said. Nothing stunning IMHO, but you have a right to know and
to judge that for yourself.
CS2: Wizard Prosecutions: Then and Now.
A comparison of the quality of
the prosecution in the Salem, Massachusetts of 1692 and
the Hillsboro, Oregon of 1995.
Witchcraft prosecutions have declined sadly in the last
300 years.
CS3: The Unindicted: Ed Masi.
It is so easy to make a case for the crime of which
Randal was convicted,
an Intel VP testifying against Randal made a
full confession under oath on the stand.
It's all here.
CS4: Shocked, Shocked.
Randal's "crime" caused no harm, which is perplexing
since harm is basic to both the legal theory and lay
intuition of what "crime" means.
The policy infraction to which Ed Masi confessed
is shown to have quite likely caused real and serious harm to Intel.
CS5: Leadfinger.
This imbecility is not without its literary appeal.
A nicely Kafkaesque touch is added by the reluctance of the
Intel nabob who ordered Randal nailed to identify himself.
Of course, nobody forced him to come forward.
CS6: Unlearn Perl in 41 days!
Rich Cower of Intel security, adds to the list of
remarkable intellectual feats performed on behalf of the
prosecution. On June 13, 1995, he answers most questions about
Randal's Perl scripts with assurance, but passes on others
until he can look at the code.
41 days later he testifies under oath he does not know Perl.
CS7: The Essential Cower.
As Network Security Expert at Intel,
Cower played quite a role in the case.
He was present at the search,
participated in Randal's interrogation,
was an expert witness and
as State's Expert sat next to the prosecutor
for the whole trial.
CS8: What Does Familiar Mean?
However, this Intel "expert", when shown the seminal
work in modern network security, Cheswick and Bellovin,
does not recognize the cover.
CS9: Shortcut to Expertise.
An examination of Cower's background and qualifications,
as revealed in his testimony.
CS10: Too Stupid for Their Own Good?
Randal's local paper was
The Oregonian,
already notorious for ignoring the Packwood scandal.
It heaped abuse on Randal and the whole
"computer programming subculture"
during the trial.
I recommend anyone planning to work as a programmer
in Oregon read this one.
CS11: Oregon Employees have No First Amendment Rights
Unbelievable?
That is Judge Nachtigal's ruling.
Read it.
CS12:
Oops! There Goes Another Personal Right
Judge Nachtigal also discovered that the law
allowed "silly" (her word) prosecutions,
which in the D.A.'s words
show his "office must have an awful lot of time on their hands".
These are forbidden by the due process protections of the
14th Amendment,
but Nachtigal finds that
"we may want that authority there with computers",
and the charges against Randal stand.
CS13: The Confidence of the Public
This one is entirely uncommented quotes.
Here are some snippets.
The prosecutor: "I don't represent Intel."
The judge: "Not yet."
The detective: "We could probably use two or three more people".
The Associated Press:
"Intel Corp. is handing the local police $100,000 to have two
detectives concentrate their computer theft efforts
at the company."
CS14: Moore's Lawlessness
It would be surprising if Intel's heavy-handed contempt for the law
were unique to this case.
As Tim Jackson's new book shows, it is not.
An Open Letter to Intel
We wish to express our strong objection to the prosecution of
Randal Schwartz and Intel's role in it. We believe it necessary
that Intel repudiate the criminal charges made against Randal in
Oregon v. Schwartz, refund any "restitution" paid based on those
charges and offset the costs of Randal's defense against them.
This is the minimum that fairness requires since what happened
was at worst a policy breach and since Randal also suffered loss
of income, loss of reputation and a good deal of anguish.
The full list of signers
The current signature count, with subtotals by country
Signers whose names you might recognize
Comments made by the Signers
The Open Letter closed to new signatures on October 4,
1999. Thanks to all the over 2000 signers!
Links
To get an auto-reply giving Randal's own statement, and
discussing how you can contribute to his Legal Defense Fund, send
an empty message to
Randal's Defense Fund mail daemon
.
Steve Pacenka maintains
the Friends of Randal Schwartz website
,
which is dedicated to archiving all relevant materials from
all sides of this issue.
There is also
Randal's award-winning website
.
How come he gets an award and I don't?
You can subscribe to
the fors-discuss mailing list,
by sending a empty message to
join-fors-discuss@telelists.com.
There is also
fors-announce,
a moderated announcement list for Randal's case.
This can be subscribed to by
sending a empty message to join-fors-announce@telelists.com.
Press Coverage
I want to thank this site's host ISP
A2I (rahul.net).
for its steadfastness and generosity.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
One of my good friends here in Phoenix worked for them for several years in a contract programmer deal. A neighbor of his was a high ranking executive at Intel also. The guy [the neighbor] was an avid golfer and developed a friendship with another golfer and they would hit the greens frequently together, even sharing a frothy beverage after a round. A few months later, this executive is dismissed, arrested and tossed into the pokey for disclosure violations. It turns out that the his alleged golf "buddy" was a Intel paid spy - and that he mentioned in casual conversations results of some chip tests (at least according to my friend's neighbor's story ...) - and that was the nail that did him in. I forget the exact bail but it was a serious deal.
Of course, one can retort that this blurb is entirely anecodotal and without hard empirical evidence. Nevertheless, others who have worked for Intel are full of interesting anecdotes themselves, albeit not as serious as the story in the previous paragraph.
AZspot
For years now we have been reading comments about What Randal Should Have Done.
It's easy to be critical from a distance. But before you're too smug in your assessment, walk a mile in his shoes, or in today's terms, sit for an hour at Randal's shell prompt. Many of us do every single day.
Randal was doing pretty much what many sysadmins do as an ordinary matter of course: secure and protect the systems they are responsible for. It's the job they're hired for, you know?
I've always felt that this amounted to a personality clash that spun out of control, bruised the ego of an Intel senior PHB, and then completely escaped from reality when it was referred as a criminal matter to the local gendarmerie.
Unless you live in or next to Washington County, Oregon, as I do, it may be hard to understand the pressure that develops when the local cops get a call from the largest employer in your area and the most powerful company in the state.
I remind everyone here that Randal was an Intel contractor with a one-line contract that basically ended up being interpreted in a completely arbitrary way.
Randal would be the first to say he did some things that weren't wise, but there was never any intent of illegality or damage to his client, the mighty Intel Corporation.
Intel has rightly gotten a big old black eye over this entire episode, at least among those who bother to learn the details, and at least as far as I know has not repeated this stupidity.
Randal has managed to keep going, dealing with an onerous legal case, the threat of jail, an extraordinarily out of whack fine, and daunting legal costs.
The Oregon law that all this hooked on is widely regarded as badly written and prone to misuse (I've written some Oregon law in my time, not in this particular area, and it's easy to see how this happens in the legislative process).
The gross sense of disproportion is the lesson I have learned from this sorry episode. It is sobering for any of us who take on sysadmin duties under any circumstances. As security becomes an ever more complex and consequential issue, that is a lesson everyone should take seriously. Just because you are doing the best you can, all of us have our flaws. What protection do you have if someone decides to settle a grudge with you and have the full weight of an ill-defined law and an immensely powerful legal apparatus thrown on you?
Good luck to Randal. He handled this with a lot more diplomacy and good cheer than many of us would probably have mustered.
--------
Bill Gates Is My Evil Twin.
Randal is totally innocent.
If I found out that someone who was not a sysadmin or security analyst was running a password cracker on my systems, I'd be very pleased.
Lets face it, it's a pain in the ass to setup passwords crackers, and if a "White Hat" Hacker decides to break into my mailserver, he's really doing me a service.
As an example of similar activity, just the other day I found a man trying to unlock my mailbox with a screwdriver by prying the door off. I was actually comforted by the gesture, since I can now send a bug report to the post office and request that they install a stronger door.
Conformity is the jailer of freedom and enemy of growth. -JFK
I was looking forward to meeting Randal at the "Learning Perl" class in portland, but he was sick. Thou a nice guy named Tad McClellan tought the class. We talked about Randal for a few minutes. Randal just used bad judgement, but there was never criminal intent.
I really hate how the laws are using this non-violent, non-profit hacking as a crime. He should of been fired for breaking company policy, but a crime? He didnt steal anything, a password file was used on a company computer to run crack, he was planing to use it for the good of the company.
I wish I owned a large enough company like microsoft or oracle, I could use my business and political weight to bring attention to matters like this. If Bill Gates announce he was moving all his companies from Oregon because of the way they treat thier citizens, maybe Randal would get a pardon. Look how Adobe called the FBI and they acted, the government supports the larger companies.
Is it me, or is the laws and poltical dealings of of our Goverment piss you off? If it wasnt for 911 goverment reform would be taking place. But now its Terrorist threats and cyber laws.
I better watch what I say, freedom of speech seems to be a passing fad.
Crackers are bad enough. Password stealing crackers who put INLINE SOUND on thier webpages should be shot.
-- I Am Not A Terrorist.
I recently read an article in The Oregonian (newspaper) that said politicians are seriously looking at Oregon's court system; they've made some rather unpopular rulings lately. As I recall the issue the article discussed was regarding a ballot measure that voters passed, but the state Supreme Court ruled unconstitutional, because in the eyes of the court, the ballot measure combined two seperate issues on the same measure, which is illegal (as it should be, IMHO), but the two issues really didn't look like they were unrelated at all.
Sorry I don't remember the details, but anyway, don't think everyone in Oregon agrees with the courts on this sort of thing.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Of course, just after I hit Submit, I found the link to the article:
Rulings may put Oregon courts on trial next year
The article is dated 11/26/01 and the only keep one month available for free online, so that link may expire soon.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Hear hear. I've been in this position and I always have asked, too.
...
Not because I live in the state of Oregon but because it is the right thing to do (and my knowledge of right and wrong far predate the law in question).
I think the major problem with Randal was that Intel had no idea of what he was actually doing, found out, freaked out. Freaki
ng out was a reasonable response.
The fact that the freaking out resulted in a criminal charge and conviction is unfortunate. Washington County (where Intel's Oregon facilities are located) is far, far more conservative than Multnomah County (where Portland, OR is mostly located). In Multnomah County some sort of non-criminal solution would've been the result, most likely.
The Appeals Court and Supreme Court, though, don't rule on whether or not the conviction is "reasonable" but whether or not the conviction meets the test of law.
That's not unreasonable, that's how judicial review is meant to work. The law as written is unreasonable, but not unconstitutional and therefore no constitutional grounds for overturning the conviction exist. There's no doubt about the evidence, so there's no evidenciary grounds for overturning the conviction.
So
1. Randal sinned in a relatively minor way, but sinned nonetheless.
2. Intel and a hard-assed Washington County prosecutor decided to go after him in a major way (makes you wonder about past interactions, doesn't it? I would think that a single well-placed manager could've derailed this train if she'd thought Randal deserved grace).
3. The law doesn't violate the Oregon or Federal Constitution (nor your state's, most likely). Therefore the Court of Appeals and Supreme Court, whatever their private view of the overreaction resulting in his conviction, have no basis for overturning it. (of course, they may actually want him to burn at the stake, but we don't know that, the Oregon Supreme Court is actually fairly liberal).
Comment removed based on user account deletion
Eight years later and Randall's still trying to get the blot off of his record and get his money back. (Thank goodness the highly rated comment that said noone would hire him is completely misinformed!)
Yet, the Intel VP who picked 'pre$ident' for his password and shared it with his secretary, thus compromising secure information, in violation of company policy ("knowingly and without authorization," as the Oregon law says) is not in court at all. Same law. Same crime.
"Oh, but that law's not too vague. It's only intended to be used against bad people, and the judges will make sure of that."
Secession is the right of all sentient beings.
A couple of years ago in newsgroups such as comp.sys.amiga.games and alt.emulators.uae we used to get frequent requests for ADFs (the Amiga equivalent of console 'ROMs') of old Amiga games. While some people (including myself) saw no harm in effectively 'pirating' a ten-year-old game which is no longer on sale, a few of the more fanatic Amigans would argue that theft is theft, regardless of the circumstances. "After all," they would argue, "Would you like it if I walked into your house, drank your beer and drove off with your car?"
A little logical reasoning can see the flaw in this argument. The point is that while accessing a computer system without authorisation is indeed as much of a crime as any other, it's not the exact same thing as physical tresspassing or theft, and can't be treated exactly as such.
Think of it this way: The law in America, I believe, says that if a guy walks onto your property without permission, it's a crime, period. What happens if my dog runs into your garden, and I run in to remove my dog from your property before he runs all over your prize flowerbed? The law says I've committed a crime, when I've actually done you a favour.
Now, what happens when a guy accesses some data on your computer via a security flaw in your system, which you didn't intend to give him access to? Yes, it's a crime... but does that necessarily mean it's a bad thing? On one hand, he could destroy valuable data on your computer if he wanted. On the other, he might simply e-mail you and advise you to download a security patch for your operating system.
In any case like this, the most important thing is not whether a person commits a crime - it's whether they actually do anything wrong.
This has already been discussed to death but I'll put my $0.02 in.
Schwartz is an ass, who also happens to be a good tech. writer. Personally I think the folks at Intel should have de-listed him from their list of contractors on the first incident and notified his employers at O'Reilly, who also should have terminated any contracts due to breach of trust.
Indeed, that's the situation: breach of trust and breach of security. Perhaps theft in the case of password files, but not to the degree of felony charges. Does stealing a key or card-key usually result in anything more than petty thief charges unless further thefts occur??
Any reprimands/punishments should not have gone further than his employement.
As a student at Oregon State University (go Beavs) I had the opportunity to listen to Schwartz explain the situation in which he was currently a victim. There is no doubt in my mind that his behavior was professional and responsible. He was doing a favor, volunteering his time and clock cycles, to improving a gaping security hole. It is the responsibility I would hope for from any professional.
To be condemned for his behavior sends a message to all that security problems should be ignored to be exploited later by the truly dangerous, rather than exposed by the people whose job it is to improve the security of his and his peer's domains.
I was glad to have heard him speak to us, and I think this man is certainly not the criminal he is accused. Rather than condemn him, we, as a community that believes in improving security and protecting systems, should support him in his endeavor to beat a law that was inappropriately inaugurated on him.
..don't work for Intel.
Eventually, Intel will have to settle for sysops of much less ability than Randall Schwartz, and they'll be owned by every J. Random script kiddie in the world.
Then, when they go forth into the job market trying to find someone who will do what a decent sysadmin should do (like, say, run crack against their passwords files and alert people with lame PW's like "pre$ident"), they'll hear "gee, I'd like to take your money and help you guys, but it's just too dangerous."
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Comment removed based on user account deletion
(Look at my friggin' nickname, I just had to say it).
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Once in a while, we run up against a person who truly and arrogantly believes that ability to do something equates to permission. Perhaps the notion is also somewhat childlike as well.
I'm not sure why exactly, but I get flashbacks to movies like "Lawnmower Man."
I understand the giddy feeling of power some of us have over the people we work for -- they don't fully understand what we do, what we know or what we're capable of. We're wizards, magicians and gods. SOMETIMES the power goes to our heads and the case with this guy is NOT unique.
The unfortunate side effect of being a wizard/magician/god is that people will fear us as well as admire us. The current trends in legislation prove it. Much of it amounts to "you're guilty because we suspect you of it."
Even I went through my "script kiddy" phase... had more than one internet account/connection pulled out from under me due to suspected hacking activities. Luckily, that's the worst that happened to me and I learned my lesson in life.
I can't agree with the "witch hunt" atmosphere used in the judicial systems at the moment. If they want to create special laws for handling "cyber crimes" then do so by using judges and juries capable of handling these cases! Don't expect laypeople to be able to understand what it is they are judging in this case. And when it comes to the notion of "jury of peers" I can certainly see where the system is failing to address what a peer is in this case.
They aren't stupid -- the situation is geared to give the prosecution the edge where ignorance and fear is the weapon used against the accused. But that does deny the accused of a fair trial doesn't it? How can this important issue be brought out into the open and corrected?
One big lesson from this for big companies like Intel and Adobe is that having your problems discussed on Slashdot is VERY costly.
I've read a lot of the posts, and they have the effect of making Intel seem less like an interesting place to work. The good people may just not apply in the future, and that may mean that nothing will stop Intel's decline.
Bush's education improvements were
The Yahoo page requires cookies and other junk in order to be able to be displayed, while Randall's own archive does not.
Brad Knowles
http://daily.daemonnews.org/ -- if you're not
With regard to the criminal law, though, the law in Oregon appears flawed in the sense that there appears to be no suggestion that Mr. Schwartz cracked the password file for any other reason than to test the security of the system. There appears to be no motive to steal, or kill, or cover up evidence of a non-computer related crime.
You effectively have a law here which was framed with the external intruder in mind, which when applied to an internal user - one employed to work on the computers of the company - fails the test of reasonability.
Speaking personally, my experience with computer consultants is that playing around with technology and doing things with company systems that they are not supposed to is just what they do, at least the good ones. It is the nature of the beast.
"Well, put a stake in my heart and drag me into sunlight."
Excuse me?! - "The stupidity of the SETI project"?
:-)
Why on Earth would you call that project "stupid"? - It is a very serious project conducted by accredited scientists for a very worthy purpose, and if you can't see that, I'd venture as to call you "stupid" as well... But this discussion belongs elsewhere.
As to the case at hand, I think the important issue here is what the intent was. Schwartz did not intend to steal anything, nor did he intend to do any harm.
In matters of violence the issue of intent is central and there's a lot of difference between intentionally causing harm and accidentially causing harm. In this case there's no intent to cause any harm whatsoever and no accidential damage was done either. In other words, the matter is entirely disciplinary and a matter of breached rules and policies.
Taking this to a criminal level is a tragic farce that only shows the humourless attitude of the prosecuting parties involved and the utter arrogance of the Intel management.
Yes, Schwartz probably should be fired because of what he did because the company policy is clear on the use of password cracking tools. But a criminal prosecution is overkill and a testimony to the utter lack of knowledge of both the technology, the law and the principles on which it is built.
I agree with your suggested punishment though...
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
>get permission to crack the passwords. So when
>the admin found out that Schwartz was running
>Crack he informed the security guys at Intel.
In other words, intel security was a lot better than this wannabe suspected . . .
hawk
I think there is a problem in applying this attitude, which is found in personal emotions about one's property, to corporate-owned equipment which is professionally maintained. If I saw someone pissing on my car, I would be angry. In fact, even seeing a stranger sitting on the hood of my car sends the blood rushing into my face. This is a mammalian reaction to protect personal territory.
As an employee of a large corporation, if I saw someone pissing on the wall of one of our buildings, I would feel no such outrage. Maybe mild irritation. Likewise, if I owned stock in IBM I would not have territorial feelings about IBM's assets. So the attempt to link corporate assets emotionally to personal assets remains unconvincing. In fact, it highlights the shaky ground on which the idea of the corporate citizen is built.
One problem with this case is that it hinges on the simple-sounding idea of the property owner deciding what gets done with "his" property. Which might make sense when you take your shirts to the dry-cleaner - you want them cleaned and pressed, not cut up and made into a quilt. Although I doubt the dry-cleaner would be convicted of a felony even if he did that.
But when you work for a big corporation, the will of the "owner" is expressed in a diffuse way. Nobody you deal with really has authority to speak for the corporation (only an officer of the corporation can do that.) Therefore, you are reduced to interpreting conflicting demands, one of which could be a corporate policy manual. My approach has been to deliver what my boss wants, and disregard the other expressions of corporate will. I count on my boss to protect me against anyone I offend. But what if my boss gets hit by a truck? Am I liable to be prosecuted for violating some obscure "corporate policy" I never read?
I would guess that the growth of Linux in the enterprise mostly occurred secretly in direct violation of corporate policy. Should the sysadmins who helped that growth be thrown in jail?
I am not denying that the case against Randal may have some merit. But you are making the issues far too simple.
I'm not sure, but I think the answer is twofold. 1) Randal's arrogant attitude had pissed of someone in Intel security, and 2) Intel investigators semi-legally entered Randal's dwelling to search for Intel IP, which they didn't find. At that point, they were on shaky ground legally and needed to pursue the case to retroactively justify their entry.
To put it differently, the investigation gathered huge momentum based on Randal's previous reputation, the password cracking, and Intel's paranoia about IP theft. When the initial focus of the investigation fizzled, the energy had to go somewhere.
The above is just guesswork based on the fragments of the case I've seen over the years.
So if you work for a big corporation and one day you go to building 275 because you heard it has a better cafeteria than building 106, you should be arrested for trespassing. Because you weren't specifically authorized to enter that building. "But my access card worked; doesn't that mean I'm authorized?" Tam-Lin: "No: Even if I leave my front door unlocked..."
Your idea, which sounds reasonable applied to a house, doesn't work in a corporate environment.
And generally speaking I am allowed to open the unlocked door of a business during business hours and walk in. The assumption is that if it's unlocked it's open for business. A business is not a home.
You were nor arguing with me. I told you to cut out the analogies, somebody else was arguing on the thread with you.
You may not realize this but on public forums like this different people may join the thread and make comments. you should look at the names before you shoot off your mouth perhaps.
War is necrophilia.
Comment removed based on user account deletion
Really? What if I am an authorized employee? OK, that's the obvious case. What if I work for a firm installing/repairing communications wiring (been there, so this is from reality)? Since the customer has requested us to do work on his premises, I assume I have the right to enter whatever spaces are necessary, regardless of such signs. Of course there are exceptions, like this sign:
(From memory). So it comes down to judgement. In the real world (non-computer) if the intruder's judgement is incorrect, the worst that will happen is an angry phone call to his boss.
What really bothers me is the naive idea that a corporation has a unified will and intent, like a person. A corporation is an umbrella over a collection of departments, divisions and egos. It's quite common for a contractor to receive conflicting instructions from different people within the same organization. Usually accompanied with "Do NOT listen to the other guy. I am the only one authorized to make this decision." One of the hard parts of contract management is convincing contractors (such as Electrical Contractors) to listen to YOU, and not to some random guy, however convincing. "Why didn't you finish the pulls on the fifth floor?" "This guy told us the plans were wrong, that they were re-issuing them. He was wearing a suit!"
God bless the organization where responsibility is clearly divided. Having seen the opposite, I'm not impressed by the clarity of the "Authorized Employees Only" sign.
And no, I am not saying that Randal was the victim of conflicting corporate drives. I am saying that your simple response is naive.
Oh? Officers of the corp. can, and do, delegate authority to other employees. I worked for a corporation, and was directly respnsible for people being arrested due to misuse of copporate property, yet I was never an officer. It's absurd to say that only an *officer* can determine proper use of company property.
Therefore, you are reduced to interpreting conflicting demands, one of which could be a corporate policy manual.
No; you simply go to HR and ask them to clarify the company policy. Of course, some may find it morally *convenient* to remain ingnorant.
My approach has been to deliver what my boss wants, and disregard the other expressions of corporate will. I count on my boss to protect me against anyone I offend. But what if my boss gets hit by a truck? Am I liable to be prosecuted for violating some obscure "corporate policy" I never read?
Well, yes. Assuming you're an adult, you're expected to take resonable steps to ensure that your actions are consistent with company policy.
Claiming that a corporate entity is too nebulous a concept to apply conventional ideas about property rights is just a cop-out. It's really quite simple: if something doesn't belong to you, then *ask* before you use it. Ask your boss; ask human resources. How hard can that be? The downside is that you might not be told what you want to hear; maybe *that's* the real problem.
Java is the blue pill
Choose the red pill
I thought I made it pretty clear that I do what my boss wants. As for your suggestion of asking HR, are you seriously advocating that when my boss tells me to install Linux and Apache on an old PC, I should call up some HR person and ask for permission? I have never had a boss who would be pleased with that behavior.
I'd still like to hear your answer to this: How do you think Linux entered the Fortune 500 IT world? Do you think some sysadmin called up HR one day, patiently explained what an operating system is, and requested permission to install a new OS on an old computer? In my experience it was done quietly, and by the time upper management found out, it was already proving its value. Linux was tolerated retroactively, not pursued proactively. Do you think those pioneering sysadmins should go to jail?
You made it clear that you believed that there may be no clear expression of corporate will. You said you do what your boss asks, but that it may conflict with some other policy. If you have doubts about what you're asked to do, then it's up to you to a) ask your boss to clarify what is wanted, and b) check that it is consistent with company policy.
If your boss asks you to wipe every harddrive and install Linux, I doubt you would do it. I suspect you understand claiming "My boss said to do it" does not always carry much weight. Ultimately, *you* are responsible. Most companies do not try to nail people for honestly following specicic instructions given by a boss who one would resaonably expect to know company policy.
As for your suggestion of asking HR, are you seriously advocating that when my boss tells me to install Linux and Apache on an old PC, I should call up some HR person and ask for permission? I have never had a boss who would be pleased with that behavior.
It depends. If you have reason to believe that your boss is not really authorized to ask you to do something, then you need to cover your ass. There are tactful ways of doing this, but the bottom line is that you need to excercise some judgement, and not blindly follow orders. Would your boss get mad if you asked him or her to confirm that installing Linux was OK, and would not put you at any risk? Would your boss prefer a zombie robot slave?
Linux was tolerated retroactively, not pursued proactively. Do you think those pioneering sysadmins should go to jail?
Jail? All depends, but that's unlikely unless there was deliberate damage. I've "secretly" installed Linux at work, but I knew I had some leeway about what I could do with old PCs. If I had any reasn to believe that doing so was a violation of company poilcy, and did it anyway, then I would deserve what I got.
Most people are not hired to be pioneers. That's just life. If you want to be a pioneer, start your own company and take your own risks.
I'd still like to hear your answer to this: How do you think Linux entered the Fortune 500 IT world?
I have no idea, but maybe it was first installed by somebody who simply had permission. Really, it's not so farfetched, though it's a less romantic notion that the idea of clandestine, underground freedom fighters risking jail to further OSS.
You seem to insist on an oversimplified world where any ambiguity absolves you of responsibilty.
Java is the blue pill
Choose the red pill