Slashdot Mirror
Oregon Supreme Court Declines To Hear Schwartz Case
merlyn writes "The Oregon Supreme Court declined to hear my case, leaving standing the unfavorable decision of the Oregon Appeals Court as the final authority on this eight-year-long case, well known to many
sysadmin and Perl hacker alike. Details at my fors-announce posting." If you're not sure what that means, you probably want to read at least this site which offers a straightforwardly partisan look at the complicated case of Intel vs. Schwartz as well as Schwartz's own page; it's a strange world where programmers and sysadmins can be convicted for seemingly innocent activities.
...cracking passwords an innocent activity?
You know... most everyone I know who has followed the case seems to agree that the only reason you got in trouble to begin with was because of your inability (some call it emotional ignorance) to communicate properly with the admins within Intel.
Still, all in all, I believe you've managed to do well for yourself. Written a couple of books, entrenched in the perl community, regular magazine article contributer, etc. You should feel lucky that you did not do any time in "pound you in the ass" Club Fed. You *should not* feel that somehow it's your god given right to have this little blight on your history removed (and to be honest, do you know *anyone* of any note or repute that doesn't have a bit of netorious past?).
So, just get over it, continue to pay off your legal bills (and that's really that this appeal is about, right?) and get on with your life.
*shrug*
Randall Schwartz was doing some shit that Intel didn't like. It also happened to be illegal. Intel asked him to stop. They asked him nicely. He didn't, and Intel had him prosecuted. Randall Schwartz made his own bed.
Flame on.
The middle mind speaks!
Some background from the other side: an affidavit from one of the Intel folks is here:
e lrep.txt
http://www.lightlink.com/spacenka/fors/police/int
Basically, he cracked more than one companies passwd file without permission...one of them was a company he'd been dismissed from earlier (he was still logging into their machines and was cracking their passwd file,too).
Personally, I'm not at all surprised that they threw the book at him.
Ok, so in Oregon it is a crime to "unlawfully, knowingly and without authorization alter a computer and computer network." The obvious solution here (for people working on computer networks in Oregon) is to obtain written permission from the appropriate authorities before altering a computer and/or computer network. Print up forms with the full text of the appropriate laws and give them to the appropriate people. Whenever you need to do anything, request permission in writing. If they complain, have them provide authorization in writing for performing specific common tasks at the discretion of the individual, but keep requiring written authorization for anything else. If the law really is as broad as it is being described, there is too great a risk of prosecution to do otherwise, especially if you deal with security testing. Either get permission or don't do it - there's no sense putting yourself at risk to do something that the network's owner probably won't care about anyway.
Also IIRC it seemed like Intel management wanted to handle it differently than Intel Security which called up the Sheriffs office, I think, to have Randal arrested.
IMHO he only used really bad judgement and is obviously not a cracker bent on maliciousness.
I think it's too bad that the courts came down as hard as they did on him. At least he's not still in prison.
"sweet dreams are made of this..."
Sounds like a bad legal decision and it reflects poorly on Intel. But one thing to keep in mind: workplaces are all about politics. People who play their cards right seem to be able to get away with murder. People who hack and don't shmooze, on the other hand, are very vulnerable. If you are of the latter persuasion, do things completely by the book and get permission for anything even remotely out of the ordinary in writing.
Unless specificly authorized in his capacity as a consultant he never should have touched the password file.
As a consultant you may be in the situation, on a daily basis, that you have access to information which is not yours to do anything with. Thats the nature of the beast, don't screw with it.
As a consultant I have access to data on the customers of my clients. That data is confidential. Unless specificly using the data for testing I have zero right to that data. Even if it is in the database I have access to, and available to me based on my access privledges.
Having access to data doesn't mean you have the right to that data.
I'm sorry, but at first blush what he was doing would not seem inocent to anyone. He was cracking passwords, and sent out some VPs password to other people. He was also not a fully employee and didn't authorization to do what he was doing.
He may not have meant any harm by what he did. And when you look closer you can see that. But what he did does not seem innocent in any sense of the word.
Yeh, now mod me flamebait like that first post AC. God forbid we should go against the Editors
(btw, sorry this post hasn't been spellchecked. I'm away from home and my spellchecker)
autopr0n is like, down and stuff.
The hyperlink in the story to the overview of the Schwartz case is responding, "User over daily limit".
Use the mirror here.
Intel v. Schwartz
Intel's Prosecution of Randal Schwartz
Cybersalem|
 Press|
 What can you do?|
 
Kevin Mitnick on Hacking
Note:
The Open Letter to Intel closed to new signatures
on October 4, 1999.
Thanks to all who have signed!
Geek Kahuna Goes Bad?
It began prosaicly enough.
Randal Schwartz, who I knew from Usenet and his
very successful books on the Perl language,
was on business in Silicon Valley and agreed to meet me at
Frankie, Johnnie & Luigi Too,
an Italian restaurant in
Mountain View CA, to offer me advice for a program I was
writing.
It might seem surprising
that Randal would agree to take time
from a hectic schedule two weeks before going on trial to give
what amounted to free consulting to a stranger.
However, those who
have been interested in the Perl language for a while
know that Randal
is a legend for his generosity.
Actually, I didn't know Randal was going on trial in two weeks.
I had heard rumors that he had some sort of legal difficulties
(a civil suit I assumed) which involved Intel.
I'd known many people with matters before the
courts, some close personal friends,
and few liked to discuss them.
Therefore it was not until
Randal had fielded my Perl questions, the talk
turned to minor chit chat and Randal unexpectedly proved
willing to discuss the matter that
I discovered the person I was drinking beer with
was looking at fifteen years in a few days, and, if convicted,
would have the biggest legitimate reputation by far of
any computer criminal.
I didn't necessarily credit the story he told me -- every
accused felon tells you it was all a misunderstanding, and
they are almost always just plain guilty.
Neither, I must confess, do I have unquestioning faith in
all the conclusions D.A.'s draw.
Days later, an Oregon Jury convicted Randal of
three felonies.
Randal Schwartz was, in the eyes of the law, a
Geek Kahuna Gone Bad,
the first.
Especially eerie about the Schwartz matter
was the silence surrounding it.
This clearly was a very significant case, far more so than
some which have drawn a lot of attention.
Randal Schwartz was either
the most dangerous computer criminal ever,
or something was terribly amiss, I had to know which.
That night I put the project I had discussed with Randal
on a shelf, where it remains.
"Feel free to stop dancing around the issue
any time you like and
tell me what this is all about."
On July 25, 1995, a Washington County jury in Hillsboro, Oregon
convicted Randal Schwartz of three felony counts:
Count 1: Randal did
between November 1, 1992 and November 1, 1993,
"unlawfully, knowingly and without authorization alter a computer and
computer network consisting of Intel computers Mink and Brillig".
Count 2:
Randal did between August 1, 1993 and November 1, 1993,
"unlawfully, and knowingly access and use a computer
and computer network for the purpose of committing theft of the Intel SSD's
password file".
Count 3: Randal did,
between October 21, 1993 and October 25, 1993,
"unlawfully, knowingly
access and use a computer and computer system for the purpose of committing
theft of the Intel SSD individual user's passwords."
"Look, son, Randal may be a what you call a Geek Kahuna,
but the law is the same for him as everyone else."
Actually, Randal was not tried under the usual criminal
laws, but Oregon's Computer Crime law.
Uses of this law are rare.
I can discover only two convictions under it since 1991,
and in one there was no trial.
The purpose for a separate Computer Crime Law
was to avoid having bad guys escape on technicalities,
something its drafters felt that
even an extensive revision of traditional criminal law would allow.
This they accomplished by making it a felony
to knowingly do anything
"unauthorized" on a computer.
Unusually for a law with severe penalties,
there is no requirement to show the defendant caused or intended
any harm.
All that is necessary is to show
that the proper authority did
not like whatever was done.
The first count is that, pure and simple --
Randal putting a
program on an Intel computer which Intel did not like.
The "stolen" property of the second and third counts
was never removed from Intel's premises, Intel was never
deprived of any of the economic benefit of the
property, and no evidence was presented
Randal intended to do either of these things.
These "thefts" consist entirely, again, of doing things
which Intel decided afterwards
it did not like and which it claims that Randal
was not allowed to do -- this time with
password files involved.
Criminal laws with wide applicability and severe
penalties are a feature of totalitarian states, and
may be a necessary evil in free ones.
In Randal's case, where he was trying to be helpful
and caused no harm,
the potential evil in applying such a law
is far more apparent than its necessity.
At the least,
a free society asks that a serious crime
genuinely reflect one of its serious concerns,
and not simply be a tool the powerful can use
against the powerless whom they find obnoxious.
A good test of this can be made when a powerful
individual breaks the law.
But for computer crime, which is complex and
technical, such tests are
available only as a matter of luck, since
the powerful decide who gets investigated.
However, we have such a stroke of luck in this case.
An Intel VP confessed on the stand to a more serious
infraction of Oregon's computer crime law.
And the Washington County D.A.'s office,
which so eagerly talked tough when facing the
powerless Randal,
has observed a demure silence on this topic.
The defects in the law should easily have
been enough to prevent
this case ever coming to trial, and made discussion of the rest
of this matter moot.
But at each step of the way, as one person or another faced
the prospect of telling Intel "no", they chose instead to
praise the Emperor's fine new suit.
Some Highlights from the Ongoing Farce
No evidence that Intel disapproved of Randal's behavior
exists, except as remembered after the decision
was made to prosecute him.
Not so much as a hand-written note indicates anyone had a
problem with Randal beforehand.
Lest those testifying for the prosecution,
all of whom had financial interests in the good will of Intel,
forget Intel's concern in this matter,
an Intel Security person sitting at table next to the prosecutor
served as a convenient reminder.
Intel was heavy-handed in making its presence felt throughout.
The police prepared the search warrant at Intel premises,
three Intel employees helped search Randal's house,
and one helped police interrogate Randal.
This interrogation produced the prosecution's "best" evidence:
police statements that put the words of a full confession
in Randal's mouth.
Indeed they claim Randal confessed to a history of hacking
everyone he had done business with.
(All these other "victims" provided witnesses for the defense,
and Randal was charged with none of this activity.)
The police claim to have memorized Randal's highly technical
statements with the aid of a few "cryptic" notes,
and reproduced them accurately later at the station.
It is hard to overstate what an incredible
feat of memory this is.
Det. Lilley, who produced the more complete statement,
didn't know what the word "directory" means in computer lingo.
Mere mortals with similar backgrounds would have found it
impossible to follow the discussion,
much less memorize it verbatim.
In other contexts, Intel had previously
authorized Randal to commit both the acts
allegedly unauthorized in this instance:
cracking passwords and building a gateway to the Internet.
Randal was well aware of the steps a computer criminal usually takes
to avoid detection of his activities and took none of them.
As I go through the records in this matter, more and more
startling and troubling material continues to come out.
It is as if this case was an entry in a contest to see
how much misbehavior could be squeezed into a case where nobody
was shot or beaten.
I document my progress into this shambles in the
Letters from Cybersalem.
The Letters From Cybersalem
CS0: Announcement.
Obviously, the letter which announced the series.
CS1: Disclosures and Disclaimers.
My connections
to Intel and Randal, and various other things which need to
be said. Nothing stunning IMHO, but you have a right to know and
to judge that for yourself.
CS2: Wizard Prosecutions: Then and Now.
A comparison of the quality of
the prosecution in the Salem, Massachusetts of 1692 and
the Hillsboro, Oregon of 1995.
Witchcraft prosecutions have declined sadly in the last
300 years.
CS3: The Unindicted: Ed Masi.
It is so easy to make a case for the crime of which
Randal was convicted,
an Intel VP testifying against Randal made a
full confession under oath on the stand.
It's all here.
CS4: Shocked, Shocked.
Randal's "crime" caused no harm, which is perplexing
since harm is basic to both the legal theory and lay
intuition of what "crime" means.
The policy infraction to which Ed Masi confessed
is shown to have quite likely caused real and serious harm to Intel.
CS5: Leadfinger.
This imbecility is not without its literary appeal.
A nicely Kafkaesque touch is added by the reluctance of the
Intel nabob who ordered Randal nailed to identify himself.
Of course, nobody forced him to come forward.
CS6: Unlearn Perl in 41 days!
Rich Cower of Intel security, adds to the list of
remarkable intellectual feats performed on behalf of the
prosecution. On June 13, 1995, he answers most questions about
Randal's Perl scripts with assurance, but passes on others
until he can look at the code.
41 days later he testifies under oath he does not know Perl.
CS7: The Essential Cower.
As Network Security Expert at Intel,
Cower played quite a role in the case.
He was present at the search,
participated in Randal's interrogation,
was an expert witness and
as State's Expert sat next to the prosecutor
for the whole trial.
CS8: What Does Familiar Mean?
However, this Intel "expert", when shown the seminal
work in modern network security, Cheswick and Bellovin,
does not recognize the cover.
CS9: Shortcut to Expertise.
An examination of Cower's background and qualifications,
as revealed in his testimony.
CS10: Too Stupid for Their Own Good?
Randal's local paper was
The Oregonian,
already notorious for ignoring the Packwood scandal.
It heaped abuse on Randal and the whole
"computer programming subculture"
during the trial.
I recommend anyone planning to work as a programmer
in Oregon read this one.
CS11: Oregon Employees have No First Amendment Rights
Unbelievable?
That is Judge Nachtigal's ruling.
Read it.
CS12:
Oops! There Goes Another Personal Right
Judge Nachtigal also discovered that the law
allowed "silly" (her word) prosecutions,
which in the D.A.'s words
show his "office must have an awful lot of time on their hands".
These are forbidden by the due process protections of the
14th Amendment,
but Nachtigal finds that
"we may want that authority there with computers",
and the charges against Randal stand.
CS13: The Confidence of the Public
This one is entirely uncommented quotes.
Here are some snippets.
The prosecutor: "I don't represent Intel."
The judge: "Not yet."
The detective: "We could probably use two or three more people".
The Associated Press:
"Intel Corp. is handing the local police $100,000 to have two
detectives concentrate their computer theft efforts
at the company."
CS14: Moore's Lawlessness
It would be surprising if Intel's heavy-handed contempt for the law
were unique to this case.
As Tim Jackson's new book shows, it is not.
An Open Letter to Intel
We wish to express our strong objection to the prosecution of
Randal Schwartz and Intel's role in it. We believe it necessary
that Intel repudiate the criminal charges made against Randal in
Oregon v. Schwartz, refund any "restitution" paid based on those
charges and offset the costs of Randal's defense against them.
This is the minimum that fairness requires since what happened
was at worst a policy breach and since Randal also suffered loss
of income, loss of reputation and a good deal of anguish.
The full list of signers
The current signature count, with subtotals by country
Signers whose names you might recognize
Comments made by the Signers
The Open Letter closed to new signatures on October 4,
1999. Thanks to all the over 2000 signers!
Links
To get an auto-reply giving Randal's own statement, and
discussing how you can contribute to his Legal Defense Fund, send
an empty message to
Randal's Defense Fund mail daemon
.
Steve Pacenka maintains
the Friends of Randal Schwartz website
,
which is dedicated to archiving all relevant materials from
all sides of this issue.
There is also
Randal's award-winning website
.
How come he gets an award and I don't?
You can subscribe to
the fors-discuss mailing list,
by sending a empty message to
join-fors-discuss@telelists.com.
There is also
fors-announce,
a moderated announcement list for Randal's case.
This can be subscribed to by
sending a empty message to join-fors-announce@telelists.com.
Press Coverage
I want to thank this site's host ISP
A2I (rahul.net).
for its steadfastness and generosity.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
There's a good summary at the SANS Institute site. Schwartz did three different things: (1) installed a backdoor in a firewall, (2) did an unauthorized password scan, and (3) used one of the passwords he obtained through this scan to log into a system to which he should have had no access. He then copied the /etc/passwd file off that last machine, apparently to run an attack against it, as well.
Even a cursory review of the documents in the case make it clear that he wasn't framed, that he actually did the things he was charged with, and that at least one of the activities with which he was charged was not only unauthorized, but had been explicitly forbidden by his managers. He had been ordered to take his gateway down at one point. He did so, waited a few days, and then brought an equivalent service up on the same machine under a different name. (See this site for some more details.)
In my opinion, what he did was certainly grounds for dismissal, and almost certainly technically criminal. That said, I think the district attorney was unwise to pursue the case against Schwartz, since the damage done to his reputation just on the basis of what is clearly the case would have been punishment enough. Even without the convictions, no major site will ever touch him again: security geeks are dangerous, and the last one you need is one that won't obey the policies about what he or she may attack at any given time.
For years now we have been reading comments about What Randal Should Have Done.
It's easy to be critical from a distance. But before you're too smug in your assessment, walk a mile in his shoes, or in today's terms, sit for an hour at Randal's shell prompt. Many of us do every single day.
Randal was doing pretty much what many sysadmins do as an ordinary matter of course: secure and protect the systems they are responsible for. It's the job they're hired for, you know?
I've always felt that this amounted to a personality clash that spun out of control, bruised the ego of an Intel senior PHB, and then completely escaped from reality when it was referred as a criminal matter to the local gendarmerie.
Unless you live in or next to Washington County, Oregon, as I do, it may be hard to understand the pressure that develops when the local cops get a call from the largest employer in your area and the most powerful company in the state.
I remind everyone here that Randal was an Intel contractor with a one-line contract that basically ended up being interpreted in a completely arbitrary way.
Randal would be the first to say he did some things that weren't wise, but there was never any intent of illegality or damage to his client, the mighty Intel Corporation.
Intel has rightly gotten a big old black eye over this entire episode, at least among those who bother to learn the details, and at least as far as I know has not repeated this stupidity.
Randal has managed to keep going, dealing with an onerous legal case, the threat of jail, an extraordinarily out of whack fine, and daunting legal costs.
The Oregon law that all this hooked on is widely regarded as badly written and prone to misuse (I've written some Oregon law in my time, not in this particular area, and it's easy to see how this happens in the legislative process).
The gross sense of disproportion is the lesson I have learned from this sorry episode. It is sobering for any of us who take on sysadmin duties under any circumstances. As security becomes an ever more complex and consequential issue, that is a lesson everyone should take seriously. Just because you are doing the best you can, all of us have our flaws. What protection do you have if someone decides to settle a grudge with you and have the full weight of an ill-defined law and an immensely powerful legal apparatus thrown on you?
Good luck to Randal. He handled this with a lot more diplomacy and good cheer than many of us would probably have mustered.
--------
Bill Gates Is My Evil Twin.
Randal is totally innocent.
If I found out that someone who was not a sysadmin or security analyst was running a password cracker on my systems, I'd be very pleased.
Lets face it, it's a pain in the ass to setup passwords crackers, and if a "White Hat" Hacker decides to break into my mailserver, he's really doing me a service.
As an example of similar activity, just the other day I found a man trying to unlock my mailbox with a screwdriver by prying the door off. I was actually comforted by the gesture, since I can now send a bug report to the post office and request that they install a stronger door.
Conformity is the jailer of freedom and enemy of growth. -JFK
I was looking forward to meeting Randal at the "Learning Perl" class in portland, but he was sick. Thou a nice guy named Tad McClellan tought the class. We talked about Randal for a few minutes. Randal just used bad judgement, but there was never criminal intent.
I really hate how the laws are using this non-violent, non-profit hacking as a crime. He should of been fired for breaking company policy, but a crime? He didnt steal anything, a password file was used on a company computer to run crack, he was planing to use it for the good of the company.
I wish I owned a large enough company like microsoft or oracle, I could use my business and political weight to bring attention to matters like this. If Bill Gates announce he was moving all his companies from Oregon because of the way they treat thier citizens, maybe Randal would get a pardon. Look how Adobe called the FBI and they acted, the government supports the larger companies.
Is it me, or is the laws and poltical dealings of of our Goverment piss you off? If it wasnt for 911 goverment reform would be taking place. But now its Terrorist threats and cyber laws.
I better watch what I say, freedom of speech seems to be a passing fad.
Crackers are bad enough. Password stealing crackers who put INLINE SOUND on thier webpages should be shot.
-- I Am Not A Terrorist.
Of course, just after I hit Submit, I found the link to the article:
Rulings may put Oregon courts on trial next year
The article is dated 11/26/01 and the only keep one month available for free online, so that link may expire soon.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Hear hear. I've been in this position and I always have asked, too.
...
Not because I live in the state of Oregon but because it is the right thing to do (and my knowledge of right and wrong far predate the law in question).
I think the major problem with Randal was that Intel had no idea of what he was actually doing, found out, freaked out. Freaki
ng out was a reasonable response.
The fact that the freaking out resulted in a criminal charge and conviction is unfortunate. Washington County (where Intel's Oregon facilities are located) is far, far more conservative than Multnomah County (where Portland, OR is mostly located). In Multnomah County some sort of non-criminal solution would've been the result, most likely.
The Appeals Court and Supreme Court, though, don't rule on whether or not the conviction is "reasonable" but whether or not the conviction meets the test of law.
That's not unreasonable, that's how judicial review is meant to work. The law as written is unreasonable, but not unconstitutional and therefore no constitutional grounds for overturning the conviction exist. There's no doubt about the evidence, so there's no evidenciary grounds for overturning the conviction.
So
1. Randal sinned in a relatively minor way, but sinned nonetheless.
2. Intel and a hard-assed Washington County prosecutor decided to go after him in a major way (makes you wonder about past interactions, doesn't it? I would think that a single well-placed manager could've derailed this train if she'd thought Randal deserved grace).
3. The law doesn't violate the Oregon or Federal Constitution (nor your state's, most likely). Therefore the Court of Appeals and Supreme Court, whatever their private view of the overreaction resulting in his conviction, have no basis for overturning it. (of course, they may actually want him to burn at the stake, but we don't know that, the Oregon Supreme Court is actually fairly liberal).
Actually, the Oregon Supreme Court's ruling in the case that you're mentioning was eminently reasonable. The measure on the ballot *clearly* addressed separate issues, and the Oreogn Constitution is veyr clear on the issue.
We have one of the most liberal constitutional amendment amendment procedures in the country. All you need is 50% + 1 vote to change it.
If the right (or the left, though the right has been the side playing the game) wants to put multiple issues under a single ballot measure, all they need to do is to pass a Constitutional Amendment by a 50%+1 vote margin to rewrite our Constitution to allow it.
The reason why this is important is that they put up tax-cutting measures that then have unrelated stuff tacked on in a single ballot measure. They hope that the promise of lower taxes will attract enough votes to pass the ballot measure regardless of whatever else they stuff into it.
I personally think that those who write my state's Constitution were wise to specify that every initiative ballot measure must address one, and only one, issue. (it is incredibly easy to put a ballot measure up here, popular democracy at its best, the least we can ask is to be given one question at a time to vote on).
(Look at my friggin' nickname, I just had to say it).
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
>get permission to crack the passwords. So when
>the admin found out that Schwartz was running
>Crack he informed the security guys at Intel.
In other words, intel security was a lot better than this wannabe suspected . . .
hawk