Oregon Supreme Court Declines To Hear Schwartz Case
merlyn writes "The Oregon Supreme Court declined to hear my case, leaving standing the unfavorable decision of the Oregon Appeals Court as the final authority on this eight-year-long case, well known to many sysadmin and Perl hacker alike. Details at my fors-announce posting." If you're not sure what that means, you probably want to read at least this site which offers a straightforwardly partisan look at the complicated case of Intel vs. Schwartz as well as Schwartz's own page; it's a strange world where programmers and sysadmins can be convicted for seemingly innocent activities.
...cracking passwords an innocent activity?
You know... most everyone I know who has followed the case seems to agree that the only reason you got in trouble to begin with was because of your inability (some call it emotional ignorance) to communicate properly with the admins within Intel.
Still, all in all, I believe you've managed to do well for yourself. Written a couple of books, entrenched in the Perl community, regular magazine article contributor, etc. You should feel lucky that you did not do any time in "pound you in the ass" Club Fed. You *should not* feel that somehow it's your god given right to have this little blight on your history removed (and to be honest, do you know *anyone* of any note or repute that doesn't have a bit of notorious past?).
So, just get over it, continue to pay off your legal bills (and that's really what this appeal is about, right?) and get on with your life.
*shrug*
Randall Schwartz was doing some shit that Intel didn't like. It also happened to be illegal. Intel asked him to stop. They asked him nicely. He didn't, and Intel had him prosecuted. Randall Schwartz made his own bed.
Flame on.
The middle mind speaks!
Some background from the other side: an affidavit from one of the Intel folks is here:
http://www.lightlink.com/spacenka/fors/police/intelrep.txt
Basically, he cracked more than one company's passwd file without permission...one of them was a company he'd been dismissed from earlier (he was still logging into their machines and was cracking their passwd file, too).
Personally, I'm not at all surprised that they threw the book at him.
Ok, so in Oregon it is a crime to "unlawfully, knowingly and without authorization alter a computer and computer network." The obvious solution here (for people working on computer networks in Oregon) is to obtain written permission from the appropriate authorities before altering a computer and/or computer network. Print up forms with the full text of the appropriate laws and give them to the appropriate people. Whenever you need to do anything, request permission in writing. If they complain, have them provide authorization in writing for performing specific common tasks at the discretion of the individual, but keep requiring written authorization for anything else. If the law really is as broad as it is being described, there is too great a risk of prosecution to do otherwise, especially if you deal with security testing. Either get permission or don't do it - there's no sense putting yourself at risk to do something that the network's owner probably won't care about anyway.
Unless specifically authorized in his capacity as a consultant he never should have touched the password file.
As a consultant you may be in the situation, on a daily basis, that you have access to information which is not yours to do anything with. That's the nature of the beast, don't screw with it.
As a consultant I have access to data on the customers of my clients. That data is confidential. Unless specifically using the data for testing I have zero right to that data. Even if it is in the database I have access to, and available to me based on my access privileges.
Having access to data doesn't mean you have the right to that data.
The hyperlink in the story to the overview of the Schwartz case is responding, "User over daily limit".
Use the mirror here.
There's a good summary at the SANS Institute site. Schwartz did three different things: (1) installed a backdoor in a firewall, (2) did an unauthorized password scan, and (3) used one of the passwords he obtained through this scan to log into a system to which he should have had no access. He then copied the /etc/passwd file off that last machine, apparently to run an attack against it, as well.
Even a cursory review of the documents in the case makes it clear that he wasn't framed, that he actually did the things he was charged with, and that at least one of the activities with which he was charged was not only unauthorized, but had been explicitly forbidden by his managers. He had been ordered to take his gateway down at one point. He did so, waited a few days, and then brought an equivalent service up on the same machine under a different name. (See this site for some more details.)
In my opinion, what he did was certainly grounds for dismissal, and almost certainly technically criminal. That said, I think the district attorney was unwise to pursue the case against Schwartz, since the damage done to his reputation just on the basis of what is clearly the case would have been punishment enough. Even without the convictions, no major site will ever touch him again: security geeks are dangerous, and the last one you need is one that won't obey the policies about what he or she may attack at any given time.
Randal is totally innocent.
If I found out that someone who was not a sysadmin or security analyst was running a password cracker on my systems, I'd be very pleased.
Let's face it, it's a pain in the ass to set up password crackers, and if a "White Hat" Hacker decides to break into my mailserver, he's really doing me a service.
As an example of similar activity, just the other day I found a man trying to unlock my mailbox with a screwdriver by prying the door off. I was actually comforted by the gesture, since I can now send a bug report to the post office and request that they install a stronger door.
Conformity is the jailer of freedom and enemy of growth. -JFK
Crackers are bad enough. Password stealing crackers who put INLINE SOUND on their webpages should be shot.
-- I Am Not A Terrorist.
Hear hear. I've been in this position and I always have asked, too.
...
Not because I live in the state of Oregon but because it is the right thing to do (and my knowledge of right and wrong far predates the law in question).
I think the major problem with Randal was that Intel had no idea of what he was actually doing, found out, freaked out. Freaking out was a reasonable response.
The fact that the freaking out resulted in a criminal charge and conviction is unfortunate. Washington County (where Intel's Oregon facilities are located) is far, far more conservative than Multnomah County (where Portland, OR is mostly located). In Multnomah County some sort of non-criminal solution would've been the result, most likely.
The Appeals Court and Supreme Court, though, don't rule on whether or not the conviction is "reasonable" but whether or not the conviction meets the test of law.
That's not unreasonable, that's how judicial review is meant to work. The law as written is unreasonable, but not unconstitutional and therefore no constitutional grounds for overturning the conviction exist. There's no doubt about the evidence, so there's no evidentiary grounds for overturning the conviction.
So
1. Randal sinned in a relatively minor way, but sinned nonetheless.
2. Intel and a hard-assed Washington County prosecutor decided to go after him in a major way (makes you wonder about past interactions, doesn't it? I would think that a single well-placed manager could've derailed this train if she'd thought Randal deserved grace).
3. The law doesn't violate the Oregon or Federal Constitution (nor your state's, most likely). Therefore the Court of Appeals and Supreme Court, whatever their private view of the overreaction resulting in his conviction, have no basis for overturning it. (of course, they may actually want him to burn at the stake, but we don't know that, the Oregon Supreme Court is actually fairly liberal).