Slashdot Mirror

← Back to Stories (view on slashdot.org)

McOwen Case Settled

Posted by michael on from the hardly-any-bloodshed dept.

ewilts writes: "Back in July, you ran a story about David McOwen, a computer adminstrator at DeKalb Technical College in Georgia, who was being charged for installing SETI software on school computers. This case has now been settled. See also the EFF press release on McOwen's web site." Update: 01/18 16:11 GMT by M : It was software from distributed.net, not SETI.

9 of 286 comments (clear)

  1. Seems reasonable by Derkec · · Score: 3, Informative

    This generally looks like a reasonable settlement. The monetary damages are a bit dissapointing, though. Remember to ask permission (and get that permission in writing) when you make large, questionable, changes to the systems you are responsible for.

  2. Already in Slashback by UCRowerG · · Score: 4, Informative

    This story has been convered in a recent Slashback article: here.

  3. Re:$2100 and 80 hours community service by Hougaard · · Score: 4, Informative

    Distributed.net

    He ran the dnetc.exe client on a ton of school PC's in Georgia.

    The funny thing, is that it took several "security experts" a lot of work to figure out what dnetc.exe actually was :)

  4. It wasn't SETI@home! by jonnythan · · Score: 5, Informative

    A lot of people seem to be under the impression that the client he was running was SETI@home and was therefore innoculous.

    Well, he was running some distrubuted.net-type decryption client where he would have WON MONEY had he been the one to find a key.

    Not so humanitarian and innoculous now, is it?

    Years in prison and a $400,000 fine are extremely way beyond reason, but I can see how this was a crime as he stole company resources for personal gain.

    The $2100 fine does seem reasonable as I think he would have won $2000.

  5. Re:Powerful implications by anthony_dipierro · · Score: 5, Informative

    Although he got off relatively light, the precident set here is that sysadmins can no longer choose to install software at will.

    The case was settled out of court. Absolutely no precedent was set.

  6. Distributed.net trojans and worms by melquiades · · Score: 4, Informative

    Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

    ...or opening up a security hole.

    Every piece of software installed present a potential threat. Did it come from a reliable source? Does it have security flaws? Obviously, there has a be a reasonable balance between maintaining security and giving users the flexibility they need to do their jobs. I get very irritated when a company won't let me install software I need -- or just want! -- on my desktop at work.

    This balance tips increasingly in favor of security as if installation is (1) on a server, (2) on a production server, (3) on a lot of machines. Maintaining that balance is a sysadmin's job. And this guy was definitely not doing his job.

    All that said, aren't criminal charges just a little out of line? He should just have been professionally reprimanded, or maybe fired. But a lawsuit?

    1. Re:Distributed.net trojans and worms by Leto2 · · Score: 3, Informative

      I'd like to point out that it is not the distributed.net software that has a hole. _If_ you have your computer misconfigured and allow write access to shares over the internet, worms and trojans will find your way into your computer. Unfortunately, some moron thought it would be funny to use the distributed.net client as payload for his malicious worms. Just to clear things up. Ivo distributed.net abuse@d.net officer

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
  7. Re:He got off easy... by Katharine · · Score: 3, Informative

    The statute he was charged under, the "Georgia Computer Systems Protection Act" can be found at http://www.clark.net/pub/rothman/gacode.htm

    My guess is that he was accused of "appropriating" the computers at the school, which the Act defines as "computer theft." But as I read the Act, it sounds like using one's work computer to visit a non-work-related website without one's employer's permission would also qualify as the crime of "computer theft," even if it were on your own time. In fact, it might be arguable that using one's work computer on one's own time to write a letter to one's congressman could be "computer theft" as defined under the Act, if your boss didn't give you permission to do it.

    Take a look at it, it is pretty interesting reading . . .

  8. McOwen Was Warned by futuresheep · · Score: 3, Informative
    McOwen was warned several times by his superiors about running the client:

    SecurtyFocus

    Financial Motive Alleged

    Willard says that McOwen was singled out for prosecution partly because he had ignored his supervisor's warnings. "In this case, Mr. McOwen was expressively prohibited by his superiors from downloading these programs and was informed on many occasions by his supervisors to stop downloading programs," said Willard. "They were aware that he was doing it and he had gone in and cleaned it up on numerous occasions." Joyner insists McOwen received no such warning.

    Prosecutors also claim that McOwen had a financial motive for volunteering the school's machines. McOwen was a top producer on distributed.net for "Team AnandTech," a group sponsored by a hardware forum site which is still the second ranking contributor to the RC5 research project. A $1,000 prize goes to the individual contributor who recovers the RC5 encryption key. "McOwen placed a program on computers, that in his estimation would benefit him personally, including computers that has sensitive student financial and identity information without authorization," says Willard. "There is concern about the program itself compromising or providing the basis to compromise sensitive personal or financial information, there is the matter of Mr. McOwen's unauthorized activities on this computer, and finally there is the point that there was misappropriation of state property."

    He was warned several times, and the software had repeatedly been uninstalled. This isn't the only article I've read that discussed this fact. I may not agree with the charge or the penalty, but he should have been fired for ignoring his supervisors continued requests.