Slashdot Mirror

← Back to Stories (view on slashdot.org)

McOwen Case Settled

Posted by michael on from the hardly-any-bloodshed dept.

ewilts writes: "Back in July, you ran a story about David McOwen, a computer adminstrator at DeKalb Technical College in Georgia, who was being charged for installing SETI software on school computers. This case has now been settled. See also the EFF press release on McOwen's web site." Update: 01/18 16:11 GMT by M : It was software from distributed.net, not SETI.

29 of 286 comments (clear)

  1. Powerful implications by C4v3_7r0ll · · Score: 4, Interesting

    Although he got off relatively light, the precident set here is that sysadmins can no longer choose to install software at will. As a sysadmin for a large media congolmerate, I find it more and more difficult to simply administer my systems because all the suits want to know every move I make three weeks in advance. This decision simply adds an element of criminality to an already bad situation.

    1. Re:Powerful implications by swordgeek · · Score: 4, Insightful

      Hacking in??? What version of the case did you read?!

      He installed unauthorised and inappropriate software. Same thing could have happened if he'd installed Quake, but only played it during off hours.

      Regardless of the end goal (research?), SETI is effectively entertainment software from the client side. It serves no useful function for the company whose machines he ran it on.

      He deserved and got a slap on the wrist. Not a bad settlement all round.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    2. Re:Powerful implications by BlueUnderwear · · Score: 3, Interesting
      Regardless of the end goal (research?), SETI is effectively entertainment software from the client side. It serves no useful function for the company whose machines he ran it on.

      Just like dnetc, it serves the useful purpose of measuring the load of the machine. Just observe how much CPU time it takes: that's the amount not needed by anything else. However, smart people call it idle, rather than dnetc in order not to needlessly scare the suits ;-)

      --
      Say no to software patents.
    3. Re:Powerful implications by zangdesign · · Score: 4, Insightful

      It might be helpful to think of the sysadmin as more of a caretaker of the system, rather than as an absolute master of the machine. Owen's job (as I understand it) was to maintain the systems in a running state to provide computing services to faculty, staff, and students. While this occasionally includes installing software, it does not include installing software that is not necessary to the mission of the school.

      The presumption that he was the absolute master of the machines was in error. In this case, the System Administrator's job was not to set policy, but rather to advise. You would do well to clarify whether this is the administration policy with whatever company you work for.

      Owen's got lucky - and probably got about what he deserved for screwing around with state equipment.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    4. Re:Powerful implications by mccalli · · Score: 4, Insightful
      ...the precident set here is that sysadmins can no longer choose to install software at will.

      And thank god for that.

      Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

      Cheers,
      Ian

    5. Re:Powerful implications by the_2nd_coming · · Score: 3, Insightful

      fine, I understand that he is nor the master of the machine, but for not following company policy, you lose your job, not get prosecuted (unless you steal office supplys ;-)) costing a company money by loss of bandwidth is waising resources, not stealing.....you get fired for making personal copies at the copier, not prosecuted for theft, and in this case, HACKING!!!

      --



      I am the Alpha and the Omega-3
    6. Re:Powerful implications by Erasmus+Darwin · · Score: 5, Insightful
      "how the heck can you charge a sysadmin with hacking into a system that they have full privleges to in the first place?"

      Having full system access (such as 'root' on a *NIX box) does not always translate into having full authority (i.e. direct permission from real humans) to do all actions that are permitted by that level of access. The anti-hacking law he was charged under most likely has a clause about using a computer system in excess of the user's authority.

      For example, while a sysadmin may have root access to a system that he must maintain, he may not necessarily be permitted to use that access to snoop through the VP's mail spool. Similarly, a McDonald's employee that has the restaurant keys so he can lock up at night is still trespassing if he abuses those keys to throw a wild party there at 4am. Finally, it's still car theft if a chauffer decides to just drive away with the car that he's got full physical access to.

      What it all boils down to is how explicitly defined the sysadmin's authority was in this matter.

    7. Re:Powerful implications by InsaneGeek · · Score: 4, Interesting

      But there's installing software to do work which paid for the servers; and then there is installing software that actually is a detriment to the same servers trying to do work. It's almost the equivalent of seeing that your company has lot's of bandwidth free to their customer T3's and the servers aren't that loaded... why not put out our own free porn website.

      "Suits" as you say should want to know every move you make on a production system, there deffinetly is a need for change control. Ebay supposedly used to run pretty free and open, and had frequent crashes & outages; they brought a guy in and put in proper procedures, change control, etc. and their reliability increased exponentially. It is a big pain in the ass, I'll be the first to admit it, but so is documentation, getting up from your desk to go pee, etc. but it *is* needed.

    8. Re:Powerful implications by anthony_dipierro · · Score: 5, Informative

      Although he got off relatively light, the precident set here is that sysadmins can no longer choose to install software at will.

      The case was settled out of court. Absolutely no precedent was set.

    9. Re:Powerful implications by DaveWood · · Score: 4, Funny

      Yeah - that's definitely worth a 30 year vacation at a Georgia penitentiary. Those jails are kind of crowded though, so they might have to release some rapists and child murderers early to make room for him.

      "How's prison going?"
      "Let's just say I'm not getting the respect a sysadmin deserves!"

      (What I'd like to see is 30 year jail terms for the executive corps at Enron, let alone all of the auditors at Andersen who destroyed documents instead of auditing. Funny how it doesn't work that way...)

      --
      We're on the road to Tycho.
    10. Re:Powerful implications by Lumpy · · Score: 4, Interesting

      and the last thing I need is to have a solution forced down my throat from a moron in change control or at the NOC that has no clue about how my division does business or how to even impliment security.

      I have a server that is NOT on the domain and has NO trusts to any other machine or network, it houses the SQL server and data files for one of our most important systems... billing. now I get the idiot from corperate telling me I have to set up a trust with his computers so that some bean counter can log in and view data... no not a login for this person but an entire trust so that every fricking user in this corperation that is logged in can let their outlook virii try and attack my server.

      Luckily, I have a upper sales management person that can override this IT weenie. Until the Corperate IT department can guarantee that the server will not be attacked because of the trust it will not be a part of the network.... and as we all know, you CANT guarentee anything.

      everything in my buildings has fared off the last 5 rounds of virii without even a hiccup. the rest of corperate had major downtime and re-infections. On a conference call about the last virus and how it caused downtime, we were the ONLY office to report that we had no problems... enough to convince my boss to ignore anything that corperate tries to add to the system or block me from changing.

      The job of the sysadmin/netadmin is to give the sales force and all other employees the tools they need to make the company money, it is not there to feed the oversized egos of corperate level power freaks.

      --
      Do not look at laser with remaining good eye.
  2. Seems reasonable by Derkec · · Score: 3, Informative

    This generally looks like a reasonable settlement. The monetary damages are a bit dissapointing, though. Remember to ask permission (and get that permission in writing) when you make large, questionable, changes to the systems you are responsible for.

    1. Re:Seems reasonable by Restil · · Score: 3, Insightful

      I don't think its unreasonable at all. While I think that what he did was more of a fireable offense rather than a legal one, there's still no doubt that what he did was wrong, and that it cost the company money to root out the problem and correct it.

      Remember, when this whole thing started, the company was under the impression that there was some program leaking out information. They thought that this was MUCH more serious than a simple distributed program. And when they went
      running to law enforcement, this was their original complaint.

      As we saw in the Adobe case, just because the complaintant backs down, that doesn't mean the government will. Once you choose to press charges, its out of your hands. This isn't a civil case. Parties in a civil case can settle their differences any way they want and only need to go to court if they can't. This was a criminal case, and while a criminal case is somewhat hurt by the loss of cooperation by the "victim" it does not mean they have to stop prosescution.

      I would prefer that the EFF and the community at whole give more attention to those cases where people aren't actually guilty of anything. Not where someone did something wrong and everyone else is just overreacting. Certainly, I don't agree with the initial time he was facing, but if he had been doing his job correctly he never would have had this problem in the first place.
      Show some responsibility people!

      -Restil

      --
      Play with my webcams and lights here
  3. Re:He got off easy... by the_2nd_coming · · Score: 3, Insightful

    he should have been just ired then.....saying he HACKED a system that he had full administrative rights to is rediculous....its like calling the police on your house keeper for breaking and entering even though she has a key and is contracted to do work in your house.....if she was having parties then you fire her, you can not get her on breaking and entering.

    --



    I am the Alpha and the Omega-3
  4. Already in Slashback by UCRowerG · · Score: 4, Informative

    This story has been convered in a recent Slashback article: here.

  5. Re:$2100 and 80 hours community service by Hougaard · · Score: 4, Informative

    Distributed.net

    He ran the dnetc.exe client on a ton of school PC's in Georgia.

    The funny thing, is that it took several "security experts" a lot of work to figure out what dnetc.exe actually was :)

  6. Re:$2100 and 80 hours community service by Darkness+Productions · · Score: 4, Insightful

    Actually, he was running RC5. The problem the school had with this is that with RC5, there is a change (albeit a very limited one) that you could win money. He had not stated that he would give the money to the school...

    Read about it here:
    http://arstechnica.infopop.net/OpenTopic/page?a=tp c&s=50009562&f=122097561&m=1110950822
    http://arstechnica.infopop.net/OpenTopic/page?a=tp c&s=50009562&f=122097561&m=7450963242&r=5150986242 #5150986242
    http://forums.anandtech.com/messageview.cfm?catid= 39&threadid=518510&start=1
    http://forums.anandtech.com/messageview.cfm?catid= 39&threadid=518184 This was widely discussed among many of the more well known distributed computing teams. Check it out.

    --
    Glen
    Track your fuel economy
  7. Punishment. by AnalogBoy · · Score: 5, Funny

    Now, of course, he gets off light from the government.. but jeeze, think of the internet traffic charges he's gonna rake up from being slashdotted. YOU MEAN HEARTLESS PEOPLE! Have you no decency? Give the man a break.

  8. It wasn't SETI@home! by jonnythan · · Score: 5, Informative

    A lot of people seem to be under the impression that the client he was running was SETI@home and was therefore innoculous.

    Well, he was running some distrubuted.net-type decryption client where he would have WON MONEY had he been the one to find a key.

    Not so humanitarian and innoculous now, is it?

    Years in prison and a $400,000 fine are extremely way beyond reason, but I can see how this was a crime as he stole company resources for personal gain.

    The $2100 fine does seem reasonable as I think he would have won $2000.

    1. Re:It wasn't SETI@home! by SirSlud · · Score: 5, Interesting

      >he stole company resources for personal gain

      I hope you're not at work today! You're stealing bandwidth and CPU power to post to slashdot, for the personal gain of .. well, posting to slashdot!

      Honestly, what, you wanna start counting electrons .. which ones make my company how much money, and which ones lose?

      distributed.net does have a goal that benifits those who believe in privacy and ecryption. it's not some sort of time-sharing scam or anything. in fact, if anything, distributed.net has a far higher likelihood of affecting our world (while we're still alive) than the seti project. like, sure, if his college didn't want it, I understand .. but to have been criminally charged instead of simply reprimanded? thats simply ludicrous. i'm liable to believe that someone in georgia does not believe in high encryption and privacy ..

      --
      "Old man yells at systemd"
  9. 59 cents / second?? by ch-chuck · · Score: 4, Insightful

    Wow! I'm sitting on a friggin' gold mine. Who in their right mind would ever pay upwards of $35 for ONE MINUTE of time on a PC?? You can buy a good system that's paid for itself in just one hour of time!! Lets see, going by the usual inflated legal dollers, this 1.5Ghz P4 I've been burning in for the last two weeks has just wasted $713,000. boggle.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  10. Fire 'em by rjamestaylor · · Score: 5, Interesting
    ...the precident set here is that sysadmins can no longer choose to install software at will.

    Perhaps it's a precedent for telling sys admins to stick to their jobs and keep the best interests of their employers in mind when installing software. This isn't about "sys admins choosing" it's about the appropriate use of someone else's property.

    When I discovered that a developer had installed SETI on my co's production ecommerce servers ("but I nice'd it!") I had the loser fired -- after disabling the software. Am I against SETI? No (nor am I "for" it; I don't care). But the purpose of our servers, bandwidth, etc., is not racking up points in the SETI project.

    Now, we have other servers that are intended for fun and exploration. But our production servers?

    --
    -- @rjamestaylor on Ello
  11. Re:Powerful implications - Indeed! by ackthpt · · Score: 5, Funny
    This decision simply adds an element of criminality to an already bad situation.

    <Cut to courtroom somewhere in the USA>

    Defendant: "...and then I installed the application on all the computers."

    Prosecutor: "You did this, fully aware that it was vulnerable and subject to attacks, which may paralyze the company email system, compromise data, or worse?"

    Defendant: "Yes."

    Gallery: *GASP*

    Prosecutor: "And what was this application?"

    Defendant: "MS Outlook."

    The prosecutor, appearing struck, glances at a shadowy figure in the gallery who bears some resemblance to John Ashcroft in a trenchcoat and fedora, the figure quickly draws a finger across his throat and the prosecutor recomposes himself.

    Prosecutor: "Your honor, the prosecution humbly requests all charges be dropped and that the defendant be released!"

    --

    A feeling of having made the same mistake before: Deja Foobar
  12. So how do we continue our function? by nurb432 · · Score: 4, Interesting

    So this means that before i install anything, good or bad, that i must *explain* each and *every* piece of code, and clear it with the people that entrust me with their network and am paid to be the expert on, and responsible for its upkeeep? What if i install VNC, antivirual update, research software for a better network, prety much anything they decide they dont like that day.. i goto jail? Seems to me our ablity to even do our jobs has just been limited drastically. Sure, wholesale personal use is wrong, but the way it sounds now im libel if managemnts mind changes tomrrow on anything.....

    --
    ---- Booth was a patriot ----
  13. Distributed.net trojans and worms by melquiades · · Score: 4, Informative

    Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

    ...or opening up a security hole.

    Every piece of software installed present a potential threat. Did it come from a reliable source? Does it have security flaws? Obviously, there has a be a reasonable balance between maintaining security and giving users the flexibility they need to do their jobs. I get very irritated when a company won't let me install software I need -- or just want! -- on my desktop at work.

    This balance tips increasingly in favor of security as if installation is (1) on a server, (2) on a production server, (3) on a lot of machines. Maintaining that balance is a sysadmin's job. And this guy was definitely not doing his job.

    All that said, aren't criminal charges just a little out of line? He should just have been professionally reprimanded, or maybe fired. But a lawsuit?

    1. Re:Distributed.net trojans and worms by Leto2 · · Score: 3, Informative

      I'd like to point out that it is not the distributed.net software that has a hole. _If_ you have your computer misconfigured and allow write access to shares over the internet, worms and trojans will find your way into your computer. Unfortunately, some moron thought it would be funny to use the distributed.net client as payload for his malicious worms. Just to clear things up. Ivo distributed.net abuse@d.net officer

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
  14. Re:He got off easy... by Katharine · · Score: 3, Informative

    The statute he was charged under, the "Georgia Computer Systems Protection Act" can be found at http://www.clark.net/pub/rothman/gacode.htm

    My guess is that he was accused of "appropriating" the computers at the school, which the Act defines as "computer theft." But as I read the Act, it sounds like using one's work computer to visit a non-work-related website without one's employer's permission would also qualify as the crime of "computer theft," even if it were on your own time. In fact, it might be arguable that using one's work computer on one's own time to write a letter to one's congressman could be "computer theft" as defined under the Act, if your boss didn't give you permission to do it.

    Take a look at it, it is pretty interesting reading . . .

  15. McOwen Was Warned by futuresheep · · Score: 3, Informative
    McOwen was warned several times by his superiors about running the client:

    SecurtyFocus

    Financial Motive Alleged

    Willard says that McOwen was singled out for prosecution partly because he had ignored his supervisor's warnings. "In this case, Mr. McOwen was expressively prohibited by his superiors from downloading these programs and was informed on many occasions by his supervisors to stop downloading programs," said Willard. "They were aware that he was doing it and he had gone in and cleaned it up on numerous occasions." Joyner insists McOwen received no such warning.

    Prosecutors also claim that McOwen had a financial motive for volunteering the school's machines. McOwen was a top producer on distributed.net for "Team AnandTech," a group sponsored by a hardware forum site which is still the second ranking contributor to the RC5 research project. A $1,000 prize goes to the individual contributor who recovers the RC5 encryption key. "McOwen placed a program on computers, that in his estimation would benefit him personally, including computers that has sensitive student financial and identity information without authorization," says Willard. "There is concern about the program itself compromising or providing the basis to compromise sensitive personal or financial information, there is the matter of Mr. McOwen's unauthorized activities on this computer, and finally there is the point that there was misappropriation of state property."

    He was warned several times, and the software had repeatedly been uninstalled. This isn't the only article I've read that discussed this fact. I may not agree with the charge or the penalty, but he should have been fired for ignoring his supervisors continued requests.

  16. Re:This is but a symptom of our ongoing decline by Erasmus+Darwin · · Score: 3, Insightful
    "By giving that person a housekey you have granted them access to your premesis. By definition they cannot be tresspassing."

    You've granted them physical access. You have not, however, granted them absolute permission -- you've granted them conditional permission to enter your house to perform their job duties, and you've explicitly denied permission for them to be in your study at all. By definition, trespassing has to do with going where you don't have permission to be, rather than going where you don't have access to -- you can trespass on an empty lot that lacks physical access control but has signs specifically denying you permission to go there.