Slashdot Mirror


McOwen Case Settled

ewilts writes: "Back in July, you ran a story about David McOwen, a computer administrator at DeKalb Technical College in Georgia, who was being charged for installing SETI software on school computers. This case has now been settled. See also the EFF press release on McOwen's web site." Update: 01/18 16:11 GMT by M: It was software from distributed.net, not SETI.

20 of 286 comments

  1. Powerful implications by C4v3_7r0ll · · Score: 4, Interesting

    Although he got off relatively light, the precedent set here is that sysadmins can no longer choose to install software at will. As a sysadmin for a large media conglomerate, I find it more and more difficult to simply administer my systems because all the suits want to know every move I make three weeks in advance. This decision simply adds an element of criminality to an already bad situation.

    1. Re:Powerful implications by swordgeek · · Score: 4, Insightful

      Hacking in??? What version of the case did you read?!

      He installed unauthorised and inappropriate software. Same thing could have happened if he'd installed Quake, but only played it during off hours.

      Regardless of the end goal (research?), SETI is effectively entertainment software from the client side. It serves no useful function for the company whose machines he ran it on.

      He deserved and got a slap on the wrist. Not a bad settlement all round.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    2. Re:Powerful implications by zangdesign · · Score: 4, Insightful

      It might be helpful to think of the sysadmin as more of a caretaker of the system, rather than as an absolute master of the machine. Owen's job (as I understand it) was to maintain the systems in a running state to provide computing services to faculty, staff, and students. While this occasionally includes installing software, it does not include installing software that is not necessary to the mission of the school.

      The presumption that he was the absolute master of the machines was in error. In this case, the System Administrator's job was not to set policy, but rather to advise. You would do well to clarify whether this is the administration policy with whatever company you work for.

      Owen's got lucky - and probably got about what he deserved for screwing around with state equipment.

      --
      To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
    3. Re:Powerful implications by mccalli · · Score: 4, Insightful
      ...the precedent set here is that sysadmins can no longer choose to install software at will.

      And thank god for that.

      Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

      Cheers,
      Ian

    4. Re:Powerful implications by Erasmus+Darwin · · Score: 5, Insightful
      "how the heck can you charge a sysadmin with hacking into a system that they have full privileges to in the first place?"

      Having full system access (such as 'root' on a *NIX box) does not always translate into having full authority (i.e. direct permission from real humans) to do all actions that are permitted by that level of access. The anti-hacking law he was charged under most likely has a clause about using a computer system in excess of the user's authority.

      For example, while a sysadmin may have root access to a system that he must maintain, he may not necessarily be permitted to use that access to snoop through the VP's mail spool. Similarly, a McDonald's employee that has the restaurant keys so he can lock up at night is still trespassing if he abuses those keys to throw a wild party there at 4am. Finally, it's still car theft if a chauffeur decides to just drive away with the car that he's got full physical access to.

      What it all boils down to is how explicitly defined the sysadmin's authority was in this matter.

    5. Re:Powerful implications by InsaneGeek · · Score: 4, Interesting

      But there's installing software to do work which paid for the servers; and then there is installing software that actually is a detriment to the same servers trying to do work. It's almost the equivalent of seeing that your company has lots of bandwidth free to their customer T3's and the servers aren't that loaded... why not put out our own free porn website.

      "Suits" as you say should want to know every move you make on a production system, there definitely is a need for change control. Ebay supposedly used to run pretty free and open, and had frequent crashes & outages; they brought a guy in and put in proper procedures, change control, etc. and their reliability increased exponentially. It is a big pain in the ass, I'll be the first to admit it, but so is documentation, getting up from your desk to go pee, etc. but it *is* needed.

    6. Re:Powerful implications by anthony_dipierro · · Score: 5, Informative

      Although he got off relatively light, the precedent set here is that sysadmins can no longer choose to install software at will.

      The case was settled out of court. Absolutely no precedent was set.

    7. Re:Powerful implications by DaveWood · · Score: 4, Funny

      Yeah - that's definitely worth a 30 year vacation at a Georgia penitentiary. Those jails are kind of crowded though, so they might have to release some rapists and child murderers early to make room for him.

      "How's prison going?"
      "Let's just say I'm not getting the respect a sysadmin deserves!"

      (What I'd like to see is 30 year jail terms for the executive corps at Enron, let alone all of the auditors at Andersen who destroyed documents instead of auditing. Funny how it doesn't work that way...)

    8. Re:Powerful implications by Lumpy · · Score: 4, Interesting

      and the last thing I need is to have a solution forced down my throat from a moron in change control or at the NOC that has no clue about how my division does business or how to even implement security.

      I have a server that is NOT on the domain and has NO trusts to any other machine or network, it houses the SQL server and data files for one of our most important systems... billing. now I get the idiot from corporate telling me I have to set up a trust with his computers so that some bean counter can log in and view data... no not a login for this person but an entire trust so that every fricking user in this corporation that is logged in can let their outlook virii try and attack my server.

      Luckily, I have an upper sales management person that can override this IT weenie. Until the Corporate IT department can guarantee that the server will not be attacked because of the trust it will not be a part of the network.... and as we all know, you CAN'T guarantee anything.

      everything in my buildings has fared off the last 5 rounds of virii without even a hiccup. the rest of corporate had major downtime and re-infections. On a conference call about the last virus and how it caused downtime, we were the ONLY office to report that we had no problems... enough to convince my boss to ignore anything that corporate tries to add to the system or block me from changing.

      The job of the sysadmin/netadmin is to give the sales force and all other employees the tools they need to make the company money, it is not there to feed the oversized egos of corporate level power freaks.

      --
      Do not look at laser with remaining good eye.
  2. Already in Slashback by UCRowerG · · Score: 4, Informative

    This story has been covered in a recent Slashback article: here.

  3. Re:$2100 and 80 hours community service by Hougaard · · Score: 4, Informative

    Distributed.net

    He ran the dnetc.exe client on a ton of school PCs in Georgia.

    The funny thing is that it took several "security experts" a lot of work to figure out what dnetc.exe actually was :)

  4. Re:$2100 and 80 hours community service by Darkness+Productions · · Score: 4, Insightful

    Actually, he was running RC5. The problem the school had with this is that with RC5, there is a chance (albeit a very limited one) that you could win money. He had not stated that he would give the money to the school...

    Read about it here:
    http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=122097561&m=1110950822
    http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=122097561&m=7450963242&r=5150986242#5150986242
    http://forums.anandtech.com/messageview.cfm?catid=39&threadid=518510&start=1
    http://forums.anandtech.com/messageview.cfm?catid=39&threadid=518184

    This was widely discussed among many of the more well known distributed computing teams. Check it out.

  5. Punishment. by AnalogBoy · · Score: 5, Funny

    Now, of course, he gets off light from the government.. but jeez, think of the internet traffic charges he's gonna rake up from being slashdotted. YOU MEAN HEARTLESS PEOPLE! Have you no decency? Give the man a break.

  6. It wasn't SETI@home! by jonnythan · · Score: 5, Informative

    A lot of people seem to be under the impression that the client he was running was SETI@home and was therefore innocuous.

    Well, he was running some distributed.net-type decryption client where he would have WON MONEY had he been the one to find a key.

    Not so humanitarian and innocuous now, is it?

    Years in prison and a $400,000 fine are extremely way beyond reason, but I can see how this was a crime as he stole company resources for personal gain.

    The $2100 fine does seem reasonable as I think he would have won $2000.

    1. Re:It wasn't SETI@home! by SirSlud · · Score: 5, Interesting

      >he stole company resources for personal gain

      I hope you're not at work today! You're stealing bandwidth and CPU power to post to slashdot, for the personal gain of .. well, posting to slashdot!

      Honestly, what, you wanna start counting electrons .. which ones make my company how much money, and which ones lose?

      distributed.net does have a goal that benefits those who believe in privacy and encryption. it's not some sort of time-sharing scam or anything. in fact, if anything, distributed.net has a far higher likelihood of affecting our world (while we're still alive) than the seti project. like, sure, if his college didn't want it, I understand .. but to have been criminally charged instead of simply reprimanded? that's simply ludicrous. i'm liable to believe that someone in georgia does not believe in high encryption and privacy ..

      --
      "Old man yells at systemd"
  7. 59 cents / second?? by ch-chuck · · Score: 4, Insightful

    Wow! I'm sitting on a friggin' gold mine. Who in their right mind would ever pay upwards of $35 for ONE MINUTE of time on a PC?? You can buy a good system that's paid for itself in just one hour of time!! Let's see, going by the usual inflated legal dollars, this 1.5Ghz P4 I've been burning in for the last two weeks has just wasted $713,000. boggle.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  8. Fire 'em by rjamestaylor · · Score: 5, Interesting
    ...the precedent set here is that sysadmins can no longer choose to install software at will.

    Perhaps it's a precedent for telling sys admins to stick to their jobs and keep the best interests of their employers in mind when installing software. This isn't about "sys admins choosing" it's about the appropriate use of someone else's property.

    When I discovered that a developer had installed SETI on my co's production ecommerce servers ("but I nice'd it!") I had the loser fired -- after disabling the software. Am I against SETI? No (nor am I "for" it; I don't care). But the purpose of our servers, bandwidth, etc., is not racking up points in the SETI project.

    Now, we have other servers that are intended for fun and exploration. But our production servers?

    --
    -- @rjamestaylor on Ello
  9. Re:Powerful implications - Indeed! by ackthpt · · Score: 5, Funny
    This decision simply adds an element of criminality to an already bad situation.

    <Cut to courtroom somewhere in the USA>

    Defendant: "...and then I installed the application on all the computers."

    Prosecutor: "You did this, fully aware that it was vulnerable and subject to attacks, which may paralyze the company email system, compromise data, or worse?"

    Defendant: "Yes."

    Gallery: *GASP*

    Prosecutor: "And what was this application?"

    Defendant: "MS Outlook."

    The prosecutor, appearing struck, glances at a shadowy figure in the gallery who bears some resemblance to John Ashcroft in a trenchcoat and fedora, the figure quickly draws a finger across his throat and the prosecutor recomposes himself.

    Prosecutor: "Your honor, the prosecution humbly requests all charges be dropped and that the defendant be released!"

    --

    A feeling of having made the same mistake before: Deja Foobar
  10. So how do we continue our function? by nurb432 · · Score: 4, Interesting

    So this means that before I install anything, good or bad, that I must *explain* each and *every* piece of code, and clear it with the people that entrust me with their network and am paid to be the expert on, and responsible for its upkeep? What if I install VNC, antiviral update, research software for a better network, pretty much anything they decide they don't like that day.. I go to jail? Seems to me our ability to even do our jobs has just been limited drastically. Sure, wholesale personal use is wrong, but the way it sounds now I'm liable if management's mind changes tomorrow on anything.....

    --
    ---- Booth was a patriot ----
  11. Distributed.net trojans and worms by melquiades · · Score: 4, Informative

    Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

    ...or opening up a security hole.

    Every piece of software installed presents a potential threat. Did it come from a reliable source? Does it have security flaws? Obviously, there has to be a reasonable balance between maintaining security and giving users the flexibility they need to do their jobs. I get very irritated when a company won't let me install software I need -- or just want! -- on my desktop at work.

    This balance tips increasingly in favor of security if installation is (1) on a server, (2) on a production server, (3) on a lot of machines. Maintaining that balance is a sysadmin's job. And this guy was definitely not doing his job.

    All that said, aren't criminal charges just a little out of line? He should just have been professionally reprimanded, or maybe fired. But a lawsuit?