Randal Schwartz's Charges Expunged

After 13 years, Randal Schwartz has had his conviction expunged. In effect, legally it never happened. If you haven't heard about this one before, my take is that as a contractor at Intel, Randal did some over-zealous white-hat cracking free-of-charge; this embarrassed some people in management (he pointed out that their passwords were terrible) and management then chose to embarrass themselves further by having him convicted of a felony under an 'anti-hacking' law. More info can be had from the Friends of Randal Schwartz.

Congratulations

[Ron+Harwood]

Congratulations to Randal - it's nice to actually read a good news story with regards to the legal system.

Re:Congratulations

[A+beautiful+mind]

13 years of fighting doesn't sound especially pleasant. I can't imagine what Randall had to go through to get his name cleared.

Re:Congratulations

[jc42]

... if you keep fighting, eventually justice can work for "the little guy."

Well, maybe, but what I always find interesting in cases like this is: How much money did it cost?

All too often, when the "little guy" wins, he's also bankrupt.

Anyone know what the bill was for all this legal action?

Re:Congratulations

[merlyn]

"He installed backdoors at 3 companies"

Objection! Assumes facts not in evidence, your honor!

Sustained.

Re:Congratulations

[merlyn]

I'll never claim that I wasn't stupid. It's not my job to get you to like me. The point of my case is to pay attention to the mistakes I made, because a lot of people have told me that they either have or could have made similar mistakes. Maybe some of you are so perfect that you wouldn't. Good for you. But don't be so quick to judge that nobody would be that stupid then. Please.

Re:Congratulations

[Mikkeles]

Justice delayed is justice denied. This is not a feather in the cap for the justice system.

Its about damned time this was cleared.

[Almost-Retired]

Congratulations Randall, its great news to hear that the legal system actually works once in a while.

--
Cheers Gene

Re:Its about damned time this was cleared.

[1010110010]

Are you fucking serious? After 13 years? You call that working?

Legally Never Happened

[vux984]

Except that it did.

And all the effects can never be erased.

For example any "lists" he's been added to over the last 13 years will not be updated to reflect his new 'never was a criminal' status. Be it terrorist watch lists, no fly lists, FBI persons of interest list, or whatever else, not to mention his prints will remain in the system, etc, etc.

Re:Legally Never Happened

[hansamurai]

perl will take care of this...

@files = ("terrorist_watch_list.txt", "no_fly.doc", "fbi_persons_of_interest_list.ppt");
foreach $file (@files) {
        unlink($file);
}

Re:Legally Never Happened

[belmolis]

Uh, actually, this program doesn't do the right thing. Surely the right thing to do is not to delete the files but to remove Randall's name from them. Some people deserve to be on those lists.

Re:Legally Never Happened

[merlyn]

I never lost my right to vote. Only four states do that, not Oregon.

I can probably still get out of jury duty, since I now have a bias about criminal convictions. {grin}

I can't possess firearms yet. I have to apply to the BATF separately. I plan on doing that, but it's not yet in progress.

If you're going to blow the whistle

[Profane+MuthaFucka]

The best way to pass out embarassing information is anonymously. Burn some CD's with the info and leave them around randomly, in places untraceable to you.

Don't touch the CD's with your fingers.
Destroy the CD burner when you're done.
Buy the CD burner secondhand at a garage sale. Pay cash.
Steal the CDs from a college student.
Don't leave the CD in a place where there's a camera.

What else. Help me out here.

Rely on someone else to find the data and spread it around. No need to get yourself into trouble. Have some Common Sense. Do you know what I am speaking of?

Re:If you're going to blow the whistle

[Matt+Perry]

I didn't realise this was blowing the whistle; I thought it was part of any good IT department employees job. That is to ensure all passwords, more so management passwords, are as secure as possible.

He wasn't an employee of Intel. He was a contractor hired to do a specific job which wasn't checking for password security.

Ditto; FBI can still see it

[mekkab]

and Randall still can't get a clearance without being upfront about it.
Basically it means he can tell a police officer he's never been arrested and doesn't need to disclose it on a non-clearance employment application or any "low grade" background check like rentin an apartment.

With that out of the way, Randal has helped me out on comp.lang.perl (right before it went moderated) so ... Good on ya, Randall!

Expungement is the sealing of a criminal record

[viking80]

Expungement is the sealing of a criminal record so it is not publicly available. The consequence might be that you can deny you have a criminal record, but it is quite different from a pardon, which is forgiveness of a crime and the penalty associated with it.

Re:Ditto; FBI can still see it

There was a PDF file linked on the http://www.lightlink.com/spacenka/fors/Friends of Randal Schwartz site states:

IT IS FURTHER ORDERED that the clerk of the Court shall forward a certified copy of this Order to all law enforcement agencies mentioned in the Court's file, including the following:
A. The Federal Bureau of Investigation, and
B. The Oregon State Police, and
C. The Oregon State Corrections Division, and
D. The Arresting Agency, Portland Police Bureau. So the FBI can't use it against him. The PDF file is a copy of the expungement order from the court.

Re:Whither $68k?

[krbvroc1]

At the federal level, it depends on the president. Clinton was fairly liberal with his pardons. Bush is tight with his. Whoop dee do.

Most of the 'controversial' pardons are granted the last day of office, so there is not enough data to compare the current president and former. Report back in 2008 when there is more data.

How's that for revisionist history?

[tji]

The slashdot crowd has a short memory.. This is not a simple issue of "embarassing the management", as the summary states. In fact, in all the original writeups, I don't remember ever hearing executive passwords being an issue. The issues were egregious violations of corporate security policy, and basic logic:

- His position at Intel was not involved in security, intrusion detection, or other areas that might actually call for "white hat hacking" as part of the job function. He was a contractor, not an Intel employee, which I'm sure made Intel even more concerned about his security violations.

- He had installed backdoors on Intel machines, which allowed him to access the Intel network from outside the company.

- He took passwd files and ran cracking tools against them to break other users passwords.

- Not only was he cracking password files from Intel organizations, he was using Intel systems to crack password files from other companies, including O'Reilly and Associates.

See this writeup for information from the person involved in shutting him down.

Whether this was "white hat" hacking could be debated. In any case, it was fucking stupid. Bypassing network security for an inbound back door?!? Cracking password files from other companies on Intel computers?!? These are just stupid moves, which anyone should expect to get fired for doing.

Re:How's that for revisionist history?

[merlyn]

"His position at Intel was not involved in security, intrusion detection, or other areas that might actually call for "white hat hacking" as part of the job function.".

Wrong, I was a systems and network administrator. According to job description, that's part of the job.

Re:How's that for revisionist history?

[merlyn]

The password was "pre$ident". Yes, president, with the s changed to a dollar sign. Which "crack" found.

Re:Moral Of Story: CYA

[kcbrown]

No, the real moral of this story, and others like it, is simple:

• Don't bother testing the security of a system unless you're forced to use that system to store, in unencrypted form, information you care about.
• If you are forced to use such a system (and thus to test its security), perform all your tests in such a way that there's no way they can be traced back to you.
• If you find security holes, the only action you should take is to minimize your use of the system. Under no circumstances should you actually tell management about the security holes unless you have, signed and in writing, authorization to perform the security testing. If you have such authorization, make sure you store copies of it in safe places. Even so, with today's fucked up legal environment, it's entirely possible that their lawyers would be able to get said document stricken from the evidence record on some sort of legal technicality, which means that even if you have ironclad proof that you were authorized to perform the security testing in question, you might not be able to use it.
• If you absolutely must tell someone, make sure it's someone you can absolutely, positively trust with your life. Because that may be what's on the line (well, at least part of it, because we're talking about jail time here, and inmates love fresh nerd meat).

The bottom line is that corporate management doesn't give a shit about the actual security of their system. They only care about the illusion of security, and they'll bring their full wrath against anyone who dares shatter that illusion.

Let them have their illusion. If they ever get seriously 0wn3d, as is likely (it's only a matter of time), you can laugh your ass off at them, because it'll be evil people getting the shaft from other evil people. But today there is nothing but a whole lot of pain for the good guys in the world. Welcome to the real world, where evil usually wins in the end thanks to the world's inherent tendency towards chaos. You can try to fight it if you want, but you'll probably lose, so why bother? You're probably better off just keeping your own affairs in order and letting the others get fucked up the ass for their stupidity.

Re:Whither $68k?

[merlyn]

First, the amount in dispute was less than $5K. Second, the lower court just reaffirmed what they said before. In other words, no net change. So yes, I still paid roughly $68K in restitution, at the end of the day.

Re:Ditto; FBI can still see it

[Wavicle]

and Randall still can't get a clearance without being upfront about it.

As someone who has gone through a security background check, worked at Intel and read the decision of the appeals court: I would be fairly surprised if Randal was able to get a security clearance even even if no conviction had occurred. The undisputed portions of the case suggest that Randal lacked an ethical barrier between him and either his curiosity about things for which he did not have access or his desire to gain respect by demonstrating his skill. This was 13 years ago maybe he has changed, I don't know.

Whether his intentions at the time were noble or not: he logged onto a system for which he knew his account should have been deleted; he ran a gate program on the system (after previously being told to stop running a gate on other systems); he cracked one of the passwords to someone with higher access on the system; he then logged on to the system using the cracked user's account; he transferred the password file to another machine; he ran crack on this other machine; he turned up 35 weak passwords; he said nothing; he left for a while to teach a class; he came back; he still said nothing; he re-ran crack on another faster machine (this is apparently what eventually got him caught).

Randal claims he did all this to re-gain respect at Intel's supercomputer division. I have no reason to doubt this is honest. The fact that he so freely gave so much information to the police suggests to me that he was trying to convey that he had no intention of harming Intel's business. However it is very, very bad judgment. Now if you were the agent assigned to his security background check, looking to see if his character demonstrates a likelihood of compromising sensitive information, even unintentionally, what would you think?

Re:Ditto; FBI can still see it

[doom]

I would be fairly surprised if Randal was able to get a security clearance

I was once working as an engineer at a secure facility, where one of my friends explained to me that he had never actually planned on working there. He figured he'd let them pay them while the background check was in progress, but never expected to actually be cleared (the interview with the Feds went something like Q: "So what about all these hits of acid they found in your refrigerator?", A: "Well, they were there.")

But they did indeed give him a clearence, I would infer because they concluded he wasn't vulnerable to blackmail on the point, and so on.

And I have to say that the opinion of "someone who has gone through a security check" isn't terribly authoritative, unless you were turned down for having a similar background to Randal's.

Depends on the check - and why they need you

[cheros]

At a sufficiently high level, a security check is not something you 'fail' or 'pass' - it's simply a risk assessment that clarifies to those that are planning to use your services which areas of risk they need to manage. It's not a tick box process that HR does over lunch - it takes months of investigative work. There is a simple way to get through that: do. not. lie.