Forgot your password?
typodupeerror
The Courts Government News

McOwen Case Settled 286

Posted by michael
from the hardly-any-bloodshed dept.
ewilts writes: "Back in July, you ran a story about David McOwen, a computer adminstrator at DeKalb Technical College in Georgia, who was being charged for installing SETI software on school computers. This case has now been settled. See also the EFF press release on McOwen's web site." Update: 01/18 16:11 GMT by M : It was software from distributed.net, not SETI.
This discussion has been archived. No new comments can be posted.

McOwen Case Settled

Comments Filter:
  • by C4v3_7r0ll (551132) <cave_troll@prontomail.com> on Friday January 18, 2002 @11:56AM (#2862437)
    Although he got off relatively light, the precident set here is that sysadmins can no longer choose to install software at will. As a sysadmin for a large media congolmerate, I find it more and more difficult to simply administer my systems because all the suits want to know every move I make three weeks in advance. This decision simply adds an element of criminality to an already bad situation.
    • This decision simply adds an element of criminality to an already bad situation.

      only in the state of georgia, and any other state that has some stupid hacking law like this.....how the heck can you charge a sysadmin with hacking into a system that they have full privleges to in the first place? that is like saying a cleaning crew is breaking and entering a place that gave them a key so they could do their work at night.
      • by swordgeek (112599) on Friday January 18, 2002 @12:06PM (#2862519) Journal
        Hacking in??? What version of the case did you read?!

        He installed unauthorised and inappropriate software. Same thing could have happened if he'd installed Quake, but only played it during off hours.

        Regardless of the end goal (research?), SETI is effectively entertainment software from the client side. It serves no useful function for the company whose machines he ran it on.

        He deserved and got a slap on the wrist. Not a bad settlement all round.
        • Regardless of the end goal (research?), SETI is effectively entertainment software from the client side. It serves no useful function for the company whose machines he ran it on.

          Just like dnetc, it serves the useful purpose of measuring the load of the machine. Just observe how much CPU time it takes: that's the amount not needed by anything else. However, smart people call it idle, rather than dnetc in order not to needlessly scare the suits ;-)

      • by zangdesign (462534) on Friday January 18, 2002 @12:12PM (#2862565) Journal

        It might be helpful to think of the sysadmin as more of a caretaker of the system, rather than as an absolute master of the machine. Owen's job (as I understand it) was to maintain the systems in a running state to provide computing services to faculty, staff, and students. While this occasionally includes installing software, it does not include installing software that is not necessary to the mission of the school.

        The presumption that he was the absolute master of the machines was in error. In this case, the System Administrator's job was not to set policy, but rather to advise. You would do well to clarify whether this is the administration policy with whatever company you work for.

        Owen's got lucky - and probably got about what he deserved for screwing around with state equipment.

        • fine, I understand that he is nor the master of the machine, but for not following company policy, you lose your job, not get prosecuted (unless you steal office supplys ;-)) costing a company money by loss of bandwidth is waising resources, not stealing.....you get fired for making personal copies at the copier, not prosecuted for theft, and in this case, HACKING!!!
          • If your work is at a company, but McOwen (my mistake earlier) did not work for a company - he worked for the State of Georgia. Government does not function like a corporation. Perhaps it might be better if it did, perhaps not.

            Be that as it may, the state has different rules than a company. Wasting resources can be legally defined as stealing depending on who's doing the defining. Consider: the school is given a certain amount of bandwidth to use for educational purposes as defined by the state. Any use outside of those purposes costs the state money and they do not recieve a portion of that service for which they paid. McOwen chose to use some of the bandwidth for other than state-allowed purposes, which is misappropriation.

            Which is theft.

            Note the use of the word "chose". He may not have thought about it much beforehand, other than technical issues, but he did choose to install the software. It didn't just suddenly appear on the computers. He chose to go outside policy.

            Now, I will agree that what the state originally asked for as punishment was too harsh - we need to save such penalties for actual hackers (in the pejorative sense of the word), but some punishment for misappropriation of public resources is definitely in order, which he received.

            Misappropriation happens all the time in state government, some well-intentioned, some not, even in some cases unintentional. McOwen happened to get caught - that's all. The law does not allow for excuses and it shouldn't; otherwise, everyone would have some sort of "dog ate my homework" for every crime committed and we would cease to function as a society. The law also does not allow ignorance as an excuse. It is incumbent on each individual to be aware of the laws of the State.

            In short: McOwen was wrong, he got his punishment and system administrators had better start getting some clarification on exactly what company policy is toward installing software. A non-state corporation could start looking at such "trangressions" as misappropriation.

            No sysadmin is safe tonight.
      • by Erasmus Darwin (183180) on Friday January 18, 2002 @12:36PM (#2862736)
        "how the heck can you charge a sysadmin with hacking into a system that they have full privleges to in the first place?"

        Having full system access (such as 'root' on a *NIX box) does not always translate into having full authority (i.e. direct permission from real humans) to do all actions that are permitted by that level of access. The anti-hacking law he was charged under most likely has a clause about using a computer system in excess of the user's authority.

        For example, while a sysadmin may have root access to a system that he must maintain, he may not necessarily be permitted to use that access to snoop through the VP's mail spool. Similarly, a McDonald's employee that has the restaurant keys so he can lock up at night is still trespassing if he abuses those keys to throw a wild party there at 4am. Finally, it's still car theft if a chauffer decides to just drive away with the car that he's got full physical access to.

        What it all boils down to is how explicitly defined the sysadmin's authority was in this matter.

    • by Fjord (99230)
      There is no precedent set because it wasn't a judgement, it was a plea. All the judge did in this case was approve the plea, and laws are not made by the DAs office.

      Still at the same time, I very much dislike the aspect of the justice system that scares innocent people (or at the very least people who are not in the wrong) into accepting a sentance because they are afraid and do not want to fight. Oh well.
    • by mccalli (323026) on Friday January 18, 2002 @12:13PM (#2862572) Homepage
      ...the precident set here is that sysadmins can no longer choose to install software at will.

      And thank god for that.

      Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

      Cheers,
      Ian

      • And the suites are the ones doing the auditing, checking for possible changes and all that other stuff ? You know, back in the real world, sys admins are the ones who test things, install things and keep them running.
        • And the suites are the ones doing the auditing..

          Never mentioned a 'suit'. This is a straight technical advantage - see my earlier post about knowing your deployment environment [slashdot.org].

          You know, back in the real world, sys admins are the ones who test things, install things and keep them running.

          And developers are the ones who write the things that sysadmins keep running. And they need to know both their development environment and their target deployment environment. Sysadmins too - it is necessary to know what kind of 'sys' you're 'admin'ing, and unauthorised changes undermine that.

          Regarding your 'real world' comment, I have been a commercial developer for about ten years now. I've worked in a four-man company and also for some of the largest financial institutions in the world. This problem is universal - keeping tight control of your environments is essential.

          Cheers,
          Ian

          • All valid points but where's the counter argument? I think you missed the point of my post but judging by the boast at the end, again, you might have not...
          • This problem is universal - keeping tight control of your environments is essential.

            The problem with this response is that it simply sweeps the key issue under the rug. Who is this you who gets to decide everything? In many cases the admin who is keeping tight control of the machines is also at theoretical risk for this type of insane prosecution. Good admins were using the GNU tools before they were widely known to suits/managers. Good admins were automating with Perl before it shipped with any OS's. I realize that there are machines with very narrow, specific, important roles, machines on which the mix of software should be very explicitly nailed down. I've seen far more machines, however, on which the expectation is that auxiliary software (scripts, scripting languages, modules, monitoring software) will be installed by admins on an as-required basis. This is part of the process by which a normal organization learns about and tries new software and techniques.

            Of course the real, underlying point is that people are paid to deliver what their employer wants, whether it's explicitly specified or not. We all understand that someone can lose his job if he fails to deliver. But nobody should be criminally prosecuted for failing to comply with an employer's policy.
      • by melquiades (314628) on Friday January 18, 2002 @01:21PM (#2863057) Homepage
        Production systems are controlled environments - last thing you need is some unaudited, unexpected and unauthorised changes messing them up.

        ...or opening up a security hole [distributed.net].

        Every piece of software installed present a potential threat. Did it come from a reliable source? Does it have security flaws? Obviously, there has a be a reasonable balance between maintaining security and giving users the flexibility they need to do their jobs. I get very irritated when a company won't let me install software I need -- or just want! -- on my desktop at work.

        This balance tips increasingly in favor of security as if installation is (1) on a server, (2) on a production server, (3) on a lot of machines. Maintaining that balance is a sysadmin's job. And this guy was definitely not doing his job.

        All that said, aren't criminal charges just a little out of line? He should just have been professionally reprimanded, or maybe fired. But a lawsuit?
        • I'd like to point out that it is not the distributed.net software that has a hole. _If_ you have your computer misconfigured and allow write access to shares over the internet, worms and trojans will find your way into your computer. Unfortunately, some moron thought it would be funny to use the distributed.net client as payload for his malicious worms. Just to clear things up. Ivo distributed.net abuse@d.net officer
        • All that said, aren't criminal charges just a little out of line?

          Absolutely, and I disagree with criminal charges utterly. Misconduct perhaps, and I would consider this at minimum a discplinary matter and at maximum a firing, but there's nothing criminal about what was done.

          Cheers,
          Ian

      • by DaveWood (101146) on Friday January 18, 2002 @02:09PM (#2863399) Homepage
        Yeah - that's definitely worth a 30 year vacation at a Georgia penitentiary. Those jails are kind of crowded though, so they might have to release some rapists and child murderers early to make room for him.

        "How's prison going?"
        "Let's just say I'm not getting the respect a sysadmin deserves!"

        (What I'd like to see is 30 year jail terms for the executive corps at Enron, let alone all of the auditors at Andersen who destroyed documents instead of auditing. Funny how it doesn't work that way...)
      • Since when is okay to NOT allow system administrators to administrate their own software on the systems. They are system administrators. Installing software should be their own right, and the point of the fscking job!
      • by Lumpy (12016) on Friday January 18, 2002 @02:39PM (#2863584) Homepage
        and the last thing I need is to have a solution forced down my throat from a moron in change control or at the NOC that has no clue about how my division does business or how to even impliment security.

        I have a server that is NOT on the domain and has NO trusts to any other machine or network, it houses the SQL server and data files for one of our most important systems... billing. now I get the idiot from corperate telling me I have to set up a trust with his computers so that some bean counter can log in and view data... no not a login for this person but an entire trust so that every fricking user in this corperation that is logged in can let their outlook virii try and attack my server.

        Luckily, I have a upper sales management person that can override this IT weenie. Until the Corperate IT department can guarantee that the server will not be attacked because of the trust it will not be a part of the network.... and as we all know, you CANT guarentee anything.

        everything in my buildings has fared off the last 5 rounds of virii without even a hiccup. the rest of corperate had major downtime and re-infections. On a conference call about the last virus and how it caused downtime, we were the ONLY office to report that we had no problems... enough to convince my boss to ignore anything that corperate tries to add to the system or block me from changing.

        The job of the sysadmin/netadmin is to give the sales force and all other employees the tools they need to make the company money, it is not there to feed the oversized egos of corperate level power freaks.
      • No, curse the world for it. The sysadmins are supposed to be the ones who are competent enough to know what they're doing. And since when is management regularly in a position to understand these things? That's like letting lab monkeys pick there diet for an experiment. Note: for those of you watching the moderation scandal stories, the parent to this shot up 3 points in ahout 2 seconds...
        • ...since when is management regularly in a position to understand these things?

          Who mentioned management? Had a couple of responses now saying "does management know better?". My response had nothing to do with management. Think of a developer using a source control system - an environment is managed in small, incremental changes which are commited and baselined when known to be working. An entire computing environment can be handled in much the same manner.

          the parent to this shot up 3 points in ahout 2 seconds...

          Yeah, have to say I was rather surprised by that too.

          Cheers,
          Ian

    • Although he got off relatively light

      This is typical of many law enforcment efforts. If they want to save face, even though they know they screwed up, they get you to cop to a lesser plea.

      You have seen this in the recent ebook case, as well as in your typical negotiations with other infractions, such as traffic tickets.

      You also see the compulsion to save face in death row (and other) cases, where many prosecutors outright refuse to allow DNA testing that might prove a man innocent. It is like pulling teeth to get the tests done. Even though it is often a matter of life and death.

      "Saving Face" is obviously more important, even though it makes them look foolish.

      • Nah - I don't see it quite that way in this case.
        Yes, they screwed up in the sense that they tried pressing charges far in excess of what was sensible for the situation. (Prison time makes no sense at all for an offense of this sort.)

        Still, I think it makes sense to give the guy some community service and perhaps a small fine (which I'll leave up to others to argue the dollar amount on). It's not a case of the guy being completely innocent. The big dispute was over the severity of the punishment.

        It sounds to me like it turned out pretty much how it should have turned out. If he went to trial, I disagree with his lawyer that he'd be found innocent. It's one thing to load software on company machines because you believe it will aid in doing your job. It's another to load distributed network clients that secretly run in the background, merely to try to win online contests for providing the most processor time or hours of computing.....
    • Fire 'em (Score:5, Interesting)

      by rjamestaylor (117847) <rjamestaylor@gmail.com> on Friday January 18, 2002 @12:26PM (#2862660) Homepage Journal
      ...the precident set here is that sysadmins can no longer choose to install software at will.

      Perhaps it's a precedent for telling sys admins to stick to their jobs and keep the best interests of their employers in mind when installing software. This isn't about "sys admins choosing" it's about the appropriate use of someone else's property.

      When I discovered that a developer had installed SETI on my co's production ecommerce servers ("but I nice'd it!") I had the loser fired -- after disabling the software. Am I against SETI? No (nor am I "for" it; I don't care). But the purpose of our servers, bandwidth, etc., is not racking up points in the SETI project.

      Now, we have other servers that are intended for fun and exploration. But our production servers?

      • Re:Fire 'em (Score:2, Insightful)

        Perhaps it's a precedent for telling sys admins to stick to their jobs and keep the best interests of their employers in mind when installing software.

        Considering that the $2100 probably didn't even pay for the university's legal fees, this actually sends a message to universities that if they make such spurious lawsuits they'll lose more money than they make. Maybe the university will think twice next time, and reprimand and/or fire the kid without going through the legal system.

        • This was a criminal prosecution. $2100 and 80 hours of community service tends to be serious misdemeanor/low-end felony range.


          hawk

      • Re:Fire 'em (Score:2, Informative)

        by berck (60937)
        That's absolutely ridiculous. A niced process doesn't hurt anything, and if he had legitimate access to the server, and you had a problem with his using free clock cycles, you could simply have told him that was innapropriate and removed the software.
      • Re:Fire 'em (Score:2, Insightful)

        by The_Rook (136658)
        fine. fire the guy. that's the right way to handle this. but you didn't call the attorney general and have the guy arrested, did you? that would be an overreaction.

        now, if he installed a back door and used that to break into your system afterwards...
    • by ackthpt (218170) on Friday January 18, 2002 @12:35PM (#2862724) Homepage Journal
      This decision simply adds an element of criminality to an already bad situation.

      <Cut to courtroom somewhere in the USA>

      Defendant: "...and then I installed the application on all the computers."

      Prosecutor: "You did this, fully aware that it was vulnerable and subject to attacks, which may paralyze the company email system, compromise data, or worse?"

      Defendant: "Yes."

      Gallery: *GASP*

      Prosecutor: "And what was this application?"

      Defendant: "MS Outlook."

      The prosecutor, appearing struck, glances at a shadowy figure in the gallery who bears some resemblance to John Ashcroft in a trenchcoat and fedora, the figure quickly draws a finger across his throat and the prosecutor recomposes himself.

      Prosecutor: "Your honor, the prosecution humbly requests all charges be dropped and that the defendant be released!"

    • by InsaneGeek (175763) <.moc.skeegenasni. .ta. .todhsals.> on Friday January 18, 2002 @12:37PM (#2862749) Homepage
      But there's installing software to do work which paid for the servers; and then there is installing software that actually is a detriment to the same servers trying to do work. It's almost the equivalent of seeing that your company has lot's of bandwidth free to their customer T3's and the servers aren't that loaded... why not put out our own free porn website.

      "Suits" as you say should want to know every move you make on a production system, there deffinetly is a need for change control. Ebay supposedly used to run pretty free and open, and had frequent crashes & outages; they brought a guy in and put in proper procedures, change control, etc. and their reliability increased exponentially. It is a big pain in the ass, I'll be the first to admit it, but so is documentation, getting up from your desk to go pee, etc. but it *is* needed.
      • I'll be the first to admit it, but so is documentation, getting up from your desk to go pee

        Your company lets you get up from your desk to go pee? Wow, I want your job!
      • This is more a redirect of my earlier post, but...

        It ought to be the responsibility of the highest level SysAdmin to create these policies. Ebay is likely in a different position than most companies in that there IT system is there business, but for most corporations, the computers are a support system. Managers are supposed to be focused on things like marketing and budgets, etc. That is what managerial training is. Security policies are more on the technical side and ought to be decided by somebody who has the competance for it. Not to say that "suits" are incompetant, just to say that they are not usually proficient in IS.

    • by anthony_dipierro (543308) on Friday January 18, 2002 @12:50PM (#2862842) Journal

      Although he got off relatively light, the precident set here is that sysadmins can no longer choose to install software at will.

      The case was settled out of court. Absolutely no precedent was set.

  • It's a pretty steep fine for installing a non-malicious piece of software.

    It's not mentioned in the article, but it seems to me that the $2,100 figure was determined by picking an amount "just a little more than what he would have made had he won".
  • He got off easy... (Score:2, Informative)

    by Caball (58351)
    He didn't own the computers... they weren't his property. He had no right to install anything on those PC's that wasn't related to work. He got off easy.
    • he should have been just ired then.....saying he HACKED a system that he had full administrative rights to is rediculous....its like calling the police on your house keeper for breaking and entering even though she has a key and is contracted to do work in your house.....if she was having parties then you fire her, you can not get her on breaking and entering.
      • "its like calling the police on your house keeper for breaking and entering even though she has a key and is contracted to do work in your house"

        If said house keeper is rifling through the papers on my desk in the study which she was explicitly to stay out of, then it wouldn't be unreasonable for her actions to be considered at least trespassing. A key isn't a blank check.

        Of course, I'm not sure whether or not it would be considered breaking and entering, but that might not be the best analogy for hacking. If you remove all security from a computer, it'd still fall under hacking when someone enters the system, I believe. However, with breaking and entering, it seems like it would be questionable if someone left their front door unlocked. I think it boils down to there being more nuances to cover the physical crime of "being where you ain't supposed to be" while there's a vaguer notion for the digital equivilants.

        • If said house keeper is rifling through the papers on my desk in the study which she was explicitly to stay out of, then it wouldn't be unreasonable for her actions to be considered at least trespassing.

          Yes, that is unreasonable. It is also absurd.

          By giving that person a housekey you have granted them access to your premesis. By definition they cannot be tresspassing.

          Violating your privacy, yes. If you locked the drawer and didn't give them a key (they picked the lock, or scrounged the key from another drawer and opened it), then you might have a case for unauthorized access to whatever materials were locked up (breaking into a client's safe isn't legal). However, if you left those papers in an unlocked state, then you'll have to come up with some law other than tresspass or breaking-and-entering to prosecute them on. If there isn't one, and there may not be, then you still have the recourse of firing the offendor and suing for damages (if any).

          This case is nothing short of rediculous, and a primary example of one of the most fatal flaws in American justice: the fact that a person can be financially coerced into pleading guilty to something they did not do simply because the financial cost and potential risk of standing by their innocence is too great and their unjust accuser happens to hold all of the (financial and power) cards.

          America isn't going to be destroyed by bin laden and his idiot followers, but by lawyers, and governments, like this one. Indeed, if anything such acts of terror breath new life into decaying regimes, delaying the disunity and ultimate demise of a society whose legislative, judicial, and executive systems are so riddled with injustice and corruption that no significant social contract remains. Such a society is ripe for destruction from within, regardless of how draconian the secret police (FBI et al) may become, and this is but one of a myrid of symptoms to that affect.

          I was once asked the question as to whether I would prefer to live during the rise or decline of a civilization. I niavely answered that I would prefer the decline, because then I could enjoy the fruits of previous generations' labors while leading a decadent life of my own, without regard to the future. Now that I am in a position to actually observe the dysfunction and decline of my own culture, particularly of the democracy which makes it possible, I have discovered two truths: (1) decadence has nothing whatsoever to do with decline, contrary to popular puritan myth, but corruption and injustice are directly related and (2) decline isn't inevitable, but it is inevitable if the people are too lazy, or too distracted, to be vigilant and root out the injustice and corruption which is its primary cause.
          • "By giving that person a housekey you have granted them access to your premesis. By definition they cannot be tresspassing."

            You've granted them physical access. You have not, however, granted them absolute permission -- you've granted them conditional permission to enter your house to perform their job duties, and you've explicitly denied permission for them to be in your study at all. By definition, trespassing has to do with going where you don't have permission to be, rather than going where you don't have access to -- you can trespass on an empty lot that lacks physical access control but has signs specifically denying you permission to go there.

      • by Katharine (303681)
        The statute he was charged under, the "Georgia Computer Systems Protection Act" can be found at http://www.clark.net/pub/rothman/gacode.htm

        My guess is that he was accused of "appropriating" the computers at the school, which the Act defines as "computer theft." But as I read the Act, it sounds like using one's work computer to visit a non-work-related website without one's employer's permission would also qualify as the crime of "computer theft," even if it were on your own time. In fact, it might be arguable that using one's work computer on one's own time to write a letter to one's congressman could be "computer theft" as defined under the Act, if your boss didn't give you permission to do it.

        Take a look at it, it is pretty interesting reading . . .
    • The number of people who want to become doctors and nurses is declining, as more and more legal precendents are set to prosecute nurses and doctors when they make a mistake or error. Everyone makes mistakes. What this man had to go through, because of, at worst, an error in judgement, is rediculous. If we are all to be held criminally liable for wasting other people's money, time, etc ... shit, we'd all be in the slammer by now.
    • I'm sorry, but he was granted installation access rights to the machines that he used and his actions were not otherwise illegal (i.e. he wasn't cracking machines he did not have access to). Did he deserve disciplinary action from the company: yes, even to the point of firing him. Could there be a civil suit against him: possibly, but I would still argue no. Should criminal charges be laid: absolutely not, there was nothing criminal about his actions.

      If you hire someone, and give them the trust to install anything on your machines, and they screw up against your policy, go ahead and fire them. But don't press criminal charges. The Employee Handbook decribes the conduct you expect from employees, not the law. The law is made by the law makers.
  • Seems reasonable (Score:3, Informative)

    by Derkec (463377) on Friday January 18, 2002 @12:00PM (#2862465)
    This generally looks like a reasonable settlement. The monetary damages are a bit dissapointing, though. Remember to ask permission (and get that permission in writing) when you make large, questionable, changes to the systems you are responsible for.
    • While disappointing, it is almost definite that it would cost more for a competent attorney. I don't know how much the ACLU was covering the legal fees. Even if the comp it all, or he got a state defence and the ACLU was just feeding them cases, there is the lost wages and the risk of losing his current job to consider.

      The required community service is more disappointing to me. The guy was certainly in the wrong, but he isn't a criminal. Of course, if he likes doing community service, then it really isn't that big of a deal.
    • by Restil (31903)
      I don't think its unreasonable at all. While I think that what he did was more of a fireable offense rather than a legal one, there's still no doubt that what he did was wrong, and that it cost the company money to root out the problem and correct it.

      Remember, when this whole thing started, the company was under the impression that there was some program leaking out information. They thought that this was MUCH more serious than a simple distributed program. And when they went
      running to law enforcement, this was their original complaint.

      As we saw in the Adobe case, just because the complaintant backs down, that doesn't mean the government will. Once you choose to press charges, its out of your hands. This isn't a civil case. Parties in a civil case can settle their differences any way they want and only need to go to court if they can't. This was a criminal case, and while a criminal case is somewhat hurt by the loss of cooperation by the "victim" it does not mean they have to stop prosescution.

      I would prefer that the EFF and the community at whole give more attention to those cases where people aren't actually guilty of anything. Not where someone did something wrong and everyone else is just overreacting. Certainly, I don't agree with the initial time he was facing, but if he had been doing his job correctly he never would have had this problem in the first place.
      Show some responsibility people!

      -Restil
      • Many commenters have wondered why prosecution was involved rather than just a reprimand or dismissal. It's all a matter of degree. Here's an analogy that came to mind: making personal phone calls is usually against company policy (the phone is there for business use only, and so on), but everybody does it.

        If you make the occasional personal call, and don't make too many long-distance ones, nobody but the most anal-retentive employer will care.

        If you make so many calls that the cost starts to be an issue, you'll probably get a reprimand and may be asked for a reimbursement.

        If you spend all day calling 900 sex lines, you'll probably get dismissed.

        If you hack the company's PBX into running your own sex chat lines, the company's probably going to get the lawyers--and perhaps even law enforcement--involved.

        So if installing non-business programs across all machines in a network is something like the last case, then perhaps the employer's reaction wasn't terribly out of line.
  • Already in Slashback (Score:4, Informative)

    by UCRowerG (523510) <UCRowerG@yaho o . c om> on Friday January 18, 2002 @12:04PM (#2862503) Homepage Journal
    This story has been convered in a recent Slashback article: here [slashdot.org].
  • Jesus, folks, Our government needs a head dunking. 30 years for a benign program on a few machines, (I live near there, it isn't a large campus) as opposed to 6-10 for MURDER? Hot damn, he didn't kill anybody....let's just be really glad he got off "light"
    • "30 years for a benign program on a few machines, (I live near there, it isn't a large campus) as opposed to 6-10 for MURDER?"

      I believe you're comparing his maximum sentence against murder's average sentence, which is unfair. There's no reason to believe that he'd receive a sentence that long, after the court fully reviews the circumstances during trial and takes his (probably lack of) a criminal record into consideration. This is supported by the relative leniency (compared to 30 years hard time, at least) of the plea bargain.

      It's also possible that the prosecution tacked as many charges as possible on to the case, so that the court could choose which were appropriate. If they went exclusively with a hacking prosecution, for example, and the court decided that McOwen may have broken laws but not the hacking law, the prosecution fails despite some theoretical guilt on the part of the defendent. Given that computer crimes are a relatively under-prosecuted area, it's not unreasonable for the prosecution to cautiously guard against their (understandable) inexperience.

  • by mmaddox (155681)
    Being a native Georgian (southwest Georgian for that matter...Albany - a REAL backwater), and a comparatively savvy technogeek, I am filled with horror. These idiot lawyers are going to do everything they can to make a name for themselves in whatever context they consider important, intelligence be damned. Of course, if in doing so, they drag the name of Georgia back into the yeehaw days (Gawrsh, Goober, that there computey-thang shor is makin' them nekkid wimmens look purty an' all. Gimme a chaw.), they don't care.

    Georgia is full of intelligent, growing technologists - startups, academics, and all-around geeks. These barristers' motives are pure old-fashioned power plays, making a name for themselves and wielding power over those who don't respect them. Please don't consider all of us Georgians hicks; we geeks live in a meritocracy separate from these backwater jackasses we elect or appoint to office.
    • Why are you giving lawyers a bad rap? They need a client - if the school acted responsibly, they would not have pursued litigation... don't blame a lawyer for doing his best to represent their client...

      (IANAL)
      • Because lawyers (should) have the responsibility to not represent a client that is obviously wrong. If lawyers had morals we'd have less jaw dropping articles on /. about some poor geek who's getting the shaft.
        • I would lay the responsibility for frivolous lawsuits entirely on the plaintiffs. Not that lawyers aren't people too, with power-plays, publicity-craving, and greed... but I think they have much less responsibility for the number of lawsuits in the US than they are usually blamed for.

          Nobody holds a gun to anyone's head forcing them to go to a lawyer...
        • by EllF (205050)
          Actually, lawyers should *not* make that sort of moral decision. It is a right, granted in the constitution, for every citizen to be granted a fair trial. Part of our conception of a fair trial is the idea that the accused be represented by someone properly trained in the law. The solution you propose - having a lawyer say, "Nope, I think you're 'obviously wrong', and I won't offer you representation!" - flies in the face of that notion.

          A perfect example is a case like this. Regardless of how you, your brother, or the lawyer down the street *feel* about the alleged criminal (keyword: alleged), he is entitled to full and fair representation when his day in court comes. If, in the case of that trial, it comes to light that his basic rights have been violated (for example, he gave a confession after being beaten), it is the job of the lawyer to advise the judge of that fact. Why? Because we understand that certain aspects of our society - the "justice system", for example - supercede any act that one individual commits. A lawyer who acts on his moral sense instead of his professional sense in such a case ("this guy is a murderer, and despite the fact that he confessed under duress, I won't represent him because I don't like murderers") should not be a lawyer.

          Ultimately, we vest the power of judgement in a jury (or in some cases, a judge), not in our lawyers. Lawyers are like referees - they make sure that everyone is playing by the rules, and has an equal chance. We do this, presumably, because we understand that morality is a fleeting thing, and different from person to person. Occasionally that means that someone gets to raise a ridiculous case (such as this one!), but I'll take a lifetime of such cases if it means that I can get fair representation were I to be accused of a heinous crime.


          • Actually, lawyers should *not* make that sort of moral decision. It is a right, granted in the constitution, for every citizen to be granted a fair trial. Part of our conception of a fair trial is the idea that the accused be represented by someone properly trained in the law. The solution you propose - having a lawyer say, "Nope, I think you're 'obviously wrong', and I won't offer you representation!" - flies in the face of that notion.



            No it doesn't. This right is more than fulfilled by the public defender. That's why we provide them, fi you can't get a single private lawyer to believe you then there is obviously something wrong with your case.

  • Update - January 17, 2002 Georgia V McOwen Case closed!

    Electronic Frontier Foundation Media Release
    For Immediate Release: January 17, 2002

    Contact:

    Lee Tien
    Senior Staff Attorney
    Electronic Frontier Foundation
    tien@eff.org
    +1 415 436-9333 x102 (office), +1 510 290-7131 (cell)

    David Joyner
    Attorney
    Kenney & Solomon
    CDJoyner66@aol.com
    +1 770 564-1600

    Distributed Computing Prosecution Ends with Whimper Not Bang

    Georgia Man's Ordeal Ends

    San Francisco - David McOwen can finally see the light at
    the end of the tunnel. After about two years of facing the
    prospect of years in prison and more than $400,000 in fines
    and restitution, the former DeKalb Technical College systems
    administrator has accepted an offer by the state of Georgia
    that will bring his legal nightmare to an end.

    Since February 2000, McOwen has been the target of a
    "computer trespass" investigation and then prosecution. His
    crime? In 1998, he installed a distributed-computing client
    (like the SETI@home screensaver) on the college's PCs in
    order to participate in a distributed decryption contest. In
    early 2000, the school administrators threatened McOwen with
    criminal charges and called in the Georgia Bureau of
    Investigation. The threat of more than $400,000 in liability
    was based solely on the use of the school computers, valued
    at 59 cents per second.

    Under the terms of the deal, announced today, McOwen will
    receive one year of probation for each criminal count, to
    run concurrently, make restitution of $2100, and perform 80
    hours of community service unrelated to computers or
    technology. McOwen will have no felony or misdemeanor record
    under Georgia's First Offender Act.

    "David never should have been prosecuted in the first place,
    but we're glad that the state decided to stop," said Senior
    Staff Attorney Lee Tien of the Electronic Frontier
    Foundation (EFF). "This is a very good result for David. He
    very likely could have won if the case had gone to trial,
    but trials cost money and you never know what will happen."

    Tien explained that much of the case against McOwen turned
    on whether he had fair notice that installing the
    Distributed.net client software was prohibited. Under the
    Georgia computer trespass statute, criminal liability may
    only be imposed if the person uses the computer or network
    with knowledge that the use is unauthorized. "From what I
    can tell, the state would have had a hard time proving
    beyond a reasonable doubt that David knew he wasn't
    authorized to install the software," Tien said. "I can't
    help but feel that this was a face-saving deal for the
    state."

    "The state's claim of up to $815,000 for computer time seems
    to fit an old pattern that we've seen before," Tien said. In
    one of the first cases championed by EFF, a man faced years
    in prison for obtaining and publishing an internal BellSouth
    document initially valued at almost $80,000. The case was
    dropped after evidence was introduced that it was publicly
    available for $13.

    The issue raised by McOwen's prosecution isn't an isolated
    one, Tien added. Distributed computing is an important
    scientific tool that can harness the spare cycles of
    numerous personal computers into the virtual equivalent of a
    supercomputer. The SETI@home screensaver, for instance,
    allows computer users all over the world to aid in the
    search for extraterrestrial intelligence. Last year,
    however, the Tennessee Valley Authority banned the SETI@home
    program from its computers, declaring it a risk to computer
    security.

    While McOwen's legal problems appear over, they've taken a
    serious toll. He resigned from his job at DeKalb soon after
    the school threatened him. And he was fired from his next
    job at Cingular Wireless last August because of the bad
    publicity surrounding the case.

    EFF wishes to praise and give special thanks to David
    Joyner, McOwen's attorney at Kenney & Solomon, for all of
    his hard work. Thanks are also owed to McOwen's supporters
    at FreeMcOwen.com and MachineThoughts.com for publicizing
    the case and raising money for his legal fund.

    Legal defense fund for the McOwen case:
    http://forums.anandtech.com/messageview.cfm?catid= 39&threadid=593069

    About EFF:

    The Electronic Frontier Foundation is the leading civil
    liberties organization working to protect rights in the
    digital world. Founded in 1990, EFF actively encourages and
    challenges industry and government to support free
    expression, privacy, and openness in the information
    society. EFF is a member-supported organization and
    maintains one of the most-linked-to websites in the world at
    http://www.eff.org/
    • by ch-chuck (9622) on Friday January 18, 2002 @12:24PM (#2862647) Homepage
      Wow! I'm sitting on a friggin' gold mine. Who in their right mind would ever pay upwards of $35 for ONE MINUTE of time on a PC?? You can buy a good system that's paid for itself in just one hour of time!! Lets see, going by the usual inflated legal dollers, this 1.5Ghz P4 I've been burning in for the last two weeks has just wasted $713,000. boggle.
  • Punishment. (Score:5, Funny)

    by AnalogBoy (51094) on Friday January 18, 2002 @12:16PM (#2862589) Journal
    Now, of course, he gets off light from the government.. but jeeze, think of the internet traffic charges he's gonna rake up from being slashdotted. YOU MEAN HEARTLESS PEOPLE! Have you no decency? Give the man a break.
  • It wasn't SETI@home! (Score:5, Informative)

    by jonnythan (79727) on Friday January 18, 2002 @12:19PM (#2862611) Homepage
    A lot of people seem to be under the impression that the client he was running was SETI@home and was therefore innoculous.

    Well, he was running some distrubuted.net-type decryption client where he would have WON MONEY had he been the one to find a key.

    Not so humanitarian and innoculous now, is it?

    Years in prison and a $400,000 fine are extremely way beyond reason, but I can see how this was a crime as he stole company resources for personal gain.

    The $2100 fine does seem reasonable as I think he would have won $2000.
    • by SirSlud (67381) on Friday January 18, 2002 @12:31PM (#2862699) Homepage
      >he stole company resources for personal gain

      I hope you're not at work today! You're stealing bandwidth and CPU power to post to slashdot, for the personal gain of .. well, posting to slashdot!

      Honestly, what, you wanna start counting electrons .. which ones make my company how much money, and which ones lose?

      distributed.net does have a goal that benifits those who believe in privacy and ecryption. it's not some sort of time-sharing scam or anything. in fact, if anything, distributed.net has a far higher likelihood of affecting our world (while we're still alive) than the seti project. like, sure, if his college didn't want it, I understand .. but to have been criminally charged instead of simply reprimanded? thats simply ludicrous. i'm liable to believe that someone in georgia does not believe in high encryption and privacy ..
  • by nurb432 (527695) on Friday January 18, 2002 @01:07PM (#2862966) Homepage Journal
    So this means that before i install anything, good or bad, that i must *explain* each and *every* piece of code, and clear it with the people that entrust me with their network and am paid to be the expert on, and responsible for its upkeeep? What if i install VNC, antivirual update, research software for a better network, prety much anything they decide they dont like that day.. i goto jail? Seems to me our ablity to even do our jobs has just been limited drastically. Sure, wholesale personal use is wrong, but the way it sounds now im libel if managemnts mind changes tomrrow on anything.....
    • No, this means that as a trusted employee it's YOUR responsibility to make responsible descisions! Keeping all your machines on 100% CPU load and constantly degrading the network performance for no gain to the network itself are NOT responsible network admin descisions, pure and simple.
      • I don't think that in any way the guy should have had a huge fine or gone to jail over this. It's a firing offense, nothing more. He was wrong, I would have fired him. That would have been the end of it...
  • I thought you downloaded a file from SETI and mucked about with it for 20 something hours and then sent your findings back to SETI.

    How much bandwidth could that possibly take up?

    Further, there's money to be had? I thought I was just helping out.

    I have got to start reading the FAQs.

    Oh and as for the topic:

    I'd be POed too if someone was running crap on my systems. But I'd likely just have him remove it and force him to buy me an expensive lunch. Many of my business disputes are settled with the purchase of an expensive lunch.
  • McOwen Was Warned (Score:3, Informative)

    by futuresheep (531366) on Friday January 18, 2002 @03:11PM (#2863797) Journal
    McOwen was warned several times by his superiors about running the client:

    SecurtyFocus [securityfocus.com]

    Financial Motive Alleged

    Willard says that McOwen was singled out for prosecution partly because he had ignored his supervisor's warnings. "In this case, Mr. McOwen was expressively prohibited by his superiors from downloading these programs and was informed on many occasions by his supervisors to stop downloading programs," said Willard. "They were aware that he was doing it and he had gone in and cleaned it up on numerous occasions." Joyner insists McOwen received no such warning.

    Prosecutors also claim that McOwen had a financial motive for volunteering the school's machines. McOwen was a top producer on distributed.net for "Team AnandTech," a group sponsored by a hardware forum site which is still the second ranking contributor to the RC5 research project. A $1,000 prize goes to the individual contributor who recovers the RC5 encryption key. "McOwen placed a program on computers, that in his estimation would benefit him personally, including computers that has sensitive student financial and identity information without authorization," says Willard. "There is concern about the program itself compromising or providing the basis to compromise sensitive personal or financial information, there is the matter of Mr. McOwen's unauthorized activities on this computer, and finally there is the point that there was misappropriation of state property."

    He was warned several times, and the software had repeatedly been uninstalled. This isn't the only article I've read that discussed this fact. I may not agree with the charge or the penalty, but he should have been fired for ignoring his supervisors continued requests.

  • but decided against it. When I was working for the university we ghosted machines and we thought hmmm we could put SETI on all of them as they went out! Give the university a little credit, let it run in the bankground, and most of these machines went to individuals who would not come near to using all the speed of a 500 MHZ machine. However, we thought for a moment and said "Do we really want to risk it?" The obvious answer was no and that idea was filed away in the cylindrical file cabinet. Its good to use good judgement. He's lucky to not be doing time.

    HT
  • Ok, so being that I actually went to this school to learn C programming (making deans list a couple times), perhaps I should lighten up on my perspective of the usefulness of the EFF.

    Meaning this hits close to home for me. But the EFF is still a small organization and, like the ACLU, has little choice but to be very selective about taking on cases that are inherently helpful to promoting the EFF and their fund raising efforts.

    But I Still Think and Believe that there are more fundamental issues in regards to the Electronic Frontier as it applies to our freedoms, that really should be and need to be addressed.

    As the article seems to say, McOwen should never have been charged in the first place. This should be a good enough indication that there are more fundamental issues in need of addressing.
  • is not that his employer took action.

    I think we can all agree for the most part that, in a way, he should have known better.

    The scary part is that for something as minor as this, they tried to get him on 9 felony counts, facing 120 years in prison and something like a million bucks in fines/restitution.

Gee, Toto, I don't think we're in Kansas anymore.

Working...