Schwartz Case Upheld on Appeal 141
RichardtheSmith writes: "For those of you who followed the prosecution and conviction of Randal Schwartz back in 1995, you might be interested to hear that the Oregon Court of Appeals finally ruled on his appeal. The gist of it is that they upheld the three convictions, but overturned the approx. $70,000 restitution award to be paid to by Schwartz to Intel. There was also some language in the Court's decision holding out a ray of hope that a future appeal based on a slightly different legal tack could succeed. For background on this case look at the Friends of Randal
Schwartz website. Regardless of what you think about what Randal did, or whether it rose to the level of criminality (I certainly don't), it's certainly a fascinating and chilling tale."
Re:This is a serious blow (Score:1)
HTH
Re:What a bonehead (Score:1)
I don't buy for a minute that you were looking for holes... The list of similar types of stunts at other past employers (some contract employers with whom you no longer have a contract with) etc shows a pattern. You are the classic arrogant geek. "I CAN do it so who is the man to tell me not to."
You yourself, in numerous passages during the police interviews, state that you knew, full well, that what you were doing was both illegal and frowned upon by Intel.
So, we have an arrogant geek who feels justified doing what he has done because his internal set of standards for what is a hack hasn't been crossed. Well, got news for you partner. It isn't your definition of hacking that gets consulted when times like this occur.
Save the pity. Obey the policies of a contractor or leave but don't whine when someone catchs you twice and explicity tells not to do that again followed by another incident and your arrest. Please...
I have an idea for all you Linux/Perl/Unix geeks that think that somehow he should be deified because he used NIX tools on an Intel-owned box to show the man how bad his security was. Imagine he used non-nix tools and cracked passwords on a VALinux box as a contractor? Do you really think this story wouldn't be told differently on this forum? Imagine he was caught twice and told to quit and given a stern warning. Imagine he did it again. Imagine the story then.
Don't do the crime (and you yourself said it was a crime more than once) if you can't do the time.
Re:Intel uses (or used to use) Sun hardware? :) (Score:1)
Limerick (Score:1)
Fool me twice, shame on me
Fool me three times, go to court and get your socks sued off
Speaking as an ex-Intel employee... (Score:1)
I used to work as a contractor for Intel (a lowly "green badge" to the cognoscenti). While I didn't especially enjoy my time there, I don't really have any grudge against the company, and therefore no reason to embellish things. That disclaimer out of the way...
What Schwarz did was just plain stupid. The first thing any new Intel employee notices upon entering an Intel facility -- and I worked in the same campus Schwarz did -- is that Intel is VERY paranoid about security and intellectual property. They may do a shitty job of it, as Schwarz discovered, but they are nonetheless quite serious about it. I watched more than one person get chewed out just for not properly using copyright and trademark symbols in internal documentation, and getting access to additional resources of any kind involved quite a bit of time and red tape. Intel is terrified that "Intel intellectual property" (which may as well be one word the way it's used at Intel) will leak out to Sun or AMD or some other competitor. To play with that fear is foolhardy.
Nonetheless, I think it's pretty plain that Intel overreacted in this case, since Schwarz obviously had no malicious intent. But if you shove your arm in the bear cage and tweak the bear on the nose, you can't claim surprise if you draw back a bloody stump.
On an unrelated note: Intel is also terrified of having its intellectual property "contaminated" (their word) by the GPL. Employees must get permission to work on open source projects from their supervisors who must certify that the project is unrelated to the employee's work at Intel. (To be fair, they grant this readily most of the time.) Intel's main interest in Linux isn't as a competitor to Microsoft; it's as a competitor to Sun, since Linux is most often installed on Intel platforms. Ergo, if you're going to approach Intel about supporting an open source project, you should approach them in this light: how can my project harm Intel competitors? There's nothing sinister about it; Intel's interest in open source is purely business and entirely non-ideological.
Whats so fascinating or chilling about it? (Score:3)
1.) installed aprogram so that he could access two intel machines from a remote location
2.)copied a password file from a machine
3.) cracked the password file using a cracker tool
There are no legitimate reasons for doing any of these things, and it was clearly unauthorized use of the system. IOMNSHO, his punishment fit the crime perfectly, and there is nothing to debate here.
Re:This is a serious blow (Score:3)
Someone cracked my slash password.
I think it's ironic that you felt qualified to audit intel's password security, yet used a password of "slashdot" for your slashdot account.
Idiot.
--Shoeboy
Did You check the link? (Score:2)
From Intel's Prosecution of Randal Schwartz [lightlink.com] (linked from Friends of Randal Schwartz):
Some Highlights from the Ongoing Farce
Re:Intel uses (or used to use) Sun hardware? :) (Score:1)
Re:Criminal charges (Score:2)
Python
Re:Whats so fascinating or chilling about it? (Score:2)
Then you know nothing about computer security or the trails and tribulations of working on a network like Intels. Cracking password files is something SAs should do often if their OS doesn't include something like libcrack to prevent users from picking clueless passwords. 5 years ago, one of the many ways to secure a box, and a very effective one to boot, was to crack its password file and fix all the bad passwords.
If there is any crime at all here, its that no one else apparently in Intel was bothering to do this and it speaks volumes about Intels supposed InfoSec policies and how poor Intels security was.
Python
Re:128 Words (Score:2)
BTW, you might want to try some of the links in the story. They're informative; far more informative, to put it bluntly, than your post.
Re:Intel uses (or used to use) Sun hardware? :) (Score:1)
Not as embarassing as the screenshot of one Microsoft website that had given a Roxen [roxen.com] error message... Too bad I can't find that one right now, does anyone still have it? =)
Interesting... (Score:3)
The law in Oregon is wrong. It's far too broad. However, I'm going to have to support Intel on this. Schwartz should have told them what he was going to do, if he had no criminal intentions. By compromising the computers without forewarning, he put the rest of the company in not insignificant danger.
Yes, as it turns out, their system security was crap. That's not an excuse to go cracking it without warning them that you're going to do it.
Do I think he should go to jail for it? No. But I believe Intel's within their rights to fire him for it, and to demand compensation for fixing the mess. Had he only told them what he wanted to do (heck, call it a "security analysis by simulated break-in" even, if he really thought they wouldn't let him do it) the whole mess could have been avoided.
----------
Contradictory info... (Score:3)
I asked Randal why he was using the "CRACK" program to obtain passwords and asked if he realized that these passwords would access
the SSD system. Randal advised that he did realize this and that he wanted to get his E-mail quicker
Weird, eh? But check this out:
I asked Randal why he would need forty to fifty passwords and he said, "I needed them in case they caught me doing it and knew they would shut
me down so the more passwords I had, the longer I could continue doing what I wanted to do." Randal advised that he had the capability to do it and he knew he could do it. I asked Randal if this was wrong and in violation of Intel policy and Randal said, "Yes it is, but I knew I could do it anyway." Randal said that he wanted to do it because he wanted to be efficient in getting his E-mail very fast and he felt was important and when they shut him down, he wanted to continue doing what he was doing and since he had the capability to do it and knew he could do it, he did it without permission.
Well from that, what he himself said to a policeman, he comes across as a dirt-common script kiddie.
Re:This has been bothering me for quite some time. (Score:2)
BTW: Randall wasn't an Intel employee -- he was a contractor.
Re:The problem isn't the crime, it's the law (Score:2)
No. Pissing off the wrong people in *combination* with wrongdoing can send you to jail. Merely pissing off Intel drones wouldn't have meant a damn thing if Randall hadn't been cracking Intel computers at the time (a wrongdoing at least in Oregon).
Intel uses (or used to use) Sun hardware? :) (Score:2)
http://www.lightlink.com/spacenka/fors/police/inte lrep.txt [lightlink.com]
For the lazy, I take an excerpt below :)
The reason for making this report public is that it specifically mentions that Randal was using Intel resources to crack password files from at least one other company.
On Thursday, October 28, at 12:30 in the afternoon, I noticed an unusual process running on a Sun computer which I administer. Further checking convinced me that this was a program designed to break, or crack, passwords.
---
128 Words (Score:1)
So what's a pageview on /. going for these days? Andover must really be hurting for cash to resort to these "4 common items in your kitchen that can kill you - after the commercial"-type teasers.
Re:128 Words (Score:2)
In the meantime anyone with the slightest interest in effective communication would rather an article that contained within it's body some reference to the course case R.S. was involved in.
That's not telling you "what to think" nor do I see how you could confuse it with such (perhaps you're confusing this with some "issues" of your own?) Rather it's just common sense to give folks the basis upon which to judge if the article is likely to be of any interest to them before they go off clicking willy-nilly.
Re:Criminal charges (Score:1)
Wow, he impersonated people? He kicked people when they were down?
You're probably the most cowardly person I've *EVER* seen on slashdot.
Merlyn's account hijacked (Score:2)
To whomever did it: You're a great example of humanity. The guy just took it bending over again from the legal system, and you feel the need to play pre-pubescent 31337 haxx0r tricks to screw with him even more. Not that I expect the highest standard of decency from Slashdot trolls, but this *is* a real person you're impersonating.
He's a nice guy, and he's helped a lot of people. Not in a UNICEF or Amnesty International sort of way, but he's done his bit. Hell, if CmdrTaco read any of his O'Reilly books, he helped this place get made. That's irony.
But, in the end, this is "only Slashdot". I see amazing crap like this here, and I see amazing discussion here. Unfortunately, things like this are making me take this place less and less seriously.
Anyway, if you know Randal, you know this wasn't him anyway...
Merlyn's /. account has been hijacked (Score:3)
To whomever did it: You're a great example of humanity. The guy just took it bending over again from the legal system, and you feel the need to play pre-pubescent 31337 haxx0r tricks to screw with him even more. Not that I expect the highest standard of decency from Slashdot trolls, but this *is* a real person you're impersonating.
He's a nice guy, and he's helped a lot of people. Not in a UNICEF or Amnesty International sort of way, but he's done his bit. Hell, if CmdrTaco read any of his O'Reilly books, he helped this place get made. That's irony.
But, in the end, this is "only Slashdot". I see amazing crap like this here, and I see amazing discussion here. Unfortunately, things like this are making me take this place less and less seriously.
Anyway, if you know Randal, you know this wasn't him anyway...
Re:This has been bothering me for quite some time. (Score:2)
> them get along about as well as the Israelis and Palestinians.
Whether or not these are Randal's actual words, this is much the case: Intel is a place where the concept of a team rarely extends beyond the people who report to your immediate boss, & sometimes not even that far. (A very effective way to ensure one's continued future at Chipzilla is to eliminate your competition.) A screw-your-neighbor mentallity I have not seen in other workplaces.
And now for an OT question: is this Heidi Wall, whom the pseudo-Randall talks so much about, Larry Wall's daughter?
Geoff
This is a serious blow (Score:1)
This means the failure of all my precious hopes and dreams. Now that I am branded a convicted felon for life, there is no way Heidi Wall will ever go out with me.
Truly, this is a sad day, but perhaps it is for the best. Far too many hours have I spent daydreaming about Heidi instead of doing actual work. And it has been truly uncomfortable for me to talk to Larry about Perl when all I can think about is his hot little daughter.
More importantly, I think Larry and Tom found out about my attraction to Heidi (although I have been circumspect) and decided to cut me out of the royalties on the latest version of the Camel book. I could just be being paranoid here though, since Tom has alway hated me, and he has a strange, unholy control over Larry.
As much as it pains me to say it, I must admit that this is in Heidi's best interest too. Now that she has Shoeboy, why would she want a repulsive old man like me? I could never hope to compete with Shoeboy's wit, charm and gorgeous body. (I'm not gay, but damn, the dude is hot.) Shoeboy can make her truly happy, and I wish them the best.
One thing is for certain though, I'm recommending that no one ever work for Intel.
--Randal Schwartz
Re:Did You check the link? (Score:1)
I was stupidly naive. I had been rewarded in the past for finding "item 11" on the "1 to 10 list" and doing it. I was trying to do that here, both in setting up the mail gateway to read my Intel mail while I was offsite, and revealing how much the admins at SSD had lowered their standards since I had left that group a year earlier. Yes, neither of these were expicitly requested activities, but I also hadn't been explicity requested to type "ls". It was just a judgement call, bad judgement in hindsight.
So, I suffer from having been overenthusiastic in my job in an enviroment that had a hair trigger for anything out of the ordinary, and being prosecuted under a law that makes it a felony to change the background colors on a screen.
I had no criminal intent. I was just trying to do my job the best way I knew how. And for that, I've lost $300K and gained a permanent status as a triple-felon (unable to get expunged, by the way), not to mention the time and energy that have gone into this case for the past seven years that could have been directed toward something more productive. (Why do you think my name isn't on the third edition of the camel?)
This should have remained a civil matter. I'd not be whining (as much {grin}) if I'd merely lost the contract and gotten blackballed for performing acts that Intel believed were off-contract. But the law shouldn't have permitted this to be a criminal matter, and Intel shouldn't have optioned to take this to the police without willing to be fully responsible for the consequences. Recall also that Intel is the largest private employer in Oregon, and you'll see the inequity here; I bet if I had been working for a 10-person software house in Oregon that they'd not have gotten the attention of the DA.
Re:Such a lengthy appeal... (Score:1)
Yes, half my community service time was commuted to a fine. This was done by a judge on a letter from my probation officer, with the entire history of the case available to him. He had every option to say no, or to change the rate of hours-to-fine at something other than the conventional $5/hr. He accepted my probation officer's proposal as requested.
So, instead of doing 480 hours of service, I did 240, and paid a $1200 fine. With the judges approval. This is public record.
Re:Such a lengthy appeal... (Score:1)
So I continue the challenges not so much for me (although getting my weapons and free-travel rights back would be nice), but for my fellow Oregonians who are now even more at risk because of my case.
The money is not the issue. Yeah, I could always use a few extra bucks, but instead I've dedicated a significant amount of my income toward having justice show up in this case, rather than the confusion that has come out so far.
Re:What a bonehead (Score:1)
I'm not stupid. When I'm told "don't do this", I don't do it.
As for the "illegal" and "frowned upon", those came from the police reports. I'm still amazed at how much information they have in those reports that I didn't say, or said in a context that doesn't fit how the reports played them back.
They took about ten lines of cryptic notes from a two hour conversation. They had tape recorders in the car, they didn't use them. They had video cameras at the police station. They didn't use them. I'm told it's common practice to allow interrogators to "play loose".
As an example, please answer the question honestly:
If you can answer that with "no", you are in the minority, or have never worked for a large company. You mean you've never called a personal call on the PBX? That's against the corporate policy of every large company I've worked for, and yet every day, people are calling their wife, kids, doctor, car dealer, sports ticket vendor, etc.So I answered "yes" to that. Now how does it show up in the report: "Mr. Schwartz knowingly violated Intel policy".
Crap. How am I supposed to get a story across when things are taken and presented that far out of context?
That's the mess that this case is. I answered very honestly and broadly during the interrogation, but the only parts that were written down were the parts when taken out of context imply that I knew that I was harming Intel. Nothing of the sort. Just a bunch of out-of-context remarks by skillful interrogators.
Re:The problem isn't the crime, it's the law (Score:1)
I did some things that I was later told to stop, yes.
But please don't paint me as such a defiant fool.
Re:This has been bothering me for quite some time. (Score:1)
Re:128 Words (Score:2)
In the words of Jello Biafra, "Welcome to Oregon, land of tolerance." And to think I often dreamed of bringing Heidi here, and living a peaceful, Oregonian life together.
Re:128 Words (Score:2)
Re:DO NOT BELIEVE 9918 - IT'S A FORGERY (Score:2)
that have references to Heidi Wall, but the rest are mine.
Re:This is a serious blow (Score:2)
Re:This has been bothering me for quite some time. (Score:3)
I made the mistake of getting involved in helping a group of sysadmins in another division. This was a fatal error. Ordinarily I would not have suffered such a lapse in judgement, but I was busy thinking about that sweet, divine piece of blonde femininity, Heidi Wall, and wasn't thinking too clearly.
Re:Let them eat SPAM (Score:1)
5. No Discrimination Against Persons or Groups
The license must not discriminate against any person or group of persons.
Re:Info on the actual case... (Score:1)
Running crack against the passwords from machines that he should have known he was not supposed to have access to (belonging to a group he had been let go from) also seems quite foolish. It's not explicitly stated (as the gate case is), but presumably it was also against company policy to run crack without authorization.
Whether Randall likes it or not, what he was doing was obviously against the rules of his workplace, and unfortunately was also against the law. As they say, "ignorance of the law is no excuse". He is correctly convicted of the items alleged against him, as far as I can see, since there is no appearance that (as he claims) he actually had authorization from the responsible managers to try to crack those systems, and it is definitely the case that his "gate" was against the rules and he'd been warned about it once before doing it again.
If you think that the law should be changed, by all means, change it, but he's guilty as the statute is written.
I agree with Randall that the $70k levied against him is probably excessive, but on the other hand, what was the cost of the work that went into confirming that he did indeed ONLY do what he claimed? That's not always a trivial task.
Re:Contradictory info... (Score:1)
Re:Phew. (Score:1)
Common carrier status already doesn't apply. They removed a post containing Co$ material.
--
Re:An IRC Log for you (Score:1)
--
Wow. (Score:2)
Then, Tom Christiansen came and chewed them all out.
--
Re:funny you should say that (Score:2)
Caution: Now approaching the (technological) singularity.
Re:This is a serious blow (Score:1)
For the record, I have contacted Heidi, and she doesn't object to my actions on slashdot. So piss off.
--Shoeboy
Re:Boycott Intel (Score:1)
What a coincidence, so did most of the slashdotters responsible for that self same shrillness. You didn't think they'd actually back up their political beliefs with action, did you?
--Shoeboy
Re:DO NOT BELIEVE 9918 - IT'S A FORGERY (Score:2)
that have references to Heidi Wall, but the rest are mine.
Uh, you aren't going to press criminal charges against me, are you?
--Shoeboy
Re:Merlyn's /. account has been hijacked (Score:1)
Bullcrap. He may be a "nice guy", but he's a moron. He cracked into several different computers, and didn't even bother to cover his tracks (of course, if he had, he'd still get caught and the penalties would be even worse). No sympathy for the cracker morons.
running Crack on a box is not "illegal" (Score:1)
Comment on Randall's Personality (Score:2)
Geeks, especially ubergeeks, tend to have a perspective that they know better than their management how computers should be run. I think this is understandable, and makes sense from a geek point of view. As a geek and manager, I also understand the management point of view.
Frequently, conflicts arise between policy (management) and desire (geek). Management usually wins the war of words with their geeks, but it does not always win the war of intentions.
Randall fits a classic ubergeek profile, from reading his responses -- he apparently
A gateway allowing e-mail checking was a compelling application for him. It also would be a compelling application for someone intent on distributing Intel chip design secrets, worth multi-tens of millions. It's not hard to connect the dots, and see why they would prosecute so aggressively, from a different department than the one he worked in. Reading Mark(last name?)'s written comments in the FAQ are pretty illuminating -- he understands exactly what's happened; Randall's mostly do-gooder, some skirt-the-system work was noticed in a particularly sensitive venue in a particularly sensitive company. The rest was just bad bad news.
It fits a pattern that many geeks fall into to comply with the letter of a management law, and skirt the intent for their own convenience. I just call this bad judgment, not criminal intent. (Given the Oregon law, this is not even a valid point where he's being tried, but I believe it is probably personally important to him to make the distinction.)
In any event, regrets / congratulations on the decision, and may you overcome the giant in the end. Also, may your admin duties be either ratified by management, or subdued in the future!
Intel vs. Schwartz FAQ (Score:3)
Former Unv (Score:2)
--
Such a lengthy appeal... (Score:1)
-------------------------------------------
I like nonsense, it wakes up the brain cells.
Re: (Score:2)
Info on the actual case... (Score:5)
It took a while to find anything that actually said what this man was accused of doing. Finally, I dug into the newspaper articles refered on the "Friends of Randal Schwartz" site, getting this from the Dr. Dobb's link:
http://www.lightlink.com/spacenka/fors/press/ddj96 03.html [lightlink.com]
In his defense, Schwartz said that he was only trying to show Intel how inadequate its security system was. At the time, Schwartz was working under two Intel contracts: one to deploy DNS servers for the entire corporation, and another as a system administrator for some network-support machines. Since both contracts were running out, he'd hoped to generate a new contract to improve Intel's security. To that end, Schwartz ill-advisedly ran Crack, a commercially available password-breaking program that uses brute force to discover vulnerable passwords. His plan was simply to put together a proposal - based on real data - for improving Intel security. The sort of information he intended on presenting in the proposal included nearly 50 network passwords he'd discovered (including that of one ambitious vice president whose password was "pre$ident").
Before Schwartz could put his proposal together, however, an Intel employee noticed an unauthorized program was hogging computer time. Upon discovering Schwartz's Crack run, he notified security, and in the flip of a bit, Schwartz went from being an "independent consultant" to an "industrial spy." Even though management recommended that Schwartz simply be confronted because there was clearly no criminal intent at work (Schwartz ran Crack under his own login and didn't try to dissimulate his efforts), Intel's jackbooted security team (maybe needing to justify their jobs) opted to call in the sheriffs department.
Schwartz admits that he made a number of '"bone-headed" mistakes - not clarifying the rules about Internet access, not reporting the first cracked password, not immediately reporting the results of the run - for which he probably deserved termination. However, he also says that his actions "were motivated by my desire to give Intel the best possible value for the money they were paying me," adding that none of his acts were based on malicious intent. In summary, Schwartz said: "I am sorry that I caused Intel any grief or hardship, and that in hindsight, I should have been clearer about my intention and actions."
The upshot of all this is that Schwartz is in a financial bind. There's little chance he will ever work at Intel again, even though he has given the company five years of good measure. Nor is he likely to work at any company that agrees with Intel's beliefs about him. With dim employment prospects, Schwartz has so far spent about $135,000 on his defense. When it's all said and done, he will probably end up paying $160,000 before even considering appeals.
Website for support... (Score:1)
-Moondog
Re:128 Words (Score:1)
To the rest of slashdot, it's simply another example that big corporations don't think the same way as hackers.
What's "chilling" about it? (Score:1)
RANDAL'S SLASH ACCT. HACKED? (Score:1)
- technik
Not the real Randal! (Score:2)
Do not believe the rantings originating from #9918.
This is an unbelievable insult heaped upon the injury of losing.
Re:Contradictory info... (Score:2)
Re:The problem isn't the crime, it's the law (Score:2)
Re:This has been bothering me for quite some time. (Score:2)
Basically, Schwartz did one thing really wrong - he ran crack on the password file to check for bad passwords, and he didn't immediately report his results (or his intent to run crack in the first place).
As for copying files against instructions and stealing files, he basically had a
Really though - any decent sys admin worrying about security today gets clearance and runs crack, and forwarding email doesn't really seem like a crime - unless you are an over-ambitious security person at Intel.
Re:This has been bothering me for quite some time. (Score:2)
You are right - it is kinda dumb. However, hashed passwords are world readable on a system, and good passwords cannot be reasonably broken with crack. Security affects ALL users, and crack is a reasonable security tool. There is no evidence it was used to break into accounts.
As a different example, I sometimes portscan machines on which I have accounts. If there are gaping holes, I tell the administrator. Am I a criminal for portscanning machines because I am legitimately concerned for their security ? Is it less of a problem if I simply run `netstat -al` instead of `nmap -sT` ? My real concern is that my work is not interrupted because some admin set up a machine running an old version of BIND. Because then a re-install is required, and sometimes worse.
Copying password hashes that are world readable is not a crime. Forwarding email could be illegal at anal enough companies though... His other crimes (running crack, copying password hashes) are things any user with reasonable concerns could do, and require NO special access to machines ie: he uncovered no information that anyone with an account could not easily uncover.
Re:Intel uses (or used to use) Sun hardware? :) (Score:1)
No, instead, it raises more questions. (Score:1)
"What does Heidi Wall have to do with it?" is just one of those questions.
Actually, I hope your post didn't make any sense.
Phew. (Score:1)
Your "gay friend Jeff"? Gimme a break! (Score:1)
Criminal charges (Score:1)
Re:Info on the actual case... (Score:2)
Umm...if you had actually bothered to follow the first link in the /. post, and scroll down, you would have found this:
Find out more by sending mail to my Perl robot at <fund@stonehenge.com>. (The content of the message will be ignored. Be sure you have a valid e-mail return address.)
Following the instructions as indicated provides the necessary (albeit brief) detail. No need to continue lamenting about paucity of information.
Re:128 Words (Score:1)
Whenever someone starts to quote Jello, they lose me. Its almost as bad as quoting L Ron Hubbard, OMNI magazine or Whitney Strieber.
WTF? (Score:1)
I shouldn't have to click into the links and comments to figure it out. Would a sentence or two kill you?
Re:This has been bothering me for quite some time. (Score:1)
All valid points, but do recall a few others.
Schwartz was hired at least in part, to be concerned with system security. Trying to crack a system as a way of proving it is secure is exactly what this kind of job description includes.
Lots of people seem to forget that, including the manager who caused Intel to spend about $1.5 million assisting Washington County in the Prosecution. Whatever his actual crimes may be; his biggest crime was embarrasing a VP.
Check around and you'll find athat at intel, there is a near critical mass of "peter principle" management promotions, the scale of which is very truly awesome to behold. Musical chairs in management roles is simply awesome. I know one contractor who had FIVE different supervisors in one 90 day project.
So Randall is a contractor, whose responsibility includes making the system more secure. Most Slashdotters know that this is not an on off switch. It is a continum of less or more secure and the process of getting more secure involves very intense digging, testing and fixing and more testing.
Nobody says that Randall was not one of the best at this. So some manager decides to NOT renew his contract, probably just to prove that he had the authority. Randall tried to make the point that the job is far from done.
At the other end, there is his client, - Intel, not the PHB manager - who has genuine security problems.
So Randall has been working to make it better and he considers the job not finished. He can see the problems but the boss has said "I don't wanna know about that Iceberg - go away."
If you really cared about the company and their mission, what would YOU Do?
Nobody has said that Randall ever tried to anything other than document the problem.
Does he have an economic interest in a renewed contract? Absolutely, but there was NEVER any suggestion that what was done was for any expectation of gain other than another 90-day contract extension.
Put it another way: The guy you work for is walking down the sidewalk ahead of you and his wallet is about to fall out of his back pocket. You grab the wallet, and hand it to him, with appropriate explanation. Do you expect him to thank you or have you arrested?
Re:Whats so fascinating or chilling about it? (Score:1)
Ah, try again. In a criminal trial, somebody has to file charges.
Do not forget the $1.5 Million Intel spent assisting the Washington County DA in the prosecution.
a serious blow? wait until you get to prison! (Score:1)
[Suggested moderation: +1, Interesting. +1, Insightful.]
--
YARNTUP (Score:2)
--
Re:Boycott Intel (Score:2)
I find it highly amusing that as a "convicted felon", Randy is now more employable than when he was a "Perl hacker".
--
Jeff == Jeff Bates (Score:3)
Yes, I know that Hemos is married. In fact, I put up this site when it was first announced:
Enjoy!--
???? (Score:2)
Michael, get the feeling you are trying to avoid "editorialization flames", but a better description or link would be appreciated.
Wrong. (Score:2)
#2, #3 :
My former ISP often runs crack against their user space, looking for weak passwds.
this guy was a paid consultant of Intel. His error was FAILING TO GET PERMISSION from a superior, in writing, or having a contract that specifically granted him the right to nondestructively test corporate security.
He also exposed a VP's weak, potentially embarrassing passwd -- "pre$ident" -- which will get you fired in almost any corporation, just for political reasons.
He doesn't sound all that savvy to me, if he did not discuss his plans with a superior first.
Re:Whats so fascinating or chilling about it? (Score:3)
Well, he set up a tunnel so he could get his mail. Bad judgement.
2.)copied a password file from a machine
He was a sys-admin working for the firm at the time. SAs often have root, and are meant to be securing systems as part of their job-descriptions. This includes looking at files that normal users wouldn't need to go near.
3.) cracked the password file using a cracker tool
Standard thing for an SA to do. You don't want open accounts on your company's systems. Bad judgement to do it without telling your boss, but a common part of being an SA.
Consider, this happened six years ago. To put it in perspective:
Fifteen years ago there was virtually no internet. There was no concept of users having privacy over there files/email. SAs were managing complex, expensive machines, and protecting them from damage. SAs were considered the de facto owners of the machines. The major threats were internal malicious/naive users.
Ten years ago, privacy rights on computers were beginning to emerge. SAs no longer were expected to randomly read whatever they found. Big servers were still expensive machines, and SAs were experted to keep them secure: running crack and similar were routine activities. SAs were considered the de facto police of the machines. The major threats were unsecured dialins.
Five years ago, machines had become commonplace and cheaper than employees. SAs were considered de facto clerks. The major threat to systems had become external attacks based on weak passwords, and/or unsecured machines.
RS made the mistake of trying to fix new-style weaknesses with an old-timer mentality. Intel freaked when they saw an SA walking around a machine checking the locks (much like if you saw a cop testing the locks on an unoccupied house today.) RS made various statements to the police because he wanted them to understand that his activities were typical for SAs. Intel pressed charges, and corporate inertia took over: a Kafkaesque felony trial took place, where a mere year or two before, his consultancy would have been terminated without prejudice, because his professional style was compatible with Intel's environment.
Re:The problem isn't the crime, it's the law (Score:2)
Re:Not the real Randal! (Score:3)
Re:Website for support... (Score:5)
Because his schwartz is bigger than theirs, ofcourse!
--- Spaceballs, the tagline.
Re:This has been bothering me for quite some time. (Score:2)
Ok. So then when during the trial it became known that an Intel VP did something even naughtier a while back, one would think that this fine Oregon Computer Crimes Law would be immediately applied to him too, right? Hmmm... How odd, it wasn't. Also odd, in ten years, only two other people have been charged with violating that law. Maybe, just maybe, it's being used to target people on the whims of Intel and the like.
--
This has been bothering me for quite some time... (Score:2)
Schwartz copied files from one intel computer to another one... yes against instructions... and it is grounds for firing but not for criminal charges....
Can someone, who has spent more time on this, please explain to me how this could happen? I have been trying to understand this and I still can't...
The lesson to be learned... (Score:2)
I'm a consultant and free-lance writer, so I don't have any big-company bias. I've read all the links associated with this article, at least as much as I was able to in the limited time I devote to /. reading. So let's review the bidding, shall we?
Unlike other people of opinion on /., I disagree that the Oregon law as envisioned by the Oregon legislature is overbroad, but that the lax definition of terms is what makes the law appear overbroad. In this particular case, given the usual level of knowledge by state law enforcement in 1993 of matters computer, it's not surprising that the State of Oregon decided to prosecute. It was the use of this law in the first place by the prosecutors that leaves me cold. According to my own experiences, the proper place to prosecute this case would be in civil court, if Intel felt that it has sustained substantial loss because of Mr. Schwartz's actions.
Lessons to be learned
Your client is not your friend. Your client is not to be trusted to "do the right thing". Therefore, in all written consulting contracts, state that any disputes arising from the execution from the contract, including any alledged criminal conduct alledged by either party, shall first be submitted to arbitration.
If someone in your client company "asks you for a favor" insist that the employee write you a letter formally asking you to perform that favor. One of the gray areas in this case had to do with whether Mr. Schwartz had authorization to do what he did, so make sure you have sufficient proof that you as the contractor believed you had authorization. Such letters should be channeled through your primary contact.
If part of your contract involves tightening up security, ensure the contract includes clauses authorizing you to perform the operations required to test and measure security. Make sure this clause is as specific as possible. Name program names, if you have favorates. This is an amplification of the authorization point above.
Don't communicate with the company with a company-provided and -administered e-mail account, EVER. Your contract should specify that all electronic mail communications shall be sent to your personal e-mail account, and that only communications from your e-mail account shall be considered to be from you. Negotiate appropriate SMTP access for contracts involving on-site activities, and also get them to agree that traffic to and from your personal e-mail account is owned by you and not the company.
As much as possible, use your own equipment to perform work for your client. The only time you should use client-provided equipment is when there is no alternative; e.g. you have to use a proprietary ICE as part of your work. Consider renting equipment that you will use under your own name (reimbursed under invoice by your client) so that YOU, not the client, owns any data generated by the instrument or equipment. Alternatively, specify in your contract that you own all data until you have received payment from the client.
Your contract should also specify what use you may use of company computing resources, including network connectivity. Insist that you be able to use their resources for your e-mail, for Web browsing for the purpose of research, and for any other application that you feel necessary to perform your duty for your client company. If your contract calls for you to be on-site during specific hours, as opposed to being on site only when performing specific tasks, your contract should also specify that you may make reasonable recreational use of their network resources.
Ensure your contract identifies a single individual as your point of contact. Insist that all company requests be funnelled through that single individual. Even better, have the contract specify a primary and an alternate, with specifics as to when the alternate may take the place of the primary. Your reports on your activities goes to your primary (or alternate). Any delegation of contact responsibility needs to be in the form of a letter from your primary -- accept nothing less.
Disclaimer: I am not a lawyer, nor do I play one on stage or screen.
Re:Let us not forget... (Score:2)
employees and then start driving by their houses,
expect to get into trouble. The behavior is
DERANGED. This man needs psychiatric help.
C//
Nice name for a judge (Score:2)
What a bonehead (Score:3)
This guy was just plain STUPID! When somebody tells you to stop doing something, and then you continue doing it, then they tell you to stop again, and you resume doing it on another computer, and then you are reprimanded yet a THIRD time, and then you go "I'll show them!" and access things you shouldn't using somebody else's account, you'd damned well better be prepared to accept the consequences!
What a moron! So many chances to change his behavior, yet he totally refused to do so. If he didn't like their policies, he should have simply left.
Re:Contradictory info... (Score:3)
Have you ever talked to a police officer?
Did you notice how they decided not to record the conversation despite the availability of equipment in their car?
There's no particular reason to believe that any of that is what he said, especially when it so exactly fits the textbook profile of what is required in order to make a good, sticky confession.
Doesn't it seem a little incongruous that in other contexts Randal is a lucid, fairly sensible speaker, but just that one time, behind closed doors, he went off like a raving lunatic, setting out exactly every single element (including some quite fanciful) necessary to put himself in the worst possible light?
Surely you're not that naïve.
The problem isn't the crime, it's the law (Score:2)
The most disturbing thing is the restitution award, which was fortunately overturned. If someone breaks into your house that's bad, and it's punished, but not as harshly as if someone breaks into your house and actually steals or destroys your stuff. It's clear that Intel wanted to make an example of the guy, and poured money and effort into a prosecution which the police wouldn't have been capable of mounting on their own.
That bothers me. A lot.
There are no end of recent examples that merely staying innocent of wrongdoing is not sufficient to keep you out of jail, if you get unlucky or piss off the wrong people. Any new opportunities for putting people behind bars when they haven't noticeably harmed other citizens should be resisted on general principle. Do you really want the insane War on Some Drugs to be extended to Some Hackers? Friends, if this goes much further it's time to sell the computer and take up the violin.
Note to self: Always use "Preview" (Score:2)
Re:What's "chilling" about it? (Score:2)
Let's see, he stole some passwords which he didn't even use. That's worth $70,000 and 5 years of his life? You have one fucked up idea of "humane," my friend.
Re:Let us not forget... (Score:2)
I have read the paper, I have also corresponded with Jim Bell at length on other lists. He is in my opinion a dangerous and obsessive lunatic. Jim is not charged with 'writing a paper'. Anyone who relies on the articles by Declan McCullagh is hearing only the parts of the story that fit Declan's own anti-establishment nihilist politics.
The reason Jim is on trial is
He wrote an article about killing government officials
He wrote a series of letters to federal agents making unspecified threats
He admits to pouring a noxious chemical of some kind on the doormat of a federal agency
He attempted to obtain materials to make sarin gas
He was subsequently charged and plea bargained
After his release he compiled a list of government officials home addresses, and visited their houses to conduct surveilance.
Now that may be a weak case for conspiracy etc. However it iws misleading in the extreeme to claim that the government is prosecuting him for the Assasination Politics article alone, that Bell is an entirely detached academic observer who did not take any steps to attack government officials. The AP article is only one piece of evidence that demonstrates that Bell is a paranoid crazy who is very likely to kill someone. The fact is that Bell admitted in the previous case to going beyond talking about murdering government officials to actively planning attacks - albeit attacks well short of murder.
On the specifics of the paper itself, it was nothing more innovative than observing that Chaum's Digital cash coupled with an auction scheme would be a good way to hire hitmen. The scheme is pretty Rube Goldberg and has a number of problems, not least the fact that no US court is likely to consider the auction site as a legitimate exercise of the first ammendment, nor is any foreign government going to tollerate it. Beyond that as several cipherpunks have pointed out the scheme itself does not work since the hit man has no assurance that they would be paid the cash rather than an impostor. In fact if the board was set up it would be filled by the same federal agents who post the 'I solve problems' classifieds in soldier of fortune.
Re:This has been bothering me for quite some time. (Score:2)
Note the date. At that time shadow passwords were being denounced in much of the UNIX community as security through obscurity after all Moriss had written the gospel on the subject, trust in cryptography not access controls. The fact that Moriss was head of the NSA at the time the argument was going on was beside the point. I agree that the system admin should have used shaddow passwords, and at the time I was making that very argument. However the amount of shite we got for going against the weenie types was substantial, it is not surprising that the sysadmin was not running shaddow passwords at the time, in fact Sun may not even have supported them when the system was installed.
Let us not forget... (Score:2)
snippet taken from Wired article [wired.com]
other Wired article [wired.com]
Re:Let us not forget... (Score:2)
So whats the difference here? AGAIN have you read the document, if you haven't then please hold your comments because you'd look like an ass in all due respect.
funny you should say that (Score:3)
So even though you can get it online, (the jury list) it wouldn't matter to the judge he'll lock any media up for posting it.
Obtaining someone's address and driving by ther homes does not constitute a crime, they don't even have any proof he did it to begin with, so please read about the case before posting irrelevant information. If it were your life on the line, you would want people to know the truth if you were getting shafted, and help out by any means.
System Security (Score:2)
When I worked for Information Systems at my university, I discussed password security with my supervisor which led to a demonstration of L0phtCrack and a revision of our security policy. We occassionally use it to recover forgotten passwords on NT4 workstations. A year or so later, a pair of colleagues asked permission to run a security audit and test NT system security. After permission was granted they broke out the latest version of L0phtCrack and a few other tools, then demonstrated results to their supervisor. The climax of the demonstration was when one logged in to her workstation with her password. It seemed that few people were taking security seriously, including higher-ups (little surprise).
Anyway, their supervisor became extremely irate - she didn't mind them running the audit, but was incensed that they'd cracked *her* password. She terminated both of them on the spot. They were fired for doing their jobs. Go figure.
Anyway, about a week later when tempers had cooled (and work orders were piled sky-high) IS asked one of the guys to come back. In the interim my department hired him, for better pay and working conditions. He's one of the best techs I've ever worked with and we were lucky to get him. Needless to say, he declined to return to IS. The other guy wasn't asked back (conflict of personalities with his supervisor), but found a much better position the same day he was terminated - again, for higher pay and better working conditions.
I guess the moral of the story is that there's really no protection against getting canned. But if you do your job properly, things will turn out in the end.
Intel violated a basic trust (Score:2)
Why should you worry about this if you don't run Crack? Because there are lots of other mistakes and activities that could be misconstrued as illegal computer activity:
You have to be able to rely on your employer to behave reasonably even when you make a mistake. When it comes down to it, a company like Intel will be able to present enough evidence and experts in court to make just about anything look like illegal activity to a non-technical jury.
Intel didn't have enough of a clue to distinguish harmful activity from stupid mistake in this case. That means that if you are going to do anything non-trivial with software (like run Linux, run X11, run VNC, write scripts), given their past performance, there is a good chance that they will again behave in a haphazard and unpredictable way.
Working for Intel seems to expose you to the risk of getting a criminal record for a mistake. I don't think that's the kind of "benefit" I want from an employer. I'd look elsewhere for a job.