Intel v. Randal Schwartz: Why care?
Jeffrey Kegler
computer crimes, potentially carrying 15 years of prison, is simply a
hacker case, with an unfortunate twist. Randal is the well known
teacher and author of books on the Perl language. As Peter Lewis said
in the _New York Times_, "Much of the Internet's World Wide Web has been
built by programmers who got their start by reading his _Programming
Perl_ and _Learning Perl_ books."
Clearly, Randal was someone who should have known better. And in fact,
Randal would be the first Internet expert already well known for
legitimate activities to turn to crime. Previous hackers have been
teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick
never made any name except as a hacker. Never before Randal would
anyone on the "light side of the force" have answered the call of the
"dark side". Randal received a deferred 90 day jail term, 5 years
probation, and 480 hours community service. His legal fees have run
over $170,000 and a request for $71,000 in restitution awaits a ruling.
This is enough to make this case sad and troubling. However, a closer
look at Oregon v. Schwartz is more troubling.
1. Even taking the prosecution's case at face value, one is struck by
the minor nature of the charges, especially when contrasted with the
penalties. A charge against Randal was copying an Intel password file
from one Intel machine to another. No intent to take it outside Intel
or further use or misuse it was even alleged. Randal was convicted on
this count, which is a felony potentially carrying a 5 year jail
sentence. Like any felony, it also carries with it the loss of many of
the rights we take for granted. For example, Randal may not leave
Oregon, change residence or change employment, without prior permission
from his probation officer.
2. A second charge against Randal was also a felony with a penalty of
up to 5 years in jail. Randal, by his own admission, decrypted
passwords from the password file above mentioned. He says it was to
show their poor quality as passwords to his client, Intel. No other
intent was alleged, and the decrypted passwords never left Intel.
Randal was convicted of this count.
It is necessary to note that the first two counts were special "computer
crimes", specifically "knowingly access[ing] and us[ing] a computer and
computer network for the purpose of committing theft". As we will see
below, the prosecution did not show, and was not required to show, most
of what it must in order to convict ordinary, non-computer thieves.
Many of the missing elements are also essential to the ordinary, common
sense notion of what theft is.
3. A third charge (and Randal was convicted on all three counts against
him) was altering a computer without authorization. The facts behind
this charge are uncontested. Intel said and Randal admitted, he had
installed a gateway through Intel's firewall. Randal says he was did
this as part of his work for Intel. Nobody alleges the gateway caused
harm, or that Randal intended harm in running it.
4. Even to prove such trivial charges, the prosecution required
extraordinarily low standards of proof to make its case. The
presumption of innocence, and simple common sense, would seem to argue
that an employee or contractor is routinely presumed to have authorized
access to a company's computers unless there are reasons to think
otherwise. The alternative in today's world is to generate a mountain
of forms to authorize a day's work, or else require the employees to
operate without clear authorization and be subject to prosecution
whenever their employer is upset with them for other reasons. The
Nevada computer crime law requires the employee's presumption of
authorization to be overcome by "clear and convincing evidence to the
contrary". The Oregon law contained no such language, only the verb
"authorize" without any definition, and in effect, the court placed the
burden on Randal to prove he was "authorized".
5. Even if the burden of proving authorization is placed on Randal, the
evidence shows that he had good reason to believe he was authorized.
Randal's use of and advocacy of checking for weak passwords with crack
had long been known and approved of by Intel. Randal, in fact, was
perhaps the first person within Intel to follow this now accepted and
routine procedure. He had been sysadmin of the computers whose
passwords he was checking, at which time he found that checking for weak
passwords, by now Intel policy, had lapsed on some machines (or never
been done). When he moved on to other duties, he suspected that
password checking had lapsed again. If Randal's suspicions proved
correct this would be a serious problem not just for the weak set of
machines, but for all machines inside the same firewall with them. And
Randal's worries on behalf of Intel were well founded -- 48 of 600
passwords were weak. Randal had no reason to think his password
checking activities would surprise Intel, and every reason to think
Intel would benefit by and approve of his activities. Of course, nobody
at Intel ever told Randal not to check for weak passwords.
6. Randal's original reason for writing a gateway was a request from
Dave Riss's staff at Intel, who needed to access their data and E-mail
while at Carnegie Mellon. Riss approved the result and his group used
it for a time. Later, Randal was traveling extensively and performing
duties at Intel which required the same kind of access, as Intel knew.
Randal created a more secure gateway for this purpose. That Intel knew
and approved of Randal's use of gateway programs for his own duties is
shown by the evidence.
When two Intel employees were troubled by the security of the gateway
they asked Randal not to shut it down, but to change it to run more
securely. They checked Randal's changes and passed off on them. This
shows a proper concern about the security implications of gateways, but
it also shows that it was generally recognized at Intel that Randal was
allowed to and did run gateways.
There can be some misunderstanding about gateways and firewalls. Those
not in the field sometimes assume that where there is a firewall,
gateways are necessarily sinister -- that the only purpose of a gateway
is to subvert a firewall. This is simply wrong. Readers of Internet
E-mail these days who are behind a firewall (and that is practically all
of them) almost always get their E-mail via a gateway. Rare indeed is
the firewall that does not do its job in cooperation with several
gateways. And custom gateways are often created for special needs, such
as Dave Riss's requirement. Randal's gateway went through several
versions, each more secure than the previous. Unfortunately hackers
have also gotten more sophisticated so neither Randal or his co-workers
at Intel were ever able to take the security of his gateway for granted.
Those interested in more details on the history of Randal's gateway,
including the statements from all sides of the issue, may find them at
http://www.lightlink.com/spacenka/fors/. The full story is rather
complicated and not given here, but none of its twists and turns obscure
the basic facts. Randal is an expert in the safe construction and use
of gateways, and Intel recognized him as such. Randal's creation and
use of gateways was well known to Intel. Randal never received any
Intel reprimand about his use of gateways (or anything else for that
matter) until Intel Security and the police searched Randal's home and
found nothing. At that point it became convenient for them that Randal
be seen to have a record of criminal activity.
7. While the prosecution's case on authorization is very weak, that on
Randal's criminal intent is outright silly. No evidence was presented
that Randal caused harm or intended harm. There was no evidence that
Randal made any attempt to get Intel secrets, much less sell or misuse
them. But Randal did testify that he hoped his actions would be
appreciated by Intel and result in future business. The prosecution
called this hoped for future business "personal gain" and Randal's
motive for theft. The prosecution theory was that a transfer of data
entirely within a company, which does not deprive the company of the use
of that data or cause harm, and where not only no harm was intended but
where the "thief" expected the "victim" to learn of his action and
reward him for it, is a computer use "for the purpose of theft" and
worthy of 5 years in jail.
One must wonder why the prosecution was allowed a much lower standard
for convicting Randal than it would be allowed for those more ordinary
thieves who force us into the routine of checking that house, car, and
so forth, are safely locked up. But the prosecution was able to
hornswoggle judge and jury into believing that it could show one acted
"for the purpose of" theft, without showing one either committed theft
or intended to.
8. For the "altering without authorization" no intent element was
required. Crimes where the defendant's state of mind is not an issue
are common, but typical of these are traffic offenses. Almost always a
crime of any seriousness requires some finding of mental state. A
little reflection shows why this is. Imagine doing something sanely,
soberly, carefully, and without any suspicion you are breaking a law or
causing harm, only to find yourself facing many years in jail. It
hardly seems just and therefore serious crimes require a criminal at the
least demonstrate recklessness or disregard.
The jury found Randal guilt of a felony here. One suspects that had a
leaf blown into the jury room, it would have been marked guilty and
delivered to the bailiff. The judge reduced this count to a
misdemeanor.
9. Those genuinely interested in catching hackers will wonder how
Randal was caught. The answer is that he was found to be checking
passwords on a computer account issued to him. His account name was
used to look up his name, address and phone number in the personnel
files and this information was passed on to the police.
As anyone familiar with even the popular literature on computer hackers
knows, they have available and use many techniques to conceal their
activities. Basic among them is not working from their own account, but
using compromised accounts belonging to others. (This is why one checks
for weak passwords, as Randal was doing.) Password checking programs
and their results can be thoroughly disguised. It takes only a glance
at Randal's publications to realize that, had he made any attempt to
hide his actions, he would have been very hard to catch. And at the
trial, several Intel employees so testified.
That Randal's actions strongly indicate he didn't feel any need to hide
what he was doing and therefore must have felt that he was doing nothing
that he feared being discovered doing, must forcibly strike anyone even
slightly acquainted with hackers and the techniques for fighting them.
This does not seem to have been much noticed by Intel security or the
Washington Country D.A., however.
10. Intel is Oregon's largest private employer and largest single
taxpayer. Washington County, in which the case was tried, is where
every single one of these jobs is. Even slight changes in employment by
Intel can have a major effect on Washington County, and D.A., judge,
jury and witnesses all knew that.
11. Intel's influence on the prosecution was not subtly exercised.
Rich Cower was at once Intel's employee as its "network security
expert"; "State's Expert", a member of the prosecution team sitting at
the prosecutor's left; and an expert witness. Unlike the defense expert
witness, Cower was allowed to hear all the testimony. Cower himself
testified in rebuttal, after the defense's case had been presented. In
addition, an Intel lawyer attended large parts of the trial.
12. The prosecution's most damning evidence is the two police reports
which contain extensive confession statements attributed to Randal, and
which indeed show Randal careful to cover elements necessary to a full
confession. (The statements were not recorded, though the officers had
recording equipment in the police car.) The 10 minutes of statements
were culled from a 2 hour conversation with Randal during the police
search of his house. In fact, the police reports of Randal's statements
were the only evidence the police took away from the search. They found
no misappropriated data or physical evidence.
13. In order to obtain the search warrant, the police had to show they
had reason to believe a crime was being committed and that the evidence
was at Randal's house. (As mentioned, no such physical evidence was
found.) The officers refer for their belief a crime was being committed
to Mark Morrissey, but Mark has denied he made any such statement.
14. Charles Mann of _The Atlantic Monthly_ has seen a more current
version of the password file which Randal faced 5 years for copying on
three non-Intel sites out on the Internet. Mann, in order to protect
the sources for his forthcoming article on Internet Security, cannot say
how it got there, but is quite clear that Randal had nothing to do with
its misappropriation.
15. The Friends of Randal Schwartz maintains a Web site which archives
the available record from all sides on this issue:
http://www.lightlink.com/spacenka/fors/.
--
Jeffrey Kegler, Algorists, Inc.
jef...@algorists.com, http://www.best.com/~jeffrey
743 East El Camino Real #338, Sunnyvale CA 94087
Jeffrey Kegler
>Is there anyway this decision can be appealed at a higher court? Like
>the Supreme Court?
In theory. Randal has already spent $170K or so, and this is before
appeals. He has not decided if he can or will appeal.
As a practical matter, if senseless cases like this are going to be
brought, the recourse of an appeal helps little. Even taking the
prosecution's case at face value, Intel is using the criminal courts to
punish innocent infractions of its work rules. Most of us would be
ruined financially and otherwise, by the trial, much less a series of
appeals.
I think what's being shown here, is the inability of the Intel
management at Santa Clara HQ to control its people. Intel has no
incentive in getting it be known to prospective job applicants that
innocent and minor lapses in getting the right authorization to do one's
job can destroy one's career and life. The local security folks,
however, enhance their political clout. The point is definitely made
that as an Intel employee you don't want Intel security piqued at you.
In the wake of Oregon v. Schwartz it's clear who you have to watch out
for at Intel, and it is not Santa Clara HQ.
Intel central management seems unable to control this parochial
self-aggrandizement, even when it's at the expense and risk of the image
of central management. They just don't seem willing to take charge.
Ram Samudrala
the Supreme Court?
--Ram
m...@ram.org || http://www.ram.org || http://www.twisted-helices.com/th
She's blinding, I'm flying, right behind the rear-view mirror now.
Got the feeling, power steering, Pistons popping, ain't no stopping now!
--Van Halen
John K. Taber
I hate revisiting old issues. But here goes...
There are so many flaws with the notion of "computer crime" that I can
hardly keep myself civil. Crimes are specific ACTS. Compare "computer
crime" to "filing cabinet crime" to see the inherent absurdity of
the notion. The crime is THEFT or MURDER or FRAUD or whatever, whether
one uses a piece of paper, a chair, or a computer. Computer crime laws
confuse the instrument of the act with the act itself.
Yes, yes, yes. Some laws include the instrument of an act as an
enhancing factor in the seriousness of a crime. Assault with a
gun is more serious than assault with a pea shooter. Nevertheless,
it is the ACT that is prohibited, not the instrument.
Computer crime laws are fundamentally flawed in that there is no
requirement of showing harm or damage. I don't know all the details
of the Schwartz case, but from what I have read, Intel was NOT DAMAGED
in any way. In contrast, in most criminal law, there is the notion
that some degree of harm must occur before the act is criminal.
This is a fatal flaw that makes the law abusive. Basically, the entire
criminal machinery is brought to bear on an employee who has pissed off
his employer. This is a misuse of the justice system. And it is not
necessary. Companies have all the power they need to discipline
erring employees without bringing in the armed might of the state.
Intel could have given Schwartz a formal reprimand. Intel could have
fired him. Intel might even have sued him if there were a tort. From
what I understand from public sources, there was absolutely no need
to prosecute him on criminal charges.
Damn it! Would Intel like it if Unions were strong enough to write
criminal law then used it against Intel to jail the CEO? Criminal
law is just totally unsuitable for employer/employee relations. Isn't
that obvious?
There are many more objections, and I have made them formally. See
my papers in Computer/Law Journal (no I have no machine readable
copies).
1. "On Computer Crime: Senate Bill S. 240 _Computer/Law
Journal_; Vol 1, Winter 1979, No 3.
2. "A Survey of Computer Crime Studies" _Computer/Law
Journal_; Vol II, Spring 1980, No 2
You should be able to find copies through interlibrary loan.
I did my best as an individual to kill these damn laws in that time.
But I was only one person (John James gave me a lot of help and
encouragement) and could not be everywhere. At the time, the
trade press, the media, and the politicians had gone crazy on
computer crime.
They should be repealed. Every one of them is flawed criminal
law lurking in the penal codes like land mines.
--
John K. Taber
PGP Key fingerprint = B5 49 65 B5 42 54 14 D3 B4 9F B4 D3 AE 59 C2 A3
=======================================================================
The "work ethic" was originally not a prescription for happiness, but a
diagnosis of a neurosis. --Richard Todd in _Worth_
Rahul Dhesi
>I guess it's time for all sysadmins around the world to start using
>forms for every little change they make, and have it signed by management.
Only sysadmins at Intel. Not every company is as stupid.
--
Rahul Dhesi <dh...@rahul.net>
"please ignore Dhesi" -- Mark Crispin <m...@CAC.Washington.EDU>
Ram Samudrala
>In theory. Randal has already spent $170K or so, and this is before
>appeals. He has not decided if he can or will appeal.
I thought he said he would (in an e-mail I got). Anyways, I wasn't
clear when I wrote earlier. What i meant is: Is there any way
[instead of appealing] to open the case anew? Complete with a jury
and all? Perhaps even with a different case, where the new case
involves say charges against the police for fabricating (from all
accounts) Schwartz's statement?
--Ram
Minds that have nothing to confer find little to perceive. ---Wordsworth
Cor Bosman
forms for every little change they make, and have it signed by management.
'Dear management, I am about to remove a spurious lockfile. Please grant
me permission.'.
Cor
--
------------------------------------------------------------------------------
| Cor Bosman | ____Xs4all Public Access____ | tel: +31-(0)20-622-2885 |
| c...@xs4all.net | Network Administrator | fax: +31-(0)20-622-2753 |
-------------The building is clear, Leisa has crossed the bridge-------SP6----
William Unruh
>Jeffrey Kegler (jef...@algor2.algorists.com) wrote:
>clear when I wrote earlier. What i meant is: Is there any way
>[instead of appealing] to open the case anew? Complete with a jury
>and all? Perhaps even with a different case, where the new case
>involves say charges against the police for fabricating (from all
>accounts) Schwartz's statement?
It is not clear that you want to. A jury or primary trial has as its
main job the determination of facts of the case. In this case, the facts
are not really in doubt. Randell does not dispute what he did.
He did insert a gateway. He did run crack. The questions are about
implicit authorisation and about intent. He
disputes the interpretation and the breadth of the law. That is better
carried out by a higher court whose main job is to rule on issues of law
(rather than fact). The judges tend to be better trained, and have as
their main purpose deciding about how the law applies to cases and
whether or not the law itself is too broad or has other failings.
--
Bill Unruh
un...@physics.ubc.ca
John C. Randolph
>On 3 Jan 1996 04:48:39 GMT, Rahul Dhesi <dh...@rahul.net> wrote:
>>
>>>I guess it's time for all sysadmins around the world to start using
>>>forms for every little change they make, and have it signed by management.
>>
>>Only sysadmins at Intel. Not every company is as stupid.
>Only Intel? Would you really want to bet your future freedom that the
>company you're contracting with wouldn't choose to prosecute you over
>something you consider to be your responsibility and they consider to be
>a criminal violation? I'd say it would now be prudent for any contract
>sysadmin to bring up this issue before starting work. The scariest part
>is that there's no clear boundary, so the suggestion about getting a
>form signed for every little change, as ridiculous as it sounds, may
>actually become necessary.
Well, I for one will never consider working for Intel. The next time
any headhunter asks me if I'm interested in doing contract sysadmin work
at Intel, I'll tell him that Intel's just too dangerous to work for.
Let Intel starve for competent sysadmins for a decade or so. I don't
think that anyone familiar with Randall's case would consider working
for them at all, let alone for the miserly $50/Hr they were paying
Randall.
What a pack of cheap, incompetent, paranoid and stupid bastards.
I shouldn't be surprised though, that their security and their corporate
bureaucracy is as fucked as their processor architecture.
-jcr
Actually, I can see one possible way to work for intel safely: make them
put down in writing that they will not press charges for any activity
that a panel of industry experts (like maybe, Dan Farmer, or someone
else of that level) considers normal and proper procedure.
Michael Sierchio
a long time to make a hobby of trying to crack passwords and gain
access to systems where he's been a contractor -- including places
where he had no sysad duties, but was hired to teach Perl (of
all things!:-)
It is difficult to honestly justify this as a benefit to an
employer.
The object lesson is that the ancient Unix fortune cookie that says:
"it is easier to gain forgiveness than permission"
has expired.
People use their computers to do real work, run the lifeblood
of companies, and we can't treat our employers' computers as
our own personal toys anymore simply because we have the skills
to use them.
John Caruso
>
>>I guess it's time for all sysadmins around the world to start using
>>forms for every little change they make, and have it signed by management.
>
>Only sysadmins at Intel. Not every company is as stupid.
Only Intel? Would you really want to bet your future freedom that the
company you're contracting with wouldn't choose to prosecute you over
something you consider to be your responsibility and they consider to be
a criminal violation? I'd say it would now be prudent for any contract
sysadmin to bring up this issue before starting work. The scariest part
is that there's no clear boundary, so the suggestion about getting a
form signed for every little change, as ridiculous as it sounds, may
actually become necessary.
--
John Caruso, Senior Technical Consultant
ADP Claims Solutions Group Phone: (800) 366-4237 x2102
2010 Crow Canyon Place FAX : (510) 866-4839
San Ramon, CA 94583 (USA) Email: jca...@sr.csg.com
Jack Wilson
>On 3 Jan 1996 04:48:39 GMT, Rahul Dhesi <dh...@rahul.net> wrote:
>>
>>>I guess it's time for all sysadmins around the world to start using
>>>forms for every little change they make, and have it signed by management.
>>
>>Only sysadmins at Intel. Not every company is as stupid.
>
>Only Intel? Would you really want to bet your future freedom that the
>company you're contracting with wouldn't choose to prosecute you over
>something you consider to be your responsibility and they consider to be
>a criminal violation? I'd say it would now be prudent for any contract
>sysadmin to bring up this issue before starting work.
I think the best way for programmers and system administrators to
'discourage' this kind of thing from happening is to not work at Intel -
find employment elsewhere if for some reason you should already be working
there. It appears that Intel is selectively enforcing the law in order to
demolish someone it doesn't like. This can't be tolerated.
If Intel gets hit hard with a serious "brain drain", it might reconsider its
position on this case.
If you're already working at Intel, can you afford to stay there? You might
be next!
--
= Jack Wilson: dee...@netcom.com =
Rahul Dhesi
Caruso) writes:
>...There's no clear boundary, so the suggestion about getting a
>form signed for every little change, as ridiculous as it sounds, may
>actually become necessary.
Only at Intel. Not every company is as stupid.
Jeffrey Kegler
>No offense intended to Randal's defenders, but he has been known for
>a long time to make a hobby of trying to crack passwords and gain
>access to systems where he's been a contractor -- including places
>where he had no sysad duties, but was hired to teach Perl (of
>all things!:-)
Well, no offense to you, Michael, because I assume the above statement
is an honest mistake on your part. But one of the saddest parts of
Randal's persecution by Intel has been the rumors that have arisen. I
mean, suppose there was a charge against you Michael, and soon even
juicier stories of your misdeeds started being spread around?
Randal's used crack in an attempt to help out his publisher and his ISP.
He found some bad passwords at the ISP, and the ISP's admin thanked him
for his efforts at the time and testified in Randal's defense at the
trial. ORA's security was bulletproof. The sysadmin at O'Reilly and
Associates also testified in Randal's defense and Tim has made a very
supportive statement. At this point Randal's connections with O'Reilly
and Associates is closer than ever.
Randal does not crack passwords at the places he gives Perl classes.
They couldn't continue long if they thought he did. Randal's Perl
teaching practice is doing extremely well, in spite of these rumors. In
fact, I believe he's being forced to turn away new business at the
moment.
Any past wrong-doing by Randal was fair game at the trial and the
prosecution could and did make the most of it. They had nothing.
If you'll look at the Web site you'll find I tracked down every single
past "hacking incident" the prosecution claimed. Fortunately, I was
able to dig up proof every single one of this claims is wrong, and
include the proof in the FAQ.
Think how remarkable this is! Suppose I threw out the accusation you
had committed acts against all your past employers, placing the burden
on you to track through large parts of your work history to disprove
that smear? Randal's record is so clean, and his relationships with all
his past employers and co-workers so good he can do this!
Finally, Randal is well known as a just plain old generous nice guy. He
spends long hours each and every week answering newbie Perl questions
for free, and has for years. He has a lot of loyal friends, who have
been appalled and bewildered by all this. He's not a "mad cracker".
Well, perhaps enough on this. I suspect you are just repeating
something you heard, and that your intentions were innocent. Look at
the Web site. I devoted a lot a time to tracking down all these
accusations. You can judge their worthlessness for yourself from the
evidence. (If you have new, direct evidence I don't know of, please
pass it on.)
Like I say, I don't want to beat up on a guy with innocent intentions,
but I think unless you have new evidence here, an expression of regret
might be appropriate.
The Web site is http://www.lightlink.com/spacenka/fors/. Please,
anybody who has heard any of these rumors or has any questions on any of
these things, check out the evidence. I assume, like most rumors, the
sources of these are lost in the mists. If anyone does find a source,
though, I'd love to hear it.
Jeffrey Kegler
>Jeffrey Kegler wrote:
>> Randal does not crack passwords at the places he gives Perl classes.
>
>knowledge. Your assertion above is false -- he has done so in at
>least one case that I am aware of. He left phantom accounts on
>hosts with root privileges, and did indeed run crack, and was noticed
>on the system long after his tenure as an instructor. Perhaps it
>was a mistake for everyone involved not to come down hard on him at
>the time. It might have saved him a lot of discomfort.
If this is so, an account of it definitely belongs on our Web site.
It's like nothing else in the current record. And you must have the
specifics. There must be names, places, dates. What's the company
involved? You mention "everyone". Who else saw evidence of this?
Michael Kaufman
>Only Intel? Would you really want to bet your future freedom that the
>company you're contracting with wouldn't choose to prosecute you over
>something you consider to be your responsibility and they consider to be
>a criminal violation?
Not to support Intel, but apparently they did warn him a few times not
to continue with his actions. Plus, having O'Reily's password file on
an Intel machines can hardly be considered part of his "responsibility".
Again, this should not be taken as a support of Intel's actions which seem
to me to be such an over-reaction that I would like to use a stronger word
then "over-reaction".
Michael
--
Michael L. Kaufman | Everything should be made as simple as possible,
kau...@mcs.com | but not simpler.
http://www.mcs.net/~kaufman | Albert Einstein
Jack Wilson
>> Randal does not crack passwords at the places he gives Perl classes.
>
>I was referring to an incident of which I have direct and personal
>knowledge. Your assertion above is false -- he has done so in at
>least one case that I am aware of. He left phantom accounts on
>hosts with root privileges, and did indeed run crack, and was noticed
>on the system long after his tenure as an instructor. Perhaps it
>was a mistake for everyone involved not to come down hard on him at
>the time. It might have saved him a lot of discomfort.
Unless you name specific people and places, you are basically slandering
Randal Schwartz. Either name names, or retract your statement, as it might
save you a lot of discomfort.
Anthony D. Tribelli
: Well, I for one will never consider working for Intel. The next time
: at Intel, I'll tell him that Intel's just too dangerous to work for.
I don't think Randal was contracted to do syadmin work, that is why he
got into trouble.
Tony
--
------------------
Tony Tribelli
adtri...@acm.org
Jeffrey Kegler
>Not to support Intel,
Yes, I think it is important to make distinctions between Intel's work
rules, which Intel should have the freedom to interpret rather loosely,
and their incorporation by reference into the criminal code, in which
context the same type of enforcement is an serious injustice.
>but apparently they did warn him a few times not
>to continue with his actions.
Well. Getting back to discussing this in Intel's terms, where if you
prove an innocent infraction of the work rules against Randal, he should
go to jail and lose his civil rights, the above is still not quite
right, IMHO. There were discussions about his use of gateways with
other sysadmins. It's not clear what was said, or even who actually
spoke directly to whom. It is clear these were peer to peer
discussions, that no managers were ever involved, and that Randal when
there was a disagreement acquiesced. If the "they" means Intel in
anything like an official capacity, that's not right. If it means
fellow employees, it's unclear.
I state this in the "Why care?" document, which is backed up with quotes
in the FAQ, and further backed up in the archives. It's all on the Web
site http://www.lightlink.com/spacenka/fors/.
Again, it would be nice if Intel would have just said, "We decide what
our work rules are and when they are violated" and just fired Randal,
instead of making a criminal case out of it.
>Plus, having O'Reily's password file on
>an Intel machines can hardly be considered part of his "responsibility".
Here's Randal's biggest error in judgement, IMHO. Despite there being
benign intent and trivial harm, I cannot condone misuse of Intel
resources. If anyone was the victim it's ORA, and ORA certainly did not
support Intel pressing criminal charges on its behalf, much less
claiming to do so on its behalf.
Helping out on client on another client's machines, even when the use of
resources is de minimis is clearly wrong, IMHO. Ironically, this most
culpable of Randal's actions was not a subject of the criminal charges.
Perhaps since it's so simple and so obviously minor, it's hard to make
more out of it than it is without looking ridiculous.
Intel would have been fully justified in firing Randal for this, and
demanding payment for the $19.95 or whatever in resources (whatever some
weeks storage for a small file, plus associated CPU would come to). If
they wanted to play hard ball they could also have publicized it. If
Randal complained to me about this treatment, I would have very little
sympathy.
>Again, this should not be taken as a support of Intel's actions which seem
>to me to be such an over-reaction that I would like to use a stronger word
>then "over-reaction".
I think our attention should focus on the use of the criminal justice
system as an Intel company errand boy. This should really be of concern
not just to sysadmins, but to all Americans.
Anthony D. Tribelli
: ... the minor nature of the charges, especially when contrasted with the
: penalties ...
Why are these crimes minor? Aren't they the sort of acts one might commit
during industrial espionage (I'm not saying that this is what occurred in
this case)?
: ... Randal, by his own admission, decrypted passwords ...
: ... and the decrypted passwords never left Intel.
Except in Randal's memory. Is this any less dangerous than if they were
in a file?
: ... The
: presumption of innocence, and simple common sense, would seem to argue
: that an employee or contractor is routinely presumed to have authorized
: access to a company's computers unless there are reasons to think
: otherwise ...
Presumed to have LIMITTED access in order to perform one's job. Randal
obviously exceeded his authorization. Are you arguing that an
employee/contractor should be allowed go anywhere they wish?
: ... The alternative in today's world is to generate a mountain
: of forms to authorize a day's work ...
Grossly exaggerated, approval would only be necessary to access areas
outside of one's normal responsibilities and duties.
: ... He had been sysadmin of the computers whose
: passwords he was checking ... When he moved on to other duties ...
And he violated law not when he was sysadmin, but after he was relieved of
that responsibility. Furthermore, I believe he did not inform the new
sysadmin of what he was doing. Are you suggesting that a person should get
privelages for life once they become a sysadmin?
: ... he suspected that
: password checking had lapsed again...
And the ethical thing to do would be to inform those responsible, not to
exploit the weakness himself since he had no right to do so.
: ... Of course, nobody
: at Intel ever told Randal not to check for weak passwords.
More importantly, did anyone at Intel tell him he should do so at the
time he committed his crimes?
: ... it also shows that it was generally recognized at Intel that Randal
: was allowed to and did run gateways ...
Only when Intel authorities are aware of his actions, not whenever Randal
feels like it.
: ... There was no evidence that
: Randal made any attempt to get Intel secrets ...
Aren't passwords a secret?
IMHO, Randal did some pretty serious things. The fact that he probably had
no malicious intent does not mean his crimes should be ignored. His intent
is something that is taken into consideration only at sentancing time.
Weren't his sentences at the lighter end of the sentencing range?
Jeffrey Kegler
>In article <30EC14...@dnai.com> Michael Sierchio <ku...@dnai.com> says:
>>> Randal does not crack passwords at the places he gives Perl classes.
>>I was referring to an incident of which I have direct and personal
>>knowledge. Your assertion above is false -- he has done so in at
>
>Unless you name specific people and places, you are basically slandering
>Randal Schwartz. Either name names, or retract your statement, as it might
>save you a lot of discomfort.
Actually, I think I will point this accusation on the Web site
regardless of what specifics emerge. I have heard a lot of false rumors
about this case. Some are relatively benign, like the "double warning"
rumor and the "not a sysadmin" rumor and even can be traced to vague
origins in the facts, though the facts don't support them.
I have had the "Randal, the mad cracker" rumor repeated to me via E-mail
several times, but nobody was ever willing to come forward with it or
give specifics. Michael has done the former (we'll see about the
latter), and I think it's important to document how seriously this case
threatened to wreck Randal's life and career.
I think there is some denial among "sysadmins", frankly. Picture
yourself after the 1st accusation at a high level in your company is
made. There will be a lot of glory in catching a hacker, so people will
be coming out of the woodworks with tales of your misdeeds, whether
actual or imagined. This will happen even if you have never made
enemies. Then the cost of defense, against an adversary who is both
wealthy and powerful and having the taxpayer foot his legal expenses,
anyway. Remember, the cost of a criminal defense is not tax-deductable
so you must earn $133K to pay $100K in legal expenses.
Once the accusation is made, how far are most of us from conviction? If
you are innocent would you be able to establish it. Look at the sort of
thing thrown out here. Could you refute all of it, charge by charge?
It's time for us tech nerds to stop denying what this case really is.
The difference between Randal Schwartz, double felon, and the rest of us
is nobody unprincipled enough to take advantage of this poorly drafted
law has gotten ticked off at us. Yet.
Art Walker
: Only Intel? Would you really want to bet your future freedom that the
: company you're contracting with wouldn't choose to prosecute you over
: something you consider to be your responsibility and they consider to be
: sysadmin to bring up this issue before starting work. The scariest part
: is that there's no clear boundary, so the suggestion about getting a
: form signed for every little change, as ridiculous as it sounds, may
: actually become necessary.
So why is this a bad thing?
(Considering that documentating system changes often takes low priority at
many installations, perhaps we can kill two birds with one stone...)
--
Art Walker, Recovering Iowan | Art.W...@mnscorp.com
"The Internet is a telephone system that's gotten uppity." -- Clifford Stoll
Michael Sierchio
> Well, no offense to you, Michael, because I assume the above statement
> is an honest mistake on your part....
>
>...
> Randal does not crack passwords at the places he gives Perl classes.
I was referring to an incident of which I have direct and personal
knowledge. Your assertion above is false -- he has done so in at
least one case that I am aware of. He left phantom accounts on
hosts with root privileges, and did indeed run crack, and was noticed
on the system long after his tenure as an instructor. Perhaps it
was a mistake for everyone involved not to come down hard on him at
the time. It might have saved him a lot of discomfort.
> Finally, Randal is well known as a just plain old generous nice guy. He
> spends long hours each and every week answering newbie Perl questions
> for free, and has for years. He has a lot of loyal friends, who have
> been appalled and bewildered by all this. He's not a "mad cracker".
I believe that he is a generous nice guy. I also believe that such
people are capable of making mistakes. Believing that what you are
doing is good for others (despite their stated objections or the
understanding of the law) is not a defense I would want to rely on.
> Well, perhaps enough on this. I suspect you are just repeating
> something you heard
Alas, no...
Jeffrey Kegler
>System administrators already have authority to do this. Randal WAS NOT a
>system administrator, that is why he would need permission.
Randal was a sysadmin, and had been a sysadmin for all the machines
involved. He was not at the time a sysadmin for some of the machines
on which he cracked passwords.
Intel maintains it has a clearly defined "Maginot Line" policy on
password security, whereby nobody can crack passwords except on
a machine for which they are currently sysadmin. They don't have
any evidence Randal would have know of this "Don't ask, don't tell"
approach to security.
Again, if Intel wants a foolish security policy, and wants to fire
people who violate it, whether innocently or not, I do not have a major
problem with that. I don't work there and don't own stock so it's
pretty much their own business. Their carelessness might make them a
haven from which hackers can compromise other Internet machines, but
this is a large problem and it is not clear that Intel is a significant
fraction of it.
It is the perversion of the criminal courts into enforcing Intel work
rules I strongly object to. I would object even if the work rules
were sensible and consistently enforced.
Stanley Chow
Jeffrey Kegler <jef...@algorists.com> wrote:
>Any past wrong-doing by Randal was fair game at the trial and the
>prosecution could and did make the most of it. They had nothing.
>If you'll look at the Web site you'll find I tracked down every single
>past "hacking incident" the prosecution claimed. Fortunately, I was
>able to dig up proof every single one of this claims is wrong, and
>include the proof in the FAQ.
May I assume that Randal's lawyer(s) also did this? What was the
reaction of the jury when presented with this evidence?
>Finally, Randal is well known as a just plain old generous nice guy. He
>spends long hours each and every week answering newbie Perl questions
>for free, and has for years. He has a lot of loyal friends, who have
>been appalled and bewildered by all this. He's not a "mad cracker".
Being a "generous nice guy", even one with lots of loyal friends, just
not disqualify one from being stupid and/or criminal. (I think Randal's
action were at least stupid, and at least one set of jury has found him
criminal).
>Well, perhaps enough on this. I suspect you are just repeating
>something you heard, and that your intentions were innocent. Look at
>the Web site. I devoted a lot a time to tracking down all these
>accusations. You can judge their worthlessness for yourself from the
>evidence. (If you have new, direct evidence I don't know of, please
>pass it on.)
Since I have not read the transcripts of the case (and I am not likely
to have time or access to ever read them); I will ask you instead (-:)
Why do you think the jury decided their way?
What was the key evidence that the jury believed/disbelieved?
The fact that Intel had a guy on the prosecuting team is irrelevant. The
fact that Intel is BIG is irrelevant (unless you think the jury was looking
for jobs in Intel).
There must have been something that the prosecutor presented and the
jury believed. Or are you saying the whole Oregon legal system is totally
screwed up?
--
Stanley Chow; sc...@bnr.ca, stanley....@nt.com; (613) 763-2831
Bell Northern Research Ltd., PO Box 3511 Station C, Ottawa, Ontario
Me? Represent other people? Don't make them laugh so hard.
Anthony D. Tribelli
: I guess it's time for all sysadmins around the world to start using
: forms for every little change they make, and have it signed by management.
: me permission.'.
System administrators already have authority to do this. Randal WAS NOT a
system administrator, that is why he would need permission.
Tony
Randal L. Schwartz
Michael> No offense intended to Randal's defenders, but he has been known for
Michael> a long time to make a hobby of trying to crack passwords and gain
Michael> access to systems where he's been a contractor -- including places
Michael> where he had no sysad duties, but was hired to teach Perl (of
Michael> all things!:-)
If this is the scale of unfounded rumor going around about me, you
should choose better places to believe the next time.
Your statement is fiction, having no basis in fact. And I would
caution you from passing around fiction on the net in the guise of
*fact*... such actions might very well land *you* in a position of
having to tangle with *my* lawyers.
I presume that a rational person will require you reveal your sources,
or simply ignore you. So, I'll do the same. Reveal your sources, so
that I can know not to trust *them* on any other statements as well.
(One wonders if those sources don't have an agenda of their own --
they appear to be playing dirty for no stated reason.)
For the details of my story, see
http://www.lightlink.com/spacenka/fors, or send a message to my email
replybot at fu...@stonehenge.com (content will be mostly ignored).
--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <mer...@stonehenge.com> Snail: (Call) PGP-Key: (finger mer...@ora.com)
Web: <A HREF="http://www.teleport.com/~merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
Kevin Martinez
>I guess it's time for all sysadmins around the world to start using
>forms for every little change they make, and have it signed by management.
>'Dear management, I am about to remove a spurious lockfile. Please grant
>me permission.'.
I would suggest that any Intel sysadmins that read this take Cor's
warning seriously. Intel has shown time and time again just how much
regard they show for their employees and even their customers.
Having dealt with Intel in the past and having crucial projects delayed
or fail because of their shoddy and immature products, I have concluded
that such products directly reflect the management of Intel as well as
their corporate values and philosophy.
--
------------------------------------------------------------------------
Kevin Martinez | Fry's Electronics: Where
l...@rahul.net | Incompetence is the Standard!
------------------------------------------------------------------------
Anthony D. Tribelli
: In article <adtDKo...@netcom.com>, Anthony D. Tribelli wrote:
: >System administrators already have authority to do this. Randal WAS NOT a
: Randal was a sysadmin, and had been a sysadmin for all the machines
: involved. He was not at the time a sysadmin for some of the machines
: on which he cracked passwords.
Sorry for not being clear, this is what I was attempting to say :-). That
he was not currently responsible for these machines.
: Intel maintains it has a clearly defined "Maginot Line" policy on
: password security, whereby nobody can crack passwords except on
: a machine for which they are currently sysadmin. They don't have
: any evidence Randal would have know of this "Don't ask, don't tell"
: approach to security.
IMHO, common sense says you should not be cracking passwords on machines
you are not responsible for. Lack of common sense or lack of good
judgement has never been an acceptable defense for criminal activity.
: Again, if Intel wants a foolish security policy, and wants to fire
: people who violate it, whether innocently or not, I do not have a major
: problem with that...
Foolish? The majority of white collar crime involves insiders. Criminal
employees and contractors are a greater threat than outsiders usually.
Cracking passwords is not innocent behavior. Assuming you are not the
sysadmin of the system, it is negligence or malpractice at best.
: ... Their carelessness might make them a
: haven from which hackers can compromise other Internet machines ...
I would suspect that their "aggressive" prosecution of Randal is part of
a policy to deter people from unauthorized use of their machines.
: It is the perversion of the criminal courts into enforcing Intel work
: rules I strongly object to. I would object even if the work rules
: were sensible and consistently enforced.
Perhaps consistency is part of the reason they prosecuted Randal. If they
had declined to prosecute Randal, but attempted to prosecute the next
person cracking their passwords, this second person may have tried to sway
a jury with some sort of selective enforcement argument. That he was
really the victim of a vendetta. Yes, this is a weak argument, but juries
have been known to buy all sorts of weak arguments.
Jeffrey Kegler
>behaviour?
There have to be several lines. Unacceptable to Intel should not
necessarily always mean unacceptable to society. In allowing Intel to
define acceptable behavior in its workplace I go as far as anyone can
go. It's easy since I am not likely to ever work there :-). Punishment
as felons, however, must be reserved for those who engage in behavior
extremely dangerous to society.
We have come very far from being a free society when we allow any
infraction whatsoever of Intel's work rules to make one a felon. It
sounds at times like people are defending such a state of affairs and I
cannot believe what I hear (read?).
>But sometimes nice people really screw up
>badly. I have, I've just been lucky enough not to have my butt dragged
>into court.
More than luck should protect our rights.
To properly understand the problem here, I think you have to move beyond
unacceptable versus acceptable. There are degrees of misbehavior. Most
behavior which it is OK to punish in a work place, ought to be
"acceptable" to a criminal court, which should concern itself with the
many serious dangers to our society.
Maxwell Daymon
: Well, I for one will never consider working for Intel. The next time
: any headhunter asks me if I'm interested in doing contract sysadmin work
: at Intel, I'll tell him that Intel's just too dangerous to work for.
This is regardless of intel. If the law allows prosecution, ANY company
could suddenly decide to take advantage of it. The law is the point in
question here - not intel's use of it. The fact that the law ALLOWED
intel's reaction is the problem.
Anthony D. Tribelli
: Unless you name specific people and places, you are basically slandering
: Randal Schwartz. Either name names, or retract your statement, as it might
: save you a lot of discomfort.
In order to be slander, don't the statements have to be false? If the
statements are true then the author has committed no offense, although
there is the danger of harassment and/or retaliation.
An yes, it is usually more comfortable to remain quiet reagrdless of the
truth.
For the record, I'm not backing up the original statements. I'm only
arguing that the author is under no obligation to satify our curiosity so
we can gossip ;-).
Anthony D. Tribelli
: It's time for us tech nerds to stop denying what this case really is.
: The difference between Randal Schwartz, double felon, and the rest of us
: is nobody unprincipled enough to take advantage of this poorly drafted
: law has gotten ticked off at us. Yet.
Could the difference between Randal and "the rest of us" be that most of
us are not foolish enough to crack machines we are not officially
responsible for?
If you are not doing highly questionable things in the first place you are
not giving your enemies an opportunity.
Sometimes, your arguments seem to imply that we should be allowed to mess
around with we have at our disposal as long as our intentions are "pure".
Could you clarify this, where do you draw the line on unacceptable
behaviour?
BTW, I apologize for sounding a bit harsh toward Randal in my recent
posts. I seem to be arguing philospohical points and ignoring the person
caught in the middle. I don't know him. I'm not trying to make an enemy.
He probably is a nice person. But sometimes nice people really screw up
badly. I have, I've just been lucky enough not to have my butt dragged
into court.
Tony
Rahul Dhesi
>Could the difference between Randal and "the rest of us" be that most of
>us are not foolish enough to crack machines we are not officially
>responsible for?
A bigger different is that most of us are not foolish enough to strike
a business relationship with Intel.
Jeffrey Kegler
Michael Sierchio <ku...@pyramid.com> is not convenient to news posting
facilities at the moment, and thinking it best that the following be
circulated as rapidly as possible, asked me to it.
================ Michael Sierchio's Message =======================
Since the others with knowledge of the incidents that were alleged to
involve Randal Schwartz are unwilling to substantiate my earlier
comments, I must retract them. I also wish to make clear that I
do not believe that Randal in any circumstances had any malicious
intent.
Please feel free to distribute this message to whatever newsgroups
you feel appropriate.
=====================================================================
Danny Aldham
: I have had the "Randal, the mad cracker" rumor repeated to me via E-mail
During the trial I was working my way thru Randall's book,
Learning Perl. I had to laugh that the opening exercises teach
how to create a backdoor, for Randall.
Danny Aldham
Mika Sorsa
I have a wonderful idea for a law that everybody will love: at birth,
everybody is sentenced to life-time prison and payments worth a
$ 5 000 000 000 000 000 000 000 000. Then, all suits become unnecessary
because everyone is already guilty and enough charged. Furthermore,
lawyers will happily welcome all new babies and gather their 10 %.
Isn't that lovely? I'm sure this suggestion is most welcome and will
pass through by the end of this year.
--
?
S. Keeling
>In <slrn4em5ar....@raptor.sr.csg.com> jca...@sr.csg.com (John
>Caruso) writes:
>
>>actually become necessary.
>
As far as I know, the law is applicable within the USA, not
just Intel. Do you really want to stake your future on the assumption
that *your* CEO won't go berserk if some fool misunderstands what
you're doing? Intel vs. Schwartz is just an instance of the real
problem.
--
"Remember, obsolescence (Win95) isn't an accident; it's an art form!"
keel...@wl.aecl.ca s. keeling, aecl - whiteshell labs
Rahul Dhesi
Daymon) writes:
>If the law allows prosecution, ANY company
>could suddenly decide to take advantage of it....
>The fact that the law ALLOWED
>intel's reaction is the problem.
There are thousands of bad laws on the books. Yes, they are bad. Yes,
they will often let you legally stab somebody in the back. Yes, they
should be removed.
Until they are, one must rely on the good conscience of people who
could misuse these laws and choose not to. One cannot rely on the good
conscience of a company like Intel, which has demonstrated that it
has none.
This is definitely a problem.
Jeffrey Kegler
> Why do you think the jury decided their way?
I you start out with an attitude of respect toward our system of justice
(and I do), then that Randal was convicted by a jury of twelve peers
inclines you to believe he's guilty. The jury decided this complicated
case quickly -- in about 3 hours, which with all the formalities needed
is about as fast as it gets.
We'll know more once the transcript comes out, but apparently Portland
for all its "Silicon Forest" pretensions is pretty hostile to geeks.
The D.A. appealed to this, essentially painting Randal as a smart-ass
who needed to be cut down a peg. The _Oregonian_, unbelievably, echoed
this, mocking Randal (I am not making the quotes up!) for his "trouble
grasping is that a person can be too smart for his own good". He was "a
computer whiz kid and social misfit before he became part of the
computer programming subculture". (The evidence he's a misfit, by the
way, was that he was a working programmer at 16.) The D.A., in the
summation harped on the fact Randal was making a princely $45.00 a hour.
Much too much for a nerd!
Even if the jury were convinced that Randal were a "hacker" in the good
sense, not the bad sense, it seems they still would despise him for it.
In the atmosphere where Randal was tried, neither sense of word "hacker"
was seen as good.
Given that the employer who was about 100% of the county's economy
uttered a lot of computer mumbo-jumbo to the effect that Randal was
evil, Randal apparently never had much of a chance.
Anthony D. Tribelli
: ... Punishment
: as felons, however, must be reserved for those who engage in behavior
: extremely dangerous to society.
Cracking passwords is a behaviour that can be part of industrial espionage
and other white-collar crimes that may lead to huge finanical losses.
Would you consider this "extremely dangerous" or is this term only
reserved for physical harm caused to another human being?
: We have come very far from being a free society when we allow any
: infraction whatsoever of Intel's work rules to make one a felon.
Isn't "any infraction" leading to a felony a gross exagerration and
misrepresentation?
: It
: sounds at times like people are defending such a state of affairs and I
: cannot believe what I hear (read?).
The situation as you described is not desirable, but I don't believe such
a situation exists. The person who has been punished committed some highly
questionable acts that are by statute illegal. I don't think good
intentions allow such actions to be ignored, at least from a law
enforcement perspective. A company could choose to do so, but a law
enforcement agency may not have such discretion. Once felony activities
are brought to their attention they may have to act.
: >But sometimes nice people really screw up
: >badly. I have, I've just been lucky enough not to have my butt dragged
: >into court.
:
: More than luck should protect our rights.
Luck was involved in my not getting caught. If I had been caught it would
have been just to punish me. Our rights do not protect us from being
punished when we do something wrong.
Peter da Silva
> There must have been something that the prosecutor presented and the
> jury believed. Or are you saying the whole Oregon legal system is totally
> screwed up?
I think he's saying that the computer crime laws are screwed up.
I run our firewall. I'd be pissed if a contractor poked a hole in our
firewall, and I hadn't approved it. I've had contractors do things that
have pissed me off before, and I'd probably have been pissed if Randall
had been working here. I'm not some Randall Schwartz Apologist.
And I think the way Intel went about this stinks, and I think that the
laws they used against Randall are criminally (heh) badly written. Either
they're intentionally too hard, or they're so loosely written they've
been abused in this case.
How about that?
In fact, I think that the current computer crime laws, in general, are
ridiculously hard. Let's look at another case... Len Rose is pissed at
me for saying he was *probably* guilty of a crime, but I'll say any time
that I can't believe that he would have gotten anything more than a slap
on the wrist in any sane world.
So what Intel did to Randall is so outrageously out of proportion that I
can't imagine why anyone with the technical know-how to understand what's
going on could possibly be defending it. Even if he was doing it with nobody
inside Intel knowing (and we now know that's not the case) the most he
should have gotten was fired.
--
Peter da Silva (NIC: PJD2) `-_-' 1601 Industrial Boulevard
Bailey Network Management 'U` Sugar Land, TX 77487-5013
+1 713 274 5180 "Har du kramat din varg idag?" USA
Bailey pays for my technical expertise. My opinions probably scare them
William Unruh
>: Intel maintains it has a clearly defined "Maginot Line" policy on
>: password security, whereby nobody can crack passwords except on
>: a machine for which they are currently sysadmin. They don't have
>: any evidence Randal would have know of this "Don't ask, don't tell"
>: approach to security.
>IMHO, common sense says you should not be cracking passwords on machines
>you are not responsible for. Lack of common sense or lack of good
>judgement has never been an acceptable defense for criminal activity.
Nor is lack of common sense a criminal state. The question here is of
authorisation. Randell felt he had authorisation. Intel felt he did not.
A policy like this could be used to demonstrate lack of authorisation
only if it was a clear policy which had been clearly communicated to the
person involved. Otherwise the person is justified in applying the
common standards of the profession. If one is hired as a sysadmin, one
can assume that that hiring itself constitutes permission to engage in
all of the common bahaviours of that position, and using crack on
whatever machine one happens to have handy rather than only on the
machines that one is actually administrator of could be argued to be
such common practice.
The problem of course is that the field as curreently practiced is very
very young and "common practice" is still rather ill defined, and can be
open to interpretation. This is especially true in a court case in which
neither the judge not the jury ae likely to have any idea whatsoever of
what the issues are, and will tend to believe "the big guns" (in this
case Intel) over any individual or even group of individuals (other
sysadmins). This is especially true when the law itself is written so
broadly that ANY activity at the computer can be construed to fall under
that law.(I take the Canadian law as an example, in which ANY activity
on any computer, including your own, falls under the definition of
criminal activity as defined in the law.)
>: Again, if Intel wants a foolish security policy, and wants to fire
>: people who violate it, whether innocently or not, I do not have a major
>: problem with that...
>Foolish? The majority of white collar crime involves insiders. Criminal
>employees and contractors are a greater threat than outsiders usually.
>Cracking passwords is not innocent behavior. Assuming you are not the
>sysadmin of the system, it is negligence or malpractice at best.
No, it can be considered due diligence in your job. As I understand it
he was hired in order at least in part to carry out duties which
involved security issues. To simply close your eyes to blatant security
faults could in that case be considered negligence. (The old Nuremberg
defence- It wasn;t my job). As an employee of the company he felt it was
his duty to ensure that within his area of expertise the company was
running its affairs in the optimal manner. You could argue that one
should never look around oneself in a company to try to correct things
whichare not under ones immediate job description. A company which
follow that policy is incompetent in my opinion.
You see a car with its headlights on in the parking lot. Do you try to
switch them off? And yet doing so you could be accused of illegal
trespas etc.
>I would suspect that their "aggressive" prosecution of Randal is part of
>a policy to deter people from unauthorized use of their machines.
That is what they seem to think, however, Randall was an employee acting
in what he felt was the best interests of the company. As such their
action has exactly the opposite effect- namely ensuring that none of
their employees gives a damn about the security of the system and
opening them wide up to the external breakins ( which are a more serious
threat in my opinion). An employee who wanted to break in would not run
Crack on the internal machines themselves. He would make some attempt to
hide his activity.
--
Bill Unruh
un...@physics.ubc.ca
Ram Samudrala
>Cracking passwords is a behaviour that can be part of industrial
>espionage and other white-collar crimes that may lead to huge
>finanical losses.
"Can" and "may".
Any moron with half a brain examining this SPECIFIC case in detail
(which I presume the Jury did) could've easily reached the conclusion
that this was not the case. Why did they not? It takes two seconds
to realise that if Schwartz really meant harm, he'd have hidden
everything.
Schwartz, as far as I know, wasn't charged for "industrial espionage".
As such, your point is only detracting from the argument.
The system of law fails for this very reason: it generalises far too
much. Who was the victim in this case?
--Ram
m...@ram.org || http://www.ram.org || http://www.twisted-helices.com/th
The view they once knew made our nooses too tight.
This justice in swine, this devil in god. So god bless my soul---
I've got total control and the crosshairs lined up dead in my sight...
I'm voting with a bullet! ---Corrosion of Conformity
Cor Bosman
>That is what they seem to think, however, Randall was an employee acting
>in what he felt was the best interests of the company. As such their
>action has exactly the opposite effect- namely ensuring that none of
>their employees gives a damn about the security of the system and
>opening them wide up to the external breakins ( which are a more serious
>threat in my opinion). An employee who wanted to break in would not run
>Crack on the internal machines themselves. He would make some attempt to
>hide his activity.
Nah, if any Intel system gets broken into (should I be talking future
or past tense?) Intel will just fire whoever was responsible. That is
obviously how the system works. Too bad there arent any Pentium
clones yet..but as soon as they pop up...
Btw, this is not a 1 time deal. I have a friend who worked at Intel
who got fired for 'showing too much initiative'. Geez...how lame can
they get.
Cor
--
------------------------------------------------------------------------------
| Cor Bosman | ____Xs4all Public Access____ | tel: +31-(0)20-622-2885 |
| c...@xs4all.net | Network Administrator | fax: +31-(0)20-622-2753 |
-------------The building is clear, Leisa has crossed the bridge-------SP6----
Cor Bosman
>Cor Bosman (c...@xs4all.nl) wrote:
>: I guess it's time for all sysadmins around the world to start using
>: forms for every little change they make, and have it signed by management.
>: 'Dear management, I am about to remove a spurious lockfile. Please grant
>: me permission.'.
>System administrators already have authority to do this. Randal WAS NOT a
Says who? Does your contract say 'This person can do anything he pleases'?
Cor Bosman
> Why do you think the jury decided their way?
> What was the key evidence that the jury believed/disbelieved?
Well, the state probably wouldnt want this big employer called Intel
to leave now would it. But that is probably better suited for another
newsgroup. Im sure the US legal system doesn;t work that way.
>There must have been something that the prosecutor presented and the
>jury believed. Or are you saying the whole Oregon legal system is totally
>screwed up?
Only if you're paranoid enough to think the US legal system isnt
flawless.
Rahul Dhesi
>Do you really want to stake your future on the assumption
>that *your* CEO won't go berserk if some fool misunderstands what
>you're doing?
I *am* my CEO, but that's not really the point.
>Intel vs. Schwartz is just an instance of the real
>problem.
Only at Intel. Not every company is as stupid.
William Unruh
>>Only at Intel. Not every company is as stupid.
> As far as I know, the law is applicable within the USA, not
>just Intel. Do you really want to stake your future on the assumption
I believe I recall that he was done in under an Oregon law, not a
Federal law. Federal laws need some pretence at interstate commerce to
justify them, and there was no interstate commerce here.
--
Bill Unruh
un...@physics.ubc.ca
D. J. Bernstein
> Truth is a defence I think (but am not sure), but you must be able to
> prove the statement true in a court of law.
Truth is an absolute defense: if the jury finds that the statement was
true, then you aren't liable.
As for proving it, you just need the preponderance of the evidence (at
trial), not proof beyond a reasonable doubt.
If the statement was, in fact, false, you still might not be in trouble:
libel laws require that you either (1) knew that the statement was false
or (2) said it in reckless disregard of the truth. The problem here is
that there's rarely any direct evidence of your past mental state, so
juries (as in criminal cases) will tend to assume that you are a liar.
---Dan
William Unruh
>Even if the jury were convinced that Randal were a "hacker" in the good
>sense, not the bad sense, it seems they still would despise him for it.
>In the atmosphere where Randal was tried, neither sense of word "hacker"
>was seen as good.
Since the jurydecides fact and there was not too much dispute over what
the facts were, the decision isn't terribly surprising. Apparently the
law is so broad that it would be very hard to claim that he did not fall
under that law. However, the law can be so broad that anything can fall
under it ( see the Canadian law on Computer Mischief). It is then up to
the Judge ( who rules on law) or higher courts to throw out the law.
To give an example, the Canadian Criminal Code essentially says that
anyone who alters anything on any computer is guilty of Criminal
Mischief and liable to 10 years in jail. Now hand that to a jury and ask
them to decide whether or not what you have done amounts to altering
anything on any computer. They have to decide yes, almost no matter what
it is that you have done. And it should not take them long to do so. The
law is clearly totally silly, but juries rarely say that ( the only time
is in Morgenthaler abortion cases here in Canada, where the jury
returned not guilty verdicts even though M admitted performing
abortions. They thought the law was so silly the facts should be ignored
and justice, rather than law, dispensed- but that is rare).
--
Bill Unruh
un...@physics.ubc.ca
Jeffrey Kegler
>Could
>someone post the Oregon law that Randall was convicted under here?
The full text is on the Web Site:
http://www.lightlink.com/spacenka/fors/.
The "main" language for two of the counts is "Any person commits
computer crime who knowingly accesses, attempts to access or uses, or
attempts to use, any computer, computer system, computer network or any
part thereof for the purpose of ... committing theft". The language
here was interpreted with great looseness, as I detailed in the "Why
care?" document. You could act "for the purpose of" theft without
intending theft, according to the prosecution and judge. And it was
"theft" of item even if you did not deprive someone of any portion of
the economic value of an item.
The other count was for this law: "Any person who knowingly and without
authorization alters, damages or destroys any computer, computer system,
computer network, or any computer software, program, documentation or
data contained in such computer, computer system or computer network,
commits computer crime." Randal was not accused of damaging or
destroying, so "alter" was the operative word here. The context would
seem to have "alter" mean "alter in a harmful way", but no showing of
harm was made or required in the judge's interpretation.
This was obviously a very pro-prosecution judge. The looseness of the
law was bad enough, but the judge allowed them to be construed beyond
their plain meaning.
Those seriously interested in this case (and since it is our necks,
I believe serious interest is merited) should consult the full language
on the Web site.
Maxwell Daymon
Ray Todd Sevens
>I you start out with an attitude of respect toward our system of justice
>(and I do), then that Randal was convicted by a jury of twelve peers
>inclines you to believe he's guilty. The jury decided this complicated
>case quickly -- in about 3 hours, which with all the formalities needed
>is about as fast as it gets.
A bunch more people who have no idea how to operate a computer. They also are
told that they have to abide by the law even if they disagree with it. This
says nothing of if the law is good.
Jeffrey Kegler
>Jeffrey Kegler (jef...@algor2.algorists.com) wrote:
>: ... Punishment
>: as felons, however, must be reserved for those who engage in behavior
>: extremely dangerous to society.
>
>and other white-collar crimes that may lead to huge finanical losses.
Yes. But note the language "can be part of" (and this is not the
language used against Randal, but it is just as vague). Driving a car
can be part of a bank heist. Most benign acts "can be part of"
felonies. Except under "computer crime" laws, they don't become
felonies until a felony is committed or intended.
It comes down to this. A co-worker and fellow professional is accused
of a crime. You ask what he did. Nothing, they reply, in fact his
intentions were benign. But the same acts could have been part of a
real crime, and besides, he was making Security look stupid. Do you
say, "Oh, all right".
Anthony, do you want it said about you as a co-worker and fellow citizen
that this is your response? Think about it.
As has been noted, it does not matter whether you like or hate Randal.
And it does not matter whether you feel you are likely to act exactly as
Randal did (with hindsight few will commit that exact set of mistakes, I
expect). It matters whether you feel a company and a justice system
that demands the right to take down geeks whenever they irritate them is
acceptable to you.
William Unruh
>Jeffrey Kegler (jef...@algor2.algorists.com) wrote:
>: ... Punishment
>: as felons, however, must be reserved for those who engage in behavior
>: extremely dangerous to society.
>Cracking passwords is a behaviour that can be part of industrial espionage
>and other white-collar crimes that may lead to huge finanical losses.
>Would you consider this "extremely dangerous" or is this term only
>reserved for physical harm caused to another human being?
And driving a car can be part of espionage or even murder. So is driving
"extremely dangerous"? Surely the intent is important in actions, since
most actions can be benign or criminal depending on the intent. Could
someone post the Oregon law that Randall was convicted under here?
>The situation as you described is not desirable, but I don't believe such
>a situation exists. The person who has been punished committed some highly
>questionable acts that are by statute illegal. I don't think good
The question is whether or not the statue is sensible or not. As I keep
giving as example, the Canadian law on Computer mischief is clear, and
it is also such that ANY activity at a computer contravenes the statute.
Computer law is in an attrocious state at teh present time, and the fact
that an action contravenes some law is not evidence at all that that
action is in any sense reprehensible.
>intentions allow such actions to be ignored, at least from a law
>enforcement perspective. A company could choose to do so, but a law
Intention is the key to most criminal activity. Almost any human action
can be a vital part of a criminal act if the intention is wrong.
>enforcement agency may not have such discretion. Once felony activities
>are brought to their attention they may have to act.
Absolute nonesense. The law enforcement agencies have immense latitude
to ignore felonious behaviour, and do so often. With Intel complaining
however, they will tend not to. Phone them about your suspisions that
someone has been trying to hack your PC at home sometime to see how they
respond.
--
Bill Unruh
un...@physics.ubc.ca
John K. Taber
>
>IMHO, Randal did some pretty serious things. The fact that he probably had
>no malicious intent does not mean his crimes should be ignored. His intent
>is something that is taken into consideration only at sentancing time.
>Weren't his sentences at the lighter end of the sentencing range?
Tony, you are not distinguishing between serious wrongs and criminal
wrongs. There are acts that may be serious wrongs, but it is quite
another matter to make those acts criminal.
Just because I am furious with you does not mean that I should be able
to put you in jail. Even if I am justly furious with you.Even if I am
powerful. Even if district attorneys gladly curry my favor.
For the record: I know nothing about Schwartz's case, and take no stand
on it for or against.
Most computer crime laws, and I daresay Oregon's is no exception, make
"unauthorized access" the criminal offense. That is a very vague
act to criminalize. Compare with "unauthorized access of a filing cabinet"
to get an idea of its vagueness.
I have said before, and I repeat myself, the computer crime laws are
very bad laws, hastily written and passed with no study or deliberation
in state after state by legislators who had no idea of what they were
criminalizing. They must be repealed.
--
John K. Taber
PGP Key fingerprint = B5 49 65 B5 42 54 14 D3 B4 9F B4 D3 AE 59 C2 A3
=======================================================================
The "work ethic" was originally not a prescription for happiness, but a
diagnosis of a neurosis. --Richard Todd in _Worth_
Cor Bosman
>Cor Bosman (c...@xs4all.nl) wrote:
>: sc...@bnr.ca (Stanley Chow) writes:
>: > Why do you think the jury decided their way?
>: > What was the key evidence that the jury believed/disbelieved?
>:
>: Well, the state probably wouldnt want this big employer called Intel
>: to leave now would it...
>Except a jury of citizens, not the state decided guilt. And where the hell
Oh yeah, a jury of peers. I forgot. The peers that knew exactly what
Crack was, how it worked, what a computer is, and what it means to
be an system administrator. Im glad we're talking about the same peers.
>did the threat of Intel leaving the state come from?
Oh, just a loose remark. Just brainstorming. You know, the stuff that isnt
illegal yet. One could ofcourse wonder what would have happened to a state
when its biggest employer would suddenly find the state less interesting
for its negative ruling against the company. But as I said, Im sure
the American justice system is 100% fair and wouldnt ever work that way.
Regards,
Anthony D. Tribelli
: sc...@bnr.ca (Stanley Chow) writes:
: > Why do you think the jury decided their way?
: > What was the key evidence that the jury believed/disbelieved?
:
: Well, the state probably wouldnt want this big employer called Intel
: to leave now would it...
Except a jury of citizens, not the state decided guilt. And where the hell
did the threat of Intel leaving the state come from?
Tony
Anthony D. Tribelli
: >: I guess it's time for all sysadmins around the world to start using
: >: forms for every little change they make, and have it signed by management.
: >: 'Dear management, I am about to remove a spurious lockfile. Please grant
: >: me permission.'.
: >System administrators already have authority to do this. Randal WAS NOT a
: Says who? Does your contract say 'This person can do anything he pleases'?
Is it unusual for a sysadmin for a machine to be responsible for security
and maintenance? I would expect a job description or list of duties to
cover stuff like this. If not ask for clarification, it is a ONE TIME
event.
Cor Bosman
>The system of law fails for this very reason: it generalises far too
>much. Who was the victim in this case?
Randal ofcourse.
Anthony D. Tribelli
: >IMHO, Randal did some pretty serious things. The fact that he probably had
: >no malicious intent does not mean his crimes should be ignored. His intent
: >is something that is taken into consideration only at sentancing time.
: >Weren't his sentences at the lighter end of the sentencing range?
: Tony, you are not distinguishing between serious wrongs and criminal
: wrongs. There are acts that may be serious wrongs, but it is quite
: another matter to make those acts criminal.
With respect to cracking passwords I think it is appropriate to make the
act a criminal violation.
: Just because I am furious with you does not mean that I should be able
: to put you in jail. Even if I am justly furious with you.Even if I am
: powerful. Even if district attorneys gladly curry my favor.
Agreed, assuming I have done nothing criminal. But if I am foolish enough
to do something criminal in your presence I am at your mercy.
Ray Todd Sevens
>From: a...@netcom.com (Anthony D. Tribelli)
>Subject: Re: Intel v. Randal Schwartz: Why care?
>Date: Sat, 6 Jan 1996 19:52:03 GMT
>Cor Bosman (c...@xs4all.nl) wrote:
>: Btw, this is not a 1 time deal. I have a friend who worked at Intel
>: who got fired for 'showing too much initiative'. Geez...how lame can
>: they get.
>I wish I could think of a better phrase, I am not trying to attack your
>friend. But was he/she fired for "showing too much initiative" or "playing
>cowboy"? If you act on your own with informing or coordinating with others
>you can really screw things up.
Yea like come up with a product that might compete with the present intel
line. Companies don't want you coming up with a solution to a problem unless
you are assigned to fund a solution to the problem. I had a budy who worked
for a tax loss R&D subsidary of a larger corporation. He came up with a new
type of filter for satilite TV. It worked better than the current box which
cost 1000-2000 bucks. It is normally only used when absolutely necesary
because of the cost and because it takes a skilled by several hours to get it
setup right. My friends inprovement cost $50 to produce, and was so simple to
setup that anyone could do it. It had two dials. You turned both all the way
the the right. You then turned the right one till the picture was the best.
You then turned the other one till the picture was the best. DONE.
Have you seen this nifty box. NOPE The MBAs at the corporate HQ were horified
the their tax loss corporation was going to make a profit that they killed the
whole project.
Anthony D. Tribelli
: The "main" language for two of the counts is "Any person commits
: computer crime who knowingly accesses, attempts to access or uses, or
: attempts to use, any computer, computer system, computer network or any
Isn't cracking passwords a type of intellectual or security related theft?
It is valuable information.
: The other count was for this law: "Any person who knowingly and without
: authorization alters, damages or destroys any computer, computer system,
: computer network, or any computer software, program, documentation or
: data contained in such computer, computer system or computer network,
: commits computer crime."
Doesn't cracking passwords damage the integrity of a system's security.
Anthony D. Tribelli
: ... Driving a car
: can be part of a bank heist. Most benign acts "can be part of"
: felonies. Except under "computer crime" laws, they don't become
: felonies until a felony is committed or intended.
But cracking passwords is not a benign act, it is the felony. It is the
"taking the money" part of the bank heist, not the "driving the car" part.
: It comes down to this. A co-worker and fellow professional is accused
: of a crime. You ask what he did. Nothing, they reply, in fact his
: intentions were benign. But the same acts could have been part of a
: real crime, and besides, he was making Security look stupid. Do you
: say, "Oh, all right".
:
: Anthony, do you want it said about you as a co-worker and fellow citizen
: that this is your response? Think about it.
First. I don't consider cracking passwords to be "nothing".
Second. Benign intentions are an assumption. The person responsible for
security at Intel is being paid to be paranoid and assume the worst.
Third. If it was painfully obvious that there was no "damage", I
personally would have terminated the contractor with a provision that
the contractor was not elligible for rehire and I would describe the
facts of the incident to anyone who asked for a reference. Intel is under
no obligation to be as generous as I :-).
Fourth. Once the factual felony is reported to law enforcement, law
enforcement may be obliged to prosecute. If a company reports the action
prematurely they may loose discretionary control.
: ... It matters whether you feel a company and a justice system
: that demands the right to take down geeks whenever they irritate them is
: acceptable to you.
I think this is a gross exaggeration and misrepresentation. But to
continue it, are you suggesting that geeks have the inherent privelage to
go wherever they want and do whatever they want so long as they harm
nothing?
Anthony D. Tribelli
: >Cracking passwords is a behaviour that can be part of industrial espionage
: >and other white-collar crimes that may lead to huge finanical losses.
: >Would you consider this "extremely dangerous" or is this term only
: >reserved for physical harm caused to another human being?
: And driving a car can be part of espionage or even murder. So is driving
: "extremely dangerous"?
I would argue that cracking passwords is an illegal act under most
circumstances, it is not a benign act that coincidentally facilitated the
illegal act. That cracking is at the spying or killing end of things, not
at the driving away end of things, in the scenarios you described.
Anthony D. Tribelli
: r...@mbisgi.umd.edu (Ram Samudrala) writes:
: >The system of law fails for this very reason: it generalises far too
: >much. Who was the victim in this case?
: Randal ofcourse.
He is the victim of his own actions. Perhaps Intel overreacted, but he
provoked the incident through irresponsible misconduct.
Anthony D. Tribelli
: >IMHO, common sense says you should not be cracking passwords on machines
: >you are not responsible for. Lack of common sense or lack of good
: >judgement has never been an acceptable defense for criminal activity.
: Nor is lack of common sense a criminal state. The question here is of
: authorisation. Randell felt he had authorisation. Intel felt he did
: not...
Misunderstanding is not a defense either.
: A policy like this could be used to demonstrate lack of authorisation
: only if it was a clear policy which had been clearly communicated to the
: person involved...
When the actions to be taken are illegal under normal circumstances, it is
a persons responsibility to verify that they are acting under special
circumstances where such actions are permissable. For example, that they
are responsible for security on the machine they are cracking.
: ... If one is hired as a sysadmin, one
: can assume that that hiring itself constitutes permission to engage in
: all of the common bahaviours of that position, ...
Agreed.
: and using crack on
: whatever machine one happens to have handy rather than only on the
: machines that one is actually administrator of could be argued to be
: such common practice.
Is this the "everyone else is doing it" defense?
Running crack from a handy machine is OK, but the target of the cracking
must be a machine you are responsible for. Being sysadmin of one machine
does not give you authority to mess with others.
: > ... The majority of white collar crime involves insiders. Criminal
: >employees and contractors are a greater threat than outsiders usually.
: >Cracking passwords is not innocent behavior. Assuming you are not the
: >sysadmin of the system, it is negligence or malpractice at best.
: No, it can be considered due diligence in your job...
It is not your job to test the security of machines other people are
responsible for. If you suspect security problems, it is you duty to
report it to those who are responsible. It would be courteous to offer
assistance if you thought those responsible are less capable than you. But
it is malpractice, especially for an outside contractor, to probe the
security of machines one is not responsible for without the approval of
those who are responsible.
: As I understand it
: he was hired in order at least in part to carry out duties which
: involved security issues...
And if he restricted his activities to these machines there would have
been no illegal action.
: You see a car with its headlights on in the parking lot. Do you try to
: switch them off? And yet doing so you could be accused of illegal
: trespas etc.
If the door is locked and I pick the lock, equivalent to running crack, I
am doing something illegal.
Anthony D. Tribelli
: >Cracking passwords is a behaviour that can be part of industrial
: >espionage and other white-collar crimes that may lead to huge
: >finanical losses.
: Schwartz, as far as I know, wasn't charged for "industrial espionage".
: As such, your point is only detracting from the argument.
I wasn't making an accusation. I was explaining why cracking passwords is
considered a serious enough offense to be considered a felony.
Anthony D. Tribelli
: Btw, this is not a 1 time deal. I have a friend who worked at Intel
: who got fired for 'showing too much initiative'. Geez...how lame can
: they get.
I wish I could think of a better phrase, I am not trying to attack your
friend. But was he/she fired for "showing too much initiative" or "playing
cowboy"? If you act on your own with informing or coordinating with others
you can really screw things up.
Tony
Ray Todd Sevens
>I think he's saying that the computer crime laws are screwed up.
Lets face it, we have laws written by people who frequently barly know how to
turn on a computer. They are ripe for people to "advise" them who have an ax
to grind. I think that is how we are ending up with the communications
decency act.
John S. Dyson
Patrick Mahoney <pmah...@inow.com> wrote:
>
>: For the details of my story, see
>: http://www.lightlink.com/spacenka/fors, or send a message to my email
>: replybot at fu...@stonehenge.com (content will be mostly ignored).
>
>No doubt slightly biased. A better suggestion would be pulling up
>old copies of the business section of the San Jose Mercury News
>during June-Sept at www.sjmercury.com. Or the Time magazine Internet
>archive...
>
You mean the press unbiased, and technically informed? I have seen
computer trade magazines be totally off the mark. The problem here
is that I am not sure that anyone knows all of the facts about what
went on, including Mr Schwartz. BTW, if my life had been as upset
as Mr Schwartz's -- I think that I would be a bit angry (and confused) also.
I don't know how anyone should "judge" this situation any farther, other
than to avoid it. (Both by fixing the laws, and being careful about
behavior.)
John Dyson
Jeffrey Kegler
Exchange between Randal L. Schwartz (mer...@stonehenge.com) and Michael
Sierchio <ku...@dnai.com> deleted ]
>Most of the debate on this thread has been over the inappropriateness of
>a company prosecuting an employee in a criminal court. Personally I find
>Intel's action much more appropriate that what I just read Mr. Schwartz
>write in the above paragraph. I can understand his anger, but give me a
>break... Are you honestly saying that you would prosecute someone for
>saying untruthful things on the Internet? Most of the posts on the
>Internet have little basis in fact. ... The courts are full of enough silly
>cases. Mr. Schwartz, you have lost the little sympathy I had for your
>plight.
Let me make what I consider an important point. If Randal's statements
make you lose sympathy, it should be with Randal, not his plight.
Because we could be in his plight, and if people find out prosecutions
like Oregon v. Schwartz are fun, career-enhancing and easy, we will be.
So hate Randal, if you want, but for your own and all our sakes, be
worried about his plight.
When I got into this I hardly knew Randal. At this point I've met him
only a handful of times. He seems nice enough, but that's not why I'm
concerned about this case.
That out of the way, I spoke with both Michael (a nice, reasonable
fellow, by the way) and Randal about this matter, and Michael gave me a
statement to post retracting his statements, which I did post to this
group. That should end the matter. I didn't want yet more lawyers
being fed out of this, and I think that won't happen here.
Note the prosecution had ample resources and motive to trace through
Randal's entire employment history for any past hacking activities they
could show evidence of. Had they found anything it would have been very
much fair game to admit as evidence against Randal in this case. I am
open to the evidence, but I do think it unlikely we will hear anything
new and genuine on this score.
>Most people would just flame the guy to hell and back, but no, let's
>threaten the guy with legal action.
Whether you sympathize with Randal is the lesser point, but allow me to
pursue it a bit. If I said in a forum where all your potential
employers could hear and would likely believe me, something that would
not just lose you your job, but end your career, lose you your prospect
of any future work in the field, would you be content to flame me and
take up bar-tending? I'd expect you to take legal action and if you
did, I would have myself to blame for forcing you to do it. Randal said
what he did not because he was upset and angry (though, of course, he
was), but because he was backed in a corner. He had no choice I could
see.
Make no mistake, this prosecution had and continues to have every
possibility of destroying Randal's life. Flaming back, well, sometimes
it is just not enough. (By the way, my talks with both parties were
actually quite civil.)
>: For the details of my story, see
>: http://www.lightlink.com/spacenka/fors, or send a message to my email
>: replybot at fu...@stonehenge.com (content will be mostly ignored).
>
>No doubt slightly biased. A better suggestion would be pulling up
>old copies of the business section of the San Jose Mercury News
>during June-Sept at www.sjmercury.com. Or the Time magazine Internet
>archive...
Not necessary actually, the Mercury News coverage is on the FORS Web
site, along with all the Web-reprintable coverage we know of. Is there
stuff about Oregon v. Schwartz on the Time magazine archive?
William Unruh
>Cor Bosman (c...@xs4all.nl) wrote:
>: Well, the state probably wouldnt want this big employer called Intel
>: to leave now would it...
>Except a jury of citizens, not the state decided guilt. And where the hell
>did the threat of Intel leaving the state come from?
He is of course overstating. However, whom would you believe if your
knowledge of computing were minimal- a large company which is known
world wide for its computer expertise, and is lauded in the press as one
of Oregons and the USA's great companies, or some individual who admits
to carrying out tasks that you have read that crackers also carry out-
where Intel denies giveing authorisation, while the person claims he had
it, where the judge orders the jury to interpret the law in ints boadest
possible sense. The outcome is not surprising, but it is nevertheless
very disturbing.
--
Bill Unruh
un...@physics.ubc.ca
Jeffrey Kegler
>And where the hell
>did the threat of Intel leaving the state come from?
It can be much more subtle than that. A slight adjustment of
Intel's work force between New Mexico and Oregon could multiply
by 10 the number of homes on the market in Washington County,
Oregon. And the effect of that subtle change would drive home
prices down dramatically, with associated ripple effects hitting
the rest of the County's economy.
The extent of Intel's influence is shown by the _Oregonian_, which is
out of the County, and on whom Intel's influence is much more dilute
than on the Washington County court. The _Oregonian_, after wildly
biased trial coverage, has dropped all mention of the case. The _New
York Times_ has covered the thing since, but the _Oregonian_'s attitude
is if the citizens of Portland want to hear more about this case, they
should read the _New York Times_ or the _San Jose Mercury News_.
Jeffrey Kegler
>With respect to cracking passwords I think it is appropriate to make the
>act a criminal violation.
Cracking passwords, as my "Why care?" document explained, and most
sysadmins will already known, is standard maintenance. CERT makes Crack
publicly available. The URL is ftp://cert.org/pub/tools/crack/.
Your position comes down to this: "Every good sysadmin is a criminal,
and may be rendered a felon when it amuses his employer or the local
D.A. so to do."
I've never read Kafka's _The Trial_, but I think now I will have to buy
a copy and do so. The amazing thing is this is not fiction. This is a
real, ordinary tech nerd. He found something that made Intel Security
look bad, and they discovered that under the law the slightest work rule
infraction they can discover or concoct will make him a felon.
The "Why care?" document, slightly revised, is on
http://www.lightlink.com/spacenka/fors/.
William Unruh
>: Says who? Does your contract say 'This person can do anything he pleases'?
>Is it unusual for a sysadmin for a machine to be responsible for security
>and maintenance? I would expect a job description or list of duties to
>cover stuff like this. If not ask for clarification, it is a ONE TIME
>event.
The problem of course arises in the details. There is no accepted code
of practice for sysadmins. One company could claim that say running
Crack on a President's password (of the company) is definitely not in
what they expected the sysadmin to do and is a criminal action. What
can you point to to argue that it is not, that it is in fact part of the
sysadmin job? Or say denying access to etherfind? Or say storing backup
tapes off the company property? All of these most would feel are
reasonable actions of the sysadmin, but are also actions that a company
could, after the fact, object to. Witht he law as loose as it is, they
are all also actions which could be regarded as criminal and land you in
jail. With purely a blanket permission to do a sysadmin's job, any such
action could be disputed as not being a part of that job. Even if you
brought in 5 witnesses to testify that the actions are reasonable for a
sysadmin, the testimony will come from other "geeks", whom the jury can
disbelieve. On the otherhand, if you had a National Sysamin Association
to come testify, you might be able to carry the day against say an
Intel, GM or ATT.
Reasonable people can disagree. That disagreement should not land one of
them in criminal court.
--
Bill Unruh
un...@physics.ubc.ca
William Unruh
>Randal L. Schwartz (mer...@stonehenge.com) wrote:
>: Your statement is fiction, having no basis in fact. And I would
>: caution you from passing around fiction on the net in the guise of
>: *fact*... such actions might very well land *you* in a position of
>: having to tangle with *my* lawyers.
...
>Most people would just flame the guy to hell and back, but no, let's
>threaten the guy with legal action. The courts are full of enough silly
>cases. Mr. Schwartz, you have lost the little sympathy I had for your
>plight.
It is Schwartz who is facing years in jail. It is Scwartz who may be
having to spend many dollars appealing his case to a higher court,
where, although it will be isues of law that are supposed to be judged,
his reputation will also come into play. It is Schwartz whose reputation
the statement does seriously damags, and has since been retracted as
unsubstantiable. Although the Internet does tend to have flame fests, it
is also a public forum like any other, and statements made here have
consequences to the lives of others. It is not an irrsponsible medium,
and when someone accuses someone else of criminal activity, those
accusations should neither be made or taken lightly. Such statements
also have a large potential impact on his reputation here and the extent
to which people here will support him or his case. Allowing that
statement to stand would have had a far larger impact on the sympathy he
got here than the loss he suffered by your defection, and as a reminder,
that statement was withdrawn.
--
Bill Unruh
un...@physics.ubc.ca
Ray Todd Sevens
>From: pmah...@inow.com (Patrick Mahoney)
>Subject: Re: Intel v. Randal Schwartz: Why care?
>Randal L. Schwartz (mer...@stonehenge.com) wrote:
>: >>>>> "Michael" == Michael Sierchio <ku...@dnai.com> writes:
>:
>: Michael> No offense intended to Randal's defenders, but he has been known for
>: Michael> a long time to make a hobby of trying to crack passwords and gain
>: Michael> access to systems where he's been a contractor -- including places
>: Michael> where he had no sysad duties, but was hired to teach Perl (of
>: Michael> all things!:-)
>:
>: Your statement is fiction, having no basis in fact. And I would
>: caution you from passing around fiction on the net in the guise of
>: *fact*... such actions might very well land *you* in a position of
>: having to tangle with *my* lawyers.
>Most of the debate on this thread has been over the inappropriateness of
>a company prosecuting an employee in a criminal court. Personally I find
>Intel's action much more appropriate that what I just read Mr. Schwartz
>write in the above paragraph. I can understand his anger, but give me a
>break... Are you honestly saying that you would prosecute someone for
>saying untruthful things on the Internet? Most of the posts on the
>Internet have little basis in fact.
I would disagree. I don't know about the trueth of the original statement.
If it is true, Mr. Schwartz has a lot of explaining to do. If it is false,
the Michael has commited libel, which is a civil action which Mr. Schwartz has
the right to presue.
>Most people would just flame the guy to hell and back, but no, let's
>threaten the guy with legal action. The courts are full of enough silly
>cases. Mr. Schwartz, you have lost the little sympathy I had for your
>plight.
>: For the details of my story, see
>: http://www.lightlink.com/spacenka/fors, or send a message to my email
>: replybot at fu...@stonehenge.com (content will be mostly ignored).
>No doubt slightly biased. A better suggestion would be pulling up
>old copies of the business section of the San Jose Mercury News
>during June-Sept at www.sjmercury.com. Or the Time magazine Internet
>archive...
>Just my $0.02.
>Patrick Mahoney
Anthony D. Tribelli
: >: >Cracking passwords is a behaviour that can be part of industrial
: >: >espionage and other white-collar crimes that may lead to huge
: >: >finanical losses.
: >: Schwartz, as far as I know, wasn't charged for "industrial espionage".
: >: As such, your point is only detracting from the argument.
: >I wasn't making an accusation. I was explaining why cracking passwords is
: >considered a serious enough offense to be considered a felony.
: My statement still holds. "Cracking passwords" == "felony" (which is
: what you're literally stating, since you don't even allow a "may") is
: non-pithy. Cracking passwords for what?
I apologize, I thought it was clear that I was referring ONLY to cracking
systems a person IS NOT RESPONSIBLE FOR. Of course a person responsible
for a system can run crack, of course a person operating under the
direction of another person who is responsible for a system can run
crack, or course a person operating under a warrant issued by a judge can
run crack...
: I think the relevant issue is what was done with the cracked passwords.
I think the relevant issue is whether one has responsibility for the
machine or not.
Ram Samudrala
>I apologize, I thought it was clear that I was referring ONLY to cracking
>systems a person IS NOT RESPONSIBLE FOR.
Perhaps that was the context, but if I were you, I'd qualify it each
and every time else people are gonna jump on you; this is USENET. <-:
My example of the FBI cracking passwords still holds. Are they
"responsible" for your system? What determines responsibility? Is it
an appointed position alone? How about a student running crack on the
school's password file? There were usually a few cases of this (even
in cases where there are shadow password files) on a system I managed
as an undergrad. I would cringe to call it a "crime" as long as there
was no harm done. Even if there was harm done, I'd see it as
something for the civil courts. I know people who did really stupid
things after cracking passwords on the machine I ran (not malicious,
but stupid), but I never for a moment thought that it was "criminal".
I encourage learning this, even if it means toeing the line, as long
as no harm is done! What do you want? A workplace where everyone is
a clone? What good is an environment that doesn't encourage incentive
and curiousity?
>Of course a person responsible for a system can run crack, of course
>a person operating under the direction of another person who is
>responsible for a system can run crack, or course a person operating
>under a warrant issued by a judge can run crack...
Why not a person who wants to run crack to expose the weaknesses of
the system?
--Ram
m...@ram.org || http://www.ram.org || http://www.twisted-helices.com/th
Memory is the cabinet of imagination,
the treasury of reason, the registry of conscience,
and the council chamber of thought. ---St. Basil
Anthony D. Tribelli
: >Is it unusual for a sysadmin for a machine to be responsible for security
: >and maintenance? I would expect a job description or list of duties to
: >cover stuff like this. If not ask for clarification, it is a ONE TIME
: >event.
: The problem of course arises in the details. There is no accepted code
: of practice for sysadmins...
: Reasonable people can disagree. That disagreement should not land one of
: them in criminal court.
You have some good points, however many of the actions you described seem
reasonable to me. Cracking other people's machines does not. If a person
had been "nailed" for committing reasonable acts I would be more concerned.
Anthony D. Tribelli
: >With respect to cracking passwords I think it is appropriate to make the
: >act a criminal violation.
: Cracking passwords, as my "Why care?" document explained, and most
: sysadmins will already known, is standard maintenance. CERT makes Crack
: publicly available. The URL is ftp://cert.org/pub/tools/crack/.
:
: Your position comes down to this: "Every good sysadmin is a criminal,
: and may be rendered a felon when it amuses his employer or the local
: D.A. so to do."
Gross exaggeration and misrepresentation.
I have said (typed) this so many times I thought it was unneccessary to
say (type) this again: I am ONLY referring to cracking machines that ONE
IS NOT RESPONSIBLE for. Given your tendency to exaggerate and misrepresent
I will be more careful in the future. Of course a sysadmin can probe the
security of his/her machine, but he/she has no such privelages for the
machines of other.
: ... He found something that made Intel Security
: look bad, and they discovered that under the law the slightest work rule
: infraction they can discover or concoct will make him a felon.
Again exaggeration and misrepresentation. I am struggling to comprehend
your position. You believe that a sysadmin has the authority to probe the
security of machines administered by others, without their knowledge or
consent, so long as he/she does no damage? Please correct me if I am
misunderstanding your position.
Anthony D. Tribelli
: >Misunderstanding is not a defense either.
: Why not? I would surely hope the american justice system differentiates
: between intent and accidents.
Actually, the phrase is usually stated something like:
Ingornance of the law is not a defense.
I am not a lawyer, but I believe our justice system is basically fact
based. First it is established that a crime has been committed, then it is
determined if a person committed the crime, then intentions may be used to
determine the degree of the crime and the punishment. Intent does not
nullify the fact that a crime was committed.
Cor Bosman
>Jeffrey Kegler (jef...@algor2.algorists.com) wrote:
>: >With respect to cracking passwords I think it is appropriate to make the
>: >act a criminal violation.
>: Cracking passwords, as my "Why care?" document explained, and most
>: sysadmins will already known, is standard maintenance. CERT makes Crack
>: publicly available. The URL is ftp://cert.org/pub/tools/crack/.
>:
>: Your position comes down to this: "Every good sysadmin is a criminal,
>: and may be rendered a felon when it amuses his employer or the local
>: D.A. so to do."
>Gross exaggeration and misrepresentation.
>I have said (typed) this so many times I thought it was unneccessary to
>say (type) this again: I am ONLY referring to cracking machines that ONE
>IS NOT RESPONSIBLE for. Given your tendency to exaggerate and misrepresent
>I will be more careful in the future. Of course a sysadmin can probe the
>security of his/her machine, but he/she has no such privelages for the
Why? My contract doesnt specifically say that. Does yours?
Neither does mine specifically say I cant check other machines in the
company. Does yours?
Roger Espel Llima
>Jeffrey Kegler wrote:
>
>> Your position comes down to this: "Every good sysadmin is a criminal,
>> and may be rendered a felon when it amuses his employer or the local
>> D.A. so to do."
>
>best interest. Even persons whose job is explicitly defined as
>including a role in security may check to see that the doors are
>locked, but don't always attempt to pick those locks.
Which is why so many locks can still be picked (not that I've checked
personally :-), after the technique for picking them has been known
for decades.
> Security, like
>quality, isn't assured by testing for it (or the lack of it) -- it's
>the product of a disciplined process.
In a well-designed system, it is, but not all systems are well designed,
and the administrator (who has to care about security) isn't always the
one who can change the design or the desciplined process behind it.
Testing is a very important part of any real-world security policy.
>And remember, regarding the law -- you may regard it as an amusing
>fiction until someone else's fantasy becomes your reality. That's the
>lesson here. The programmer's cult isn't full of well-socialized
>individuals.
I think the issue there is mosly one of technical means of protection
vs. human (social and legal) ones. The position that the
"hacker"/programmer/whatever community is defending (and that I agree
with) is that technical access control should reflect as much as
possible your actual rights, and that actively testing these protections
or finding technical ways to circumvent them should at worst be
considered a minor fault as long as no harm is done or proven to be
intended.
The alternative (with computers, networks, as well as many aspects of
'real life' that are not related to computers) is, IMO, a world of false
security in which the only real deterrent is fear of punishment, but
where breaching security is actually easy for those who have strong
enough reasons to.
But then, isn't our world like this already?
--
e-mail: roger.es...@ens.fr IRC: orabidoo
"You don't possess me, don't impress me, just upset my mind
Can't instruct me or conduct me, just use up my time" -King Crimson
Cor Bosman
Ofcourse not, but I sure hope there is a difference between walking up
to your wife's lover and shooting his head off with a shotgun or
running your bike into a pedestrian during major fog who then dies of
the consequences.
van...@wimsey.com
>In article <adtDKs...@netcom.com>, Anthony D. Tribelli wrote:
>>With respect to cracking passwords I think it is appropriate to make the
>>act a criminal violation.
>Cracking passwords, as my "Why care?" document explained, and most
>sysadmins will already known, is standard maintenance. CERT makes Crack
>publicly available. The URL is ftp://cert.org/pub/tools/crack/.
I'm sure I will be corrected if I am wrong, but my recollection from
the original spat of posts on this subject has the senario running something
like this:
Mr Schwartz runs Crack on a machine he was an authorized user of and
breaks a password of one of the users (as I recall there was some dispute about
whether he was at that time a sysadmin on the orginal system, but he was at
least an authorized user). This user has an account (with the same password)
on a machine in another area of Intel (where Mr Schwartz does not have an
account at least at this time, and is not, again at this time the system
administrator, although he had been in the past). Mr Schwartz uses the account
and broken password to access this new machine (which in Canada would be a
criminal act) and transfers a copy of its password file to the machine he did
have an account on.
While I am not a lawyer, I doubt that cracking a password file (without
using the data so obtained in any way) would be considered illegal here. The
theory that Crack constitutes "burglery tools" was tried on for size, but a
police officer pointed out that "burglery tools" are specifically defined in
the criminal code, and Crack isn't one of them. However an access to a computer
using an account name and password that were not issued to you would be and has
been the basis of at least two successful prosecutions here).
Cor Bosman
>Cor Bosman (c...@xs4all.nl) wrote:
>: >He is the victim of his own actions. Perhaps Intel overreacted, but he
>: >provoked the incident through irresponsible misconduct.
>: He is a victim of trying too hard...
>To amuse himself, to impress others, to be a hero? If he was truly working
>on behalf of Intel, wouldn't he have told someone at Intel what he was
>doing? Afraid he wouldn't get his credit or glory?
To me it seems like he just didn't know it was such a big deal for Intel.
To me it seems he had no intent to destroy or spy on anything.
It looks as if he made an error in judgement. A mistake I could have
made. Maybe you too. It's so easy to judge someone after the fact.
I definately don't believe he deserved the current harsh sentence,
and I blame Intel for it.
>Remember, all he had to do was send an email to a sysadmin. Why was it
>necessary for him to crack these machines without anyone else's knowledge?
Maybe because he thought they'd appreciate it without thinking deeper
about it. Happens sometimes.
>It is a bit of an assumption that his actions would have ultimately
>benefitted the company. He could have easily shown management the
>problems he found or he just as easily could have memorized some
>passwords and given them to competitors. He may have actually had the
>more honorable intentions, but why should Intel make that assumption?
Could have would have should have. He made a judgement error, which to
me doesn't seem to warrant his punishment. If Intel would have had
any good competitors I would have bought those instead now.
And where comes this idea that it suddenly is ok to run crack on the
system you DO manage? My contract doesn't say 'he may run crack'.
(hypothetical, since I'm in the daily management anyways :)
And indeed, if your boss would suddenly get pissed at you, who says
he won't burn you to a crisp too because you ran crack without
authorization?
I've always assumed a sysadmin can do what he thinks necessary for the
benefit of the company. Now I am not so sure anymore.
Bill Strahm
jef...@algor2.algorists.com (Jeffrey Kegler) wrote:
>In article <adtDKo...@netcom.com>, Anthony D. Tribelli wrote:
>>Could you clarify this, where do you draw the line on unacceptable
>>behaviour?
>
>There have to be several lines. Unacceptable to Intel should not
>necessarily always mean unacceptable to society. In allowing Intel to
>define acceptable behavior in its workplace I go as far as anyone can
>go. It's easy since I am not likely to ever work there :-). Punishment
>as felons, however, must be reserved for those who engage in behavior
>extremely dangerous to society.
>
>We have come very far from being a free society when we allow any
>infraction whatsoever of Intel's work rules to make one a felon. It
>sounds at times like people are defending such a state of affairs and I
>cannot believe what I hear (read?).
>
I have a hard time with this arguement. Ok I make it a rule that you can't
steal from my bussiness, if I catch you stealing from my bussiness then I
should only be able to fire you ???
I don't think so. There is a clear law that says stealing of computing
resources is a crime also. Randall to the best of my knowledge was attempting
to steal computer resources ( passwords ) and he didn't have the authorization
to do this ( there is an arguement that says that sysadmins need to do this as
a part of a security audit ). He was told not to do this then he was caught
doing it, how is Intel supposed to determine that his motives were pure or
not, heck the best crimes are committed right out in the open
Bill Strahm
Andrew Molitor
I am not convinced that it has anything to do with the content of that
group any more, and it seems to have degenerated to a flame war in which
the lies cannot be distinguished, by an outside observer, from the truth.
Andrew
IAN = I Am Nuts!
: In <adtDKr...@netcom.com> a...@netcom.com (Anthony D. Tribelli) writes:
: >Cor Bosman (c...@xs4all.nl) wrote:
: >: to leave now would it...
: >Except a jury of citizens, not the state decided guilt. And where the hell
: >did the threat of Intel leaving the state come from?
: He is of course overstating. However, whom would you believe if your
: knowledge of computing were minimal- a large company which is known
: world wide for its computer expertise, and is lauded in the press as one
: of Oregons and the USA's great companies, or some individual who admits
: to carrying out tasks that you have read that crackers also carry out-
: where Intel denies giveing authorisation, while the person claims he had
: it, where the judge orders the jury to interpret the law in ints boadest
: possible sense. The outcome is not surprising, but it is nevertheless
: very disturbing.
: --
: Bill Unruh
: un...@physics.ubc.ca
Correction. Intel is not yet known for its computing rather than its
computing component technologies ans supporting peripherals.
--
~~~~~~~~~~~~~~~~~~~~~~
Ian Goh C M
ian...@teleview.com.sg
Cor Bosman
>William Unruh (un...@physics.ubc.ca) wrote:
>: >IMHO, common sense says you should not be cracking passwords on machines
>: >you are not responsible for. Lack of common sense or lack of good
>: >judgement has never been an acceptable defense for criminal activity.
>: Nor is lack of common sense a criminal state. The question here is of
>: authorisation. Randell felt he had authorisation. Intel felt he did
>: not...
>Misunderstanding is not a defense either.
Why not? I would surely hope the american justice system differentiates
between intent and accidents.
Cor
Anthony D. Tribelli
: >And where the hell
: >did the threat of Intel leaving the state come from?
: It can be much more subtle than that. A slight adjustment of
: Intel's work force between New Mexico and Oregon could ...
I repeat, was any such direct or indirect threat actually made? Or is
this fantasy?
BTW, could such a threat be considered jury tampering or obstruction of
justice?
: The extent of Intel's influence is shown by the _Oregonian_, which is
: out of the County, and on whom Intel's influence is much more dilute
: than on the Washington County court...
And how is Intel controlling this newspaper? Again, is this pure fantasy?
William Unruh
>If the door is locked and I pick the lock, equivalent to running crack, I
>am doing something illegal.
Even if you open an unlocked door, you can be argued to be doing
something illegal.
The law states that the actions are a crime only if, beyond any
reasonable doubt, the authorisation does not exist. Misunderstanding on
authorisation can be defense.
--
Bill Unruh
un...@physics.ubc.ca
William Unruh
>I would argue that cracking passwords is an illegal act under most
>circumstances, it is not a benign act that coincidentally facilitated the
Under which act is "cracking a password" illegal, and what circumstances
does that act allow it? Your opinions of illegality are fortunately
irrelevant. Give us the law!
--
Bill Unruh
un...@physics.ubc.ca
Michael Sierchio
> Your position comes down to this: "Every good sysadmin is a criminal,
> and may be rendered a felon when it amuses his employer or the local
> D.A. so to do."
Rattling the knobs to see which doors open isn't always in *anyone's*
best interest. Even persons whose job is explicitly defined as
including a role in security may check to see that the doors are
locked, but don't always attempt to pick those locks. Security, like
quality, isn't assured by testing for it (or the lack of it) -- it's
the product of a disciplined process.
And remember, regarding the law -- you may regard it as an amusing
Ram Samudrala
>Ram Samudrala (r...@mbisgi.umd.edu) wrote:
>: >Cracking passwords is a behaviour that can be part of industrial
>: >espionage and other white-collar crimes that may lead to huge
>: >finanical losses.
>: Schwartz, as far as I know, wasn't charged for "industrial espionage".
>: As such, your point is only detracting from the argument.
>I wasn't making an accusation. I was explaining why cracking passwords is
>considered a serious enough offense to be considered a felony.
My statement still holds. "Cracking passwords" == "felony" (which is
what you're literally stating, since you don't even allow a "may") is
non-pithy. Cracking passwords for what? If tomorrow the FBI cracks
passwords to find the Unabomber, is it a felony? If I crack
passwords on my Linux box for the fun of it, is it a felony? I
think the relevant issue is what was done with the cracked passwords.
--Ram
Your shadow, the white one, who you cannot accept and who will never
forget you --- Rolf Jacobson
William Unruh
>I am not a lawyer, but I believe our justice system is basically fact
>based. First it is established that a crime has been committed, then it is
>determined if a person committed the crime, then intentions may be used to
>determine the degree of the crime and the punishment. Intent does not
>nullify the fact that a crime was committed.
Soory but no. The justice system works by defining the commision of
certain acts as crimes. It then proceeds to ask whether or not the
specific person before the court commited those acts. Thos acts in
general have to be willful, and made in a state in which the person
could understand the consequenses of those actions.
The death of a person by another person can be illegal or it can
perfectly legal. In these laws the presence of "authorisation" can make
illegal actions legal. Furthermore, the person themselves must be aware
of the lack of authorisation. Reasonable doubt means that the person is
innocent, not guilty. Especially in an employee, the authorisation is
usually assumed unless it can be shown beyond a reasonable doubt that it
is not authorised. That is the legal system. Only specific people can
commit crime, and intent plays a large roll in whether or not they did
commit a crime.
--
Bill Unruh
un...@physics.ubc.ca
William Unruh
>and broken password to access this new machine (which in Canada would be a
>criminal act) and transfers a copy of its password file to the machine he did
As I have repeatedly pointed out here, in Canada, ANY use of any
computer could be cosidered a criminal act under the Computer Mischief
law- authorisation is irrelevant under the words of the act.
--
Bill Unruh
un...@physics.ubc.ca