[309] in linux-security and linux-alert archive

Perl guru Randal Schwartz convicted.

daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Mon Aug 7 19:40:19 1995

Date: Mon, 7 Aug 1995 19:25:17 -0400
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-security@tarsier.cv.nrao.edu

This is not directly related to Linux security, but I thought that it
would be of definite interest to those involved with system
administration and/or computer security, Linux or otherwise--primarily
as an example of what blunders it can be very dangerous to make.

The following is a direct quote from Randal Schwartz's legal-fund
mailbot.  For those that aren't familiar with who Randal is, he is the
author and coauthor of the O'Reilly books "Learning Perl" (the "llama
book") and "Programming Perl" (the "camel book"), respectively, and has
been one of the primary figures in the development of the Perl language.

This is not meant to be an editorial comment by either Olaf or me
regarding this case, nor is it intended to convey any personal opinions
from either of us.  I am posting Randal's own words, rather than the
media account(s), because his words, despite their understandable bias,
actually show some technical knowledge about the actions that led to his
conviction.

-----begin quote-----
[This message was generated automatically because you sent me mail
 containing @FUND on a line by itself, or sent mail to fund@stonehenge.com.
 I did not read the rest of your note -- merlyn]

On March 14th, 1994, I was indicted on three felony counts of Computer
Crime according to Oregon State Law.  The "victim" and accuser is
Intel Corporation (yes, the multinational microchip manufacturer), a
client of mine for five years running, and possessor of vastly greater
financial, time, and legal resources than I could ever muster up.

On July 25th, 1995, I was convicted of those same counts.  I'm
currently awaiting sentencing.  The sentencing hearing is scheduled
for September 11th.

The charges are as follows:

Count 1: altering without authorization two computer systems.

Counts 2 and 3: accessing a computer with intent to commit theft.

First, let me say that I am sorry that I caused Intel any grief or
hardship, and that in hindsight, I should have been clearer about my
intention and actions.  I'll never get to work at Intel again, and my
mistakes may even make it nearly impossible to get any work at any
location that respects Intel's beliefs about me.

However, my actions were motivated by my desire to give Intel the best
possible value for the money they were paying me.  At no time did I
*intend* to have any harm come to Intel, and any damage they may claim
resulted from their mopping up on things that I *might* have done but
they couldn't tell I hadn't.

In short, count 1 comes from me having installed two different methods
of accessing my Intel e-mail through the Internet while I was away but
still working for Intel.  I was responsible for the timely deployment
of the DNS servers for the entire corporation, and a system
administrator on some network support machines, and I wanted to keep
on top of developing situations.  I believed at the time that I was
complying with the intent of every rule I was aware of regarding the
setup of these access methods, but it became clear at the trial that
my understanding was very different from their understanding.

Count 1 is also based on a law about which we have raised
constitutional questions of overbreadth and vagueness.  We always
thought these issues would require appellate examination.

Counts 2 and 3, as I understand it, result from their claim that I
committed "theft" of a password file from the SSD division by
copying it to a machine in the HF division where I was working and
that by running crack (the password guesser) on the file, I also
committed "theft" of the passwords.  I was a sysadm for SSD about a
year and a half previous, and I still had an active account on a lab
machine at SSD.  I had discovered that a user at SSD had picked a
dictionary word ("deacon") for a password on the lab machine.
Fearing that the SSD folks had stopped running crack regularly, I
copied the SSD password file (using the cracked password from the lab
machine) and found that my fears were justified.  (The vice
president's password was "pre$ident", for example.) However, I now
had vital information that I had obtained through the use of a cracked
password, and I was in an awkward situation.  Before I reported the
findings to SSD, a co-worker noticed the crack runs (they were 6-8
days long!) running under my own userID on the systems that we shared
at HF, and feared the worst: that I had turned into a spy and was
actually stealing secrets.

Yes, as you can see, I made a number of bone-headed mistakes (not
getting the rules about internet access clear, not reporting the
single bad cracked password, and not immediately reporting the results
of the crack run), and I probably should have been terminated for
those mistakes, but NONE OF THE ACTS WERE BASED ON MALICIOUS INTENT.

I have fought the charges using money out of my pocket and
borrowed on credit cards, and the goodwill of many special Net
Citizens such as the folks at the Electronic Frontier Foundation.
-----end quote-----

A description of how to get more information/updates follows, as well as
a blurb on how to contribute to his legal defense fund; send e-mail to
fund@stonehenge.com for more information on this (I'm not posting it
here).

Schwartz faces likely jail time of 3-6 months, according to reports, as
well as possible restitution of $60,000 to Intel for "damages" (plus any
additional fines that the state may impose).  He has spent over $100,000
so far on his legal defense.

The "moral" of this story is obvious: Fooling around with computer
security within an organization, without explicit permission, can be
*very* dangerous (and expensive!)--even if your intentions are good (as
Randal claims that his were).  MAKE SURE YOU UNDERSTAND LOCAL POLICIES!

Followups on this subject to the Linux-security lists will not be
approved.  There is quite a debate regarding this case going on in the
USENET group misc.legal.computing that is raising all sorts of
interesting points; that is the proper forum for followups.

--Up.

-- 
Jeff Uphoff - systems/network admin.  |  juphoff@nrao.edu
National Radio Astronomy Observatory  |  jeff.uphoff@linux.org
Charlottesville, VA, USA              |  http://linux.nrao.edu/~juphoff/
