Closing Statement by Mr. Thomas J. Tintera, for the State of Oregon 25 July 1995 ------------- MR. TINTERA: Thank you, Judge. Good morning. We have been here, this is week three, and at the start of this case, we had people who knew nothing about computers, it was a new area to them, and some people that had some knowledge, and hopefully, although it's difficult to know, through the course of this trial, you've all followed along through the concept of what we have been talking about and received a bit of an education about how computers work, what's appropriate, what's inappropriate, how people use them in their work, how Intel, as a corporation, uses computers, and the people that work there and how they use them. At this point in the trial, each counsel has an opportunity to speak to you both about what the charges are in particular and how the law or the facts apply to those charges. You, as a jury, are the people that determine what the facts are. That is part of your job. You do it by looking at the witnesses, deciding who you can and who you can't believe. That's a judgment. We all like to think that when people raise their right hand and swear to tell you the truth, that they're going to do that. That may not be true. That may not be accurate. Some people may -- for their own reasons or motives may not do that. That's part of your job. You're not to look into the future and say what will happen, you're to look in the past and tell us what you think has occurred. That's your job. As a part of that, there is a tendency to say, "What's going to happen if I do this?" You can't do that. You have to look at what happened in 1993. There is nothing we can do to change it and we let the chips fall where they may. People have to be accountable for their behavior. I'd like to go over the charges with you. This chart doesn't stand up very well, so I have to use this. There are three counts that are alleged. Count 1, this is the Gate script that we have been talking about, and what Count 1 says, between the dates of November 1st, 1992, November 1st, 1993 -- and this is, it also includes the defendant, Randal Schwartz, in Washington County, Oregon, did he knowingly, was he aware of his conduct, did he know what he was doing and without authorization alter a computer or computer network, Mink and Brillig? That's in its bare essence. So although this trial is laced with computer terminology, it really is a simple concept. Did -- by the installation on Mink and Brillig, did Mr. Schwartz knowingly and without authorization alter those computers? Obviously, the keys are -- MR. SUSSMAN: Mr. Tintera, would you mind moving that back a bit? Thank you. THE COURT: Can you all see there? MR. TINTERA: -- without authorization. Because as we know, the term "alter," we have heard talk about, well, if you typed in your name, wouldn't that alter a computer? Sure, it would. But the point is, that's with authorization because that's how Intel gets their work done. Whatever they are doing with those 3,000 computers that they have at Hawthorn Farms, the "with authorization" is doing the work. The altering that we're talking about is without authorization. That's what we're talking about. Did he alter a computer beyond the policies of the Intel Corporation? I'm not going to go into all the facts that established these counts right now, but the second count involves between the timeframe of August 1st, 1993 and November 1st, 1993, did the defendant, in Washington County, Oregon, knowingly access or use as a computer or computer system for the purpose of theft? And that specifically references the Supercomputer Division or SSD passwords file. Did he knowingly know what he was doing, access or use the computer system for the purpose of committing theft? And our last count is really an extension of the theft of the Supercomputer Division file and involves the same elements, knowingly accessed or used a computer or computer system for the purpose of committing theft of the individual users' passwords. So this count is taking the Supercomputer Division password file and this is -- Count 3 is running Crack against the Supercomputer password file to take the individual users' passwords. So through the trial, as I tried to explain to you in my opening statement, we talked about did he have authorization? Did he know it was within Intel's policies? In fact, many of the people from Intel that were here, supervisor, all of them were produced to establish one thing, that he was never authorized to copy the Supercomputer Division password file and he was never authorized to put in a gate program on any of the computers, Mink or Brillig, that no one in a position of authority gave him that right, privilege, whatever you want to call it. What happened was, Mr. Schwartz, because of his expertise and special knowledge with computers, granted himself a special privilege for computers. In spite of what he knew to be Intel's policy, he granted himself the special privilege because of his special knowledge of one, taking, stealing the SSD password file. He didn't have a right to it. He knew that. He essentially told you that. Running Crack against it, we'll get into his own particular purposes. But he said they were for his own purposes. He converted it to his own use, not for Intel's use, and he put this Gate program on because it was easier for him. That's the way he wanted to do it. That's what he wanted to do. But the fact of the matter is, he's getting paid $45 an hour by the Intel Corporation and part of his responsibilities is to follow the rules. If he is not happy with the way that he gets his e-mail, then don't work there. Intel, as a corporation, has a right to set their own security policies. As Mr. Cower told you, it is a risk that Intel is not willing to accept to have an incoming connection through their fire wall and that is a decision that Intel is entitled to make, not Mr. Schwartz. Now, what does "theft" mean? The definitions of theft -- ignore this one, "conceal," for the time being. "Theft" means to appropriate property of another to oneself. Theft, as all of our laws, have evolved over time. Part of the rules of society before we had legislatures, before we had formalized rules, there was understandings of groups of people that you just don't do certain things. And those understandings eventually have been codified into law. You don't take your neighbor's food or whatever. You just don't -- there are certain things that we know. We know that in the computer industry, there are certain things that people that work in computers know. It's that sense of trust that eventually gets translated into a criminal charge by the Legislature. So they put in there that you can't go into your neighbor's house and steal the TV. We all know that. Just as Mr. Schwartz knew he couldn't go into the Supercomputer Division and take their password file. So what does appropriate property to another -- of another to oneself, to exercise control over property of another under such circumstances as to acquire the major portion of the economic value or benefit of such property? Well, with a password file, what's the benefit of an encrypted password file? One, it's supposed to stay in the Supercomputer Division, not supposed to be copied over to his particular computer. But the benefit of the file is that it stays where it is. It is of limited access, in spite of what Mr. Mayer said, that this is a public access. It is public for the authorized users. Mr. Schwartz was not an authorized user. When you look at, as Mr. Schwartz surely must have, State's Exhibit No. 26 is a readout of the passwords on May -- September 24th, and it shows which ones are working and which ones aren't. And Mr. Schwartz marked this one with this red arrow as his, and right at the end in capital letters, is "disabled." This is the response to his inquiry into the Supercomputer Division password file, his user name is disabled. He knew that, but just in case he'd forgotten, it's right here on his computer screen. And it goes back to October 21st and on October 6, "disabled." So he clearly knew that he wasn't to be appropriating that particular property to himself. And the question, does that deprive from the rightful owner, the Intel Corporation, the benefit of the property? Well, we also know that based on his actions to put back what he had done, as Mr. Cower said, it cost the Intel Corporation over $60,000 to fix this, to place their security back where it was supposed to be in the first place before Mr. Schwartz meddled with it. Deprive another of property, to withhold the property of another under such circumstances that the major portion of its economic value or benefit is lost. Count 3, when we were asked after the Crack program had run on the Supercomputer password file what value did those passwords have, well, since they were compromised, they had no value and the defendant demonstrated that by his use of Ron B to go into the Supercomputer Division and steal the password files. As he said himself -- and when you evaluate a witness' testimony, you can evaluate how they testify and who they would answer questions for and who they would not answer questions for. That's a legitimate inquiry for you. And did you notice any differences between how Mr. Schwartz talked to you when he testified -- when Mr. Sussman was following their questions and when I asked him questions? Now, admittedly, I'm fairly close to the facts of this case and sometimes it's difficult for me to get the proper perspective, and that's why I rely on you. But it seemed that when he was answering questions from his attorney, he would look to you and he would gesture and he would just talk. But when he -- when I asked him questions, well, either he didn't answer the question, but he certainly was not interacting with you in the same way. **(ck) But look at all the other witnesses. Was there any other witnesses -- even Lou Poehlitz, frankly, I didn't understand much of what he said, he wasn't trying to hide anything. He was answering the questions as every witness except Mr. Schwartz, appeared to answer every question as best they could. You can look at that in assessing his testimony as to whether it should be given any weight or not, and that's a judgment call that you can make. So what we're talking about in regard to the theft definition, did he appropriate property to himself and gain, acquire the benefit of such property? And did he deprive another? Well, you're going to hear the Supercomputer Division password file was right where it was supposed to be, it was still over in the Supercomputer Division. But the point is, it was not secure because he had violated a position of trust to use the Ron B password to go in there when his account had been disabled, to take it, and that compromised the security that the Intel Corporation had and that's what we're talking about in Counts 2 and 3. Now, when we're talking about various statements, you'll be hearing instructions about the defendant's statements and this is an area that we need to be careful on. This is an area that the Judge will tell you that you need to make sure that the defendant made the statement and clearly expressed what he intended to say. "Did the witness correctly hear and understand what the defendant said? Did the witness correctly relate what the defendant said? And did the witness intentionally or mistakenly alter the words used by used by the defendant, thereby changing the meaning?" So you want to look carefully at what he said, and rightly so. And let's look at November 1st, 1993, when the facts were fresh in Mr. Schwartz's mind. He was talked to by the police, advised of his constitutional rights, told he didn't have to say anything. He cooperated with the police and answered their questions. He talked to three different people, and each of them testified to you as to what he what he said, and there is a common thread. Mr. Lazenby spoke to him first, and that was alone. And Mr. Lazenby, in quotes, because the statement impressed him, he wrote it down, he quoted it, made a report out of it, and in quotes, the defendant told Paul Lazenby after he knew what they were there for, talking about his crack activities, deciphering passwords, talking about the gate program, he told him, "I needed them" -- by "them" he's referencing the passwords -- "in case they caught me doing it and knew they would shut me down. So the more passwords I had, the longer I could continue doing what I wanted to do." Special knowledge, he granted himself a special privilege because he was very smart with computers. He decided that he knew what was best for the Intel Corporation, in spite of what they had told him repeatedly, that they found to be an unacceptable security risk. He told Paul Lazenby on November 1st, "I needed the passwords in case they caught me doing it and they would shut me down. So the more passwords I had, the longer I could continue to do what I wanted to do." He said he had the capability to do it and he knew he could do it. Asked if it was wrong and if he knew it violated Intel's policy, in quotes, "Yes, it is, but I knew I could do it anyway." That arrogance is what brings him here today. If he is working for a corporation, the laws of this state essentially say without authorization, you cannot do certain things. If he is not willing to follow their policies and rules in the laws of this state, then he will either be terminated, but if he's going to be accepting the $45 an hour, then he's got to follow their rules. They set the rules and if it's an unacceptable security risk to have an incoming gate and the fact of whether it's secure or not, although we have spent a lot of time talking about it, is really a false issue. It's a red herring in this case because it doesn't matter if it was secure at all. What matters is whether it was there or not and whether the defendant put it there. What we're talking about is not whether it was secure. Intel policy is that it's not to be there. He works for Intel, he's required to follow the policy. So the question is, does he know that policy? Let's look at what he told Jim Lilley. Defendant admits to gate and that it violated Intel policy and was technically illegal. Defendant said he knew this. In regard to the Crack program, defendant initially says for security, but he knew his activities were against Intel policy and technically illegal and he did it to enable continued access to the Supercomputer Division. What he told Rich Cower, that he said he knew gate and cracking against Intel policy. He worried that gate would be found and he needed the passwords so he would have another computer to land the gate on. So of all the password files that were available to him in the Intel Corporation, he says he was just testing out the Snoopy computer, but we know he had what is called root access and System Administrator duties on ***programs of the Domain Name Service, Clayton Kirkwood and Bob Wilcox, the thing that changes Mink into numbers, that's how I look at it, and he could have copied password files to them from there to run on this. But why would the Supercomputer Division password file be important to him in regard to the gate program? Well, we heard from Dirk Brandewie that there were nine or so computers at this time that allowed Internet access, Mink being one of them. Except for Super -- the SSD area, that area was rich with computers that allowed Internet access, and that is why he chose that password file; not for Intel security, but so that he could get their password file because those machines that he would then have access to would allow him to place the gate there because they had the Internet access. That's why he chose Supercomputer Division over the Domain Name Server password file. There was a specific intent in his actions and it was to breach security, violate the position of trust and go into the Supercomputer Division. So he had already been closed out of Mink. When they caught him on Brillig, he wanted to have his rich access area to put on his gate program. Let's talk about Count 1. "Knowingly and without authorization." The State has proven this to you beyond a reasonable doubt three different ways, four if you count the defendant's system, one of which, I don't know if you notice, was not apparent when we started trial. The first one was Seth Bradley. Let me get my dates correct. I know people have been a little loose with them. In the fall of 1991, Seth Bradley talked about a two-way door that had been set up by the defendant in regard to Carnegie Mellon. Seth Bradley was his supervisor. In the fall of 1991, he told you that he found that gate, found out about it, and he knew it violated Intel's policy. You'll hear a lot about independent contractors don't have -- they can do whatever they can do to get the job done, they don't know policy, but Seth Bradley said that wasn't exactly true. He said, "We went over policy. I talked to him about policy. He knew what the policies were." That makes sense because how can someone administer other computers in IWARP without knowing what the marching orders are from the Intel Corporation? So when he was a Systems Administrator at IWARP, the only way he could do that job was to know what the policies were of the corporation so that he could help with their individual computers, could follow that. He knew what the policy was. That's another thing that is not correct, that he didn't know -- after 17 years with various companies, he didn't know the policies of a company that he works for? He knows. Once he granted himself that special license because of that special knowledge, he feels he can ignore them because he's Randal Schwartz and he could do whatever he wants, in spite of whatever Intel may feel is security appropriate for them. So Seth Bradley finds out about the gate program in IWARP. He said no -- I asked him, "You sat down Mr. Schwartz, didn't you, and made it clear in no uncertain terms that this violated Intel policy?" His answer, "Yes." Right then and there Count 1 is established. Is there any doubt that that happened in your mind? Is there any doubt that his supervisor sat him down and told him in no uncertain terms that Intel policy does not permit inbound connections? Okay. That's how we prove Count 1 beyond a reasonable doubt. The second time we prove Count 1 beyond a reasonable doubt happened in March of 1993, and that's when Dirk Brandewie, who administers the Mink computer, found the process running that he wasn't familiar on. He was the Systems Administrator for that computer and he found the door program. That was a two-way Telnet. I'm not very good with these terms so if I'm wrong, rely on your own recollection, but as I look it, it was a two-way door on his Mink computer that was one of the ones that allow Internet access to go outside. The ones with the tags on them, you get to take back to the jury room, by the way. This is what John Kent -- and you'll have the nice glossy copies in there with you. Anyway, this is what John Kent did. It kind of demonstrates the two-way door. So what Dirk found, the two-way door, and goes to Mr. Schwartz and says, "Hey, we can't have the incoming part. We can't have that. Intel policy does not permit the incoming part of this program that you put in. You need to put blocks on it." He says, "Okay." He put blocks on it. And the blocks meant you couldn't come in from the outside through the fire wall into Intel and consistent with their policy. He was told that and how do we know he was told that? Because he did it. He put the blocks there like he was told to conform with Intel's policy. And he did it. It wasn't good enough for him. He just couldn't wait to get home to get his mail, so it wasn't good enough for him. So he tried another computer and that was too slow for him. Then he went back to Mink and took off the blocks and was caught in July of 1993. And that's the third way we have proven Count 1 beyond a reasonable doubt. He's confronted again. And in case you think Dirk Brandewie wasn't telling you the truth, we had Mark Morrissey say, "Yeah, we both confronted him and told him what the policy was and you can't have an inbound connection." Rightly or wrongly, Intel gets to set that policy. It's an unacceptable security risk for them. End of sentence. Period. And it was told over and over and over to Mr. Schwartz and he didn't want to do it. If he didn't want to do it, he should have quit. Don't take their money any more and go somewhere else where you can do whatever you wanted to do. But when he agrees to take their money, he agrees to stay within the corporate policy, and his actions are unauthorized if he goes beyond that. And he was told over and over again, but he just didn't want to do it. He wanted to do it his own way with that special license and privilege he granted himself. So he -- again, in July of 1993, Dirk Brandewie confronts Mr. Schwartz and says, "The blocks are gone. I told you the blocks had to be there." It is now a two-way gate again. Then he says, "If you want this, get security clearance, get something in writing where somebody will allow you to do this." Now, Mr. Schwartz knew that before when Seth Bradley authorized him to change that so that at IWARP -- so it would be outside the fire wall to allow that access under very limited circumstances with Carnegie Mellon, and that was put outside of the fire wall. But Brillig wasn't outside the fire wall and neither was Mink. So he knew what the process was. You could get a supervisor to okay this, but he didn't want to. As he said, it was going to take him too much time. But he was told right then and there, "If you want to have this, get somebody from security to write off on it and I'll let you do it." He didn't do that. He said, "Just close my account." And then what did he do? He went from Brillig or Mink, he took the same gate program, knowing that it was unacceptable to Intel's policy, and put it on the Brillig machine. And if you're not convinced yet, there is really not much more I can say to you, but I'll just throw in for the thought processes, that he did have an inkling of how Intel thought, what Intel thought would be appropriate for access through their fire wall, and that's called the Defender System, a system that Mark Morrissey told you told you he never used, but it was there and that is the way Intel will allow inbound connections through their system with their security within their corporate policy which they are entitled to set. He had an account there. He could have used it. He didn't use it. He wanted to do it his own way with his own license that he granted himself. It is without authorization, it is knowingly, and it is a crime in this state. The Legislature has said without authorization, if you alter a computer, Mink and Brillig, you are guilty of computer crime, and that is Count 1. It is proven to you three separate ways beyond a reasonable doubt. Reasonable doubt. As intelligent people, we can all come up with alternative scenarios for anything. That's why when the founding fathers came up with this standard, they said when 12 reasonable people reach a reasonable result based on the facts before them. And I'd submit to you that count has been established beyond a reasonable doubt. Let's talk about the crack he says in the password file, Counts 2 and 3, they are interrelated. They stand alone in that they each involve different aspects and they kind of help you decide or look at -- I don't have this all filled up, by the way, this is not going to take all that long, but let's look at what he said in regard to taking the supercomputer password file. He said he did it for security reasons. He said he did it for other reasons also, those were his personal reasons. But, what do we know about his explanation? We know at that period of time the only place he's a Systems Administrator at all is on the Domain Name Service, the DNS service, with either Bob Wilcox or Clayton Kirkwood. And we also know that the Domain Name Service is a service that involves changing numbers to words, as I understand it. That is the only place that he administers a system. He has been taken away the Systems Administrators duties in Bob Wilcox's group except for the Domain Name Server in July of 1993 by Mark Morrissey. He no longer works for IWARP. He never had any security obligations in SSD, according to John Gray, and he was never a Systems Administrator there, only with IWARP, but his contract is over there. And I can say this now, I practiced it last night, the test ***aTom TROPB program was over in the spring of 1993, so that is over. He has no legitimate reason to be on the Brillig system. He's not there to work on a contract. He is there for his own purposes, his own purposes. How do we know that? One, he cracks their password file. Now, we know that he knew how to set up an automatic program to notify any person that had a faulty password that would automatically send them a message saying, "Hey, boy, so, you're using a stupid -- or a password that can be cracked by my program. Fix it." Because he did that at IWARP. He knew how to do it and he did it. Did he do that in this case? If this was done for security, as even his own expert said, the Crack program has no security benefit at all if you don't notify the person whose password you've cracked that there is a problem. It has no security benefit if you don't tell the person. None at all. But he also said, if a person is doing it for his own reasons, he would never notify the person that the password is cracked because then they'd fix it. So he goes into Brillig, the account should have been closed on Brillig, we know that, it was an oversight, and he looks at the password file. But he does more than that. He copies it over to his machine. Exactly what Mr. Johnson- Laird said a person that was wanting to do mischief or use their own purposes would do, they'd get it away from there. And then he ran the Crack program against it, compromised passwords, notified no one. Now, defense counsel in his opening statement said this all started on October 21st, but we know that's not true. We know, based on the defendant's own laws, that this started -- well, we don't know when it started, but we can show you that it at least was going on September 24th. These are the Crack logs. So we know on at least September 24th, that this was started. On State's 23, we see on September 24th at 14:31 the password file from Brillig was entered into the defendant's directory into the "play" CR and then the name of it, password Brillig. A few minutes later, 21 minutes later, the Supercomputer Division password file is entered onto the defendant -- and this is September 24th, is entered into the defendant's directory over at Hawthorn Farms from Cornell Oaks. He's admitted to you that he violated the position of trust and uses someone else's password to steal them from the SSD. He was not a Systems Administrator there. His accounts were disabled there. He knew that. He said he -- he had to know that. He said he knew he wasn't supposed to be using Ron B password file. He was disabled there. He had no business there. He was trespassing in an area that he had no right to be in. He was doing it for his own personal reasons. If he was doing it for security, then when he ran the Crack program, he would have notified someone. He said his other reason for doing that was that -- if you look at what he told the police, it was right here, "I needed the passwords in case they caught me doing it and I needed someplace to land the gate." Right here is why he was doing it back in November 1st when everything was fresh. Now, he says he doesn't remember anything that he told the police, or doesn't remember that, but it's uncontroverted what these policemen said. And Mr. Cower is not a policeman, but he remembers. He was concerned about Intel and their vulnerability because these passwords had been taken and cracked. He was concerned about that. That was his primary concern. But the defendant knew he wasn't supposed to be in that account. He knew it. Because he's using someone else's password to get there. But he says in his initial testimony that, "Hey, I was only doing it -- I wanted to show them that this could be cracked and I wanted to show them how quickly it could be." That's why he said he was waiting until the end of this program or moved it from Wyeth over to Snoopy. But that's not true, and I'll tell you why. On October 21st, he recopied the password file from the Supercomputer Division. Now, if all he was doing is time trials, why does he need a new password file? You would keep the old password file and do a time trial on it. It would make no sense to get a new password file to do your time trial, but it would make sense if you waited about a month to get a new password file to find out if anybody changed this. To find out if people had been changing their passwords. As the policy manuals will tell you, people are to change their passwords at least every three months. So if his private purpose for getting that password file is to use it in case this gate is discovered on Brillig to find -- to find another computer, he has to update that password file and keep on cracking it, which he was doing, which he was caught on October 28th, keep on cracking it to make sure that when those passwords are changed, he can still access the system. He's not doing this for time trials. He's doing it for his own purpose and that he wants to be able to put that gate where he wants to put it, because he's granted himself this license to do it because of his special knowledge. That's why he was doing it. There is no reason in the world for him to recopy this file if he's doing time trials. How do we know it's recopied? It's a different size. These numbers on September 24th, 54,303. Those are characters, those are like -- it could be fifty-four hundred three and three-eighths, but they are called bytes, so they are just like -- anyway, and it's larger on October 21st. It's 56,147, two different files. This isn't time trials. This is his own purpose. He was copying this for his own particular purpose. I cannot show you that in the 21 minutes between when he copied the password file for the Brillig machine that he ran Crack on it and then copied the password file. He may have done that earlier and was just updating the records. I can't show you that. So when it comes down to it, Count 1, which is establishing the gate program on Mink and Brillig, has been proven beyond a reasonable doubt three separate ways. And I'd ask you on Counts 2 and 3 to use your common sense when you look at what he did. It's a common excuse to say, "I was doing it for security." Do we believe that? Does his behavior, what we can see, lead you to conclude that he was doing it for security reasons in a system he had no access to, he was disabled from? He knew he had no business there. He had to use someone else's password to get there. He copies the file away from there so he can run Crack against it and he tells the police, "I'm doing it, I know it violates Intel's policy, I know it violates the law." But what does he tell Paul Lazenby? In quotes, "but I knew I could do it anyway." That's the essence of this case. I will not dispute to you that Randal Schwartz is a computer -- is facile with computers and knows how to use that medium. But when you take the king's gold ***to to the rings gold you follow the king's rule or you don't work for the king. It's simple as that. He was told based on experience not to do it. He knew, based on his experience, that you don't use someone else's password. That's a breach of trust. All of our laws primarily, theft laws, are based on a breach of trust. You trust that the vehicle that you got here to the courthouse in will not be broken into while you're here and driven off. Now, there is no guarantee. In a perfect world, I suppose that wouldn't happen. That is part of our social agreement. Now, computer crime is a new crime. It's a new area. It's developing. But Randal Schwartz has been in it 17 years. He has been in it as a Systems Administrator and in security. He knows right from wrong. He basically told you that. And he violated law and violated Intel's policy and he knew this was wrong. He's asking you to ignore that and I'm asking you to hold him accountable for what he did and what has been proven here. You've taken an oath to follow the law. When we talked about the scales of justice with the blindfolds, the scales of justice don't say, "Well, geez, he's pretty smart in computers, give him a break." They don't say, "Geez, looks like a nice guy. Give him a break." Goes over the eyes. Passion, prejudice, sympathy, do not enter into the facts of what happened in September and October of 1993. You have to determine those facts and apply the law and justice ***is going to let people accept responsibility for what they have done. I'm asking you to hold Mr. Schwartz responsible for what he has done. Thank you.