From: Jeffrey Kegler 
Subject: FAQ Version 4 - part 1
Date: Sun, 17 Sep 1995 00:11:12 -0700 (PDT)

                   OREGON V. SCHWARTZ FAQ (V4)

Disclaimer: It is possible, as I have gathered this material from
miscellaneous mailing list messages, news postings, and so forth,
that it contains errors of ascertainable fact or ascribes
statements to people who never made them.  I regret both deeply.
Please inform me of any such problems so I may correct them.

This version is almost completely changed from the previous.

Part 2 of FAQ
Part 3 of FAQ
Part 4 of FAQ


Q1. What is Oregon v. Schwartz?

The case in which Randal Schwartz was convicted on July 25, 1995 of
three computer crime felonies.  Its full name is "State of Oregon v.
Randal Schwartz" and it was Washington County Circuit Court Case No.
C94-0322CR.  One of the felonies was reduced to a misdemeanor on
sentencing.

Q2. Why the interest in Oregon v. Schwartz?

There are quite a few interesting aspects to this case.

1. Computer crime cases which come to trial are still somewhat
unusual.

2. The defendant: Randal Schwartz is the first wizard convicted of
cracking.  That is, he is the first prominent cracker who was already
prominent for legitimate reasons.

3. The circumstances: There appears to be no case made that Randal
was malicious, or had anything like what laymen recognize as criminal
intent.  The element of "personal gain" necessary for the theft counts
was supplied by Randal confessing he hoped what he did would make a
favorable impression on Intel.

4. The law: As the above would indicate, the laws, and the court's
interpretation of them, were very sweeping, and seem to criminalize
activity widely regarded as normal, helpful and even necessary.

5. The Internet security policy implications: In the Morris case, it
was clear the conviction strengthened computer security.  Here that
conclusion seems most dubious.

Q3. Who is Randal Schwartz?

Randal is perhaps Perl's number one fan.  His early and energetic
advocacy of Perl and his co-authorship with Larry Wall of that
language's most authoritative text have identified Randal with Perl so
thoroughly he is often mistakenly thought of as co-inventor of Perl.
(Larry Wall alone invented Perl.)  Randal is widely known through his
generosity in answering Perl questions on the net, and he is an
established and generally well liked personality on the Internet.
Randal is far from the stereotypical cracker.

Q4. What was count 1?

Knowingly and without authorization altering a computer network.
This refers to Randal installing gateway programs on two computers so
he could access Intel computers from a remote computer.

Q5. What was count 2?

Theft of a password file.  This consisted of copying it from one Intel
machine to another.

Q6. What was count 3?

Theft again, this time of individual passwords decrypted from that
same file.  Randal decrypted these passwords using crack.

Q7. What abbreviations and terms are used in this FAQ?

Mark Morrissey and Randal Schwartz are quoted and referred to so often
they are usually "Mark" and "Randal", respectively.  I am sometimes
"the FAQ keeper" and sometimes "JK".  SSD is Intel's Scalable Systems
Division.  "Report on a Security Incident at the Oregon Facility" by
Mark Morrissey, dated 11/3/1993, is usually referred to as "Mark's
Report".  The police reports by Officers Lilley and Lazenby of the
Washington County Sheriff's office are often referred to as "Lilley's
report" and "Lazenby's report".  In the who's who a number of acronyms
are used for Intel titles and organizations whose meaning the FAQ
keeper does not know.

Terms proved surprisingly difficult.  In addition to the well known
ambiguity in the term 'hacker', 'cracker' can either mean 'one who
runs crack' or 'a computer criminal'.  I have used the term 'wizard'
to be the equivalent of 'hacker' in the old and positive sense.  I
have used the verb 'attack' and the noun 'attacker' to mean 'hack or
crack with criminal intent'.

Square brackets enclose revisions to fit context and spelling
corrections.  (It's astonishing and disappointing how many people
cannot spell a good Irish name like O'Reilly.)

Q8. What were the incidents in this case?

Count 1 was three incidents of running gateway programs: a program
named 'door' on Mink, another program named 'gate' on Mink, and a
program named 'gate' on Brillig.  These are the Door on Mink Incident,
the Gate on Mink Incident and the Gate on Brillig Incident.  Counts 2
and 3 were due to running crack on a machine named snoopy.  This is
called the Crack on Snoopy Incident.  There was also a Door on Hermes
Incident for which there was no charge.

At the time and in the aftermath, Randal was accused of having a
history and pattern of attacking systems.  No prosecutions or
discipline ever resulted from any of these.  These are discussed as
the Tandem Incident, the Tektronix Incident, the ORA Incident and the
Teleport Incident.  As will be seen, "incident" is really too strong a
word for these, and the FAQ keeper would ignore these rumors were it
not that every one of them has been the basis of a publicly made
accusation against Randal.

Q9. What are the sources for this FAQ?

The primary sources for this FAQ are Mark Morrissey's postings and
E-mail, Mark's report to Intel, Randal's postings and E-mail, and two
police reports.

Mark discovered Crack on Snoopy and participated in a major way in all
the incidents which were the basis of the indictment.  The San Jose
Mercury News called him Randal's "chief accuser" (9/12/95, page 5G).
Surprisingly for a criminal case, his comments and Randal's differ on
no significant matter of fact.  In fact, all of the witnesses but two
largely agree.

The police reports stand by themselves and contain much not confirmed
elsewhere.  In particular, they contain a great many confessions by
Randal.  Being statements by Washington County law officers, these
reports may have had considerable influence with the jury.

Q10. What was the Door on Mink Incident?

The Door on Mink Incident is part of the basis for count 1.

Mark on fors-discuss@teleport.com (Tue, 15 Aug 95 10:18 PDT): "In
about March of 1993, Dirk and I confronted Randal after Dirk found a
program owned by Randal running on a machine named mink that would
allow incoming access to Intel from the Internet.  Dirk and I told
Randal quite clearly and very [ explicitly ] that access to Intel
networks from outside of Intel was a violation of Intel security
policy.  Randal seemed quite surprised and was very apologetic, so I
told him that we would handle the situation internally and not
involve Intel security.  Since Randal didn't seem to know the rules, I
made sure that he understood them and let him off with a warning.  I
informed Intel security that a possible security hole had been found
and resolved."

From Mark's Report: "About March of this year, Dirk Brandewie from ADL
noticed a long running process on a machine called mink, which Dirk
administers.  Dirk's investigation showed that this program was
accepting connections from outside of Intel.  The process and program
were owned by Randal Schwartz.  Dirk and Mark Morrissey confronted
Randal, who agreed to add code which would ensure that only
connections from within Intel would be accepted.  Dirk followed up to
ensure that the changes were made.  Rich Cower was advised at that
time that a security threat had been found and dealt with."

Q11. Why leave the 'Door on Mink' running at all?

Mark Morrissey responded on fors-discuss (Wed, 30 Aug 95 10:42 PDT):
"Randal told us that he used the program for making connections out
of Intel, which was the sole purpose for the existence of the machine
mink.  This explains why the gate program wasn't terminated."

Q12. What is in Det. Lilley's report about Door on Mink?

Lilley's Report: "Schwartz stated that he had been accessing Intel's
"MINK" system by a method known as "backdooring" until about April of
1993.  Again, he stated that this was in order to enable him to
receive electronic mail at his work station at Intel but at this
point, Schwartz admitted to me that while conducting this backdooring,
he knew it was against Intel policy and could possibly be considered a
criminal act.  Mr. Schwartz admitted to me that he was confronted by
Mark Morrissey and an Intel employee by the name of Dirk Brandewie and
advised that what he was doing was not permitted and that he was to
reinstall the appropriate gates to the "MINK" system to prevent
outside access.  Mr. Schwartz told me that he in fact did do that
[ ... ]"

Q13. What were the implications of the Door on Mink Incident for
authorization?

Mark: "Let me be very clear: Randal agreed to modify the program so
that it would not receive connections from IP addresses not in the
Intel domain.  Later checking by Dirk confirmed that Randal had
installed this block (at least, this is what Dirk told me)."

Mark: "Randal certainly understood that the problem was access to
Intel networks from outside of the company.  I made this very clear
and he assured me that he understood."

The implications of this incident for the future were to be quite
serious.  It seems that some form of entry by Randal was established
as unauthorized and a revised form as authorized.  Mark and others
have drawn as one of the major lessons of this affair that everyone
should have written authorization in these matters.  It is ironic,
then, that apparently none of this generated anything like a
contemporaneous written record, as far as the FAQ keeper is aware.

Q14. What was the Door on Hermes Incident?

Lazenby's Report: "Randal advised that he first had the 'GATE'
[ actually door - JK ] program on the 'MINK' computer a while back and
he was caught and confronted by supervisors.  Randal said he stopped
using 'MINK' and that he switched over 'GATE' to 'HERMES' and was
doing that but 'HERMES' was too slow so he went back to 'MINK' again.
He was caught again on 'MINK' so he switched 'GATE' over to
'BRILLIG'."

Lilley's Report: "Mr. Schwartz told me [ ... ] that for a while, he
attempted to use another system known as 'HERMES' but found that the
Hermes system was too slow for his needs".

The Door on Hermes Incident was not an element of count 1.

Q15. What was the Gate on Mink Incident?

The Gate on Mink Incident is part of the basis for count 1.

From Mark's Report: "In the July time frame, Dirk rechecked the
program and found the security checks removed.  Dirk confronted Randal
a second time.  Randal explained that the program was being used to
accept X Window connections from an O'Reilly and Associates machine
named ruby.ora.com.  Dirk informed Randal that connections from
outside of Intel would not be allowed.  Randal requested that his
account on mink be removed as outside access was the only reason for
having that account."

Randal on fors-discuss, 30 August 1995, 20:44:02 -0700: "[I] abandoned
use of 'door' (allowing access to *any* inside machine once you get
through all of the security locks), shortly thereafter."

Randal: "Some substantial time later, [ I created ] 'gate',
restricting access only to a single machine that does not contain
product data and believed to be reasonably secure."

Randal: "Dirk/Mark discover[ed] gate, decide[d] that *that* isn't
secure enough.  [ I said I ] no longer need[ed the] account if
[I couldn't] even run gate there, and ask[ed] for the account to be
closed.  They [ Mark et al ] comply."

Mark on fors-discuss (Wed, 30 Aug 95 22:27 PDT): "I'll yield to Randal
on the mink incident since I never saw the second program, only the
first.  All I know is that I was told that he had made the changes to
the script that we saw to block outside connections and at a later
date I was told that the blocks were removed and when confronted,
opted to have his account removed."

Mark: "This is consistent with his email on this subject and I
apologize for calling both programs 'gate'.  Thanks for the
corrections Randal."

FAQ Keeper: You will note the three main documents this FAQ relies on
were produced in the period after Crack on Snoopy was discovered and
before they were able to get details from Randal.  These documents,
understandably, make no distinction between 'gate' and 'door'.

FAQ Keeper: After the Gate on Mink Incident Randal moved Gate to
Brillig.

Q16. What is in Det. Lilley's report about Gate on Mink?

Lilley's Report: "[ Randal ] then wrote a new program, different from
the first, that enabled him to re-access "MINK" in order to receive
electronic mail.  Mr. Schwartz admitted to me that he was confronted
again by Mr. Morrissey and Mr. Brandewie (about July of 1993) at which
time, he was once again told that this activity was not permitted and
that he was to cease doing it."

Q17. What were the disciplinary consequences of Gate and Door on Mink?

Randal on fors-discuss, 30 August 1995, 20:44:02 -0700: "[ Not ] so
much as a sanction or other disciplinary action."

These same incidents were later to be prosecuted as felonies.

Q18. What was the difference between Gate and Door?

Randal: "'gate' had a very narrow purpose, akin to what I was doing
for my group when I was at iWarp/SSD... access to a specific,
non-product machine.  When Mark/Dirk disagreed with even its use, I
finally concluded that they were being even more tight than SSD.  So I
moved the program back to SSD, where I understood the policy to be
more liberal.  [ ... ] 'door' and 'gate' had entirely different access
protocols and scope of operation."

Q19. Why did Randal move Gate to Brillig?

"SSD [ had a ] security policy more accommodating and familiar."
[ Randal on fors-discuss, 30 August 1995, 20:44:02 -0700 ]

Mike Northam on fors-discuss (Wed, 30 Aug 1995 21:16:19 -0700):
"Having worked at Intel as a contractor both within SSD and in other
Intel organizations, I can vouch for Randal's assertion that SSD is
'different'.  [ ... ] but my view is that SSD, being more a research
organization, is more "accommodating" than other Intel divisions.
And, since Randal had worked there for several years previously, I can
imagine it would seem 'more familiar'."

Mark to JK, 6 Sep 95 12:11 PDT: "SSD, being an Intel division, was
required to follow Intel corporate security policy.  While any group
can make their own, the corporate policy is the baseline which cannot
be subtracted from - only added to.  Corporate policy forbade this
activity.  It should be noted that when contacted, SSD sysadmins
stated that the use of 'gate' violated SSD security guidelines."

Q20. How did Mark discover Randal's crack runs?

From Mark's Report: "On Thursday, October 28, at 12:30 in the
afternoon, I logged on to a machine called 'snoopy.'  This machine is
a recently installed Sun SparcStation 10 model 51 running the UNIX
operating system.  This machine was purchased to run the server
portion of Cabletron's network management application, Spectrum.
Snoopy has been operating since October 14.  Part of my
responsibilities in the Oregon SIT/NTU organization is systems
administration for NTU UNIX systems at Hawthorn Farms.  On Thursday, I
had two reasons for logging on to snoopy: 1) to ensure that the
Spectrum server was operating correctly and that no further system
modifications were required; and 2) to make sure that Randal Schwartz
had not moved any of his programs to this machine as Randal has a
habit of using as much CPU power as he can find.  Randal had been
previously asked not to run jobs which could interfere with the
Spectrum server once snoopy had been installed."

Mark's Report: "I executed a command to list the processes on snoopy.
I was not surprised to find a process owned by merlyn.  This process
had been running since October 21st.  I executed another command which
would allow me to see what command merlyn was running.  To my
surprise, the running command was called crack-pwc.  Given that there
is a UNIX password cracking program called crack, I became suspicious
and decided that I should investigate.  The program was executing from
the directory /two/usrmerlyn/play/cr/sparc.  I went to that location
and discovered that the cr directory contained the newest version of
the crack program.  I also discovered two suspicious files: passwd.ssd
and passwd.ora.  These appeared to be UNIX password files."

Mark's Report: "I know that Randal has previously contracted at SSD
and that he has an account on a system owned by his book publisher,
O'Reilly and Associates.  O'Reilly goes by ORA and has the email
address of ora.com."

Mark's Report: "At this time, I contacted Rich Cower in corporate
security to receive instructions on how to proceed.  Rich and I
decided that this was a serious problem.  Rich suggested that I
contact Lou Poehlitz or John Kent at SSD to inform them of what I
knew.  I contacted Lou, who directed me to John Kent.  John confirmed
that Randal should not be in possession of SSD password files and did
not have permission from John to crack passwords.  John mentioned that
running the crack program is, with only limited exceptions, a firing
offense at SSD.  While talking to John, I mentioned that I had seen
several logins by Randal from an SSD machine called brillig.  John was
alarmed and stated that all of Randal's accounts should have been
removed after his contract expired the previous spring.  John also
mentioned that Randal received a severe reprimand within a week of his
contract expiring for a security incident at SSD."

Part 2 of FAQ
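The check Mark's report describes in Q20 (list the processes, identify the command, look in its working directory for copied password files) can be turned into a routine administrator's script. What follows is an added example written for this FAQ; it is not code from the FAQ, from Intel, or from anyone in the case. The `ps`-style listing, the file names and contents, the user names and every hash in it are constructed for the example, and the list of cracker program names and the assumption that a password hash is a 13-character crypt(3) string (the format of the era) are the script's own choices, not anything the case documents state.

```python
import re
from datetime import date

# Constructed sample of `ps`-style output (user, pid, start date, command).
# Only the shape mirrors Mark's description; the lines themselves are invented.
SAMPLE_PS = """\
USER      PID  STARTED     COMMAND
root        1  1993-10-14  /sbin/init
spectrum  203  1993-10-14  /opt/spectrum/bin/SpectroSERVER -d
merlyn    881  1993-10-21  /two/usrmerlyn/play/cr/sparc/crack-pwc passwd.ssd
mark      990  1993-10-28  ps -ef
"""

# Constructed file contents an administrator might find next to the process.
# The hashes are random 13-character strings, not real password hashes.
SAMPLE_FILES = {
    "passwd.ssd": "root:abJnggxhB/yWI:0:1:Operator:/:/bin/csh\n"
                  "alice:N4XoqFkZ5c6Yg:1001:20:Alice Example:/home/alice:/bin/sh\n"
                  "bob:*:1002:20:Bob Example:/home/bob:/bin/sh\n",
    "passwd.ora": "carol:Qz8.mP1vLk2Ws:501:100:Carol Example:/u/carol:/bin/csh\n",
    "Makefile":   "all:\n\tcc -O -o crack-pwc crack-pwc.c\n",
}

# Program names this site treats as password crackers (an assumed site list).
CRACKER_NAMES = {"crack", "crack-pwc"}

# Classic crypt(3) output: 13 characters from the [./0-9A-Za-z] alphabet (assumption).
CRYPT_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# The date of the check; the sample listing is dated relative to it.
TODAY = date(1993, 10, 28)


def parse_ps(text):
    """Turn the constructed listing into dicts, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, pid, started, command = line.split(None, 3)
        procs.append({"user": user, "pid": int(pid),
                      "started": date.fromisoformat(started),
                      "command": command})
    return procs


def suspicious_processes(procs, today):
    """Flag processes whose program basename is on the cracker list, with
    how long each has run and the directory it was started from."""
    hits = []
    for p in procs:
        path = p["command"].split()[0]
        basename = path.rsplit("/", 1)[-1]
        if basename in CRACKER_NAMES:
            hits.append({"user": p["user"], "pid": p["pid"], "program": basename,
                         "days_running": (today - p["started"]).days,
                         "directory": path.rsplit("/", 1)[0] or "/"})
    return hits


def looks_like_passwd_file(content):
    """True if every line has the seven passwd(5) fields with numeric uid and
    gid, and at least one line carries a real hash rather than '*' or 'x'."""
    lines = [l for l in content.splitlines() if l.strip()]
    if not lines:
        return False
    has_hash = False
    for l in lines:
        fields = l.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            return False
        if CRYPT_HASH.match(fields[1]):
            has_hash = True
    return has_hash


def find_password_files(files):
    """Names of files whose contents look like a password file with hashes."""
    return sorted(name for name, content in files.items()
                  if looks_like_passwd_file(content))


def investigate(ps_text, files, today):
    """Run both checks and return the findings for reporting."""
    return {"processes": suspicious_processes(parse_ps(ps_text), today),
            "password_files": find_password_files(files)}


if __name__ == "__main__":
    result = investigate(SAMPLE_PS, SAMPLE_FILES, TODAY)
    for h in result["processes"]:
        print(f"{h['user']} pid {h['pid']}: {h['program']} running "
              f"{h['days_running']} days from {h['directory']}")
    print("password files found:", result["password_files"])
```

The file check deliberately looks at content rather than file name, since a copied password file need not be called `passwd`; the process check deliberately records the start date, because a cracker run that has been going for a week on a server meant for other work is the kind of thing Mark's report says prompted the look in the first place.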