From: Jeffrey Kegler
Subject: FAQ Version 4 - part 2
Date: Sun, 17 Sep 1995 00:11:12 -0700 (PDT)

OREGON V. SCHWARTZ FAQ (V4)

Disclaimer: It is possible, as I have gathered this material from miscellaneous mailing list messages, news postings, and so forth, that it contains errors of ascertainable fact or ascribes statements to people who never made them. I regret both deeply. Please inform me of any such problems so I may correct them. This version is almost completely changed from the previous.
Q20. How did Mark discover Randal's crack runs?

From Mark's Report: "On Thursday, October 28, at 12:30 in the afternoon, I logged on to a machine called 'snoopy.' This machine is a recently installed Sun SparcStation 10 model 51 running the UNIX operating system. This machine was purchased to run the server portion of Cabletron's network management application, Spectrum. Snoopy has been operating since October 14. Part of my responsibilities in the Oregon SIT/NTU organization is systems administration for NTU UNIX systems at Hawthorn Farms. On Thursday, I had two reasons for logging on to snoopy: 1) to ensure that the Spectrum server was operating correctly and that no further system modifications were required; and 2) to make sure that Randal Schwartz had not moved any of his programs to this machine, as Randal has a habit of using as much CPU power as he can find. Randal had been previously asked not to run jobs which could interfere with the Spectrum server once snoopy had been installed.

Mark's Report: "I executed a command to list the processes on snoopy. I was not surprised to find a process owned by merlyn. This process had been running since October 21st. I executed another command which would allow me to see what command merlyn was running. To my surprise, the running command was called crack-pwc. Given that there is a UNIX password cracking program called crack, I became suspicious and decided that I should investigate. The program was executing from the directory /two/usrmerlyn/play/cr/sparc. I went to that location and discovered that the cr directory contained the newest version of the crack program. I also discovered two suspicious files: passwd.ssd and passwd.ora. These appeared to be UNIX password files.

Mark's Report: "I know that Randal has previously contracted at SSD and that he has an account on a system owned by his book publisher, O'Reilly and Associates. O'Reilly goes by ORA and has the email address of ora.com.
Mark's Report: "At this time, I contacted Rich Cower in corporate security to receive instructions on how to proceed. Rich and I decided that this was a serious problem. Rich suggested that I contact Lou Poehlitz or John Kent at SSD to inform them of what I knew. I contacted Lou, who directed me to John Kent. John confirmed that Randal should not be in possession of SSD password files and did not have permission from John to crack passwords. John mentioned that running the crack program is, with only limited exceptions, a firing offense at SSD. While talking to John, I mentioned that I had seen several logins by Randal from an SSD machine called brillig. John was alarmed and stated that all of Randal's accounts should have been removed after his contract expired the previous spring. John also mentioned that Randal received a severe reprimand within a week of his contract expiring for a security incident at SSD."

Q21. What is in Det. Lilley's report about Crack on Snoopy?

Lilley's Report: "I then asked him about his use of the password cracking program "CRACK" to break passwords that would allow him to access files in Intel computer systems referred to as "BRILLIG" and Intel Supercomputer's Systems Division (SSD). Mr. Schwartz freely admitted to me that he had in fact employed the "CRACK" program to access passwords for both "BRILLIG" and SSD but told me that his only reason for doing so was to test both security systems that should have prevented anyone from using the crack type program to access passwords.

Lilley's Report: "Mr. Schwartz then went into some detail as to his activities regarding accessing the 'BRILLIG' system and the SSD system and the use of the Intel 'SNOOPY' system to speed up the 'CRACK' program in obtaining passwords to allow him access to the systems. At this point, Mr. Schwartz readily acknowledged that not only was this activity against Intel policy but there was no doubt in his mind that he could also be found criminally liable for this activity. However, Mr. Schwartz was very adamant that his only purpose in conducting these exercises was to try and find out how hardened these two systems were against attempts to crack their password codes using 'CRACK' programming or similar. Mr. Schwartz did acknowledge however that another reason he was attempting to crack a 'BRILLIG' password was that his contract with the 'BRILLIG' system was soon due to end and he wished to ensure that he would continue to have password access to the 'BRILLIG' system after his contract ended and his personal password was revoked.

Lilley's Report: "In response to our questions, Mr. Schwartz was adamant that at no time did he ever actually access files using any of the cracked passwords that he had obtained using the 'CRACK' program. However, on further questioning, Mr. Schwartz did admit to me that about three years ago, while working at 'I-WARP' (an Intel subsidiary), he had, in fact, accessed files in the I-WARP system through a process known as 'ROOT' and that at that time, he had taken the further step of actually viewing information from files he had accessed. He admitted to me that when he had done that he had known at the time that what he was doing was both against Intel policy and also illegal. However, again, Mr. Schwartz denied that during his accessing of 'BRILLIG' and SSD, he had ever at any time either viewed the contents of any file that he had accessed, nor had he made any copies of any kind of any of those files."

Q22. How many Intel passwords did Randal crack?

From Mark's Report: "Randal Schwartz did crack a password file from the SSD organization and possibly an outside company. In the case of SSD, at least 40 passwords were compromised."
Lazenby's Report: "I passed this information on to Intel personnel and they checked the machine under "STUFF.TAR" and found that there were at least forty to fifty passwords that had been compromised and obtained by Randal. I went back and confronted Randal with this because he had told me that there were only ten to twelve. Randal then said, "I don't remember how many exactly because I was just sticking them under the "STUFF.TAR" and not really using them."

Q23. How was the gate program on brillig discovered?

From Mark's Report: "By 1:30 [ of the day Mark noticed crack running - JK ] I was in contact with John Kent at SSD. John confirmed that Randal did not have permission to crack password files from SSD. I told John that I had noticed logins to my machines by Randal over a period of months from an SSD machine called "brillig." John confirmed that Randal did not have permission for this activity. I asked John to check for a backdoor program called "gate" which would allow Randal to gain access to Intel computers from outside of Intel. John did find this program as well as log files which showed connections to Intel from a machine called ruby.ora.com (operated by O'Reilly and Associates). At this time we decided that two security violations existed.

From Mark's Report: "I instructed John to look for a program called gate running on brillig. This past spring, Randal was found to be running this program on a machine at ADL which has Internet access. The program can be used to gain access to the Intel network from computers outside of Intel. The use of this program on the ADL machine eventually resulted in the removal of Randal's account from the ADL machine. See the end of this document for a summary of that incident.

From Mark's Report: "John did find the gate program running on brillig and also found log files indicating that Randal had used brillig to gain access to the Intel network on many occasions from a machine called ruby.ora.com. This machine is operated by O'Reilly and Associates, a publisher of UNIX books."

Q24. Why and how were the police first brought into this matter?

Mark's Report: "At 3:30 on Friday, a bridge meeting was held to discuss the situation. The activities were shown to be serious. The group opted not to make any changes over the weekend which were likely to be discovered by Randal should he log on to our systems or if he had a watchdog program installed. The decision was made to have everyone involved ready to move on Monday, November 1, if that proved necessary.

Mark's Report: "Saturday afternoon I logged on to snoopy to check the progress of the crack program. The program was not running. My calculations, based on the log file for crack, showed that the program should have been running for several more weeks. I admit that I do not know enough to determine if the program terminated normally, abnormally, or was stopped by Randal or others. The fact that the program terminated in the middle of an investigation into the program was unsettling to me. I left messages for John Kent and Rich Cower and asked that brillig be checked for activity.

Mark's Report: "On Monday, November 1st, I met with Rich Cower, Rick Pierce, Clyde Stites, and John Kent to discuss the situation and bring everyone up-to-date. Washington County authorities were briefed later in the morning and onsite before the afternoon. I cooperated with the Washington County authorities in writing an affidavit which was to be used to secure a search warrant. I was informed that there was a very high probability that the search warrant would be executed Monday evening. I physically shut down the six computers which I control at 5:30 on Monday evening. At 6:30 pm on Monday, I was informed that the search warrant had been executed.
Mark's Report: "On Tuesday, November 2nd, I met with Rich Cower and Clyde Stites to discuss how to ensure that my systems were secure and also to make sure that I maintained all information which might be of use to Washington County authorities. During this meeting, Washington County authorities arrived to present a search warrant."

Q25. Who told the police Randal was breaking the law?

Lazenby's Report: "On 11/01/93, writer assisted Sr. Deputy Lilley in the preparation of a search warrant in regards to Randal Schwartz who had been illegally bypassing computer systems and using a password cracking program to obtain passwords to a computer system within Intel."

Lilley's Report: "On 11/01/93 at 11:40 a.m., I met with the above mentioned Intel employees at the Intel building where I was advised of their discovery that one of their contract employees, Randal Schwartz, had been illegally bypassing access gates to systems and illegally utilizing password cracking programs to crack passwords to computer systems. (Refer to attached report by Mark Morrissey for details)."

Mark on fors-discuss, 8 Sep 95 12:39 PDT: "I think that it is fairly obvious from this report that I didn't see any clear indication of a violation of the law. However, if one reads the search warrant (that I didn't see until after it was served), there is a statement attributed to me where I supposedly tell law enforcement that Randal has violated Oregon law. I never made such a statement to law enforcement."

Q26. Why did Intel go straight to the police, rather than simply calling Randal and asking him what was up?

Mark on fors-discuss, 8 Sep 1995 12:45:42 -0700 (PDT): "Intel was informed that if they asked Randal if they could verify that he had no Intel property on his computers or in his home and that Randal said 'no', there was nothing that they could do. The only way that they could verify that Randal was not in possession of Intel property was to either trust his word or turn it over to the police and hope for a search warrant.

"At the time of the initial investigation, before the police were involved, Intel had no way of knowing if Randal had stolen secrets. What he had done - cracked passwords and established a covert channel into the company - looked might[y] suspicious."

Q27. Did Randal confess?

The two police reports are full of confession language attributed to Randal. What follows are the most damning statements from Lazenby's Report.

Lazenby's Report: "Writer then asked Randal if he felt he was doing anything wrong. Randal told writer that he was in fact violating Intel policy and he also thought that he could be criminally prosecuted for these incidents.

Lazenby's Report: "I asked Randal if this was wrong and in violation of Intel policy and Randal said, 'Yes it is, but I knew I could do it anyway.' Randal said that he wanted to do it because he wanted to be efficient in getting his E-mail very fast and he felt it was important and when they shut him down, he wanted to continue doing what he was doing and since he had the capability to do it and knew he could do it, he did it without permission."

Lazenby's Report: "I then told Randal that if he knew this, and it was a security measure back then, why was he doing it [ running crack ] without authorization now. Randal advised that he knew it was totally wrong and would get in trouble if caught doing it."

FAQ keeper: Det. Lazenby shows surprising knowledge of computer jargon, and shows Randal to have been surprisingly familiar both with Oregon computer crime law and the elements necessary to a full confession. Randal is especially careful to establish the necessary elements of criminal intent.

Q28. How does Randal explain his confession?

Randal on fors-discuss (Sat, 02 Sep 1995 08:32:48 -0700): "I was indeed read my rights before any questioning started.
Randal: "In a brilliant example of the all-around bad judgement about this incident, I just started talking. You see, I was determined to show that *nothing* was going on, and that if they were considering me as having committed some bad act, they must simply just not understand what I was doing yet. So I spent two hours trying to educate them.

Randal: "Please, I've heard the 'next time, call a lawyer' 97 times. Spare me the private email about that.

Randal: "I've never had a run-in with the law before. I've always thought cops were my friends. That's the way I was raised. So, while this situation was different and scary, I still thought that the guys sitting across the room from me asking me questions were there to help me. Perhaps they could even be a neutral arbiter.

Randal: "As it turns out, cops, like all of us, seem to have selective hearing. I had somehow forgotten that. (I had selective memory. :-)"

Randal on fors-discuss (Fri, 01 Sep 1995 17:45:11 -0700): "[ The police reports ] should be read knowing that: (1) the cops had a tape recorder in the car, but chose not to use it. (2) the cops had *video* equipment at the office, but chose not to bring it. (3) little or no notes were taken from a two hour 'interview' (aka interrogation). (4) I tried to make the cops understand everything that was happening, but I was very very stressed and confused, because while this 'interview' was going on, other cops were scouring my house, ripping out computer systems. (This is not the usual sort of behavior at my house. :-) (5) I recall the cops testifying that the information was very technical, and many times hard for them to understand. (6) I *now* understand why I'm not supposed to talk to cops without a lawyer present, as the difference between what I understood to say and what actually ended up on the paper is nearly night and day. (If you've had the opportunity, recall the last time you were quoted in the popular news media... :-)"

Randal: "My legal team has gone over that statement with me in detail. We believe that it is actually a very good demonstration that what they were understanding and/or recording was different than what was in my head.

Randal: "It may very well be that I said, under the stress of the situation, exactly what was in those reports. But my mind sometimes races ahead of what I am saying, especially under stress. As I have already said in this forum before, I answered 'yes' to the prosecutor's question of 'so you did this for personal gain?', when in fact, what I was thinking of was 'well, it was to keep my employment at Intel, and that benefits me personally, so yes.'

Randal: "Clearly, viewing the record of my statements in the clear calm of a situation removed from the original interrogation reveals the lunacy. Why would I want to read *my* email after *I* had been terminated??? The real question then for review is: (1) what question did I think I was answering, and (2) what did I say, and (3) what did I think I meant by that? I would say #2 can be answered by the police report, but we have to get to #1 and #3 to get the whole picture."

Q29. Besides Randal, are there others who say they were inaccurately quoted by law enforcement in this matter?

Mark on fors-discuss, 8 Sep 95 12:39 PDT: "I think that it is fairly obvious from this report that I didn't see any clear indication of a violation of the law. However, if one reads the search warrant (that I didn't see until after it was served), there is a statement attributed to me where I supposedly tell law enforcement that Randal has violated Oregon law. I never made such a statement to law enforcement."

Q30. What about Randal's hacking fantasies?

The police reports are not without a little comic relief.

Lilley's Report: "During the course of our conversation, Mr.
Schwartz made mention of the fact that on occasion, he had entertained private fantasies of engaging in computer espionage but explained that they were merely idle daydreaming and that it was not something that he had given any serious consideration to. We began to explore this avenue in greater depth and during further discussion, Mr. Schwartz admitted to me that in the course of his espionage fantasy, he had given thoughts to such matters as what type of information would be the most valuable to competitors, what people or organizations would be most interested in this information, and who would provide the greatest reward. On urging from me, he admitted that he suspected that the Cray Organization would probably be the biggest competitor who would be the most interested in, and pay the most for, any intelligence that he obtained from Intel systems.

Lilley's Report: "Mr. Schwartz at first was very vague in his answers as to what information he would obtain and where he would obtain it, etc. [ Police, it seems, like fantasies to be specific -- JK ] However, on further discussions with me, he became more specific about the types of information, how he would access it, and who he would take it to. At one point, I asked Mr. Schwartz if he had ever taken any active steps in carrying out this fantasy and his response to me was, 'I never took any steps externally to carry out this fantasy'. I then asked him if that meant that he had possibly contacted somebody within the Intel corporation regarding this fantasy at which point he stated, 'No, no, I meant externally beyond the tips of my fingers, outside my mind.'"

People who work in computer security will tell you, of course, that envisioning how attackers would attack a system is precisely how you determine which measures to take to defend it.

Q31. How does Mark read Randal's confession?
Mark, forwarded by Randal to fors-discuss, 09 Sep 1995 15:14:03 -0700: "I believe that the reports basically substantiate what Randal has said publicly here. I don't think that anyone will find anything that substantially conflicts with his version. However, [ one caveat mentioned here ]. I have always believed Randal's version with the one caveat mentioned above [ the access after end of contract issue, see elsewhere in the FAQ ]. And Randal, I really did mean it when I said that we should get together when this is all over and I really was seriously wishing you the best of luck not only with the case but with the future implications as well."

FAQ-Keeper: The above quoted message got lost and then forwarded to the net. I have no reason to doubt its authenticity and that it was intended for fors-discuss and therefore public dissemination.

Q32. Why did the police not tape Randal's confession?

Mark to JK, 6 Sep 95 12:11 PDT: "There were never less than 2, and often three people in the room with Randal while he was making statements.

Mark: "They chose not to use the tape/video equipment because it often makes the interview difficult. They also had more than one person in the room (often the Intel UNIX security representative). All three reports concur."

Q33. Beyond reports of oral confessions, what incriminating evidence emerged from the search?

Apparently nothing. Randal's computers were returned some weeks later.

Q34. Are there other sources as to what was said at the search?

Lilley's Report: "Mr. Schwartz also discussed with the Intel personnel in the interview with me more technical aspects of his activities within Intel and outside companies that he had contracts with. These statements were better understood and assessed by the Intel personnel. Refer to their reports on those aspects of our interviews."

The FAQ keeper would love to see these.

Q35. What did Randal do immediately after the search?
Randal on fors-discuss, Sun, 10 Sep 1995 14:41:27 -0700: "To my recollection, my conversation with Tim O'Reilly took place Tuesday, November 2nd, the day after the raid at my house the night before. It was just after my conversation in the morning with Mike Godwin, Lead Counsel for EFF. I also then called a bunch of my friends and associates, looking for a criminal defense lawyer to handle the case. Within 48 hours, I had selected my present counsel, Marc Sussman, on the recommendation of a trusted business partner."

Q36. When was the indictment?

D. Lawrence Olstad on fors-discuss, Sat, 16 Sep 1995 11:59:36 -0700: "For example, this all happened on November 1, 1993 and there was no indictment until March 2, 1994. That's 4 months. It generally does not take that long. I am working on a Washington County drug case right now that happened on June 4, 1995 and the defendant was indicted June 9, 1995. Now, it took them a little over 1 month to analyze what was on Randal's hard drives, but still . . . "

Q37. Was there no offer of a plea bargain?

Randal on fors-discuss (Fri, 01 Sep 1995 12:54:50 -0700): "1) first offer, prior to *indictment* (mar 94): one felony. (At this point, we weren't even able to figure out what they could possibly charge me for, so I couldn't figure out why I was possibly copping to a felony.)

Randal: "2) second offer, the week before the trial (jul 95): 'if the judge wants to apply misdemeanor treatment for the crimes, I won't stand in the way, but I won't suggest it either'. (This is before the judge even gets to hear any of the evidence.)

Randal: "Both offers, obviously, were declined."

Q38. Who wrote to or petitioned the judge for leniency?
Kevin Luster on fors-discuss, 5 Sep 1995 19:55:49 -0700 (PDT): "There were 303 responses from 21 countries: Austria, Australia, Canada, Chile, Estonia, France, Germany, India, Ireland, Italy, Japan, Netherlands, New Zealand, Norway, South Africa, Sweden, Switzerland, Taiwan, Ukraine, United Kingdom, USA.

"There were a number of letters from people in Oregon, including current and former employees and contractors of Intel.

"There were a number of letters from places that you would normally associate with heightened computer security requirements: Northrop, Grumman, Rockwell, the US Army.

"There were a couple of signatures from noted computer security experts. The judge might not know them from squat, but people in the unix world do.

"I also got 2 anti-petition responses."

Q39. What was the sentence?

From Randal's fund daemon: "Count 1, reduced to a misdemeanor, 5 years probation, 90 days jail to begin september 1, *1998*. However, 60 days before this date I can petition the court to demonstrate excellent behavior and rehabilitation, and they may dismiss the jailtime. Disclosure required (see below)."

Randal: "Count 2, 2 years probation, 480 hours of community service, disclosure required (see below).

Randal: "Count 3, 2 years probation, 480 hours of community service (hours count for both counts 2 and 3, so it's 480 total, not 960). Disclosure required (see below).

Randal: "Restitution hearing still to be set. Intel is asking for an additional $9,000 over the original $63,000. Disclosure: I must not become either a contract employee or employee without my potential employer becoming fully aware of my conviction. I attend my 'probation induction' meeting on September 20th. More details then."

The probation is also concurrent, so the totals are 1 misdemeanor, 2 felonies, 5 years probation, 480 hours community service, disclosure on all three counts, plus restitution yet to be determined.
The legal expenses and time lost Randal has incurred, while not formally a part of the punishment, are of course very substantial.

Q40. How do Randal's sentence and crime compare with Morris?

Steve Pacenka on fors-discuss, 13 Sep 1995 07:36:55 -0400: "According to the appeals court's synopsis, Robert Tappan Morris (probably Jr.) had the following sentence:"

Steve: "- 400 hours community service - 3 years probation - $10,500 fine plus probation supervision costs"

Steve: "The actual cost of cleaning up after Morris' negligence and trespass must have been at least 10x the $70k+ that Intel is seeking from Randal now, due to the large number of systems Morris' worm affected."

Steve: "Randal is being penalized much harder, with the deferred 90 day jail term, the larger restitution payment (compared to the Morris fine), the longer probation, the longer community service. Randal also seems to have had far less impact, if indeed there was any besides Intel's cost of investigation and reverifying security. Very disproportionate in comparison to Morris, if that case is a valid benchmark of comparison."