From: Jeffrey Kegler 
Subject: FAQ Version 4 - part 3
Date: Sun, 17 Sep 1995 00:11:12 -0700 (PDT)

                   OREGON V. SCHWARTZ FAQ (V4)

Disclaimer: It is possible, as I have gathered this material from
miscellaneous mailing list messages, news postings, and so forth,
that it contains errors of ascertainable fact or ascribes
statements to people who never made them.  I regret both deeply.
Please inform me of any such problems so I may correct them.

This version is almost completely changed from the previous.



Q41. What is in Det. Lazenby's police report about Teleport?

Lazenby's Report: "I asked Randal if he used it anywhere else and he said that he used it on "TECHBOOK" [ now Teleport - JK ]. Randal advised that this is a bulletin board type system and that he used "CRACK" on that system to obtain their passwords. Randal advised that he did get a password and that he wrote to James D. at "TECHBOOK" and advised him that he had done this as a way of making him aware of his weak security."

Q42. What happened at Teleport?

Mark on fors-discuss, 8 Sep 95 12:39 PDT: "In addition to cracking O'Reilly, Randal has admitted to cracking Teleport. I have no information as to where Randal ran crack on the Teleport system, but he did use Intel resources to crack O'Reilly."

Randal on fors-discuss, Thu, 14 Sep 1995 07:25:42 -0700: "I have an account on teleport.com, a local ISP (then called techbook.com). I logged in one morning, and the /etc/motd said 'someone has discovered the password of four users. we've notified those people. please watch what you select for passwords' or something like that. Now, I was familiar with crack (my name is in the documentation), and I had a pretty unused sparc sitting a few feet from me, and I hadn't played with the latest version of crack, so I thought that this would be a good opportunity to (1) use some otherwise unused cycles, (2) test out the new kinds of passwords that the new crack could find, and (3) perhaps restore me to mostly good graces with James Deibele (the owner of techbook/teleport). (As 'just a user', I can be annoying, because I know what I want, and am used to being root and just going in and changing something. James and I had crossed before. :-)

"So, I grabbed the latest crack, and the techbook password file, and had at it. It popped out about 24 passwords out of 300 or so. I immediately emailed James with the results, and his response was 'well, I was wondering when *you* would get around to that. thanks. I'll notify them right away'."

James Deibele apparently testified at the trial, confirming Randal's story.

Q43. How was ORA brought into this matter?

Mark's Report: "I know that Randal [ ... ] has an account on a system owned by his book publisher, O'Reilly and Associates. O'Reilly goes by ORA and has the email address of ora.com."

From Mark's Report: "Seeing that access from an external company was occurring and suspecting that Randal was cracking the O'Reilly password file, I asked Rich Cower to contact CERT to ask for advice and to inform them that we were tracking a potential security threat to O'Reilly as well as Intel and that unauthorized access to the Intel network had been achieved from an O'Reilly machine. Rich later informed me that CERT would make contact, but that Intel's name would not be used. I was asked to be prepared to provide information related to O'Reilly to CERT when requested."

From Mark's Report: "By 1:00 on Friday afternoon, I had given the information pertaining to O'Reilly and Associates to CERT. No Intel information was given to CERT."

Q44. What is in Det. Lazenby's report about ORA?

Lazenby's Report: "Randal advised that he used 'CRACK' on the 'ORILEY' system which is his publishers back east and he obtained a password from them. I asked Randal how he did this and he said he put 'ORILEY' on 'SNOOPY', used 'CRACK' on it and obtained the password. He said he did it just because he was curious to see if 'ORILEY' had any security. Randal advised that he only got one password. I asked him if he ever used that password to go into the 'ORILEY' system and he said no."

Q45. What was ORA's reaction to the ORA incident?

Tim O'Reilly on fors-discuss, 9 Sep 1995 08:17:45 PDT: [ The FAQ keeper ] "recently brought to my attention the fact that rumors are going around that ORA was supportive of Intel in its prosecution of Randal Schwartz. Nothing can be further from the truth. Tanya Herlick, our system administrator, actually testified in his defense at his trial.

Tim: "When we first heard from Intel that Randal had hacked our password file, we were a little miffed, but after a five minute conversation with Randal were convinced that no harm had been done or intended, and that was the end of it.

Tim: "An aside on the facts: Yes, Randal ran crack on our password file. Yes, he got one password. No, he did not gain illegal access to our system. He already had an account! And the account that he cracked did not gain him any additional access. What's more, this account was cracked by Tanya right around the same time and that password was changed before the FBI even called to tell us about it.

Tim: "Randal continues to have an excellent relationship with ORA. He remains one of our key authors, and we're talking about a number of projects with him, including revisions to Programming Perl and Learning Perl, and several new books. We can only hope he has time to work on them."

Tim: "As far as my opinion of Randal as a security risk, the following facts should speak for themselves. Randal still has a login account with ORA, without any unusual restrictions. I do not believe he has ever had any criminal intent toward ORA. I feel his prosecution serves the Internet and justice very poorly. Given all this, I hope any rumor that ORA ever had the slightest intention of prosecuting Randal for anything rapidly goes to its grave."

Randal on fors-discuss, Sun, 10 Sep 1995 14:41:27 -0700: "To my recollection, my conversation with Tim O'Reilly took place Tuesday, November 2nd, the day after the raid at my house the night before."

Q46. What was the Tektronix Incident?

Lilley's Report: "Through conversation with Mr. Schwartz, I learned from him that he had worked for Tektronix between the years of 1978 and 1983 and that at one point (he believed somewhere around 1981) he had actually been suspended at Tektronix for engaging in similar activities."

The FAQ keeper has nothing he can quote, but he understands that the Tektronix incident was similar to the Tandem effort, where Randal was pursuing security duties as requested. When Randal discovered a security hole, his authorization briefly became a matter of controversy. (This, alas, seems par for the course in security work.) Whether this amounted to a formal suspension is not clear. The difficulty was very brief (perhaps 24 hours), and it was soon realized that Randal's actions were both authorized and beneficial. The following is a matter of public record. Randal's manager at Tektronix, Lyle Settle, wrote a glowing account of Randal's activities while there, and Randal even received a plaque from Tektronix. Randal stayed at Tektronix for two years after his supposed attack.

Q47. What is in Det. Lilley's report about the Tandem Incident?

Lilley's Report: "He also went on to admit that he worked for a company called Tandem between the years of 1986 and 1987 and that as an April Fools joke on one of those years, he had also illegally cracked passwords and accessed files in Tandem's systems. He stated that as a result of this activity, he was actually 'technically terminated' for about two hours. Mr. Schwartz stated however that he was immediately reinstated by a supervisor who took the point of view that in fact what Mr. Schwartz had been doing was actually part of his job description which was testing security systems within computer systems for Tandem. Mr. Schwartz stated that in fact, at that point in time, he was writing a book about security systems and that he was doing this in part as research for his book."

Q48. What really happened at Tandem?

Lyle Settle's letter to Judge Bonebrake, August 25, 1995: "A requirement of the Security Administration Guide was that it itemize all possible avenues of intrusion into Tandem systems and that it explain how to prevent such intrusions. Digging into the bowels of the Tandem system, Randal found several previously unknown avenues of intrusion. Some of these Tandem could fix (and did). Others required special security software tailored to the customer's configuration and security policy. To help customers, Randal created software that system administrators could adapt to their particular systems. The Security Administration Guide was a great addition to Tandem's library, eliciting dozens of appreciative letters from Tandem customers and Tandem support people around the world. The Defense Department's certification committee applauded the book and told me that it contains exactly the right information."

Lyle: "[ ... ] A year or so later, Tandem was about to allow its customers limited access to the Tandem network. Tandem security experts had taken extensive precautions to protect against the possibility of customers intruding beyond the allowed limits. Before allowing customer access, however, Tandem contracted with Randal to try to break past the allowed limits into parts of the network reserved for Tandem people. Within a few minutes after his arrival in Cupertino, he succeeded! Tandem treated his break-in as a contribution to their security effort. They fixed the loopholes and happily paid his fee."

Incidentally, for those not familiar with computer security work, the above case is a good example of why breaking into our clients' systems is both necessary and useful. Ordinary precautions had been taken to make sure the system was secure, and except for Randal's break-in the system would have gone on-line with a security loophole. Fortunately, that first break-in attempt was made by one of the good guys.

The comparison of Lyle Settle's account and Officer Lilley's is interesting. In the Lilley report, Randal's actions are a prank, even down to their timing. Lyle, Randal's boss at the time, shows that Randal was acting per instructions, and the timing was based on a Tandem deadline. Why does Randal, in the Lilley report, confess to things he has not done?

Q49. What do Randal's actions show about intent?

From Mark's Report: "We do not know at this time if other backdoors have been installed elsewhere on Intel machines."

FAQ keeper: Presumably someone of Randal's sophistication, if he had other than benign intent, would have done precisely what Mark feared -- installed backdoors elsewhere in forms not previously discovered by Mark. Randal certainly has enough passwords, access and expertise to have done this.

Q50. Had Randal taken any steps to conceal his actions?

From Mark's Report: "Historically, the user name for Randal Schwartz at Intel is merlyn. The processes running on brillig that allowed unauthorized access from outside of the Intel network were owned by merlyn. The actual programs were located in the merlyn directory. On my systems, the crack program was found in the merlyn directory. The crack process found running on my system was owned by merlyn."

Mark on FD, Thu, 7 Sep 1995 09:33:21 -0700 (PDT): "[ ... ] oh yes, Randal could have covered his tracks. He made no attempt to do so."

Q51. Why does Randal say he created the gateway?

Randal L. Schwartz on fors-discuss@teleport.com (Mon, 14 Aug 1995 15:10:45 -0700): "I established what I believed to be very secure ways of checking on my Intel email over the internet while I was away from Intel (for the small number of weeks that I was out of town), and having Xterms and X-emacs access my Xserver at Intel while I was at my desk (part time). ('gate' and 'door' were in Perl, making this what I believe to be the first time Perl code is now a part of the public record. :-)"

Q52. What is in Det. Lilley's report about Randal's reasons for running gateways?

Lilley's Report: "Initially, Mr. Schwartz admitted to me that he had in fact bypassed access gates to Intel systems, explaining that he did this in order to be able to receive 'E-mail' messages at his work station in Intel. While Mr. Schwartz admitted that he knew what he was doing was both against department policy and, to use his words, 'technically illegal', he stated that his only intent was to make it more convenient for him to correspond through computer mail at his work station rather than having to wait until he got back home."

Q53. Did Randal intend to use the gateway after the end of his contract?

Mark, forwarded by Randal to fors-discuss, 09 Sep 1995 15:14:03 -0700: "[ ... ] what I have found interesting from the beginning, and about which I had several conversations with the investigators regarding, is Randal's statement that he was cracking passwords so that he could continue to read his email even after he was terminated by Intel at the end of his contract (and presumably no longer had an account). This is confirmed by the Intel UNIX security expert (who is *very* good, I assure you) who was present for much of the interview.

Mark: "This detail appears in every report and was mentioned by everyone who was involved in the interviews (which I was not, being at Intel preserving the chain of evidence). It could simply be a case of nerves on Randal's part, but I haven't had a chance to buy him a beer to talk about things. The ramifications are evident: he appears to have intended to leave gate running after he left the company and intended to use other accounts and passwords for some reason - the 'reading email' bit doesn't wash for all the obvious reasons. I am at a loss to explain this part."

Randal on fors-discuss (Sat, 02 Sep 1995 08:32:48 -0700): "No, I intended continued employment and continued access to my email while I was employed. Even if I misspoke. :-)"

Q54. According to the police, what reason did Randal give for running crack?

Lazenby's Report: "Randal advised that he was using 'MERLIN' as his login on those systems. I asked Randal why he was using the 'CRACK' program to obtain passwords and asked if he realized that these passwords would access the SSD system. Randal advised that he did realize this and that he was obtaining the passwords because he wanted to get his E-mail quicker. I asked Randal if he ever logged in on SSD using any of the passwords. Randal said first that he only logged in and logged out one time and later, changed it to two or three times. I asked Randal if he ever copied anything or looked at anything and he said that he did not."

Lazenby's Report: "I asked Randal why he would need forty to fifty passwords and he said, 'I needed them in case they caught me doing it and knew they would shut me down so the more passwords I had, the longer I could continue doing what I wanted to do.' Randal advised that he had the capability to do it and he knew he could do it. I asked Randal if this was wrong and in violation of Intel policy and Randal said, 'Yes it is, but I knew I could do it anyway.' Randal said that he wanted to do it because he wanted to be efficient in getting his E-mail very fast and he felt was important and when they shut him down, he wanted to continue doing what he was doing and since he had the capability to do it and knew he could do it, he did it without permission."

Lazenby's Report: "Randal then told me that about one or two years ago, he was a SYS administrator at Intel with SSD and that he would run the 'CRACK' program back then. Randal advised that this was a tool used to keep passwords honest. Randal said that if you can break it with 'CRACK', bad guys can too. I then told Randal that if he knew this, and it was a security measure back then, why was he doing it without authorization now. Randal advised that he knew it was totally wrong and would get in trouble if caught doing it. I then asked Randal if he remembered using 'CRACK' to enter any other systems to obtain passwords."

Q55. If your intent was benign, Randal, why were you doing so much cracking of password files?

Randal on fors-discuss, Thu, 14 Sep 1995 07:25:42 -0700: "Why would I believe that cracking a password file not entirely within my area would be perceived as positive? Let's back up in time to about two weeks before the crack run on brillig...

"I have an account on teleport.com, a local ISP (then called techbook.com). I logged in one morning, and the /etc/motd said "someone has discovered the password of four users. we've notified those people. please watch what you select for passwords" or something like that. Now, I was familiar with crack (my name is in the documentation), and I had a pretty unused sparc sitting a few feet from me, and I hadn't played with the latest version of crack, so I thought that this would be a good opportunity to (1) use some otherwise unused cycles, (2) test out the new kinds of passwords that the new crack could find, and (3) perhaps restore me to mostly good graces with James Deibele (the owner of techbook/teleport). (As 'just a user', I can be annoying, because I know what I want, and am used to being root and just going in and changing something. James and I had crossed before. :-)

"So, I grabbed the latest crack, and the techbook password file, and had at it. It popped out about 24 passwords out of 300 or so. I immediately emailed James with the results, and his response was "well, I was wondering when *you* would get around to that. thanks. I'll notify them right away".

"One of the things I noticed was that the new crack could find additional types of passwords (like "pre$ident"). So, now I was anxious to have more raw data to feed it. That, combined with the fact that James had thanked me (and thus giving me those naturally desirable good strokes), led me on a chase to look for other big password files. I figured that if anything serious turned up, I would just inform the owners.

"So, next I grabbed the password file from ORA and from brillig. ORA didn't turn up anything noteworthy (turns out they were running the same crack on a regular basis), but brillig turned up "ronb"/"deacon". [ ... ]

"Hopefully, this sheds light on why I had the ORA file and what led me to run it against brillig. I had obtained some good strokes and useful research from having done it against techbook. I was merely following the pattern, trying to repeat something that had worked."

Q56. Why did Randal delay so long in alerting SSD of its weak passwords?

Randal on fors-discuss, 15 Sep 1995 17:29:37 -0700: "I wanted the *best* possible evidence of how badly the situation had gotten at SSD before I went to SSD. That's why there were (as Mark pointed out) *two* grabs of the SSD password file, and six weeks of time from the beginning of the first week-long crack run down to the day I was booted. You must also remember that I was not physically at Intel for the middle two weeks of those six, so I had to start all over to make sure they hadn't fixed things while I was gone.

"I'm not trying to justify my actions. In hindsight, they were outrageously dumb. But I'm trying to portray the thinking process that got me here."

Randal on fors-discuss, Fri, 01 Sep 1995 12:46:14 -0700: "I walked out in a huff two months early on the iWarp/SSD contract. This is part of the reason that I didn't immediately report my results about the SSD security problem -- because I had left in a huff, I wanted to make sure I had all my ducks in a row before I cried wolf. And I couldn't bear to say it too early, so I got pigeonholed into being a snake in the grass. (:-)"

Q57. Was Randal's claim of non-malicious intent contested in court?

Apparently not. San Jose Mercury News (9/12/95 5G): "Intel's Woodard said the company found no information that showed Schwartz planned to use the stolen information."

Q58. What was Randal's contract with Intel?

Randal on fors-discuss, 15 Sep 1995 08:18:27 -0700: "A contractor signs a specific agreement, and is subject to the contents of *that agreement only*.

"My entire relationship with Intel at the time of these events is two contracts. One that said 'set up DNS servers all around the world' and another that said 'be a system administrator for HF'. It was up to *me* in my *professional* opinion to decide *how* to do these jobs.

"I believed at the time that part of being a good sysadm for HF was to help other sysadms. After all, that goes on *all* the time in all large orgs. I truly believed at the time that running crack would *help* the people back at SSD. So, this *did* fall under the purview of my job and my contract (at least, that was my thinking).

"Of course, now I know that my work was not appreciated. But I did not presume it would not be at the time.

"If you've never helped a fellow sysadm, or been a contractor in a large organization, maybe that's why you're having difficulty seeing my point of view."

Mark on fors-discuss, 15 Sep 1995 09:36:31 -0700 (PDT): "But your contract at HF mutated while you were there, just like it does with many contractors. And your contract was not rewritten, just as with many contractors. At the direction of Bob Wilcox (your manager) and me, I became the systems administrator for the iPGNS systems and you were told that this was no longer your responsibility and that you were to concentrate on writing the PERL code for turning the host updates into DNS updates.

"So while you had a contract with Bob that said 'systems administration', both you and Intel knew that the original purpose of the contract had mutated and that this was no longer your job. This mutation had occurred at least 3 months before you started cracking passwords."

Q59. Was all this authorized or unauthorized?

This turns out to be a complicated question. There are three parts to it.

First, what was Intel's official policy? The Intel people quoted in the reports are very sure it banned what Randal was doing, but the FAQ keeper has not seen the Intel policies which ban Randal's actions.

Second, what was Intel's enforced policy? For example, recently a computer school was convicted of illegal copying of software. It had a very clear written policy banning its employees from doing such a thing, but it also never budgeted for more than one copy of any piece of software, school-wide. This is an extreme case, but it is quite common for a written policy to be regarded as unworkable, and widely disobeyed.

Third, was Randal made aware of the relevant policy? There cannot be a reasonable expectation that Randal would obey rules he didn't know existed. There seems to be no evidence Randal was presented with anything about Intel security policies in writing until the time the Washington County Police handed him a search warrant.

Q60. Did Randal have permission to run crack?

From Mark's Report: "We can demonstrate that Randal has run a password cracking program against SSD, and possibly ORA, password files. For the SSD password file, we can show that he did not have permission to do so."

Mark's Report: "John [Kent] mentioned that running the crack program is, with only limited exceptions, a firing offense at SSD."

Randal on misc.legal.computing, 09 Aug 1995 19:17:08 -0700: "I had never ever been instructed not to run Crack while at Intel. I had started running it on my own initiative while a sysadm at iWarp, and it was still being run when I left iWarp/SSD in mid 92. Why no-one was running it in oct 93 is *still* the question. (If they had, I suspect I would not have discovered 48 passwords of 600 users, and that the vice president's password was 'pre$ident'.)"

Mark on misc.legal.computing, 2 Aug 1995 22:18:01 GMT: "But he *wasn't* a systems administrator for the systems on which crack was being run (*I* was the systems administrator for those systems) and he wasn't a systems administrator for SSD at the time in question. Also, he *knew* who to contact at SSD and failed to do so. At a very minimum, he could have informed me and asked me to handle things. We did, after all, sit next to each other."

Randal on fors-discuss, Thu, 14 Sep 1995 07:25:42 -0700: "1) sysadms at Intel are *encouraged* to run crack. In fact, crack is provided at an internal FTP site.

Randal: "2) I *was* a sysadm at Intel at the time I ran crack against the brillig and ssd password files. I just wasn't the sysadm of those machines.

Randal: "3) my job description was *one line* on a purchase order, starting with the words "administer systems at HF" (or something like that). There was never a more detailed contract or written description. Everything was to be decided by common sense.

Randal: "4) At the time, I believed that running crack would be for the greater benefit of Intel, and would be received with open arms. I saw a problem, and I was trying to assist in solving it, and I had the right skills to determine the scope of the problem. Of course, it was only *after* the cops showed up at my door that I had any clue to the contrary."

Content last changed on 5/2/96: FORS www site pointer updated. The rest of the material is from September, 1995.