From: Jeffrey Kegler
Subject: FAQ Version 4 - part 4
Date: Sun, 17 Sep 1995 00:11:12 -0700 (PDT)
OREGON V. SCHWARTZ FAQ (V4)
Disclaimer: It is possible, as I have gathered this material from
miscellaneous mailing list messages, news postings, and so forth,
that it contains errors of ascertainable fact or ascribes
statements to people who never made them. I regret both deeply.
Please inform me of any such problems so I may correct them.
This version is almost completely changed from the previous.
Q61. Did Randal have permission to run the gateway?
Randal on fors-discuss@teleport.com (Mon, 14 Aug 1995 15:10:45
-0700): "If, as Intel claims in the trial, that my actions in
March and June of 1993 (where I was told to modify 'door' and
'gate' to be more secure) are truly crimes, why the heck was I
allowed to work until November 1993? This seems to be the case
of moving the line drawn in pencil on the floor (not visible
under average light) to the other side of the room without
telling me, and retroactively deciding that something I wasn't
even disciplined for is now a crime. Gack."
Mark to JK, 6 Sep 95 12:11 PDT: "Also note that this essentially
became an unregulated mechanism for entering Intel from the
Internet over which Intel exercised no control. One can imagine
why Intel would obviously not want this to be in place and why
anyone with Intel's best interest in mind would not attempt such
a thing."
Randal on fors-discuss, 30 August 1995, 20:44:02 -0700: "I
*never* *knowingly* disobeyed any guidelines handed to me. My
understanding of [ the Door on Mink Incident ] is that they were
telling me that 'door' wasn't secure enough because it allowed
access to any machine. I *never* ran 'door' in that fashion
again. Ever."
See also the various discussions under the history of Gate and
Door.
Q62. Did Randal know of Intel's security policy?
Randal on fors-discuss, 14 Sep 1995 16:21:57 -0700: "[My
accusers] make it sound like I was looking at two big doors, and
on one it said 'authorized by Intel' in big bold letters, and on
the other it said 'not authorized by Intel' in very big red bold
letters.
"And that seeing the words and reading them, I selected the
second door and walked through it.
"I assure you, this was not the case.
"Continuing the analogy, it's more like the signs were pointed
out to me on the *back* of the door by a police officer. And the
paint perhaps appeared to be wet.
"I repeat what I have said earlier. I have never knowingly
violated any directive of any employer. Ever."
Jeff Boerio on FD, 8 Sep 1995 09:56:56 -0700 (PDT): "Intel has
information kiosks setup in every building where any employee
(regardless of full time, temporary, contractor, etc) can pick up
any type of documentation, including security policies."
FAQ keeper: Of course, Randal was a contractor and not an
employee. It seems Randal never read any of this material, and
was never asked to read any of it. Had Randal stopped at the
kiosk and studied its contents, it is not clear that it would
have been clear how much of the material was applicable to him.
Q63. Whose case is this, Oregon's or Intel's?
Mike Northam on fors-discuss, 14 Sep 1995 09:02:23 -0700: "I
think it's unfortunate that some folks on this list continue to
see this as an Intel problem rather than what it really is, which
is a State of Oregon law problem. Once information had been
turned over to the authorities (which occurred, you'll recall, in
the course of getting a search warrant to determine if Randal had
any stolen Intel property at his home), whether to prosecute the
case was no longer in Intel's hands.
Mike: "This was a criminal proceeding, not a civil case. (I
don't know whether Intel's press for restitution of damages is a
civil action or merely part of the overall criminal case,
however.) While Intel is no doubt influential locally, being a
large employer and a major force in the local economy, it is far
from clear that they wield sufficient influence over the local
judicial system to press for a criminal proceeding if the
district attorney hadn't wanted to go forward."
Mark to JK, 6 Sep 95 12:11 PDT: "Intel doesn't decide anything
about 'felonious action', this determination is made by the
Washington County DA. Previous use of this was handled
internally by people who did not wish to sanction Randal; instead
opting to believe that the best approach was unofficial
education."
Mark to JK, 6 Sep 95 12:11 PDT: "Intel didn't press for charges.
This was determined by the DA and the Grand Jury. Really - Intel
had very little to do with this."
FAQ keeper: I will note, as reported elsewhere in the FAQ, Intel
had no less than three people at the search. John Woodard, an
Intel attorney, attended most of the trial, and has made himself
available to the press. Your FAQ keeper assumes this is not how
he chose to spend his vacation. I have also heard reports, which
I cannot confirm, that extensive Intel security, technical and
legal resources were made available to the prosecution.
FAQ keeper: The answer to this question seems so straightforward
to me, that I considered leaving it out of the FAQ, as a
no-brainer. I don't doubt the sincerity of those who maintain
otherwise, but that the Washington County D.A. would even
consider proceeding with this case without considerable and
continuous encouragement from Intel strikes me as absurdly
unlikely.
Q64. How important is Intel to Oregon and to Washington County?
Tom Phoenix on FD, 12 Sep 1995 14:28:09 -0700 (PDT): "Intel is
the largest single employer in the entire state of Oregon, with
over 7000 employees. Every one of those people is employed in
Washington County."
Mark on FD, 13 Sep 1995 10:29:40 -0700 (PDT): "Intel is [ the ]
largest private employer of any kind in the state of Oregon.
Including contractors, it is around 12,000 employees. Once
Ronlar Acres is online, this will begin to climb again, perhaps
by 2,000."
Q65. Even if Randal is guilty, this does not seem like the sort
of thing you ordinarily prosecute. Why did they?
Randal L. Schwartz on fors-discuss@teleport.com (Mon, 14 Aug 1995
15:10:45 -0700) Randal: "Allowing me to opine for a moment, it
seems that as long as I was being innovative in directions that
didn't embarrass the vice president of SSD, I could experiment
all I wanted, because my overall net contribution to the company
far exceeded any hassle I was causing the grunts. And, both the
mail-access method and running crack were further attempts on my
part to be of overall benefit to the company. But we know how
these two turned out. :-("
John H. Woodard, an Intel lawyer quoted in the Oregonian: "I
think it was good for all the high-tech companies moving into
this area that the county is willing to pursue these types of
crimes."
FAQ keeper: Personally, this case has me afraid to change planes
in Washington County.
FAQ keeper: Among the things the FAQ keeper has heard is that
Intel believes Randal to have been responsible for a rash of
losses of Intel company secrets, far more than they can prove or
have publicly charged. See the question on "Was Intel having
security problems?". This would explain why such seemingly minor
charges are being pursued so vindictively -- no serious offer of
a plea bargain, each charge pressed to the maximum of the law,
and the bringing of charges which would usually be taken care of
with a firing or at most a civil suit. The FAQ keeper would be
pleased to learn anything that refutes or confirms this.
FAQ keeper: I regard it as unlikely in the extreme Randal was the
culprit in any theft of corporate secrets. This means the real
thief is still at large, perhaps reading this FAQ, quite possibly
employed at Intel.
Q66. Was Intel having security problems?
Jeff Boerio on FD, 8 Sep 1995 09:56:56 -0700 (PDT): "It appears
that SSD had some problems with security."
Jeff: "I will say this, and I've said it before. Intel is very
paranoid when it comes to security and intellectual property.
From all the security documents I've read around Intel, almost
all of them have the attitude that you'll see in airports: don't
even think of making jokes about it, or you don't need to partake
in security measures - we have a team in place to do that."
Mike Northam on fors-discuss (Wed, 30 Aug 1995 19:47:47 -0700):
"My personal feeling (and this is pure speculation) is that there
were perhaps cracking attempts, possibly industrial espionage,
against some Intel systems which hold major corporate secrets
about the Pentium follow-on chip. Perhaps this kind of thing was
what caused the major reaction against Randal.
Mike: "What folks [ ... ] perhaps need to fully understand is
that hundreds of millions of dollars are at stake in those kinds
of ballparks. Finding a system accessible to the outside world,
in any manner whatsoever, bypassing the firewalls would cause the
alarm bells to ring, I've no doubt. But why, after it became
apparent that the 'attack' was benign, would Intel press for
felony charges?"
Q67. Isn't a felony conviction without harm, intent to harm or
malicious intent unusual?
D. Lawrence Olstad on fors-discuss, 15 Sep 1995 14:46:17 -0700:
"All criminal acts must, unless the statute defining them
specifically says otherwise, be accompanied by a 'culpable mental
state,' which, roughly translated, means a guilty state of mind.
There are 4 in Oregon. The act(s) must be committed
'intentionally,' 'knowingly,' 'recklessly' or with 'criminal
negligence.'
"You do something intentionally if you intend to do it. You do
it knowingly if you know you are doing it. You do it recklessly
if you are aware of a substantial and unjustifiable risk of harm
attendant upon the behavior and you go ahead anyway. You are
criminally negligent if you are unaware of the aforementioned
risk, and that unawareness is itself a gross deviation from the
ordinary standard of care.
"The only requirement for intentional or knowing criminal
liability is that you intend to do, or know you are doing, the
acts which constitute the crime.
"But this is only part of a larger picture. Some crimes,
especially some serious crimes, can only be committed
intentionally. Frequently, the degree of the crime charged, and
even the nature of the charge itself, is determined by the level
of culpable mental state that can be proved or that is clearly
manifest.
"First degree manslaughter can only be committed recklessly under
circumstances manifesting an extreme indifference to the value of
human life or intentionally while under the influence of an
extreme emotional disturbance. Manslaughter committed
recklessly, without the aggravating circumstance, is second
degree manslaughter.
"Other factors which can increase or decrease the seriousness of
criminal activity are the use or non-use of weapons, the degree
of injury caused and whether the defendant acted alone or in
concert with others.
"In Randal's case the culpable mental state underlying all the
allegations was 'knowingly.' One of the twists, however, was
that in Counts 2 and 3, the state alleged that he acted 'for the
purpose' of committing theft of the SSD password file and 'for
the purpose' of committing theft of the individual user's
passwords, respectively.
"Oregon statutes dealing with culpable mental states, where all
this other stuff comes from, do not recognize the 'for the
purpose of' language. It exists, so far as I know, only in the
computer crime statute."
D. Lawrence Olstad on fors-discuss, Sat, 16 Sep 1995 11:59:36
-0700: "They have to make the allegation track the statute or
they won't get past the pleading stage (there are ways to attack
the indictment if it does not generally track the statute).
"It is the statute that uses the language 'for the purpose of.'"
"What I *think* happened here is they discovered, after the
decision to prosecute had been made, that Randal had not stolen
anything and that all he was doing was what sysadmins do. But
the decision to prosecute had been made, and also perhaps some
promises had been made. I don't know about this, but it explains
what happened later. [ Comment on long delayed indictment, and
its unusualness. ]"
"So this theory about stealing the passwords and the password
file was contrived. Some criminal 'purpose' had to be arguable,
or two of the three counts would be scuttled.
"My personal opinion is that the prosecutor hornswoggled the
court and the jury with this hogwash. You don't leave a thing it
is your 'purpose' to steal where it was when you found it. Even
stretching things, because we are in a novel area, would a
criminal hacker do the cracking on one of Intel's machines? Come
on - wouldn't he get in and get out as soon as possible, leaving
no trace whatsoever. He certainly would not want anyone to know
he had the passwords, or they would all be instantly changed and
his efforts would avail him of nothing."
Q68. What are the implications of such a broadly drafted and
interpreted law?
Randal on fors-discuss, Fri, 15 Sep 1995 08:25:48 -0700: "How
many companies have you worked at that had a strict policy
against 'personal calls using the company PBX'? And how many
personal calls went in and out *daily* on that PBX? In Oregon,
each occurrence is technically 'altering' a 'computer' without
'authorization' => a class C felony. Boy, most large companies
could have a heyday with that.
Randal: "Here's another. How many companies have you worked at
that had a strict policy against 'games on the business
computers'? OK, now how many games do you see?
Randal: "And another. How many companies have strict policies
against 'personal use of email'?
Randal: "And so on.
Randal: "So here we have a lot of very official policies that are
*routinely* violated in the course of doing business. In Oregon,
you can now go to jail for any of these *if* you get into a
dispute with your employer.
Randal: "Get the point yet?"
Q69. Did Randal take a polygraph?
Randal on fors-discuss, Sun, 10 Sep 1995 14:41:27 -0700: "One of
the officers suggested I was lying, and that one thing that would
really beef up my story was to take a lie detector test at the
police station. Now, I didn't know that in Oregon, a lie
detector test is inadmissible as evidence, but in an effort to
clear things up, I agreed to the test.
Randal: "After consulting with Marc, I paid for a private
licensed polygraph examiner to administer a test. On November
8th, 1993, I took the test.
Randal: "In his report about that test, Kenneth L. Simmons, a
polygraph examiner says: 'Although there are some inconsistent
responses on the polygraph charts, it is my opinion that Mr.
Schwartz is answering relevant questions R1 and R2 truthfully.
Other questions were used on the test to evaluate responses but
no decision as to truth or deception is made on those questions.'
Randal: "The report states:
Randal: "R1. Are you concealing any information that you obtained
from SSD files?
Answer - No
Randal: "R2. Other than the password file, did you use anyone
else's password at Intel to look at files?
Answer - No
Randal: "We offered to take a polygraph at the police station
immediately following this result, but the detective would not
commit to the position that a clean polygraph would affect
*anything* about the prosecution (seemingly contrary to what he
had insisted the night of the raid), so the matter was dropped.
Randal: "Just for the record. I don't expect a polygraph to
convince anyone here one way or the other, but if you wanna know
where some of that $120K went, here's a piece of it. :-("
Q70. What is crack and who should run it?
Crack is a program to find weak passwords by the direct means --
cracking them. The idea is that if a good guy can crack a
password, so can the bad guy. Of course, and unfortunately,
crack is a highly useful tool to bad guys as well.
From Mark's Report: "The act of cracking password files can have
two motives: 1) enhancing local security by identifying insecure
passwords and encouraging users to change them to be more secure;
and 2) a desire to find out passwords. Cracking password files
without explicit direction or permission from appropriate sources
can be interpreted as a hostile act."
From Cheswick & Bellovin, _Firewalls and Internet Security_, p.
245.: C&B: "If none of these [authentication devices or a "smart"
version of passwd] are used, crack your own password files and
weed out the weak ones. Crack is a well known and widely
distributed password cracking program by Alec Muffett." Far from
discouraging its use, CERT distributes it as
ftp://ftp.cert.org/pub/tools/crack. Perhaps ironically, one of
the people credited by Alec Muffett for help with this important
tool is Randal Schwartz.
Q71. Do sysadmins consider Randal annoying?
Yes.
Tanya Herlick as quoted by Tim O'Reilly on fors-discuss, 9 Sep
1995 08:17:45 PDT: "Randal likes to see what he can get away
with. What he did was inappropriate, but I'm sure he didn't have
any criminal intent toward us."
Mark's Report: "Randal has a habit of using as much CPU power as
he can find."
Randal on fors-discuss, Thu, 14 Sep 1995 07:25:42 -0700: "As
'just a user', I can be annoying, because I know what I want, and
am used to being root and just going in and changing something."
It was Mark's observation that led him to the investigation that
turned up the crack run and started this whole train of events.
I hope readers take away the moral that one should be nice to
one's sysadmins, and a good citizen about using disk and CPU
time. Otherwise, you may never hear the end of it.
Q72. What was the chronology of events?
November 1, 1992: Start of activity alleged in indictment.
March 1993: Randal's 'door' program is discovered on mink and
changed to meet Intel's objections.
May/June 1993: Randal's 'gate' program is discovered on mink.
Randal, in response to objections, asks for mink account to be
closed.
September 24, 1993: Backups showed crack runs started by this
day.
October 28, 1993, 12:30PM: Intel discovers crack program
running.
October 28, 1993: CERT contacted by Mark with respect to ORA.
November 1993: 'gate' is found running on Brillig.
November 1, 1993: End of activity alleged in indictment.
Randal's residence searched.
November 2, 1993: Randal calls Tim O'Reilly.
November 3, 1993: Date of "Report on a Security Incident at the
Oregon Facility" by Mark Morrissey.
November 8, 1993: Randal takes a polygraph.
March 1994, but before the indictment: Randal is offered the
chance to plead guilty to one felony count.
March 2, 1994: Randal indicted on 3 felony counts.
Apr 19, 1994: Randal was scheduled to return to enter a plea
this day.
July 1995 (one week before the trial): Second plea bargain
offered. Prosecution offers to neither oppose nor support
misdemeanor treatment before judge.
July 25, 1995: Randal convicted on all 3 counts.
September 11, 1995: Sentence handed down.
September 20, 1995: Restitution hearing scheduled for this day.
Q73. Who's who in this case?
Merlon Altermatt was an Intel employee told not to reuse relevant
backup tapes after discovery that Randal was running crack.
Brad Benson was SIT/SAU owner and Mark's manager.
The Honorable Alan C. Bonebrake presided at the trial.
Dirk Brandewei was a software engineer in a research group at
Intel who maintained mink as a service to others at Intel.
An Ed Bunch is mentioned in Det. Lazenby's report as an Intel
employee who may have been told that Randal had found passwords.
"Ed was asked about this incident the day after the search of
Randal's house by Intel investigators. He does not recall being
told that Randal, and he commented it would have been something
he would have remembered. This is (according to Randal) about 1-2
weeks after he reportedly told Ed." [ E-mail Mark to JK, Wed, 6
Sep 95 12:11 PDT ]
Coeta Chambers was with Intel HR legal. Mark consulted her on
October 29.
Rich Cower was an employee of Intel security. He was present at
the search.
John Gray was HF campus IT owner.
Tanya Herlick, the system administrator at ORA, whose password
file was one of those Randal was running crack on. Tanya being a
diligent sysadmin, Randal only found one password, one which
Tanya had already found and changed.
John Kent was an Intel employee at SSD.
Detective P. Lazenby was one of those who searched Randal's
apartment. He filed a report containing many statements by
Randal full of confession language.
Sr. Deputy Lilley was a Washington County officer who
participated in the search. He wrote an extensive report of the
search.
Mike Moon was Oregon site IT owner.
Bill Morgan was an Intel employee told not to reuse relevant
backup tapes after discovery that Randal was running crack.
Mark Morrissey was "a senior network engineer involved with SNMP-
based management tools, techniques, and practices at Intel, with
specific charge for the Intel site. Part of his many small
duties was systems administration for the local network of Sun
workstations used for SNMP-based management. The systems used to
run crack against Intel and [ O'Reilly ] password files were
included in this set of machines." [ Mark to JK, 6 Sep 95 12:11
PDT ].
D. Lawrence Olstad is a paralegal working with Randal.
Tim O'Reilly is founder and owner of O'Reilly and Associates,
publisher of Randal's and many other quality computer books.
Rick Pierce was an Intel employee present at the November 1
meeting, and the search.
Lou Poehlitz was an Intel employee at SSD.
Rick Query was Oregon SIT/NTU.
Kenneth L. Simmons administered a polygraph to Randal.
Clyde Stites was an Intel employee present at a November 1
meeting, and the search.
Marc A. Sussman is Randal's defense attorney.
Thomas J. Tintera, Senior Deputy D.A., was the prosecutor.
Bob Wilcox was Randal's manager.
John H. Woodard is an Intel lawyer, who observed much of the
trial and who comments on it in the press for Intel.
Q74. Where can I find more information?
The web site is http://www.lightlink.com/fors/.
There are two mailing lists: fors-discuss@teleport.com (The
Friends of Randal Schwartz discussion group) and
fors-announce@teleport.com (The Friends of Randal Schwartz
announcement list). Despite the name, fors-discuss has been open
to all viewpoints, and is the best place to follow the case. To
subscribe, send email to majordomo@teleport.com with
subscribe fors-announce [your email address]
for the announce only list (1-2 messages a week), or
subscribe fors-discuss [your email address]
for the discussion group. If the E-mail address is the same as
that in the headers it may be omitted.
Randal archives the past messages of fors-discuss at
ftp://ftp.teleport.com/users/merlyn/fors/discuss
The newsgroups comp.security.unix, comp.security.misc and
misc.legal.computing also contain some discussion of this case.
Archived news articles discussing the case can be batch
downloaded from
http://cheddar.nyswri.cfe.cornell.edu/news/batch.htm.
Q75. How can I help? And does Randal keep his own version of
this story anywhere?
Send email to fund@stonehenge.com for more information about
Randal's version of these events, his defense fund, and
suggestions on how you can help. You will get an automatic
response and the content of the mail message will be ignored.
Q76. What are the guidelines for this FAQ?
I have tried to represent people's views in their own words. One
disadvantage is this requires taking old postings. News is an
interactive medium, and one takes less care than in writing for
other forums. I am open to considering replacement language from
the same source, where the poster wants to revise his remarks.
The FAQ keeper volunteered and was accepted by Randal. Randal
exercises no editorial control over this FAQ, and does not see
copies of it in advance. Randal reserves the right to remove the
FAQ keeper at any time, and the FAQ keeper reserves the right to
resign at any time.
Content last changed on 5/2/96: FORS www site pointer updated.
The rest of the material is from September, 1995.