The following editorial is from Dr. Dobb's Journal, March, 1996, Page 6.

© 1996 by Miller Freeman, Inc. All rights reserved.

Reprinted by permission.


Absence of Malice

From time to time, all of us end up doing the wrong thing for the right reason. Of course, sometimes we do the right thing for the wrong reason, or even the wrong thing for the wrong reason - oh, you get the idea. In any case, you can make up your mind regarding the cause and effect of the pickle that Randal Schwartz is in once you've heard his story.

Schwartz is a respected member of the programming community. In addition to writing the popular Learning Perl and coauthoring (with Larry Wall) Programming Perl (both published by O'Reilly & Associates), Schwartz has been a contributor to the comp.lang.perl newsgroup, moderator of the newer comp.lang.perl.announce newsgroup, and Perl columnist for both Unix Review and Web Techniques magazines. Schwartz also has made a name for himself as a professional trainer and contractor, focusing on sysadm and security issues.

It was two years ago this month, however, that Schwartz was indicted on three felony charges - one count of altering computer systems without authorization, and two of accessing a computer with intent to commit theft. The victim was Intel's Hillsboro, Oregon supercomputing division where Schwartz had been working for several years as a consultant. In July, a jury convicted him on three felony violations of Oregon's computer crime law. Then in September, the judge reduced the first count (which essentially charged that Schwartz had installed two different methods of accessing his Intel e-mail through the Internet) to a misdemeanor, then sentenced Schwartz to five years probation and a 90-day jail sentence that will begin in 1998. For the other two counts combined, Schwartz received 18 months probation, 480 hours of community service, and is required to tell prospective employers about his felony convictions. Furthermore, Intel is asking restitution, somewhere in the neighborhood of $70,000, even though an Intel attorney acknowledges that the company found no evidence that Schwartz planned to use the "stolen" information.

In his defense, Schwartz said that he was only trying to show Intel how inadequate its security system was. At the time, Schwartz was working under two Intel contracts: one to deploy DNS servers for the entire corporation, and another as a system administrator for some network-support machines. Since both contracts were running out, he'd hoped to generate a new contract to improve Intel's security. To that end, Schwartz ill-advisedly ran Crack, a commercially available password-breaking program that uses brute force to discover vulnerable passwords. His plan was simply to put together a proposal - based on real data - for improving Intel security. The sort of information he intended on presenting in the proposal included nearly 50 network passwords he'd discovered (including that of one ambitious vice president whose password was "pre$ident").

Before Schwartz could put his proposal together, however, an Intel employee noticed an unauthorized program was hogging computer time. Upon discovering Schwartz's Crack run, he notified security, and in the flip of a bit, Schwartz went from being an "independent consultant" to an "industrial spy." Even though management recommended that Schwartz simply be confronted because there was clearly no criminal intent at work (Schwartz ran Crack under his own login and didn't try to dissimulate his efforts), Intel's jackbooted security team (maybe needing to justify their jobs) opted to call in the sheriff's department.

Schwartz admits that he made a number of "bone-headed" mistakes - not clarifying the rules about Internet access, not reporting the first cracked password, not immediately reporting the results of the run - for which he probably deserved termination. However, he also says that his actions "were motivated by my desire to give Intel the best possible value for the money they were paying me," adding that none of his acts were based on malicious intent. In summary, Schwartz said: "I am sorry that I caused Intel any grief or hardship, and that in hindsight, I should have been clearer about my intention and actions."

The upshot of all this is that Schwartz is in a financial bind. There's little chance he will ever work at Intel again, even though he has given the company five years of good measure. Nor is he likely to work at any company that agrees with Intel's beliefs about him. With dim employment prospects, Schwartz has so far spent about $135,000 on his defense. When it's all said and done, he will probably end up paying $160,000 before even considering appeals.

A legal defense fund has been set up for him, and fellow programmers have "paid" Schwartz for "services rendered" to the tune of about $15,000. If you wish to contribute, make a check out to "Stonehenge" and send it to Stonehenge Consulting Services, Attn: Legal Defense Fund, 4470 SW Hall Suite 107, Beaverton, OR 97005-2122. Any money you contribute will be disclosed as income by Schwartz and thus is not tax deductible for you, unless you're a business and want to file a 1099 form on him. I've sent in my check, and hope you'll send in one, too.

Jonathan Erickson

editor-in-chief