Re: Schwartz conviction
In article <3v60k3$29p@qiclab.scn.rain.com>,
Andrew Burke <aburke@qiclab.scn.rain.com> wrote:
>But it seems to me this is a pretty big event in our little
>community. One of our own has just landed in the slammer and may lose
>his house. And it seems to me that there has been an incredible
>lack of discussion on this event. And I happen to think there
>are many questions which should be asked, and this forum is a
>great place to ask those questions.
I dropped my discussion of this onto comp.lang.perl.misc.
I believe a period of disbelief is occurring, as hero worship
dissipates.
>Do people really think Randal deserves this conviction?
Judging from the Oregonian's information, at least one charge was
fully warranted. The others are questionable.
>Does this put the fear of god in other consultants? Any Intel
>consultants dare offer their opinions?
No. It's easy to not fall afoul of the law.
>It seems likely Randal's situation is not unique - most of us like
>to see how fast cpu's can go, and Intel's are among the fastest.
>Perhaps there is a community of speed freaks at Intel and Cray who
>get their jollies doing exactly what Randal was doing. Will y'all
>change your ways?
I have been a security consultant on far more than one occasion and I
always had the permission of someone VERY senior in the organizations
I audited. It's a good policy. On more than one occasion I had the
permission of someone senior and no one else was informed, because
their reactions were also being audited.
>Anybody else think the NSA/CIA/Spooks United _potentially_ could
>have had influence in this case, since Randal was clearly a rogue
>seeing exactly what could be done with Crack?
The NSA could care less about Crack. Crack is chicken feed. It is a
brute force dictionary attack on the crypt() results in a password
file. It is trivial and beneath notice.
>Or at least that
>Intel has to show they are in firm control of the users of their
>supercomputers, and what better way than to hold a public lynching
>of a jerk consultant? (Why didn't Intel just fire him?? Surely there
>were others in Intel running Crack just to see what's possible)
The lynching is a result of the fact that Randal was arrogant and
pointed out VERY real security defects in the organization.
>How does this affect our community? Will people think twice about
>working for Intel, or do people recognize this as a very unique
>situation?
One should think twice before working for anyone that has restrictive
policies. This situation doesn't change anything.
--
Joshua R. Poulson, jrp@pun.org, http://www.pun.org/~jrp
"finger -l jrp@teleport.com" for PGP public key