
Re: Perl Co-inventor Convicted




Newsgroups: misc.legal.computing
Date: Mon, 14 Aug 95 19:02:29 PDT
>>In article <4056fc$sk@nyx10.cs.du.edu>, <spritcha@nyx10.cs.du.edu> writes:
>
>>1: Randal is guilty as charged by his own admission.
>
>True.  And (as I described in another thread) I have been.  Others
>have been telling similar stories.  The argument here (to me) is not
>over "guilt" or "innocence", but rather over Randal's intentions and
>Intel's reaction.  It seems ridiculous that this was a criminal case
>to begin with, and seeing Randal get convicted makes me nervous, in
>all honesty.

There is *nothing* ridiculous about security to security people. :-(  
I wish I could read in this thread the thoughts of someone who has actually
worked as a system administrator at a secure military site (for a little
contrast).  :-)

Of course you should be nervous about this; none of us should doubt that
the intent of this prosecution is to raise the level of concern when
our work includes security responsibilities.  I for one hope Randal
appeals the conviction, since that is the only way to clarify the legal
aspects of the issue.  In the meantime, don't forget to CYA if you have
reason to be concerned.

>>2: A vulnerable password file from Intel/SSD is *very* valuable property
>>   to competitors or potential consultants to competitors (like Randal).
>
>My question still stands.  Do you really think a consultant would pull
>a stunt like that?  I wouldn't even consider it.  I rather like the
>idea of people hiring me.

I don't know Randal well enough to answer that, and based on this post, I 
don't think you do either.  But if you try to see the issue from the viewpoint 
of someone responsible for security at Intel, you might find the discovery 
of these acts very alarming.  And remember, we don't know what other 
borderline acts might have occurred (by Randal or others) that Intel decided
not to pursue.  It may well have been a case of enough is enough.

>>3: Most (all?) consultants know they can be held liable for their professional
>>   actions (some even get insurance).
>
>Right, which is why I find it hard to believe that Randal was trying
>to do any damage.

I don't think it was important to Intel whether Randal did any damage or
intended to do damage.  The issue for them seems to be the flaunting of
the rules.  Intel thought it was serious enough to warrant a criminal
prosecution.  Again, I would like to hear some analogies from those 
familiar with work in an environment where security is taken very
seriously.

>>4: Randal got caught breaching security in a manner that he was specifically
>>   told *not* to do.
>
>That could well be.  If so, he should have been fired and quite
>possibly sued.  It shouldn't be a criminal case.

Apparently Intel, the prosecutor, and the jury all thought the breach of
security was serious enough to be considered criminal.  I certainly would
be interested in the specific facts presented at the trial.

>>S/W engineering is full of arrogant and egotistical people who are so good at
>>what they do and have such a good technical reputation that they feel
>>invulnerable and beyond contempt.
>
>This could be partly because most people, even those who work in the
>computer field, don't understand the work of programmers or system
>administrators.  I think this lack of understanding is what allowed
>this whole thing to get blown out of proportion.  If you don't believe
>me, you might note that most of the people who seem to be on Randal's
>side are sysadmins and consultants.  (In case I haven't made it clear,
>I have a consulting business.  I just don't advertise in my .signature.)

This is a valid point, and as you point out, a major argument that has been 
made by many in this thread.  In my view, two items need to be addressed.  
First, the Oregon law must be clarified in the legal context.  Based on what 
I've read, the law itself may be too broad.  And two, conscientious system 
administrators like yourself, need to seriously and professionally address 
the issue.  What sort of rules can be worked out to address the legitimate 
concerns of the various vested interests?  I can see that this will be very 
difficult, but is it possible?  Maybe Intel can redeem themselves with many 
by participating in a serious dialog about the responsibilities of computer 
and network security professionals once this case is closed.

>>This category of folk tend to feel that
>>their technical talents have equal currency in every other aspect of life.  In
>>this case, the goodwill Randal has from other s/w professionals based on his
>>technical talent has little or no meaning in the courtroom.
>
>I have a great deal of respect for Randal based on his technical
>talent, true.  But my good-will is mostly the result of two things.
>First of all, Randal seems to be a nice guy.  I get this impression
>from his posts on usenet, his web pages, and his books.  I realize
>that it counts for absolutely nothing.  Second, he basically has the
>same business I do.  He apparently has been making a living at it.  I
>respect that.  :-)  Between these two things, I have a hard time
>believing that he would try to do something damaging to a client.
>Last I knew, intent had some bearing in the courts.

I suspect that Intel was able to prove that he *intended* to flaunt 
the security rules and got caught.

>>I don't know
>>whether Randal falls into the arrogant category or not, but I feel some of
>>his defenders certainly do (IMHO).
>
>People have said here (and sent me email) saying that he is, but I'm
>not sure that it has any bearing here at all.  Whether or not his
>defenders are arrogant *certainly* has no bearing.

I believe it has some bearing in making the technically arrogant think twice 
about the consequences of this kind of unprofessional behavior.

>>It is specially irritating to read "hey, 
>>what's wrong with that.  I do that all the time" as if that was the *only*
>>criteria for judging this case.
>
>If people do *anything* "all the time", then either it shouldn't be a
>felony, or the law isn't being evenly enforced.  (That is the problem
>with drug laws in this country, IMO, but that's another debate.)  If
>the law that got Randal convicted wasn't bogus, then a hell of a lot
>of people should be in jail.  So it is certainly a consideration in
>this case.

What should be a consideration is that none of us can afford to be naive 
about this or any other legal matter that carries serious consequences.

>>What about the right of property owners (i.e.
>>investors) to legal protection of their property?
>
>That's what the civil courts are for.  Intel knows all about the civil
>courts.  Why did they make a criminal case out of this?

Probably to significantly raise your anxiety level. :-)

>>Folks, the work we do as engineers and the right to make the rules of the job
>>does NOT belong to us.  You and I may not like it, but that's a fact.  Within
>>other legal constraints, these are things that belong to those who pay for the
>>work.
>
>Fine.  And if someone has a problem with my work or something I've
>done while working for them, they should confront me with it, fire me
>if they think it is justified, even sue me, but I don't like the idea
>of them running to a criminal justice system that doesn't understand
>the work I do.  Doesn't the precedent here frighten anyone besides
>me?
>
>>*FLAME OFF*
>
>Good.  I'm tired of typing.  ;)
>
>Steve
>-- 
>steve@jal.cc.il.us        | Southern Illinois Linux Users Group
>(618)549-8579             | Meetings the 1st and 3rd Mondays of every month.
>Steven Pritchard          | http://www.jal.cc.il.us/SILUG/

Sorry about the long post.

--
Lou Santisteban - lsantist@lsantist.dfrc.nasa.gov 


