Letter to CERT Re Oregon v. Schwartz
Subject: Letter to CERT Re Oregon v. Schwartz
From: jeffrey@best.com (Jeffrey Kegler)
Date: 17 Aug 1995 18:58:57 -0700
Newsgroups: comp.security.unix
Organization: Best Internet Communications, Inc. (info@best.com)
Summary: CERT Oregon Schwartz

==== Start of message to CERT ===

This is a request for a formal CERT investigation of the criminal case
involving Intel and Randal Schwartz in Oregon. Randal was recently
convicted of hacking Intel's computers while a contractor there. The
case raises many questions.

I do not believe CERT has the option of treating this as entirely a
matter involving the criminal courts, or the two parties. Facts are
still emerging, but it appears Randal was convicted for activities which
Internet security professionals carry out routinely, and it currently
seems that his crime consisted of overzealous performance of those
duties, if even that much.

As a sample of the questions raised, if there appears to be a security
breach on the Internet, and in the course of working up facts for
reporting it, a sysadmin runs nslookup, ping or telnet against someone
else's machine, that may be a felony in Oregon. While such probes are
similar to those launched by a cracker, fear of prosecution for
performing more than the most cursory investigation can make the
Internet a more cracker-friendly place. This example, if anything,
understates the implications of this case. The probes which Randal was
convicted for were against the machines of a client with whom he had a
current contract for, among other things, security duties.

I did not attend the trial, and the transcript is still unavailable, so
I apologize for any factual errors in the above. It is not my intent
here to indicate fault in any of the parties in the Schwartz case. The
lack of such facts is all the more reason for a CERT investigation.

Again, I do not believe CERT has the option of overlooking this case.
It may be an advance in our profession, to turn certain activities in
the past considered ordinary parts of an Internet security
professional's duties into felonies, with the facts to be judged by
local D.A.'s and jurors called to civic duty from their plows. CERT, if
it concludes this, should not do so by default.

==== End of message to CERT ===

This matter raises too many issues to be focused on the issue of
which of two parties "blew" it. The case of Oregon v. Schwartz
has major implications for the Internet security professionals,
and cannot now be ignored or swept under the rug. This matter must
be debated and investigated by our profession in as formal a way
as possible.
--
Jeffrey Kegler, President, Algorists, Inc.
743 East El Camino Real, #338, Sunnyvale CA 94087, jeffrey@best.com