
Re: Randal Schwartz Cracking Conviction



In article <DE8n9H.AM0@uns.bris.ac.uk>, Paul Smee <P.Smee@bristol.ac.uk> wrote:
Paul> And, most things you do for your boss don't (or shouldn't) look like
Paul> illegal activities - unless you've got a seriously weird job.

In article <427l27$isl@shell1.best.com>,
Jeffrey Kegler <jeffrey@best.com> wrote:
Jeffrey> By this definition, Internet security is necessarily a "seriously
Jeffrey> weird job".

In article <4281fj$3hr@reuter.cse.ogi.edu> Mark Morrissey wrote:
Mark> well, no.  it's not illegal if you get your management to give
Mark> you written authorization to perform these activities.

OK, let's take as the example Randal's change to his gateway program
'door'.  Since this incident was one of those which resulted in a felony
conviction for which Randal faces jail, it should be serious enough to
generate written authorizations.  You ordered a change to 'door', and
Dirk later checked it had been made.  This both established that the old
'door' would be unauthorized and the one changed per your instructions
authorized.  Were your instructions in writing?  Was Randal's authorization
to run the revised 'door' program in writing?  Did Dirk report in writing
on his finding that 'door' was now within guidelines?

Another of Randal's convictions was for checking for weak passwords, of
which he found many.  Was there a written authorization stating whose
job it was to check for weak passwords, and how they were authorized to
do it?  Was there a record in writing of how often this check was performed,
and what was found?

Mark> The
Mark> authorization can be vague enough to cover most eventualities.
Mark> At least all the authorizations that I have been given were
Mark> written this way.  btw, I never had any problems getting this
Mark> type of permission from my management and this includes the
Mark> same group where Randal was working when all this started.

Vague authorizations are like unverified backups of data -- they "work"
as long as you don't need them.  If you are going to face what Randal
went through, you would be insane not to have specific, detailed
authorizations.  If you had to confront the sworn statements of two
police officers, that you had confessed to them (orally and with their
tape recorder left in the police car, of course) that you knew what you
were doing was against Intel policy, would you feel comfortable with an
authorization "vague enough to cover most eventualities"?

[ I have taken the liberty of changing the subject line, which all
agree was inaccurate.  Randal was not, and has never to my knowledge
claimed to be co-inventor of Perl.  His early and strong help in
promoting Perl was such that it is an easy mistake to make. ]
-- 
Jeffrey Kegler, President, Algorists, Inc.,  jeffrey@best.com
743 East El Camino Real #338, Sunnyvale CA 94087

