
Re: Randal Schwartz Cracking Conviction
In article <42aa33$lkp@crl.crl.com>, jeffrey@crl.com (Jeffrey Kegler) wrote:
> OK, let's take as the example Randal's change to his gateway program
> 'door'.  Since this incident was one of those which resulted in a felony
> conviction for which Randal faces jail, it should be serious enough to
> generate written authorizations.  You ordered a change to 'door', and
> Dirk later checked it had been made.  This both established that the old
> 'door' would be unauthorized and the one changed per your instructions
> authorized.  Were your instructions in writing?  Was Randal's authorization
> to run the revised 'door' program in writing?  Did Dirk report in writing
> on his finding that 'door' was now within guidelines?
> 
> Another of Randal's convictions was for checking for weak passwords, of
> which he found many.  Was there a written authorization stating whose
> job it was to check for weak passwords, and how they were authorized to
> do it?  Was there a record in writing of how often this check was performed,
> and what was found?

     Mr. Kegler is an impassioned advocate, but this discussion seems to
have slipped some crucial factual moorings.  As I recall, Mr. Schwartz's
explanation of his situation acknowledged that these explorations of a
specific system's security were launched with a stolen or illicitly
appropriated password which gave him his initial access to the system in
question.

     Now, it's no surprise that the actions a hacker takes to search for
system weaknesses or other ways to obtain higher-level access on a target
system are identical to the actions a security administrator often uses to
identify system weaknesses.   As others have said, the question is
authorization, not technique.

     Mr. Schwartz's own comments seem to clearly indicate that he was
operating beyond the scope of any authorization made to him by his
employers, right?  I don't think even he would argue that his employers
expected him to be doing what he ended up doing on the system(s) he
eventually targeted within Intel.  His argument all along has been that --
despite his efforts to break down the security of the target system;
despite the fact that he broke security to make the initial entry into
this system -- his intentions were not criminal nor malevolent, right?

     I also think this discussion could benefit from some description of
the resources and capabilities available to the authorized users of this
target Intel system.  (Anyone follow the trial or get a copy of the
indictment?) Someone who picks the lock on a tool shed may be judged in a
different light from someone who hacks and spoofs his way into Citicorp's
electronic funds transfer system.   

     I haven't followed this case, and I'm not trying to pre-judge (or
post-judge) Schwartz.  To me, however, it seems clear that this is the
latest manifestation of a thirty-year struggle between corporate culture's
property claim and the broader claims of programmers' freedom, an implicit
claim of a right to explore as far as wit and technical savvy will allow
-- whatever the claims of ownership staked out by corporate sponsors.

     Suerte,

               _Vin

-- 
Vin McLellan +The Privacy Guild+ <vin@shore.net> USA
Tel. (617) 884-5546 Mail: 53 Nichols St., Chelsea, Ma. O2150
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''