
Oregon v. Schwartz FAQ



This is the FAQ for the fors-discuss (Friends of Randal Schwartz)
mailing list, now into its 3rd version.

==== Start of FAQ


                   OREGON V. SCHWARTZ FAQ (V3)

Disclaimer for early drafts: It is possible, as I have gathered
this material from miscellaneous mailing list messages, news
postings, and so forth, that it contains errors of ascertainable
fact or ascribes statements to people who never made them.  I
regret both deeply.  Please inform me of any such problems so I
may correct them immediately.

I have tried to represent people's views in their own words.  One
disadvantage is this requires taking old postings.  News is an
interactive medium, and one takes less care than in writing for
other forums.  I am open to considering replacement language from
the same source, where the poster wants to revise his remarks.

Significantly changed or new questions are followed by an
asterisk.


                            FAQ Index

Q1.   What is Oregon v. Schwartz?
Q2.   Why the interest in Oregon v. Schwartz?
Q3.   Who is Randal Schwartz?
Q4.   What was count 1?
Q5.   Why does Randal say he created the gateway?
Q6.   Was the gateway authorized or unauthorized?*
Q7.   What was count 2?*
Q8.   What was count 3?
Q9.   Why was Randal running crack?  Was Randal authorized to
check security using crack?
Q10.   What is crack and who should run it?
Q11.   What is the most serious evidence against Randal?*
Q12.   How does Randal explain his confession?*
Q13.   Even if Randal is guilty, this does not seem like the sort
of thing you ordinarily prosecute.  Why did they?
Q14.   Was there no offer of a plea bargain?*
Q15.   Besides Randal, who's who in this case?*
Q16.   What was the chronology of events?*
Q17.   How can I help?  And does Randal keep his own version of
this story anywhere?
Q18.   Where can I find more information?*



Q1.   What is Oregon v. Schwartz?

The case in which Randal Schwartz was convicted on July 25, 1995
of three computer crime felonies.

Q2.   Why the interest in Oregon v. Schwartz?

There are quite a few interesting aspects to this case.  First,
cracker cases which come to trial are still somewhat unusual.
Second, the defendant.  Randal Schwartz is the first wizard
convicted of cracking.  That is, he is the first prominent
cracker who was already prominent for legitimate reasons.  Third,
the circumstances.  There appears to be no case made that Randal
was malicious, or had anything like what laymen recognize as
criminal intent.  The element of "personal gain" necessary for
the theft counts was supplied by Randal confessing he hoped what
he did would make a favorable impression on Intel.  Fourth, the
law.  As the above would indicate, the laws, and the court's
interpretation of them, were very sweeping, and seem to
criminalize activity widely regarded as normal, helpful and even
necessary.  Fifth, Internet security policy implications.  In the
Morris case, it was clear the conviction strengthened computer
security.  Here that conclusion seems most dubious.

Q3.   Who is Randal Schwartz?

Randal is perhaps Perl's number one fan.  His early and energetic
advocacy of Perl and his co-authorship with Larry Wall of that
language's most authoritative text have identified Randal with
Perl so thoroughly he is often mistakenly thought of as
co-inventor of Perl.  (Larry Wall invented Perl alone.)  Randal is
widely known through his generosity in answering Perl questions
on the net, and he is an established and generally well liked
personality on the Internet.  Randal is far from the
stereotypical cracker.

Q4.   What was count 1?

Knowingly and without authorization altering a computer network.
This refers to Randal installing gateway programs on two
computers so he could access Intel computers from a remote
computer.

Q5.   Why does Randal say he created the gateway?

Randal L. Schwartz on fors-discuss@teleport.com (Mon, 14 Aug 1995
15:10:45 -0700): "I established what I believed to be very secure
ways of checking on my Intel email over the internet while I was
away from Intel (for the small number of weeks that I was out of
town), and having Xterms and X-emacs access my Xserver at Intel
while I was at my desk (part time).  ('gate' and 'door' were in
Perl, making this what I believe to be the first time Perl code
is now a part of the public record. :-)"

Randal's claim of benign intent does not seem to have been
contested in court.  Apparently malicious or criminal intent was
not a necessary element of this crime.

Q6.   Was the gateway authorized or unauthorized?

Randal L. Schwartz on fors-discuss@teleport.com (Mon, 14 Aug 1995
15:10:45 -0700): "Now, having said that, there's another flaw
with charge one.  If, as Intel claims in the trial, that my
actions in March and June of 1993 (where I was told to modify
'door' and 'gate' to be more secure) are truly crimes, why the
heck was I allowed to work until November 1993?  This seems to be
the case of moving the line drawn in pencil on the floor (not
visible under average light) to the other side of the room
without telling me, and retroactively deciding that something I
wasn't even disciplined for is now a crime.  Gack."

Mark Morrissey on fors-discuss@teleport.com (Tue, 15 Aug 95 10:18
PDT): "In about March of 1993, Dirk and I confronted Randal after
Dirk found a program owned by Randal running on a machine named
mink that would allow incoming access to Intel from the Internet.
Dirk and I told Randal quite clearly and very explicitly that
access to Intel networks from outside of Intel was a violation of
Intel security policy.  Randal seemed quite surprised and was
very apologetic, so I told him that we would handle the situation
internally and not involve Intel security.  Since Randal didn't
seem to know the rules, I made sure that he understood them and
let him off with a warning.  I informed Intel security that a
possible security hole had been found and resolved.

Mark: "Let me be very clear: Randal agreed to modify the program
so that it would not receive connections from IP addresses not in
the Intel domain.  Later checking by Dirk confirmed that Randal
had installed this block (at least, this is what Dirk told me).

Mark: "Randal certainly understood that the problem was access to
Intel networks from outside of the company.  I made this very
clear and he assured me that he understood."

The FAQ-keeper asked "Why leave the gateway running at all?" and
Mark Morrissey responded on fors-discuss (Wed, 30 Aug 95 10:42
PDT): "Randal told us that he used the program for making
connections out of Intel, which was the sole purpose for the
existence of the machine mink.  This explains why the gate
program wasn't terminated."

Randal L. Schwartz on fors-discuss (Wed, 30 Aug 1995 20:44:03
-0700) gave a longer version of events as corrections and
additions to a scenario put forth by the FAQ-keeper.  The
scenario began as follows:

1. Intel discovers 'door', labels it offending and orders it
changed.
2.  Randal accepts the Intel policy, and changes 'door'.
3.  Intel checks and passes on the changed 'door', seemingly
implicitly authorizing it.

Randal then picked up the story: "4. Randal abandons use of
'door' (allowing access to *any* inside machine once you get
through all of the security locks), shortly thereafter.

Randal: "5. Some substantial time later, Randal creates 'gate',
restricting access only to a single machine that does not contain
product data and believed to be reasonably secure.

Randal: "6. Dirk/Mark discover gate, decide that *that* isn't
secure enough.  Randal says he no longer needs account if he
can't even run gate there, and asks for account to be closed.
They comply.

Randal: "7. Randal runs 'gate' on SSD machine, which has security
policy more accommodating and familiar.

Randal: "8. Months later, when Intel begins prosecution relating
to use of crack, they decide that events 2 and 6 are now
felonious action, when in prior instances, it hadn't even
resulted in even so much as a sanction or other disciplinary
action.

Randal: "So, some points here:

Randal: "I *never* *knowingly* disobeyed any guidelines handed to
me.  My understanding of event 2 is that they were telling me
that 'door' wasn't secure enough because it allowed access to any
machine.  I *never* ran 'door' in that fashion again.  Ever.

Randal: "'gate' had a very narrow purpose, akin to what I was
doing for my group when I was at iWarp/SSD... access to a
specific, non-product machine.  When Mark/Dirk disagreed with
even its use, I finally concluded that they were being even more
tight than SSD.  So I moved the program back to SSD, where I
understood the policy to be more liberal.  [ ... ] 'door' and
'gate' had entirely different access protocols and scope of
operation."

Mike Northam on fors-discuss (Wed, 30 Aug 1995 21:16:19 -0700):
Mike: "Having worked at Intel as a contractor both within SSD and
in other Intel organizations, I can vouch for Randal's assertion
that SSD is 'different'.  [ ... ] but my view is that SSD, being
more a research organization, is more "accommodating" than other
Intel divisions.  And, since Randal had worked there for several
years previously, I can imagine it would seem 'more familiar'."

Mark Morrissey on fors-discuss (Wed, 30 Aug 95 22:27 PDT): Mark:
"I'll yield to Randal on the mink incident since I never saw the
second program, only the first.  All I know is that I was told
that he had made the changes to the script that we saw to block
outside connections and at a later date I was told that the
blocks were removed and when confronted, opted to have his
account removed.

Mark: "This is consistent with his email on this subject and I
apologize for calling both programs 'gate'.  Thanks for the
corrections Randal."

In response to my question, exactly which instances count 1
consisted of, Randal replied on fors-discuss (Fri, 01 Sep 1995
12:46:14 -0700): "door on mink (mar 93), gate on mink (may/jun
93), gate on brillig (nov 93)".

Q7.   What was count 2?

Theft of a password file.  This consisted of copying it from one
Intel machine to another.

Q8.   What was count 3?

Theft again, this time of individual passwords decrypted from
that same file.  Randal decrypted these passwords using crack.

Q9.   Why was Randal running crack?  Was Randal authorized to
check security using crack?

Randal L. Schwartz on misc.legal.computing (09 Aug 1995
19:17:08 -0700): "I had never ever been instructed not to run
Crack while at Intel.  I had started running it on my own
initiative while a sysadm at iWarp, and it was still being run
when I left iWarp/SSD in mid 92.  Why no-one was running it in
oct 93 is *still* the question.  (If they had, I suspect I would
not have discovered 48 passwords of 600 users, and that the vice
president's password was 'pre$ident'.)"

Mark Morrissey on comp.sys.intel,misc.legal.computing (2 Aug 1995
22:18:01 GMT): "But he *wasn't* a systems administrator for the
systems on which crack was being run (*I* was the systems
administrator for those systems) and he wasn't a systems
administrator for SSD at the time in question.  Also, he *knew*
who to contact at SSD and failed to do so.  At a very minimum, he
could have informed me and asked me to handle things.  We did,
after all, sit next to each other."

Randal on fors-discuss (Fri, 01 Sep 1995 12:46:14 -0700): "I
walked out in a huff two months early on the iWarp/SSD contract.
This is part of the reason that I didn't immediately report my
results about the SSD security problem -- because I had left in a
huff, I wanted to make sure I had all my ducks in a row before I
cried wolf.  And I couldn't bear to say it too early, so I got
pigeonholed into being a snake in the grass.  (:-)"

Again, Randal's claim of benign intent does not seem to have been
contested in court.

Q10.   What is crack and who should run it?

Crack is a program to find weak passwords by the direct means --
cracking them.  The idea is that if a good guy can crack a
password, so can the bad guy.  Of course, and unfortunately,
crack is a highly useful tool to bad guys as well.

From Cheswick & Bellovin, _Firewalls and Internet Security_, p.
245.: C&B: "If none of these [authentication devices or a "smart"
version of passwd] are used, crack your own password files and
weed out the weak ones.  Crack is a well known and widely
distributed password cracking program by Alec Muffett."  Far from
discouraging its use, CERT distributes it as
ftp://ftp.cert.org/pub/tools/crack.  Perhaps ironically, one of
the people credited by Alec Muffett for help with this important
tool is Randal Schwartz.

Q11.   What is the most serious evidence against Randal?

Of the material out so far, the police report, which contains a
lot of confession language attributed to Randal.  The whole is
important to read.  It is currently only available in Randal's
archive of fors-discuss.  What follows are the most damning
statements:

Report of Detective P. Lazenby, quoted by Mark Morrissey on
fors-discuss (Fri, 1 Sep 1995 21:32:24 -0700 (PDT)): "Writer then
asked Randal if he felt he was doing anything wrong.  Randal told
writer that he was in fact violating Intel policy and he also
thought that he could be criminally prosecuted for these
incidents."

Lazenby:  "I asked Randal if this was wrong and in violation of
Intel policy and Randal said, 'Yes it is, but I knew I could do
it anyway.'  Randal said that he wanted to do it because he
wanted to be efficient in getting his E-mail very fast and he
felt was important and when they shut him down, he wanted to
continue doing what he was doing and since he had the capability
to do it and knew he could do it, he did it without permission."

Lazenby:  "I then told Randal that if he knew this, and it was a
security measure back then, why was he doing it [ running crack ]
without authorization now.  Randal advised that he knew it was
totally wrong and would get in trouble if caught doing it."

Reading of the whole shows its author to have considerable
knowledge of computer jargon, and Randal to have been surprisingly
familiar both with Oregon computer crime law and the elements
necessary to a full confession.

Q12.   How does Randal explain his alleged confession?

Randal on fors-discuss (Sat, 02 Sep 1995 08:32:48 -0700): "I was
indeed read my rights before any questioning started.

Randal: "In a brilliant example of the all-around bad judgement
about this incident, I just started talking.  You see, I was
determined to show that *nothing* was going on, and that if they
were considering me as having committed some bad act, they must
simply just not understand what I was doing yet.  So I spent two
hours trying to educate them.

Randal: "Please, I've heard the 'next time, call a lawyer' 97
times.  Spare me the private email about that.

Randal: "I've never had a run-in with the law before.  I've
always thought cops were my friends.  That's the way I was
raised.  So, while this situation was different and scary, I
still thought that the guys sitting across the room from me
asking me questions were there to help me.  Perhaps they could
even be a neutral arbiter.

Randal: "As it turns out, cops, like all of us, seem to have
selective hearing.  I had somehow forgotten that.  (I had
selective memory. :-)"

Randal on fors-discuss (Fri, 01 Sep 1995 17:45:11 -0700): "[ ...
] they should be read knowing that: (1) the cops had a tape
recorder in the car, but chose not to use it.  (2) the cops had
*video* equipment at the office, but chose not to bring it.  (3)
little or no notes were taken from a two hour 'interview' (aka
interrogation).  (4) I tried to make the cops understand
everything that was happening, but I was very very stressed and
confused, because while this 'interview' was going on, other cops
were scouring my house, ripping out computer systems.  (This is
not the usual sort of behavior at my house. :-) (5) I recall the
cops testifying that the information was very technical, and many
times hard for them to understand.  (6) I *now* understand why
I'm not supposed to talk to cops without a lawyer present, as the
difference between what I understood to say and what actually
ended up on the paper is nearly night and day.  (If you've had
the opportunity, recall the last time you were quoted in the
popular news media... :-)"

Mark Morrissey, quoted by Randal on fors-discuss (Sat, 02 Sep
1995 10:10:58 -0700): "I believe that the reports basically
substantiate what Randal has said publicly here.  I don't think
that anyone will find anything that substantially conflicts with
his version.  However, what I have found interesting from the
beginning, and about which I had several conversations with the
investigators regarding, is Randal's statement that he was
cracking passwords so that he could continue to read his email
even after he was terminated by Intel at the end of his contract
(and presumably no longer had an account).  This is confirmed by
the Intel UNIX security expert (who is *very* good, I assure you)
who was present for much of the interview."

Randal in that same message: "My legal team has gone over that
statement with me in detail.  We believe that it is actually a
very good demonstration that what they were understanding and/or
recording was different than what was in my head.

Randal: "It may very well be that I said, under the stress of the
situation, exactly what was in those reports.  But my mind
sometimes races ahead of what I am saying, especially under
stress.  As I have already said in this forum before, I answered
'yes' to the prosecutor's question of 'so you did this for
personal gain?', when in fact, what I was thinking of was 'well,
it was to keep my employment at Intel, and that benefits me
personally, so yes.'

Randal: "Clearly, viewing the record of my statements in the
clear calm of a situation removed from the original interrogation
reveals the lunacy.  Why would I want to read *my* email after
*I* had been terminated???  The real question then for review is:
(1) what question did I think I was answering, and (2) what did I
say, and (3) what did I think I meant by that?  I would say #2
can be answered by the police report, but we have to get to #1
and #3 to get the whole picture."

Mark quoted by Randal: "I have always believed Randal's version
with the one caveat mentioned above.  This detail appears in
every report and was mentioned by everyone who was involved in
the interviews (which I was not, being at Intel preserving the
chain of evidence).  It could simply be a case of nerves on
Randal's part, but I haven't had a chance to buy him a beer to
talk about things.  The ramifications are evident: he appears to
have intended to leave gate running after he left the company and
intended to use other accounts and passwords for some reason -
the loss to explain this part."

Randal: "No, I intended continued employment and continued access
to my email while I was employed.  Even if I misspoke. :-)"

Q13.   Even if Randal is guilty, this does not seem like the sort
of thing you ordinarily prosecute.  Why did they?

Randal L. Schwartz on fors-discuss@teleport.com (Mon, 14 Aug 1995
15:10:45 -0700) Randal: "Allowing me to opine for a moment, it
seems that as long as I was being innovative in directions that
didn't embarrass the vice president of SSD, I could experiment
all I wanted, because my overall net contribution to the company
far exceeded any hassle I was causing the grunts.  And, both the
mail-access method and running crack were further attempts on my
part to be of overall benefit to the company.  But we know how
these two turned out. :-("

John H. Woodard, an Intel lawyer quoted in the Oregonian:
Woodard: "I think it was good for all the high-tech companies
moving into this area that the county is willing to pursue these
types of crimes."

FAQ-keeper: Personally, this case has me afraid to change planes
in Washington County.

Mike Northam on fors-discuss (Wed, 30 Aug 1995 19:47:47 -0700):
"My personal feeling (and this is pure speculation) is that there
were perhaps cracking attempts, possibly industrial espionage,
against some Intel systems which hold major corporate secrets
about the Pentium follow-on chip.  Perhaps this kind of thing was
what caused the major reaction against Randal.

Mike: "What folks [ ... ] perhaps need to fully understand is
that hundreds of millions of dollars are at stake in those kinds
of ballparks.  Finding a system accessible to the outside world,
in any manner whatsoever, bypassing the firewalls would cause the
alarm bells to ring, I've no doubt.  But why, after it became
apparent that the 'attack' was benign, would Intel press for
felony charges?"

Q14.   Was there no offer of a plea bargain?

Randal on fors-discuss (Fri, 01 Sep 1995 12:54:50 -0700): "1)
first offer, prior to *indictment* (mar 94): one felony.  (At
this point, we weren't even able to figure out what they could
possibly charge me for, so I couldn't figure out why I was
possibly copping to a felony.)

Randal: "2) second offer, the week before the trial (jul 95):
wants to apply misdemeanor treatment for the crimes, I won't
stand in the way, but I won't suggest it either'.  (This is
before the judge even gets to hear any of the evidence.)

Randal: "Both offers, obviously, were declined."

Q15.   Besides Randal, who's who in this case?

Thomas J. Tintera, Senior Deputy D.A., was the prosecutor.

Alan C Bonebrake, Circuit Court Judge, was the judge at the
trial.

Marc A. Sussman is Randal's defense attorney.

Mark Morrissey was sysadmin of the system crack was run against,
and the person who discovered crack running.  He testified at the
trial.

Dirk Brandaweighe was another Intel sysadmin who worked for Mark.

Detective P. Lazenby was one of those who searched Randal's
apartment.  He filed a report containing many statements by
Randal full of confession language.

Sr. Deputy Lilley was another officer who participated in the
search.  He apparently wrote a more extensive report, which as of
this version of the FAQ, the FAQ-keeper has not seen.

An Ed Bunch is mentioned in Det. Lazenby's report as an Intel
sysadmin who may have been told that Randal had found passwords.

John H. Woodard is an Intel lawyer, who observed much of the
trial.

Q16.   What was the chronology of events?

November 1, 1992:  Start of activity alleged in indictment.
March 1993:  Randal's 'door' program is discovered on mink and
changed to meet Intel's objections.
May/June 1993:  Randal's 'gate' program is discovered on mink.
Randal, in response to objections, asks for mink account to be
closed.
September 24, 1993:  Crack runs started by this day.
October 28, 1993:  Intel discovers crack program running.
November 1993:  'gate' is found running on Brillig.
November 1, 1993:  End of activity alleged in indictment.
Randal's residence searched.
March 1994, but before the indictment: Randal is offered the
chance to plead guilty to one felony count.
March 14, 1994:  Randal indicted on 3 felony counts.
Apr 19, 1994:  Randal was scheduled to return to enter a plea
this day.
July 1995 (one week before the trial): Second plea bargain
offered.  Prosecution offers to neither oppose nor support
misdemeanor treatment before judge.
Jul 25, 1995:  Randal convicted on all 3 counts.
Sep 11, 1995:  Sentencing scheduled for this day.

Q17.   How can I help?  And does Randal keep his own version of
this story anywhere?

Send email to fund@stonehenge.com for more information about
Randal's version of these events, his defense fund, and
suggestions on how you can help.  You will get an automatic
response and the content of the mail message will be ignored.

Q18.   Where can I find more information?

The web site is http://www.usa1.com/fors.

There are two mailing lists: fors-discuss@teleport.com (The
Friends of Randal Schwartz discussion group) and
fors-announce@teleport.com (The Friends of Randal Schwartz
announcement list).  Despite the name, fors-discuss has been open
to all viewpoints, and is the best place to follow the case.
Randal archives the past messages of fors-discuss at
ftp://teleport.com/pub/merlyn/fors.

The newsgroups comp.security.unix, comp.security.misc and
misc.legal.computing also contain some discussion of this case.
Archived news articles discussing the case can be batch
downloaded from
http://cheddar.nyswri.cfe.cornell.edu/news/batch.htm.
-- 

Jeffrey Kegler, President, Algorists, Inc.
743 East El Camino Real, #338, Sunnyvale CA 94087, jeffrey@best.com