[Prev][Next][Index][Thread]
Re: Tim O'Reilly on Randal Schwartz Prosecution
Thus spake O'Riley of O'Riley & Associates:
> > When we first heard from Intel that Randal had hacked our password
> > file, we were a little miffed, but after a five minute conversation
> > with Randal were convinced that no harm had been done or intended,
> > and that was the end of it.
Well, I guess that takes care of the nascent dispute between Mr. Kegler
and Mr. Morrissey. Morrissey was right. ORA confirms that Mr. Schwartz
"hacked" the ORA password file, but Mr. O'Riley, after talking with Mr.
Schwartz, has satisfied himself that... er, this is just what Mr. Schwartz does,
and that "no harm had been done or intended."
On the other hand (assuming that Det. P. Lazenby of the Washington
County Sheriff's Office, Oregon, accurately reported his interview with
Mr. Schwartz) we also know that Mr. Schwartz not only crunched the ORA
password file with his enhanced CRACK -- but that he did so successfully,
and obtained at least one person's secret ORA password.
From Mr. O'Riley's message, it seems clear that Mr. Schwartz had not
bothered to inform O'Riley of his successful attack. From Mr.
O'Riley's tone, I'd also venture a guess that it was not Mr. O'Riley's
password that Mr. Schwartz cracked and tucked away somewhere.
I wonder what the person whose ORA password was filtched by Mr.
Schwartz thinks of all this?
Actually, that might be a very interesting POV (particularly since
the RORS-dominated threads on all these newsgroups have shown an awesome
disregard for the dignity, privacy, and property rights of the 48
individuals whose personal passwords were covertly collected over a period
of what? two months? by Mr. Schwartz at Intel.)
Under the California Privacy Act of 1993, as it was originally proposed
by Sen. Bill Lockyer, I believe the owner of that account and password --
separately, and in addition to ORA, the owner of the computer system --
would be considered an injured party with recourse to sue or press charges
against Mr. Schwartz. (Maybe even sue ORA, if Mr. O'Riley's casual attitude
toward Mr. Schwartz's raid led him to neglect to identify and warn the
owner of that account that his/her password had been stolen.) I don't
know the current status of that law in detail, but I do recall that the
bill was eventually enacted as an amendment to Penal Code 502, the
California Computer Crime Law.
I would also be very very surprised if Section 502 did not criminalize
unauthorized acts to obtain and process an encrypted
password file, when those illicit actions resulted in the perpetrator gaining
access to another person's restricted data, including but not limited to
his secret password and other access information.
Oregon, much maligned in these threads, is not the only state where
unauthorized acts -- which result in an attacker obtaining other people's
personal passwords and access data -- is considered a crime. In
California, the '93 Privacy Act hiked the penalty for such use, misuse,
and theft of information considerably. Convicted felons can face, as I
recall, a fine of up to $10,000 and/or imprisonment for up to three years.
Vin McLellan +The Privacy Guild+ <vin@shore.net>
53 Nichols St., Chelsea, Ma., USA Tel: (617) 884-5548
ƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒ
Follow-Ups:
References: