
Intel v. Randal Schwartz: Why care?



At first glance the recent conviction of Randal Schwartz for three
computer crimes, potentially carrying 15 years of prison, is simply a
hacker case, with an unfortunate twist.  Randal is the well known
teacher and author of books on the Perl language.  As Peter Lewis said
in the _New York Times_, "Much of the Internet's World Wide Web has been
built by programmers who got their start by reading his _Programming
Perl_ and _Learning Perl_ books."

Clearly, Randal was someone who should have known better.  And in fact,
Randal would be the first Internet expert already well known for
legitimate activities to turn to crime.  Previous hackers have been
teenagers or wannabes.  Even the relatively sophisticated Kevin Mitnick
never made any name except as a hacker.  Never before Randal would
anyone on the "light side of the force" have answered the call of the
"dark side".  Randal received a deferred 90 day jail term, 5 years
probation, and 480 hours community service.  His legal fees have run
over $170,000 and a request for $71,000 in restitution awaits a ruling.

This is enough to make this case sad and troubling.  However, a closer
look at Oregon v. Schwartz is more troubling.

1.  Even taking the prosecution's case at face value, one is struck by
the minor nature of the charges, especially when contrasted with the
penalties.  A charge against Randal was copying an Intel password file
from one Intel machine to another.  No intent to take it outside Intel
or further use or misuse it was even alleged.  Randal was convicted on
this count, which is a felony potentially carrying a 5 year jail
sentence.  Like any felony, it also carries with it the loss of many of
the rights we take for granted.  For example, Randal may not leave
Oregon, change residence or change employment, without prior permission
from his probation officer.

2.  A second charge against Randal was also a felony with a penalty of
up to 5 years in jail.  Randal, by his own admission, decrypted
passwords from the password file above mentioned.  He says it was to
show their poor quality as passwords to his client, Intel.  No other
intent was alleged, and the decrypted passwords never left Intel.
Randal was convicted of this count.

It is necessary to note that the first two counts were special "computer
crimes", specifically "knowingly access[ing] and us[ing] a computer and
computer network for the purpose of committing theft".  As we will see
below, the prosecution did not show, and was not required to show, most
of what it must in order to convict ordinary, non-computer thieves.
Many of the missing elements are also essential to the ordinary, common
sense notion of what theft is.

3.  A third charge (and Randal was convicted on all three counts against
him) was altering a computer without authorization.  The facts behind
this charge are uncontested.  Intel said, and Randal admitted, he had
installed a gateway through Intel's firewall.  Randal says he did
this as part of his work for Intel.  Nobody alleges the gateway caused
harm, or that Randal intended harm in running it.

4.  Even to prove such trivial charges, the prosecution required
extraordinarily low standards of proof to make its case.  The
presumption of innocence, and simple common sense, would seem to argue
that an employee or contractor is routinely presumed to have authorized
access to a company's computers unless there are reasons to think
otherwise.  The alternative in today's world is to generate a mountain
of forms to authorize a day's work, or else require the employees to
operate without clear authorization and be subject to prosecution
whenever their employer is upset with them for other reasons.  The
Nevada computer crime law requires the employee's presumption of
authorization to be overcome by "clear and convincing evidence to the
contrary".  The Oregon law contained no such language, only the verb
"authorize" without any definition, and in effect, the court placed the
burden on Randal to prove he was "authorized".

5.  Even if the burden of proving authorization is placed on Randal, the
evidence shows that he had good reason to believe he was authorized.
Randal's use of and advocacy of checking for weak passwords with crack
had long been known and approved of by Intel.  Randal, in fact, was
perhaps the first person within Intel to follow this now accepted and
routine procedure.  He had been sysadmin of the computers whose
passwords he was checking, at which time he found that checking for weak
passwords, by now Intel policy, had lapsed on some machines (or never
been done).  When he moved on to other duties, he suspected that
password checking had lapsed again.   If Randal's suspicions proved
correct this would be a serious problem not just for the weak set of
machines, but for all machines inside the same firewall with them.  And
Randal's worries on behalf of Intel were well founded -- 48 of 600
passwords were weak.  Randal had no reason to think his password
checking activities would surprise Intel, and every reason to think
Intel would benefit by and approve of his activities.  Of course, nobody
at Intel ever told Randal not to check for weak passwords.

6.  Randal's original reason for writing a gateway was a request from
Dave Riss's staff at Intel, who needed to access their data and E-mail
while at Carnegie Mellon.  Riss approved the result and his group used
it for a time.  Later, Randal was traveling extensively and performing
duties at Intel which required the same kind of access, as Intel knew.
Randal created a more secure gateway for this purpose.  That Intel knew
and approved of Randal's use of gateway programs for his own duties is
shown by the evidence.

When two Intel employees were troubled by the security of the gateway
they asked Randal not to shut it down, but to change it to run more
securely.  They checked Randal's changes and passed off on them.  This
shows a proper concern about the security implications of gateways, but
it also shows that it was generally recognized at Intel that Randal was
allowed to and did run gateways.

There can be some misunderstanding about gateways and firewalls.  Those
not in the field sometimes assume that where there is a firewall,
gateways are necessarily sinister -- that the only purpose of a gateway
is to subvert a firewall.  This is simply wrong.  Readers of Internet
E-mail these days who are behind a firewall (and that is practically all
of them) almost always get their E-mail via a gateway.  Rare indeed is
the firewall that does not do its job in cooperation with several
gateways.  And custom gateways are often created for special needs, such
as Dave Riss's requirement.  Randal's gateway went through several
versions, each more secure than the previous.  Unfortunately hackers
have also gotten more sophisticated so neither Randal nor his co-workers
at Intel were ever able to take the security of his gateway for granted.

Those interested in more details on the history of Randal's gateway,
including the statements from all sides of the issue, may find them at
http://www.lightlink.com/spacenka/fors/.  The full story is rather
complicated and not given here, but none of its twists and turns obscure
the basic facts.  Randal is an expert in the safe construction and use
of gateways, and Intel recognized him as such.  Randal's creation and
use of gateways was well known to Intel.  Randal never received any
Intel reprimand about his use of gateways (or anything else for that
matter) until Intel Security and the police searched Randal's home and
found nothing.  At that point it became convenient for them that Randal
be seen to have a record of criminal activity.

7.  While the prosecution's case on authorization is very weak, that on
Randal's criminal intent is outright silly.  No evidence was presented
that Randal caused harm or intended harm.  There was no evidence that
Randal made any attempt to get Intel secrets, much less sell or misuse
them.  But Randal did testify that he hoped his actions would be
appreciated by Intel and result in future business.  The prosecution
called this hoped for future business "personal gain" and Randal's
motive for theft.  The prosecution theory was that a transfer of data
entirely within a company, which does not deprive the company of the use
of that data or cause harm, and where not only no harm was intended but
where the "thief" expected the "victim" to learn of his action and
reward him for it, is a computer use "for the purpose of theft" and
worthy of 5 years in jail.

One must wonder why the prosecution was allowed a much lower standard
for convicting Randal than it would be allowed for those more ordinary
thieves who force us into the routine of checking that house, car, and
so forth, are safely locked up.  But the prosecution was able to
hornswoggle judge and jury into believing that it could show one acted
"for the purpose of" theft, without showing one either committed theft
or intended to.

8.  For the "altering without authorization" no intent element was
required.  Crimes where the defendant's state of mind is not an issue
are common, but typical of these are traffic offenses.  Almost always a
crime of any seriousness requires some finding of mental state.  A
little reflection shows why this is.  Imagine doing something sanely,
soberly, carefully, and without any suspicion you are breaking a law or
causing harm, only to find yourself facing many years in jail.  It
hardly seems just and therefore serious crimes require that a criminal at
the least demonstrate recklessness or disregard.

The jury found Randal guilty of a felony here.  One suspects that had a
leaf blown into the jury room, it would have been marked guilty and
delivered to the bailiff.  The judge reduced this count to a
misdemeanor.

9.  Those genuinely interested in catching hackers will wonder how
Randal was caught.   The answer is that he was found to be checking
passwords on a computer account issued to him.  His account name was
used to look up his name, address and phone number in the personnel
files and this information was passed on to the police.

As anyone familiar with even the popular literature on computer hackers
knows, they have available and use many techniques to conceal their
activities.  Basic among them is not working from their own account, but
using compromised accounts belonging to others.  (This is why one checks
for weak passwords, as Randal was doing.)  Password checking programs
and their results can be thoroughly disguised.  It takes only a glance
at Randal's publications to realize that, had he made any attempt to
hide his actions, he would have been very hard to catch.  And at the
trial, several Intel employees so testified.

That Randal's actions strongly indicate he didn't feel any need to hide
what he was doing and therefore must have felt that he was doing nothing
that he feared being discovered doing, must forcibly strike anyone even
slightly acquainted with hackers and the techniques for fighting them.
This does not seem to have been much noticed by Intel security or the
Washington County D.A., however.

10. Intel is Oregon's largest private employer and largest single
taxpayer.  Washington County, in which the case was tried, is where
every single one of these jobs is.  Even slight changes in employment by
Intel can have a major effect on Washington County, and D.A., judge,
jury and witnesses all knew that.

11.  Intel's influence on the prosecution was not subtly exercised.
Rich Cower was at once Intel's employee as its "network security
expert"; "State's Expert", a member of the prosecution team sitting at
the prosecutor's left; and an expert witness.  Unlike the defense expert
witness, Cower was allowed to hear all the testimony.  Cower himself
testified in rebuttal, after the defense's case had been presented.  In
addition, an Intel lawyer attended large parts of the trial.

12.  The prosecution's most damning evidence is the two police reports
which contain extensive confession statements attributed to Randal, and
which indeed show Randal careful to cover elements necessary to a full
confession.  (The statements were not recorded, though the officers had
recording equipment in the police car.)  The 10 minutes of statements
were culled from a 2 hour conversation with Randal during the police
search of his house.  In fact, the police reports of Randal's statements
were the only evidence the police took away from the search.  They found
no misappropriated data or physical evidence.

13.  In order to obtain the search warrant, the police had to show they
had reason to believe a crime was being committed and that the evidence
was at Randal's house.  (As mentioned, no such physical evidence was
found.)  The officers refer for their belief a crime was being committed
to Mark Morrissey, but Mark has denied he made any such statement.

14.  Charles Mann of _The Atlantic Monthly_ has seen a more current
version of the password file which Randal faced 5 years for copying on
three non-Intel sites out on the Internet.  Mann, in order to protect
the sources for his forthcoming article on Internet Security, cannot say
how it got there, but is quite clear that Randal had nothing to do with
its misappropriation.

15.  The Friends of Randal Schwartz maintains a Web site which archives
the available record from all sides on this issue:
http://www.lightlink.com/spacenka/fors/.

-- 
Jeffrey Kegler, Algorists, Inc.
jeffrey@algorists.com, http://www.best.com/~jeffrey
743 East El Camino Real #338, Sunnyvale CA 94087

