To: fors-discuss@teleport.com
Subject: Rich Cower's Report of the Search
Date: Sun, 12 Jan 1997 12:24:58 -0800
From: Jeffrey

I recently obtained Rich Cower's report on the search of Randal's house, which I give in full after my signature. I typed it in. At numerous points in the original there are issues of diction, punctuation, etc., but I have proofed it carefully to try to ensure that it is accurate, even down to such matters. Since such matters are really beside the point, I have not interrupted the document by noting these. Anyone with access to the original who is kind enough to find a transcription error has my gratitude and the promise of a correction ASAP. The one note I make, in square brackets, is at a point where my copy has 2 pairs of lines overprinting each other. It would be nice if this lacuna could be supplied.

Jeffrey Kegler

=======================================================================

My name is Rich Cower. I work in the Intel Corporation Security department. My manager, Cary Daugherty, requested I visit the Oregon site to assist Clyde Stites in an information security investigation. I flew to Portland on Sunday, Oct. 31st. I met with Clyde at the HF facility on Monday, Nov. 1st.

This investigation was centered around the discovery of some password cracking efforts by a contractor named Randal Schwartz. These activities were found by Mark Morrissey, a UNIX specialist working in the Oregon site IT group. Mark found active processes that were running under the PID of "merlyn", a user ID owned by Randal Schwartz. These processes were running the Crack program, a public domain utility used to guess passwords. He found these processes cracking a password file owned by the SSD Intel group, and another that appeared to be owned by a publishing company named O'Reilly and Associates. Randal Schwartz authors books that are published by this publisher.
After further examination, a process named "gate" was found running on a Silicon Graphics workstation named Brillig. "Gate" provided Randal network access he was not authorized to have. This "gate" process violated Intel Information Security policy.

Monday, Nov. 1st, I met with the Intel team organized to address these issues, and it was decided we would try and obtain assistance from law enforcement authorities to search the various computer systems and related computer equipment that Randal was known to have. Randal had, in the course of his work at Intel, regularly attached his Apple Powerbook to Intel's computer network. This would have offered him the opportunity to copy confidential Intel data to this Powerbook, and easily exit the Intel facility with this data.

The search warrant was obtained by the Washington County sheriff's department at about 18:00 on Monday, Nov. 1st. It was decided that the warrant would be served at Randal's house, when he was known to be home. The sheriff's department requested that Clyde Stites, Rick Pierce and I be present when the warrant was served. I needed to call some system and network administrators at Intel when the warrant was served so they could initiate processes to cut off Randal's access to our systems and networks. We were doing this to minimize disruption should Randal want to be malicious. His knowledge of Intel systems and networks was deemed sufficient to require this. The Washington County sheriff's team also wanted me present to help them with the interview, specifically to assist with technology questions and answers that might come up in the interview process.

The warrant was served at approximately 19:30. I waited in Clyde Stites' vehicle until they asked me to join them. One of the detectives came out and asked me to come in; Randal had a transfer running on his color Powerbook and they wanted me to look at it and advise them what was going on.
Upon examining the screen, it appeared he was transferring some Quicktime data or programs, and I advised the detective that this didn't appear to be Intel related. I went outside and advised Clyde and Rick what I had observed.

Randal was being interviewed in a room near the back of his house. I was asked by a detective to join them and participate in the interview. I needed to determine if Randal had access to Intel systems and/or networks that we were not aware of, and asked him where his access was and what the privilege level of this access was. He responded that he had root and iroot access on all the (Domain Name Systems) deployed at all Intel domestic sites and Israel. He mentioned an account on the HF cluster, which is where the Crack process was found running. I asked about the account on Brillig in SSD, and he replied that although he did not have a contract which would authorize him using this account, he had used it. Randal mentioned his access to the HF routers. Rick Pierce asked Randal to sign a ??, asked him where his Intel badge was and informed him that his contract with Intel was over. Rick and I then left the room.

We joined Clyde Stites outside, and Clyde inquired if we had asked him if he knew why the Crack process had terminated on Saturday. We had not, and it was decided that we would ask that question if the detectives asked us to join the interview process again. About 20 minutes later, we were asked to join in again. Randal was asked why the Crack process had terminated; he responded he did not know it had, as it was not something he was actively monitoring. Randal was asked why he was running the Crack process, and he replied it was to keep his access open should his account on Brillig be found and subsequently terminated. If the Brillig account had been discovered, he needed another place to run the "gate" program, and Crack would give him access to a system to do that.
He was asked about other systems he might have run the Crack process against, and he responded with TECHBOOK.COM. He mentioned he was curious about these systems, and was Cracking in an effort to improve system security. Since Randal didn't mention cracking ORA.COM, I asked why he was doing that. He again responded he was curious if their system security was better than ours. I asked why he would want to keep his access to and from Intel open, given the active work in progress to find a full time person to replace him. He admitted knowing of these efforts, but didn't think Intel would replace him in a reasonable time frame - and given this he felt he had to keep this access open.

We then left the room, and were joined outside by detective Jim ??. Jim requested I join him on the next interview; he believed we had too many people in the room to really address the issues at hand with Randal.

About 20 minutes later, Jim and I met again with Randal. Randal was again asked about cracking the passwords from SSD. He again mentioned he was just trying to improve system security, and that when he had cracked TECHBOOK.COM he had sent the system administrator, JamesD, a note about the cracked passwords. Randal mentioned that while at lunch about a week ago, on either Tuesday or Wednesday, with Ed Bunch he had mentioned to Ed that he had cracked a bunch of SSD passwords. I asked how he had obtained the SSD password file. Randal explained that when he cracked passwords on the Brillig system, he had obtained a password of a user named RONB. RONB also had an account on SSD, and Randal admitted to using the RONB user name and password to access SSD. Once Randal was on the SSD system impersonating RONB, he could easily take the password file. He was asked if he knew how many passwords the Crack process had cracked, and replied with "about a dozen". We informed him the number was approximately 40, and asked if he had used any of them to access SSD.
Randal responded that he had used 1 or 2, but he couldn't remember which ones he had used.

Randal explained his long association with security work, at both Tektronix and Tandem. He had cracked passwords while working at TEK, had been caught and was suspended for two weeks. His recollection of the year was not very clear; he thought it might have been 1981. In 86/87, while at Tandem, he had found ROOT passwords being shared in the EMAIL system. He used these to play an April fools joke, and the management at Tandem tried to end his contract. His contract included being able to demonstrate the ability to break into systems, and based on this, he claimed he was simply exercising his contract. He was allowed to stay, and authored a book on system security for Tandem.

We then backed up in an attempt to establish a timeline for when he had done his hacking at Intel. I asked when he had started using Brillig for his "gate" process. Randal had moved the process to Brillig about 5 or 6 months ago, after this process was discovered on a system named Mink. He mentioned he was told not to run it on Mink and at this time he moved it to Hermes, which he found too slow for his needs. He then changed it slightly, and moved it back to Mink where it was found for a second time. This occurrence resulted in the Mink system administrator removing his account, and Randal then moved the process to Brillig. I asked when his contract and authorized access to Brillig had ended; he responded with sometime in Oct/Nov/Dec of 92. He admitted he knew it was a violation of policy to do this, but did it because he needed this access to respond quickly to email. Randal explained that Rich Cower had put roadblocks up in the form of policy and software to make what he wanted to do impossible. I [ ... At this point 4 lines overprint each other -- JK ] had ever broken into an account and accessed information associated with or owned by that account.
Randal replied that while an administrator in the IWARP group at Intel he used his privileges to another user's mail. He went on to explain that he knew it was wrong, and had stopped. We pressed him on this issue, as it did not make sense given his current activities. He did not add any new incidents of accessing information.

Jim then asked Randal if he had ever thought of doing espionage, and this was explored for the remainder of the interview. Randal responded that he had thought of doing this, as it could be worth a lot of money. The primary problem Randal saw in this was how to market something like this without getting caught by the "good guys". He didn't know how you could announce this information was for sale, and not get caught. He was asked who would want such information, and he responded that he thought SSD's competition was coming from Cray. Jim asked him where he thought the latest chip design might be in the Intel organization. Randal responded he didn't know; he thought some of the design work was probably going on in Chandler, and that it was probably on a DECNET machine. I found this comment ridiculous given the intimate knowledge Randal has of the inner workings of Intel. I asked him to not assume we were stupid enough to believe that comment. Jim asked Randal to please admit anything else he might have done, as it would be discovered anyway and it would be easier here. Randal responded that he hadn't done anything other than what we already knew, and that he was sorry. The interview was ended.