This makes me sick (fwd)

From: Valtteri Vuorikoski To: 0xdeadbeef@substance.abuse.blackdown.org Date: Thu, 27 Jul 1995 17:43:18 +0300 (EET DST)
mw@x.org has randomly hit several keys, resulting in
From owner-meditation@gnu.ai.mit.edu  Thu Jul 27 17:35:59 1995
From: mw@x.org
Message-Id: <9507271420.AA00993@sundew.x.org>
Date: Thu, 27 Jul 1995 10:20:01 -0400 (EDT)
Subject: This makes me sick (fwd)
To: meditation@gnu.ai.mit.edu, lost-souls@spy.org
X-Mailer: Ishmail 1.1-950721-sol23
Mime-Version: 1.0
Content-Type: text/plain
Status: RO
X-Status: 

Originally From jerryw@imagine.convex.com  Thu Jul 27 00:09:53 1995
Message-Id: <199507270509.AAA06765@imagine.convex.com>
To: jaggi@imagine.convex.com, pwh@bradley.edu
Subject: Oregonian: Computer expert convicted in hacking [Randal Schwartz] (fwd)
Newsgroups: comp.lang.perl.misc
In-Reply-To: <3v6o8r$nvi@myst.plaza.ds.adp.com>
Organization: Engineering, Convex Computer Corporation, Richardson, Tx USA
Cc: 

Just in case you haven't seen it yet...

------- start of forwarded message -------

Judging by the email responses, my first posting on this subject has
been treated with shock and surprise. Let's try again.

[Reprinted without permission from the Oregonian, July 26, 1995, pages
D1, D5 for the purposes of commentary] [No apologies for the tone of
the article, I didn't write it, comments in brackets are my own.]

By Fiona M. Ortiz, of the Oregonian Staff

HILLSBORO -- Randal L. Schwartz has always known he was smart. What he
has had trouble grasping is that a person can be too smart for his own
good.

Schwartz, 33, was earning $45 an hour as a contractor for Intel in
October 1993 when he got caught cracking computer passwords in a
system he was not authorized to access.

Schwartz told jurors he was only trying to help point out security
flaws.  His lawyer insisted throughout the 2 1/2 week trial that
Schwartz hacked because he could, not because he meant any harm.

But after closing arguments Tuesday, the Washington County Circuit
Court jury found the Cedar Hills consultant guilty of three charges of
computer crime. [This is a felony offense in Oregon] He wept and left
the courtroom facing a potential jail term and $60,000 in restitution
to Intel.

Schwartz's case was Washinton County's first computer-crime trial and
meant a crash course in computerese for everyone in the courtroom.  In
the end, jurors were swayed more by the letter of Oregon's
computer-crime law than the ``no harm, no foul'' defense of Schwartz's
computer-hacker world.

[Is this the same world where he's the author of two of the most
popular reference books O'Reilly and Associates sells? I guess not.]

Schwartz was a computer whiz kid and social misfit before he became
part of the computer programming subculture.

[The #2 industry in Oregon is a subculture now. Odd ain't it?]

By age 9, at an elementary school in Gladstone, he knew he wanted to
work with computers. By age 16, he was working full time for
Tektronix. He set up his own consulting firm in 1985.

His world was not the sensationalized subculture of young cyberpunks
who use drugs and try to break into military computers. [Probably
because it doesn't exist.] Schwartz's milieu was more of an academic
subculture, where the computer cognoscenti talk of ``elegant
solutions'' and wear their brains on their sleeves [So we're academic
illuminati now, I see. I shouldn't have gotten my degree in Computer
Science, obviously.]

Even his defense lawyer, Marc A. Sussman, asked jurors not to judge
Schwartz's sometimes ``irritating or arrogant'' personality. That
arrogance, prosecutor Thomas J. Tintera told the jury, that flouting
of rules, was what got him into trouble.

[Being feloniously irritating or arrogant is indeed a national
problem... yet both Newt and Clinton are free.]

For more than a decade, thinkers on cyber ethics have debated how much
leeway to give talented hackers whose pride is proving they can get
into any system.

[No, hackers pride themselves on their technical knowledge. CRACKERS
pride themselves on being able to break into any system. It's a good
thing that the media colors the mood of the people, and also sets the
agenda.]

Corporate policies make it clear they will not tolerate even
``harmless'' intrusions to their systems, but not all hackers agree.

[True, some of us actually work on security... ;) and get paid well to
make things better.]

``The idea that `if it's there, I can look at it' does permeate a lot
of the hacker world,'' says Tom Schubert, a computer science professor
at Portland State University.

[It is the responsibility of the reader to apply this statement to
Schwartz, despite the fact that he never professed it.]

It's hard for outsiders, even managers of computer programmers, to
understand people who are driven to expose, if not to exploit, bugs in
computer programs, said Tom Christiansen, a Colorado computer
programmer, and a collegaue of Schwartz.

[Just how far out of context is that, Tom?]

``They're not going to understand what drives someone to play with a
system,'' Christiansen said, ``not illegally, but to make it do
tricks, to feel a sense of accomplishment, because you've created this
very interesting thing.''

[Ah, I see, it's about four miles out of context, since it's obvious
to me you're describing why people do neat things with computers, not
why they break into them.]

Christiansen, as well as one of Schwartz's legal advisers, was
concerned that Schwartz could not get a fair trial unless the jury was
full of computer-philes.

[Did you really use a word like that, Tom?]

``To me, `peer' means someone who understands what I'm doing,''
Christiansen said. ``You are not granted a legitimate legal trial by
your peers but by simpletons who do not understand the technical
aspects of what's going on and consequently aren't able to judge
you.''

Even among fellow computer lovers, Schwartz likes to stand apart,
especially by letting people know he was a hacker from way back.

[Like, ``I was a hacker before the media made the term derogatory,''
which I actually coined, but has been echoed by some others. Besides,
who'd want to be close to other people that are called ``computer
lovers'' anyway? That sounds mildly disgusting.]

People familiar with Schwartz's postings in news groups on the
Internet [sic] said he always signed off with words to the effect that
he's been hacking around since before anyone else on the net was born.

[You should read those postings, they typically refer to being on
Usenet or Perl hacking, not breaking into computers.]

Yet Schwartz is not a household word among programmers. Nationally he
is well-known to people interested in Perl, a programming language,
because he wrote and co-wrote two books about the language.

[Even Rear Admiral Grace Murray Hopper is not a household word among
programmers, nor do even most BASIC programmers know about Kemmeny and
Kurtz at Dartmouth. What's your point?]

He has generated some sympathy among some peers. 

[None of which were on the jury, obviously.]

``The general feeling in the community, not knowing all the legitimate
facts, of course,'' Christiansen said, ``looks like he's probably
guilty of bad judgement.''

Darrell Fuhrman, a systems administrator at Teleport, an Internet
subscriber service in Portland, said he's a security-conscious
administrator, and he'd be mad if Schwartz tampered with his system.

[Loaded question, all system administrators would be mad if ANYONE
tampered with their systems.]

``But I think it's in a large way good to have people pokling and
prodding and seeing if there's a hole here,'' Fuhrman said. ``It's not
the good guysd you have to worry about and I consider Schwartz to be
one of the good guys.''

There was never a question in the courtroom of Schwartz removing data
from Intel's system. But his offense was still serious, said Intel
lawyer John H. Woodard, who observed much of the trial.

[True, he copied data of a sensitive nature. There are three values to
exposed data, it's value if changed, it's value if deleted, and it's
value if exposed to someone else. However, Randal only exposed the
data to himself, so it's pretty low on the spectrum.]

``If somebody break's into your home, do you feel OK just because you
can't prove you took something?'' Woodard asked. ``Do you want people
looking at your medical records and back account s even if they say
they didn't change them?''

[It would more like the case of your neighbor trying your door and
seeing that it was open, than breaking and entering, except that
Randal did use the password file of one box to get to another.]

Woodard said Intel spent money and time making sure Schwartz had not
installed unauthorized programs in their systems.

[All sensitive systems should be regularly checked for such activity,
whether or not a breakin had occured. It's a smart practice. Woodard
is complaining that Randal provoked them into being a little safer,
instead of having a safe program in the first place. Are you willing
to accept that kind of reasoning from the cops?]

``We were the victim. We were not the prosecutors in this case,'' said
Woodard, who is concerned that some people mistakenly see the case as
Intel vs. Schwartz.

[There is a large amount of politics here that I'll not try to
address.  Basically, Woodard is right in saying that it was the State
of Oregon that prosecuted the case, but it is indeed Intel that's
pressing charges.  I think it is good that they pressed charges, as
most companies tend to hide incidents like these because they are
embarassing, however, there is some question as to whether Randal was
encouraged into this practice, and also not properly warned not to.]

``I think it was good for all the high-tech companies moving into this
area that the county is willing to pursue these types of crimes.''

[Yes, it does get the attention off the zoning restrictions on strip
joints.]

---
Sidebar on Schwartz Verdict
---

* COUNT 1: Guilty of knowingly and wiuthout authorization altering a
computer network.

* WHAT DID HE DO?  Randal L. Schwartz flouted Intel policy when he
installed so-called ``gateway'' programs on two computers so he could
access Intel computers from a remote computer.

[We don't know if this is a simple dial-in, SLIP, PPP, or what, let
alone what kinds of machines these are. This was done while Randal was
still working at Intel.]

* HIS DEFENSE: Schwartz said he had previously installed such programs
when Intel had made policy exceptions. He also said that he didn't
compromise Intel security.

[He installed a door, but it still had a lock on it.]

* COUNTS 2 AND 3: Guilty of knowingly using a computer system to steal
a password file from the Supercomputer Systems Division; stealing
individual users' passwords.

* WHAT DID HE DO? Schwartz did not have access to the division's main
password file. [I guess this means he didn't have an account on the
big box inside SSD.] He cracked passwords [he ran COPS] from a minor
computer in the division where he did have access. He used one of
those passwords to log on to the main cluster of division computers,
where he copied the password file to his own computer [a baaaad idea,
Randal] and ran a password-cracking program. He cracked, among others,
the password of an Intel vice president. [It is unclear of whether he
even looked at the output file of this particular run of COPS.]

* HIS DEFENSE: Schwartz said it was a clumsy attempt to alert Intel to
security problems and that he didn't use the passwords to peek at
information. [Ouch, you should have told them in advance, and then
there wouldn't have been a problem, Randal.]

* PENALTIES: A sentencing hearing is set for Sept. 11. Because of his
clean criminal record, jail time of 3-6 months [per count?] is likely.
The prosecutor will ask for $60,000 restitution, the amount Intel says
it spent fixing problems Schwartz caused. [Caused? You mean
discovered. Or is this the money Intel spent tracking down what really
happened?]

---

I highly recommend getting copies of the Oregonian from this entire
week if you want to really read up on this case. It's also helpful to
the Oregonian to send in letters to the editor about the problems you
might have about the articles, after you buy the paper. Don't send
them comments based on this transcription, I'm only putting it here
for commentary, and not to violate the Oregonian's right to charge for
the words it prints.

I have never worked for Intel, nor am I affiliated with Randal L.
Schwartz, the Oregonian, O'Reilly and Associates, or anyone else. I am
not posting as a mouthpiece of ADP or any other organization... I just
happen to live in the area.
-- 
Joshua R. Poulson, Systems Engineering, ADP Dealer Services, Portland, OR
PGP Public Key available upon request
------- end of forwarded message -------

-- 

------------------------------------------------------------------------------
Jerry Whelan -- Information Superman                         jerryw@convex.com


-- 
'Good-bye and hello, as always'