Friday, January 05, 2007

 

Thursday night with the Portland Linux/UNIX Group

After missing the last few, I finally made it to one of the Portland Linux/UNIX Group (PLUG) monthly meetings at Portland State University. This night, Randal Schwartz, Perl expert and one-time Intel contractor, shared with us his side of the story about his well-known encounter with the law. (If you haven't heard about his day in court, the facts are available at the Friends of Randal Schwartz website.)

Randal made it clear that the point of his presentation was not to bash Intel; he explained that he has a number of friends who work at Intel (and probably knew that a few current or past Intel employees were in the audience), and claimed that under the "right conditions" he would work there again. His purpose was to offer a warning to all sysadmins and other computer professionals about what to do -- and what not to do.

(I won't repeat all of what he said -- or in the order he said it. He had given this talk thirty times before last night, so the information is out there. At the end of his talk he also explained that he was available to repeat this talk to anyone who was interested, schedule permitting.)

He started with the observation that one's life is defined by certain dates, when nothing after that day or moment is like anything before. 1 December, 1993, the day that the police came to search his house for evidence of his alleged computer crimes, was one of those dates for him. He described in detail the routineness of this eventful day: his book Learning Perl had just been released, and he was checking his email for early feedback about it, his gym bag close at hand, and was about to leave for his daily workout when there was a knock at the door. Not expecting anyone, he answered the door, to find two plainclothes officers with a search warrant.

Everyone who has heard about the case has likely heard that this all started with Randal running the UNIX utility "crack" on a passwd file to prove to his boss at Intel that his boss's password was insecure. The account of how it started that I heard last night was more detailed: Randal, on his own initiative, stated that he had just run crack on the passwd file at his ISP, TekBooks (which later became Teleport), and, encouraged, he decided to do the same thing for his group at Intel. However, before he could share his information, a co-worker discovered Randal's program running on a computer at Intel. (Then again, Randal stated a few minutes later that "I don't know just what I was thinking." Regardless of Randal's original intention, it was hard to listen to his story and not believe that he had good intentions and was trying to help improve things at Intel.) This co-worker reported it to his boss, who took it to a Vice President, who called the law on Randal Schwartz.

That night in December, Randal lost his computer equipment -- which was the means by which he made his living. He lost work, and lost savings when he hired a legal team to deal with the growing legal problems. (He said his legal fees were $270,000 when all was finished.) And he struggled with the pressure -- and depression -- of the impending conflict with the law. He was broke when he finally found another contract (in Arizona), and had to talk the person at the company into paying for his plane ticket to the interview. Although very overqualified, he got the job, and on the third day of his first week learned that a warrant had been issued for his arrest for three counts of felony.

Randal recounted the stress of the trial, especially being grilled by the prosecutor for six hours while on the stand -- "an experience I would not wish on my worst enemy" -- and the fact that he cried when he heard the verdict. Telling his story up to this point took about 90 minutes, but no one in the audience complained that he was running over the usual hour presentations to PLUG are expected to take. (And since we adjourn to the Lucky Lab for beer immediately after, this rule is often enforced when the presentation proves to be boring, and ignored when it is not.)

After describing his sentence, and how he discharged his penalties, Randal then listed the lessons he learned. One thing he had emphasized through his talk was that although he did things that were officially against corporate policy, everything he did was what a direct employee did unofficially. One telling scene was when the Vice President, the one who had started the whole misadventure, was being cross-examined on the stand, and was shown to have violated Intel corporate policy by selecting a weak password -- "pre5ident" -- and admitted to giving his password to his secretary even though Intel policy prohibited employees from sharing passwords for any reason.

He started with two lessons. The first one was that if your job involves handling data, document everything; document your workday, document every day, so that if the company uses the same law against you, you can prove that what the corporation claims is a crime is actually your normal activity, performed in clear view of everyone around you. The second was to get authorization for everything you do -- even if it seems minor.

This led him to discuss the law that was used against him. That part of the Oregon Revised Statutes was passed in 1985, as part of a general campaign by the telcos in every state against "computer piracy", but has not been significantly changed since then. He described how it was vague, and could be abused. That law has no definition for "computer", so that misuse of a company cell phone could be prosecuted as a felony crime; Randal cited a case where a retail clerk, who had committed a misdemeanor by stealing $60-70, was prosecuted instead for the felony charge of unauthorized use of a computer. (That computer was her cash register, and the unauthorized act was resetting the tape to avoid detection -- despite the fact she was caught on tape stealing the money.) He also described how the word "authorized" is defined in every instance of its use in the state code -- except for this specific law. A disgruntled employer can use it to punish any employee -- except those who take the extraordinary steps Randal described above.

Whether you think Randal "got what he deserved", I find it hard not to agree with him that this is a badly written law. As a final note, he shared with us that the Assistant District Attorney who prosecuted him admitted off the record that he "still has no idea of what Randal did."

Geoff

Comments:
Thank you for posting that summary. You have a few items slightly factually incorrect (and inconsistent with my presentation), but I'll attribute that to the speed with which I talked, making it hard to take good notes.

For fact verification and more, please see the http://www.lightlink.com/fors/ website.
 