Randal Schwartz Hacking Conviction Expunged

Thomas Ptacek | March 2nd, 2007 | Filed Under: Slashdot Rounddown, Uncategorized

From Slashdot:

Justice delayed is justice denied. This is not a feather in the cap for the justice system.

All too often, when the “little guy” wins, he’s also bankrupt. Anyone know what the bill was for all this legal action?

The bottom line is that corporate management doesn’t give a shit about the actual security of their system. They only care about the illusion of security, and they’ll bring their full wrath against anyone who dares shatter that illusion.

13 years of fighting doesn’t sound especially pleasant. I can’t imagine what Randall had to go through to get his name cleared.

Yep, it finally happened: greybeard Unix security folk hero Randal Schwartz had his Oregon criminal record expunged, after his calamitous 1993 run-in with security teams at Intel. Schwartz has long been the poster child for over-broad “computer crime” laws; he was convicted of 3 felony counts and fined over $60,000 simply for cracking a password file. No malicious intent on his part was ever demonstrated.

Of course Schwartz has my sympathy. Computer crime laws across the country are a farce, and the ones that convicted Schwartz in Oregon are no exception.

But Schwartz is no hero. Apparently months after his contract with the Supercomputer Division at Intel had expired, he used a backdoor he installed on one of their servers to grab an unshadowed Intel password file, which he then copied to a server in the new group he was contracting for and cracked. He got caught. It was then discovered that he’d also been cracking passwords from O’Reilly and Associates (and allegedly two other companies) as well as tunneling into Intel from outside their network.

These are, at a minimum, “firing-with-cause” offenses in modern enterprises. But Schwartz’ frenzied cult of supporters (motivated by his beloved contributions to the Perl community) aren’t content merely to point out that his actions probably weren’t criminal; they want to make a “whistleblower” out of him. Paraphrasing from one his best-known amicus articles:

• No evidence existed that Intel disapproved of Randal’s behavior

• An Intel Security person sat at table next to the prosecutor during the trial

• Three Intel employees helped search Randal’s house, and one helped police interrogate Randal.

• Intel’s presence influenced and biased a police statement where Randal “confessed” to “hacking” everyone he contracted for, even though “every one of those companies” testified on his behalf.

• The police couldn’t possibly have been smart enough to have taken a reliable oral account from someone as technical as Schwartz.

• Intel had authorized Schwartz to backdoor their computers (which he did to make it easier to read his mail) and crack passwords.

• Schwartz didn’t hide his activities.

But the record on this case is nowhere near this simple:

• According to Mark Morrissey, the admin who caught Schwartz cracking passwords, Schwartz had been reprimanded by the Supercomputer Division for a security breach after losing his contract there.

• According to the prosecution, Schwartz is on the record repeatedly acknowledging that he knew his actions violated Intel policy.

• Schwartz acknowledged during the trial that he had been accessing machines where his own account had been disabled.

• According to the prosecution, Schwartz didn’t tell some of people who had weak passwords, and allegedly even admitted that he was stockpiling them to retain access to servers.

• Regardless of whether Schwartz’ friends and former employers cared about his security habits, Intel clearly did. They almost certainly didn’t profit from Schwartz’ prosecution.

• And, of course, there’s the obvious fact that Schwartz was cracking passwords for a business unit he apparently hadn’t worked for in months.

The prosecution in this case loses me, like they lose every one of you, when they start talking about the “theft” of Intel’s password files. But they have me completely when they compare Schwartz’s actions to those of a contractor working on your garage who uses the keys you give him to rifle through your bedroom drawers. And they allude to Schwartz’ arrogance, as he seemingly asserts that violating policy was fine as long as he himself knew his actions were benign. This resonates with me and saps my sympathy for his predicament.

Remember also that an expungement is not an overturned conviction. Records can be expunged for “good behavior” in many states, and Oregon is apparently one of them; the order to expunge says “That the circumstances and behavior of the defendant since the date of conviction on January 16, 1996 are found to warrant setting aside that conviction and records of arrest.” No doubt they’re right. Schwartz’ status as a Perl hero is unquestionable. But his standing as a security icon is ridiculous.