INTEL V. RANDAL SCHWARTZ: WHY CARE?

BY JEFFREY KEGLER, FEBRUARY 4, 1996
_________________________________________________________________

At first glance, the recent conviction of Randal Schwartz for three crimes potentially carrying 15 years of prison is an ordinary computer crime case with an unfortunate twist. Randal is the well known teacher and author of books on the Perl language. As Peter Lewis said in the _New York Times_, "Much of the Internet's World Wide Web has been built by programmers who got their start by reading his _Programming Perl_ and _Learning Perl_ books." Clearly, Randal was someone who should have known better.

And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".

Randal received a deferred 90 day jail term, 5 years probation, and 480 hours community service. His legal fees have run over $170,000 and he has been ordered to pay over $68,000 in restitution.

This is enough to make this case sad and troubling. However, a closer look at Oregon v. Schwartz is more troubling.

1. Even taking the prosecution's case at face value, one is struck by the minor nature of the charges, especially when contrasted with the penalties. A charge against Randal was copying an Intel password file from one Intel machine to another. No intent to take it outside Intel was alleged. Randal was convicted on this count, which is a felony potentially carrying a 5 year jail sentence. Like any felony, it also carries with it the loss of many of the rights we take for granted. For example, Randal may not leave Oregon, change residence or change employment, without prior permission from his probation officer.

2.
A second charge against Randal was also a felony with a penalty of up to 5 years in jail. Randal, by his own admission, decrypted passwords from the password file mentioned above. He says it was to show their poor quality as passwords to his client, Intel. No further intent to use or misuse this password file was even alleged, and the decrypted passwords never left Intel. Randal was convicted of this count.

It is necessary to note that the first two counts were special "computer crimes", specifically "knowingly access[ing] and us[ing] a computer and computer network for the purpose of committing theft". As we will see below, the prosecution did not show, and was not required to show, most of what it must in order to convict ordinary, non-computer thieves. Many of the missing elements are also essential to the ordinary, common sense notion of what theft is.

3. A third charge (and Randal was convicted on all three counts against him) was altering a computer without authorization. The facts behind this charge are uncontested. Intel said, and Randal admitted, that he had installed a gateway through Intel's firewall. Randal says he did this as part of his work for Intel. Nobody alleges the gateway caused harm, or that Randal intended harm in running it.

4. Even to prove such trivial charges, the prosecution required extraordinarily low standards of proof to make its case. The presumption of innocence, and simple common sense, would seem to argue that an employee or contractor is routinely presumed to have authorized access to a company's computers unless there are reasons to think otherwise. The alternative in today's world is to generate a mountain of forms to authorize a day's work, or else require the employees to operate without clear authorization and be subject to prosecution whenever their employer is upset with them for other reasons.
The Nevada computer crime law requires the employee's presumption of authorization to be overcome by "clear and convincing evidence to the contrary". The Oregon law contained no such language, only the verb "authorize" without any definition, and in effect, the court placed the burden on Randal to prove he was "authorized".

5. Even if the burden of proving authorization is placed on Randal, the evidence shows that he had good reason to believe he was authorized. Randal's use of and advocacy of checking for weak passwords with crack had long been known and approved of by Intel. Randal, in fact, was perhaps the first person within Intel to follow this now accepted and routine procedure. He had been sysadmin of the computers whose passwords he was checking, at which time he found that checking for weak passwords, by now Intel policy, had lapsed on some machines (or never been done). When he moved on to other duties, he suspected that password checking had lapsed again.

If Randal's suspicions proved correct this would be a serious problem not just for the weak set of machines, but for all machines inside the same firewall with them. And Randal's worries on behalf of Intel were well founded -- 48 of 600 passwords were weak. Randal had no reason to think his password checking activities would surprise Intel, and every reason to think Intel would benefit by and approve of his activities. Of course, nobody at Intel ever told Randal not to check for weak passwords.

6. Randal's original reason for writing a gateway was a request from Dave Riss's staff at Intel, who needed to access their data and E-mail while at Carnegie Mellon. Riss approved the result and his group used it for a time. Later, Randal was traveling extensively and performing duties at Intel which required the same kind of access, as Intel knew. Randal created a more secure gateway for this purpose.

That Intel knew and approved of Randal's use of gateway programs for his own duties is shown by the evidence.
When two Intel employees were troubled by the security of the gateway they asked Randal not to shut it down, but to change it to run more securely. They checked Randal's changes and signed off on them. This shows a proper concern about the security implications of gateways, but it also shows that it was generally recognized at Intel that Randal was allowed to and did run gateways.

There can be some misunderstanding about gateways and firewalls. Those not in the field sometimes assume that where there is a firewall, gateways are necessarily sinister -- that the only purpose of a gateway is to subvert a firewall. This is simply wrong. Readers of Internet E-mail these days who are behind a firewall (and that is practically all of them) almost always get their E-mail via a gateway. Rare indeed is the firewall that does not do its job in cooperation with several gateways. And custom gateways are often created for special needs, such as Dave Riss's requirement.

Randal's gateway went through several versions, each more secure than the previous. Unfortunately criminals have also gotten more sophisticated, so neither Randal nor his co-workers at Intel were ever able to take the security of his gateway for granted. Those interested in more details on the history of Randal's gateway, including the statements from all sides of the issue, may find them at http://www.lightlink.com/spacenka/fors/.

The full story is rather complicated and not given here, but none of its twists and turns obscure the basic facts. Randal is an expert in the safe construction and use of gateways, and Intel recognized him as such. Randal's creation and use of gateways was well known to Intel. Randal never received any Intel reprimand about his use of gateways (or anything else for that matter) until Intel Security and the police searched Randal's home and found nothing. At that point it became convenient for them that Randal be seen to have a record of criminal activity.

7.
While the prosecution's case on authorization is very weak, that on Randal's criminal intent is outright silly. No evidence was presented that Randal caused harm or intended harm. There was no evidence that Randal made any attempt to get Intel secrets, much less sell or misuse them. But Randal did testify that he hoped his actions would be appreciated by Intel and result in future business. The prosecution called this hoped for future business "personal gain" and Randal's motive for theft.

The prosecution theory was that a transfer of data entirely within a company, which does not deprive the company of the use of that data or cause harm, and where not only no harm was intended but where the "thief" expected the "victim" to learn of his action and reward him for it, is a computer use "for the purpose of theft" and worthy of 5 years in jail.

One must wonder why the prosecution was allowed a much lower standard for convicting Randal than it would be allowed for those more ordinary thieves who force us into the routine of checking that house, car, and so forth, are safely locked up. But the prosecution was able to hornswoggle judge and jury into believing that it could show one acted "for the purpose of" theft, without showing one either committed theft or intended to.

8. For the "altering without authorization" count, no intent element was required. Crimes where the defendant's state of mind is not an issue are common, but typical of these are traffic offenses. Almost always a crime of any seriousness requires some finding of mental state. A little reflection shows why this is. Imagine doing something sanely, soberly, carefully, and without any suspicion you are breaking a law or causing harm, only to find yourself facing many years in jail. It hardly seems just, and therefore serious crimes require that a criminal at the least demonstrate recklessness or disregard.

The jury found Randal guilty of a felony here.
One suspects that had a leaf blown into the jury room, it would have been marked guilty and delivered to the bailiff. The judge reduced this count to a misdemeanor.

9. Those genuinely interested in catching computer criminals will wonder how Randal was caught. The answer is that he was found to be checking passwords on a computer account issued to him. His account name was used to look up his name, address and phone number in the personnel files and this information was passed on to the police.

As anyone familiar with even the popular literature on computer criminals knows, they have available and use many techniques to conceal their activities. Basic among them is not working from their own account, but using compromised accounts belonging to others. (This is why one checks for weak passwords, as Randal was doing.) Password checking programs and their results can be thoroughly disguised. It takes only a glance at Randal's publications to realize that, had he made any attempt to hide his actions, he would have been very hard to catch. And at the trial, several Intel employees so testified.

That Randal's actions strongly indicate he didn't feel any need to hide what he was doing, and therefore must have felt that he was doing nothing that he feared being discovered doing, must forcibly strike anyone even slightly acquainted with computer criminals and the techniques for fighting them. This does not seem to have been much noticed by Intel security or the Washington County D.A., however.

10. Intel is Oregon's largest private employer and largest single taxpayer. Washington County, in which the case was tried, is where every single one of these jobs is. Even slight changes in employment by Intel can have a major effect on Washington County, and D.A., judge, jury and witnesses all knew that.

11. Intel's influence on the prosecution was not subtly exercised.
Rich Cower was at once Intel's employee as its "network security expert"; "State's Expert", a member of the prosecution team sitting at the prosecutor's left; and an expert witness. Unlike the defense expert witness, Cower was allowed to hear all the testimony. Cower himself testified in rebuttal, after the defense's case had been presented. In addition, an Intel lawyer attended large parts of the trial.

12. The prosecution's most damning evidence is the two police reports which contain extensive confession statements attributed to Randal, and which indeed show Randal careful to cover elements necessary to a full confession. (The statements were not recorded, though the officers had recording equipment in the police car.) The 10 minutes of statements were culled from a 2 hour conversation with Randal during the police search of his house. In fact, the police reports of Randal's statements were the only evidence the police took away from the search. They found no misappropriated data or physical evidence.

13. In order to obtain the search warrant, the police had to show they had reason to believe a crime was being committed and that the evidence was at Randal's house. (As mentioned, no such physical evidence was found.) For their belief that a crime was being committed, the officers refer to Mark Morrissey, but Mark has denied he made any such statement.

14. Charles Mann of _The Atlantic Monthly_ has seen a more current version of the SSD password file -- the same one which Randal faced 5 years for copying -- on three non-Intel sites out on the Internet. Mann, in order to protect the sources for his forthcoming article on Internet Security, cannot say how it got there, but is quite clear that Randal had nothing to do with its misappropriation.

15. The Friends of Randal Schwartz maintains a Web site which archives the available record from all sides on this issue: http://www.lightlink.com/fors/.

Jeffrey Kegler, Algorists, Inc., Sunnyvale CA
jeffrey@algorists.com, http://www.best.com/~jeffrey