A case illustrating that some judgment mistakes can cause a system administrator to become a convicted felon.
Randal Schwartz started his career at the Intel Corporation in early 1988 and left at the end of 1993. During Schwartz’s employment at Intel iWarp (a part of Intel’s Supercomputer System Division, or SDD), he recommended to the company that it keep its systems secure by following some standard procedures such as using good passwords. To this end, in 1991 Schwartz began checking passwords by running a software program known as “crack,” distributed by CERT. It attempts to crack a set of passwords found in a UNIX /etc/passwd file. In 1991, Schwartz was no newcomer to “crack”; he served as a beta-tester for its version 3.
As part of his job at Intel iWarp, Schwartz gave security training courses to individuals in other firms. Many of these courses focused on Perl, a popular programming language at that time. Because much of his job involved travel, Schwartz set up various ways to read his email at Intel iWarp when off-site. This seemed to be a wise move because starting in late 1993, he was responsible for setting up DNS (Domain Name System) servers for the company.
In late 1993, while working for Intel’s SGI division as a system administrator, Schwartz ran the “crack” software on the password file of an SGI computer in his previous division where he still had an account. Schwartz decided to investigate the problem further by testing the password file of the central set of systems at the SSD division, but he thought that he would wait until he had final study results before telling SSD officials what he was doing. One of his staff members noticed that Schwartz was running “crack” and told his manager, who reported the incident to those at the top of the firm. When word reached the top, corporate leaders began to think that Schwartz was a corporate spy.
Soon thereafter, the police arrived at Randal Schwartz’s house, took all his computer equipment, and pressed charges under an Oregon law for altering or transporting computerized information. Because the district attorney viewed Schwartz’s moving a password file from one of Intel’s computers to another to be at least transporting, Schwartz was charged on March 14, 1994, with three criminal felony counts—even though the district attorney never alleged that any information ever left Intel’s premises.
In September 1995, after a jury trial, Schwartz was given five years of probation, 480 hours of community service, 90 days of initially deferred and then suspended jail time, and he was ordered to pay Intel Corporation $68,000 in restitution. On appeal, the court upheld the conviction on all counts but reversed the restitution order, sending it back to the original court for reconsideration.
Pacenka, S. Computer Crime. [Online, April 8, 2001.] Lightlink Website. http://www.lightlink.com/spacenka/fors/; Quarterman, J. System Administration as a Criminal Activity or, the Strange Case of Randal Schwartz. [Online, September, 1995.] MIT Computer Science and Artificial Intelligence Laboratory “Project Mac” Website, http://www.swiss.ai.mit .edu/6095/articles/computer-crime/schwartz-matrix-news.txt.