System Administration as a Criminal Activity
or, the Strange Case of Randal Schwartz

Copyright (c) 1995 John S. Quarterman jsq@mids.org
From Matrix News, 5(9), September 1995
Please redistribute this article.
mids@mids.org, http://www.mids.org
+1-512-451-7602, fax: +1-512-452-0127

The other week (16 Aug 1995) I went to our local UNIX User's Group (CACTUS: Capital Area of Central Texas UNIX system User's Group) meeting and heard Randal Schwartz tell a strange tale. I'd heard parts of it before, but the details were more peculiar than the gist. The gist is that a few mistakes in judgment can easily make a system administrator into a convicted felon.

Randal began at Intel in early 1988, and worked there continuously (except for two weeks in late 1988) until the end of 1993. While working at Intel iWarp (which later became part of SSD, the Supercomputer System Division), he had recommended they maintain basic security by following some standard procedures, such as using good passwords. (This really is basic, as any security expert from DIA to NSA to CERT, the Internet's Computer Emergency Response Team, can tell you.)

He had started checking their passwords by running crack in mid-1991. Crack is a program familiar to most system administrators today (and one distributed by CERT; see ftp://cert.org/pub/tools/crack/). What crack does is attempt to guess a set of passwords, typically the hashed passwords found in a UNIX /etc/passwd file, by trying dictionary words and simple variations of them against each hash. Randal was quite familiar with crack, having served as a beta tester for crack version 3. He left SSD in the middle of 1992 to work for a different Intel division (HF), and crack was still running in SSD at that time (on autopilot).

While working for Intel, Randal had started giving week-long training courses for other organizations around the country. These were about Perl, a popular programming language invented by Larry Wall.
Since these courses involved travel, he arranged ways to read his mail at Intel over the Internet while he was still working for Intel but not physically present. This seemed prudent, since, starting in late 1993, he had become responsible for deploying DNS (Domain Name System) servers throughout Intel. Since DNS handles the basic mapping of symbolic hostnames (such as ssd.intel.com) to IP addresses (such as 137.46.3.5), a broken DNS server can adversely affect almost every other TCP/IP service. Thus it was useful to know quickly of any problems with Intel's DNS servers. Intel has previously told MIDS that everyone in their company from the President down uses their enterprise TCP/IP network, so we can see how they would want it to continue working.

Randal had co-authored a popular book for O'Reilly and Associates (ORA) about Perl (*Programming Perl*, published January 1991). He also took the obvious next step with his training material, and wrote another Perl book (*Learning Perl*, published November 1993). He had an account on ORA's machines, and figured they wouldn't mind if he did a little testing there. Against ORA's password files, crack found one (1) password out of about 200. And the ORA system administrator, Tanya Herlick, had already discovered that bad password, so it was cleaned up almost before Randal even found it (not that either of them knew what the other was doing at the time). Thus ORA was a good comparison case for reasonably good security.

In late 1993, while working for Intel, but in a different division (as a system administrator for HF), Randal ran crack against the password file of an SGI machine in SSD where he had an account to support prior work for SSD. It found one password straight out of the dictionary (user ronb, password deacon). This is very bad because it is an ordinary dictionary word, which makes it easy to crack simply by trying numerous dictionary words, a task that any programmer can accomplish.
Randal decided to see how far the problem extended. He was no longer working for SSD, but he was currently a system administrator in a different division, and he was consulting for corporate on the DNS project. Security is traditionally part of a system administrator's job, and a security problem in one division is a security problem in the whole company if it's on the corporate network, since a compromised account on one machine can be used as a base to attack other machines.

This particular user also had an account on the main SSD server cluster. Randal guessed that that account would have the same password. One might well say the prudent course would have been to inform the current SSD system administrators of the problem. But Randal decided to try it himself. It was the same.

Randal decided to test the password file for the main SSD cluster. He pulled its passwd file over to a fast machine and ran crack on it, and similarly for other machines in that division. Crack broke 48 out of 600 passwords. So, it was clear that Intel's security was not very good. Crack had found about 50 likely ways an outsider might break in. Randal thought he was doing his employer a big favor by discovering these weak spots in the company fence. One of them was particularly bad, since it was a vice-president's account, and the password was pre$ident, which is an ordinary dictionary word with one letter (the most obvious letter, S) replaced with a dollar sign.

Unfortunately, Randal was waiting until he had relatively final results before informing regular SSD staff of what he was doing. Meanwhile, one of them noticed that he was running crack, and told his manager. The manager, rather than approaching Randal about it, reported it up the hierarchy. Evidently many of the powers that be at Intel thought they had discovered a corporate spy. Three days later, Randal discovered something was amiss when police arrived at his house on 1 November 1993.
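To show concretely why passwords like deacon and pre$ident fall to a dictionary audit of the kind described above, here is a small example in Python. It is added for this article and is not code from the article, from Intel, or from the real crack program. It hashes with salted SHA-256 as a stand-in for the crypt(3) hashes that a 1993 /etc/passwd actually held, and the password entries, the wordlist, the entry format and the substitution rules are all constructed for the example. The rules go a little beyond the article's single s-to-$ case (capitalization, reversal, several letter-for-symbol swaps, a trailing digit), which is the sort of variation crack's own rule sets try.

```python
"""Minimal dictionary password audit (constructed example, not the real crack)."""
import hashlib

# Constructed stand-in for crypt(3): hex(sha256(salt + password)).
def toy_hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(user, salt, password):
    """One constructed passwd-style line: 'user:salt$hash'."""
    return f"{user}:{salt}${toy_hash(salt, password)}"

# Constructed password file. ronb and vp mirror the article's two findings;
# bob's password is not derivable from the wordlist and should survive.
PASSWD = "\n".join([
    make_entry("ronb", "ab", "deacon"),
    make_entry("vp", "cd", "pre$ident"),
    make_entry("alice", "ef", "Secret"),
    make_entry("bob", "gh", "Xq7!vL2#pW"),
])

# Constructed wordlist; a real audit uses a full dictionary.
WORDLIST = ["apple", "deacon", "president", "secret", "wombat"]

# Letter-for-symbol substitutions; 's' -> '$' is the rule that catches pre$ident.
SUBS = {"s": "$", "a": "@", "o": "0", "i": "1", "e": "3"}

def mangle(word):
    """Yield candidate passwords derived from one dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for src, dst in SUBS.items():          # one substitution at a time
        if src in word:
            yield word.replace(src, dst)
    full = word
    for src, dst in SUBS.items():          # all substitutions at once
        full = full.replace(src, dst)
    if full != word:
        yield full
    for digit in "0123456789":             # trailing digit
        yield word + digit

def parse_passwd(text):
    """Return [(user, salt, hash)] from constructed 'user:salt$hash' lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 1)
        salt, digest = field.split("$", 1)
        entries.append((user, salt, digest))
    return entries

def crack(text, wordlist):
    """Hash every mangled word under each entry's own salt; return user -> password."""
    candidates = [c for w in wordlist for c in mangle(w)]
    found = {}
    for user, salt, digest in parse_passwd(text):
        for cand in candidates:
            if toy_hash(salt, cand) == digest:
                found[user] = cand
                break
    return found

if __name__ == "__main__":
    for user, pw in crack(PASSWD, WORDLIST).items():
        print(f"{user}: {pw}")
```

Two points worth noticing. Because each entry carries its own salt, every candidate has to be hashed again for every account rather than once for the whole file, which is why this kind of audit is CPU-bound and why Randal pulled the passwd file over to a fast machine. And the rule list is what matters: pre$ident is not in any dictionary, but it is one trivial rule away from a word that is, so a checker that tries only plain words would have reported the vice-president's password as fine.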
About half a dozen of them took all his computer equipment. Having watched too many episodes of Dragnet, he figured it was some sort of mistake, and the police would clear it up if he just cooperated with them and told them anything they wanted to know. Unfortunately, real police are paid to find things to charge people with, and they also kept his computers for 40 days, including the one with his checkbook on it. He was also terminated from Intel within the same two hour period as the raid. He did have the consolation of learning that his new book, just released on the same day, was selling like hotcakes.

What Randal didn't know was that the report up the Intel hierarchy had resulted in criminal charges being filed against him. Oregon has a vague law against ``altering'' or ``transporting'' computerized information, with the distinction between the two not being clear. The D.A. considered moving a password file between two Intel machines to be at least transporting. So Randal stood accused of stealing information from Intel, even though even the D.A. never alleged that anything left Intel's premises. Stood accused on three (3) criminal felony counts.

The indictment was handed down 14 March 1994. The three felony counts of Computer Crime according to Oregon State Law are:

Count 1: altering without authorization two computer systems.
Counts 2 and 3: accessing a computer with intent to commit theft.

The first count has to do with the remote mail access. It seems Intel's interpretation was that Randal had ``altered'' their systems by, for example, putting a .forward file in his login directory to cause his mail to be forwarded elsewhere. The defense attorney apparently also wanted to show use of Intel accounts for non-Intel business. The other two counts have to do with the passwords he discovered on other people's accounts by running crack. What he was accused of stealing (theft) was password files.
Meanwhile, the system administrator at ORA, Tanya Herlick, was informed by the FBI that someone had allegedly broken into her systems. She was at a systems administration conference at the time. As chance would have it, a security session was scheduled for the same afternoon, so she asked the assembled administrators what they would do in her situation. Their advice was to do the standard things (run tcpwrapper, install COPS, reinstall old binaries, etc.). She says:

What no one knew at the time was that this was not a typical hacker breakin. It wasn't a breakin at all in fact. This did not keep me from having a heart attack at the conference however. I mean, someone comes up to you and says "The FBI called and said someone hacked your main server." And you were 2,000 miles away and afraid to log on (and definitely not as root)? What would you do?

She didn't know that the alleged perpetrator was Randal, which would have been interesting, since he was known to her audience through his books and tutorials and through USENET and the Internet. She says:

If I had known it was Randal, I possibly wouldn't have even brought it up! ... Not because Randal is any kind of white knight or anything, but because I knew he had an account on our system so it couldn't have been a breakin. I found out early the next morning that it was him. I ran into Tim (O'Reilly) after I found out and it turned out that he already knew 'cause Randal had called him.

What she actually did was to disable Randal's account for a couple of days and then reinstate it after talking to him.

The case went to a jury trial. Some of the jury members apparently did own computers, but of course anybody who might do anything remotely resembling system administration was rejected. This is evidently common practice these days; a jury of your peers means nobody that does what you do.
The ORA systems administrator testified (by telephone) for the defense at the trial, saying that Randal still had his account at ORA and they had no intention of taking any legal action against him. Tim O'Reilly (founder and President of ORA) even spoke up for Randal when asked by the press. Tanya Herlick says:

If Randal had come to me and asked if he could run crack I would have said no. It was presumptuous of him to think we wouldn't mind. If anything, a system admin should know this better than other users. However, it is not a crime. Just inappropriate (I wish I could have had the chance to say this at the trial, but I didn't).

Nonetheless, Randal was found guilty on all counts, on 25 July 1995. The deciding factor may have been the prosecutor's final summary, in which he made the analogy of letting a carpenter into your house to fix the garage and finding him upstairs rifling your personal papers. Never mind that the analogy is not apt, if for no other reason than that Randal *was* fixing the garage, to the best of his abilities and of his understanding of his job description. The jury didn't know that.

Randal is now a convicted felon, unable to vote, hold public office, serve on a jury, or fulfill government contracts. And he's already spent $112,000 in legal fees, with an expectation of a total of $140,000 just for the first trial. All for helping his employer.

Why did this happen? It wasn't because of the regular Intel staff. Apparently they tried to get their bosses to talk to Randal directly, and were told that that would not be possible. It was of course partly because Randal made mistakes. For example, one might count not keeping both Intel and ORA informed, and trying the account with the deacon password. He readily admits he made mistakes, and has apologized to Intel more than once in public for doing so.
But if Intel thought he had exceeded his authority as a systems administrator or had shown poor judgment, they had plenty of recourse available to them by traditional methods, ranging from a talk in his supervisor's office to a cut in pay to being summarily fired and walked out the gate. Instead they brought criminal charges.

Randal also made mistakes during the legal proceedings. The police did read him his Miranda rights, and he now knows that ``you have the right to remain silent'' is a very good phrase to consider without speaking. And he made at least one bad mistake during the trial. When asked by the prosecutor whether he had done what he had done for personal gain, he thought about it and considered that helping his employer would make him look good, bring in more consulting, maybe increase his pay, etc., and said (one may well say foolishly), ``yes.'' The prosecutor, no dummy, brought this up during his summation.

It may be relevant that the prosecutor apparently remarked, in a news conference after the verdict, that it would send a message that Oregon was "safe for business". It may also be relevant that Intel is the largest employer in the state.

Not that this case (or the problem it represents, anyway) is specifically about Intel; it could have happened at any largish company or university. System administrators almost always work in very vague job descriptions, with little or no demarcation of the scope of their activities or when or to whom they should report them. Consultants work under even more vague job descriptions, because they can't even be required to work at specific hours or told when to work on specific tasks or the IRS won't consider them to be consultants. Intel is not alone or even unusual in having no clear usage guidelines about their systems.
The risk of the hierarchy at any large organization getting incensed at some (to them) clerical worker running something called ``crack'' and finding out that, for example, high level executives have bad (not to mention embarrassing) passwords, is always with us.

The nature of system administration leads to all sorts of possibilities of civil or criminal charges. If not crack, how about illegal transportation of company property off the premises (taking source listings home to study)? Or illegal use of university communications facilities for political purposes (sending an electronic mail message to your Congress member)? Or illegal export of controlled processes (such as PGP, in the Phil Zimmermann case)? Or, if the U.S. Senate has its way, ``making available'' files that some D.A. chooses to consider ``indecent''? The possibilities are numerous. They aren't limited to system administrators, either. The nature of, oh, library work has become so involved with computers and networks these days that librarians, or professors, or schoolteachers, or, yes, secretaries could be subject to the same difficulties.

Once again, Randal made mistakes. The nature of Randal's mistakes was such that you or I could easily have made them or others quite like them. The response to Randal's mistakes was out of all proportion to what he did, under any reasonable interpretation by people knowledgeable of the nature of his work. We're not talking Kevin Mitnick here; this is not about a KGB-funded malicious cracker. For that matter, the liberties Randal took were small compared to those certain well-known trackers of wily hackers have taken in their self-appointed detective work. We're not even talking Robert Morris Jr., where the alleged perpetrator clearly was, for whatever reason, at least using lots of computers in organizations that had not given him any permission.
We're talking a system administrator trying to do his job and being branded a felon for simple mistakes in who he informed and when.

Sentencing in Randal's case is scheduled for 11 September. The sentence could involve any or all of jail time, a hefty fine, damages, and a requirement not to leave the state. It is possible to request leniency from the judge. Letters of support for Randal Schwartz to be put before the judge should be sent to his lawyer's office so they can be presented to the judge as a package. Randal's lawyer's address is:

Marc Sussman
503-221-0520
135 SW Ash Suite 600
Portland OR 97204
Re: Randal Schwartz

Or send mail to fund@stonehenge.com to find out how else you can assist Randal, for example financially. That electronic mail address goes to an autoresponder which will also send you Randal's short version of the story.

On a personal note, I'd like to say that I actually had never met Randal until he came to Austin recently. However, when he sent me a note in advance asking for a guest account on our Internet Service Provider (Zilker Internet Park) so he could read his mail, read news, look at web pages, etc., without having to call long distance back to Portland, I had no hesitation in providing him one. Yes, I knew he was a convicted felon. I also knew he was the co-author of *Learning Perl* and *Programming Perl*, which are two of the most useful books about one of the most useful programming languages I've ever encountered. I also knew a number of people he had taught Perl in his classes. And I had heard a version of his story before. This man should not be labeled a criminal. He is, in fact, a pillar of the UNIX and Internet communities (see his web page, http://www.teleport.com/~merlyn). The World Wide Web, for example, would not have grown as quickly and as easily as it did without Perl, nor without Randal's efforts to promulgate Perl. Does being a pillar of the community make one immune from criminal activity? No (just ask Ivan Boesky).
However, I do not see how simple timing mistakes while attempting to do one's job in the generally accepted manner constitute felonious behavior. Randal is taking this whole thing rather philosophically. He thinks the main benefit that could come out of it would be to prevent future erroneous felony charges of this kind.

Much of the above account does come from Randal. I have no reason to doubt that he is telling the truth, but of course there may always be more to the story. If anyone has reports that cast a different light on the matter, do send them in. So far, the worst I've heard has been someone claiming to know that Randal had ``broken into at least one system previously.'' This turned out to be an allusion to him running crack on ORA's systems, which is something that he not only readily admits but discussed at some length at the CACTUS meeting. If he really did find that crack could break no (zero) passwords on ORA's machines, it would seem that ``broken into'' would be a rather inaccurate description. Not to mention he already had accounts on ORA's machines.

Could it be that once someone is charged with criminal activity the networked community considers that they must have done something to deserve it? If so, the networked world is much like the rest of the world, indeed. Actually, the discussion online has been mostly in favor of Randal. Incidentally, we have not yet received input from Intel, but we would be happy to print some when we get it.

The discussion in the mainstream press has been mostly nonexistent. Except for the local Portland newspaper and television station, apparently no major news medium has carried the story. So, it appears that *Matrix News* is the first national and international publication to break the story.