[ISN] The crime of distributed computing

From: InfoSec News (isnat_private)
Date: Mon Dec 24 2001 - 00:12:18 PST

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - December 21st 2001"

    Forwarded from: Jei <jeiat_private>
    By Ann Harrison
    Posted: 20/12/2001 at 17:33 GMT
    A college computer technician who offered his school's unused computer
    processing power for an encryption research project will be tried next
    month in Georgia for computer theft and trespassing charges that carry
    a potential total of 120 years in jail.
    The closely-watched case if one of the first in which state
    prosecutors have lodged felony charges for allegedly downloading
    third-party software without permission.
    David McOwen was working as a PC specialist at the state-run DeKalb
    Technical Institute in 1998, when he learned about a project by the
    non-profit organization distributed.net that allowed computer users to
    donate their unused processing power to test the RC5 encryption
    algorithm. Noticing that many of the machines he maintained on the
    seven DeKalb campuses sat idle for long periods, McOwen installed
    distributed.net clients at several of those locations while performing
    a Y2K upgrade on the machines in 1999.
    According to McOwen, during the Christmas holidays in 1999 school
    administrators noticed that unused machines were sending and receiving
    the distributed.net data -- about the equivalent of one email a day.
    The school sent McOwen a letter of suspension in January of 2000,
    without specifying a grievance, and McOwen resigned shortly
    afterwards, believing that he had put the incident behind him.
    Instead, in June of 2001 McOwen was contacted by an investigator from
    the Georgia Bureau of Investigation who informed him that he was the
    subject of an 18-month computer crime investigation. In October,
    prosecutors from the Georgia state attorney general's office charged
    McOwen with eight violations of Georgia's tough computer crime law:
    one count of computer theft, and seven counts of computer trespass --
    one for each of the school offices where McOwen downloaded the
    distributed.net client.
    Each felony count carries a $50,000 fine and a 15-year possible prison
    term, for a 120 year maximum possible sentence. The indictment also
    calls for restitution equal to the amount of money paid to state
    workers to uninstall the programs from 500 PCs.
    As the case nears trial, it's raising eyebrows among some legal and
    technology experts for the unusual application of an anti-hacking law
    to actions taken by a network's legitimate administrator.
    'This Is Not Hacking' "Our problem with this kind of statute is that
    it is written in such broad terms that it can reach all sorts of
    behavior that doesn't constitute computer fraud, but can give the
    government prosecutorial discretion," says Lee Tien, a senior staff
    attorney with the San Francisco-based Electronic Frontier Foundation,
    who has followed McOwen's case.
    "This is a hacking statute," says McOwen, "but obviously this is not
    hacking." At an early stage in the proceedings, prosecutors claimed
    that McOwen had cost the state of Georgia $415,000 in bandwidth
    charges, based on a calculation that the distributed.net clients
    consumed precisely 59 cents worth of bandwidth per second. The state
    has since backed away from the $415,000 figure.
    Today, much of the case rests on whether McOwen violated DeKalb's
    policies by downloading the distributed.net client. Russ Willard, a
    spokesman for Georgia Attorney General Thurbert Baker, contends that
    McOwen deliberately ignored the college's written computer usage
    guidelines, which were issued to him with his first user I.D. and
    password. Willard says the policy forbade McOwen from downloading any
    unauthorized third-party software onto the college's machines.
    McOwen claims he had permission from college officials to download the
    software, and his lawyer suggests that there were no written
    guidelines forbidding such installations to begin with. "If there is a
    policy I have not seen it," says attorney David Joyner, who says he
    has received all the discovery evidence in the case. DeKalb college
    president Paul Starnes and McOwen's supervisors from the college's IS
    department would not comment on the case.
    Even if there was such a policy presented to McOwen, those who work at
    universities say they are often disregarded. "It think it's so common
    on the academic community that nobody reads agreements like that,"
    says David Farber, a professor of telecommunications at the University
    of Pennsylvania and former chief technologist of the FCC. "It is part
    and parcel of many academics and many students that inquisitiveness
    motivates them to download third-party software. If you are going to
    prosecute a person for that on those grounds, than you should
    prosecute everybody on campus because everyone has done it."
    Financial Motive Alleged 
    Willard says that McOwen was singled out for prosecution partly
    because he had ignored his supervisor's warnings. "In this case, Mr.
    McOwen was expressively prohibited by his superiors from downloading
    these programs and was informed on many occasions by his supervisors
    to stop downloading programs," said Willard. "They were aware that he
    was doing it and he had gone in and cleaned it up on numerous
    occasions." Joyner insists McOwen received no such warning.
    Prosecutors also claim that McOwen had a financial motive for
    volunteering the school's machines. McOwen was a top producer on
    distributed.net for "Team AnandTech," a group sponsored by a hardware
    forum site which is still the second ranking contributor to the RC5
    research project. A $1,000 prize goes to the individual contributor
    who recovers the RC5 encryption key.
    "McOwen placed a program on computers, that in his estimation would
    benefit him personally, including computers that has sensitive student
    financial and identity information without authorization," says
    Willard. "There is concern about the program itself compromising or
    providing the basis to compromise sensitive personal or financial
    information, there is the matter of Mr. McOwen's unauthorized
    activities on this computer, and finally there is the point that there
    was misappropriation of state property."
    McOwen says the prize money wasn't a factor. "People do these projects
    for the betterment of mankind," says McOwen. "You are not doing it for
    the prize and possibility of money, you are doing it because it is the
    right thing to do."
    "I think the prosecutor's office needs some lessons in computer
    science," says Farber. "If you want to make a point, there are much
    better examples than this guy."
    The case is set for trial on 28 January.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 06:07:51 PST