[ISN] the ever changing story of Randall Schwartz?

From: InfoSec News (alerts@private)
Date: Mon Mar 05 2007 - 22:32:47 PST


Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://news.com.com/Intel+hacker+sentence+expunged/2100-7350_3-6164113.html
: 
: A former Intel contractor has seen his conviction for hacking into the 
: company's systems expunged, after a battle lasting more than a decade.
: 
: Schwartz was arrested in 1993 after using a program called "Crack" to 
: find out the passwords of various former colleagues in the Intel 
: Supercomputer Systems Division (SSD). Schwartz had left SSD under a 
: cloud, and told the court he decided to crack the Intel passwords to 
: show that SSD's security had gone downhill since he had left, and to 
: reestablish respect he said he had lost when he left SSD.

This wording, and the wording of several other recent articles, make it 
sound like Schwartz had left Intel ("former colleagues") before cracking 
the password.

Google is fairly polluted since the case has been discussed extensively 
the last decade, but pulling up the cache for 
http://www.cyberlaw.com/cylx1195.html shows:

 Notable legal developments reported in November 1995 include the 
 following (updated 12/95):

 Randall Schwartz, a former Intel systems administrator, was convicted 
 under Oregon law on three felony counts of altering a computer system 
 without authorization and gaining access to a system with the intention 
 of committing theft. Originally hired as a contract programmer and 
 systems administrator, Schwartz conducted routine security checks using 
 a program called "Crack," which guesses user passwords. After being 
 hired by another Intel division, Schwartz performed a security check on 
 his old division, despite reprimands by Intel for two previous 
 incursions into computers at Intel and other companies. During that 
 check, Schwartz used Crack to determine the password of a user, gained 
 access to a core cluster of Intel computers, moved a password file from 
 a computer to a quicker one, where he used Crack to break 48 of 600 
 passwords. Intel conceded there was no evidence Schwartz took passwords 
 out of the system, but maintained that merely moving the passwords 
 constituted theft. Schwartz was sentenced to five years probation, a 
 deferred ninety-day jail term, 480 hours of community service, and 
 $170,000 in legal fees. He also faces a $72,000 damages claim. New York 
 Times, 11/27/95, C5.

This suggests he was still being employed by Intel, and crossed internal 
division boundaries when he cracked the passwords, and the information 
never left Intel's network. As far as I recall, the outrage at the time 
was this being charged as a 'crime' when this was standard security 
practice for security administrators.

So, over the last decade, has the story changed and are people under the 
impression he was an ex-employee/contractor and did the password 
cracking after leaving Intel? Or are these articles just getting sloppy 
on wording and not painting a clear picture of what happened?

