Georgia Sues RC5 User For $415,000 453
jeroenb writes: "David McOwen posted a message to the Anandtech forums saying the State of Georgia is prosecuting him for using their computers for RC5 while he was configurator of the computers at a school system 2 years ago. Apparantly they want him in jail for 15 years and have him pay almost half a million dollars! According to the State of Georgia, one single Distributed.net client costs 59 cents per second in datatraffic. "
Re:And the problem is...? OT: But.... (Score:2)
My cousin was killed by a drunk driver. Our families were VERY close. He and a friend were riding home on their bikes one night and the got hit from behind. He got dragged over 200 feet, and the driver just kept on going. The friend was knocked clear but suffered numerous injuries. They were following all the laws including reflective clothing and headlamps for the bikes.
At the sentencing hearing, the defendants lawyer convinced the judge that he would lose his job if he was sentenced to a lengthy prison term. Why this mattered I have no idea. The judge gave this murderer 6 months in the county jail. Nights and weekends only. He got to continue working his job during the daytime. It later came out his employer and the owner of the company he worked for was also his uncle, so there was NO chance he would have lost his job. Six months PART TIME for murder, or vehicular manslaughter if you prefer.
Kind of puts the potential penalties in this case into perspective, doesn't it?
doesn't cost dick (Score:3)
59 cents per second in data trafic? First, what does a distributed client do for traffic like 5,000 bytes/hour? If you installed on 1000 machines, you're looking at perhaps 5mb/day tops? If it's a state/school institution, they're likely on a T1. So figure they can xfer 5mb in about 30 seconds maybe?
And realistic cost? A T1 should be about $850/month (commercial cost, perhaps cheaper for educational institution).
That is:
+360gb top transfer each month.
+143kb each second.
+423mb for one dollar.
+$0.01 for each 29 seconds.
So this comes out to 1/59th of the cost they claim. But let's assume it's 59 cents per second. At 5mb per day and 143kb per second, that's 34 seconds and $20/day. Or $7300/year.
So at the price they claim, 1,000 machines would have to be running dnet for at least 56 years to come out to $415k. Or alternately, he'd have to have been running dnet on 18,000 machines for three years. I find that highly unlikely.
Now, at the more likely cost basis of 1 cent per second for the T1, and the amount of time/bandwidth he'd have been using, it would actually be more like 1,000 machines running dnet for 3304 years or 18,000 machines running dnet for 1100 years or 1,000,000 machines running it for the last three years.
Re:Hrmph (Score:2)
It's the prosecutions job to prove that the operating systems involved are poorly designed, with schedulers that allow idle priority processes to use so much CPU as to be noticeable to the user.
Even so, almost all computers today are overpowered for 99.9% of the tasks for which they're called upon. A usage study could easily show that a horrid scheduling algorithm that allows idle priority processes to suck CPU would have negligable effect on the users who were using the machine. If the time difference to say... spell-check a document in word, or render a web page, is unmeasurable, or under .1sec, it becomes very difficult to prove damages. Hell, with the right lawyer it might even be possible to prove malicious prosecution and get compensated for this horrible event.
--
Hrmph (Score:5)
First thing to do, find out how much bandwidth a dnet client uses to crack N keys, and deduce how much bandwidth was actually used. Then you can show what the actual bandwidth cost was, this will be a much smaller number than $400k. Then you need to find out what kind of contract they have to pay for the bandwidth. If it's unmetered, you can probably show that the effective cost of the usage was $0.00, as it certainly didn't use enough bandwidth to require a connection upgrade.
Secondly, you'll need an expert witness familiar with process scheduling to explain why the dnet client doesn't reduce the computing power of the machines, and thus there was no cost incurred by diminishing the value of the machines for their intended use.
Lastly, beg, borrow and steal enough money to pay for a truly talented lawyer. Hopefully with some luck, the prosecutor on this case will be making coffee for the rest of his life.
--
Re:Text of post, comments (Score:2)
For the goatse scared, here are the links..
A reverse search on the phone number 770-564-1600:
http://www.anywho.com/qry/wp_rl?npa=770&telepho
A search for Joyner, David Atty:
http://www.anywho.com/qry/wp_fap?lastname=Joyne
Make sure you delete the spaces slashdot puts in...
Re:And the problem is...? (Score:2)
For a nonviolent crime from which the perpetrator did not gain financially, yes.
Lawyer: no, that's backwards (Score:2)
That's backwards. Try tracking down his terms of employment and seeing if there's anything allowing personal use of corporate assets. This could be a written manual (highly unlikely), or custom (possible, perhaps likely in many environments). At that point, he would e seafe. Without it, his position is at best awkward, and he very likely was stealing.
hawk, esq.
no, that's utter nonsense (Score:2)
When you are charged with a crime, you are charged with the crime, not the crime and a proposed penalty. You can look in the statutes, judicial manuals, or common law for the maximium penalty (probably the first iin this case).
Also, in some jurisdictions, the defendant is advised of the maximum penalty at arraignment.
Generally, it wouldn't even be *possible* to charge him with this without the 15 year maximum being out there . . .
hawk
State of Ga and cel phones (Score:2)
Some state idiot was using his cel phone a LOT for personal calls, and the local paper (Atlanta Urinal and Constipation...er Journal and Constitution) ran an article on it - typical "Your Tax Dollars at work" sorta shit.
Well, before long, if you were not the head of an institution/organization, no cel phone. We now have palm pilots with the wireless internet service...a decent, but not as good substitute.
HOWEVER, as I mentioned, even with a "Do we need milk?" call once in a while, there was $0.00 cost to the state. I guess part of their justification was "perhaps the employee didn't need one for their job function".
Okay, well, I had a second phone line to my house to dial into work and do stuff from home...never seen any reimbursement for that, nor for the power I use at my house while working on something remotely.
Though, I can get my own personal cel phone and have the state reimburse me for any minutes used for work. 450 minutes for $45, works out to
So, all in all, the state now has an unhappy employee who is less productive. All because of one poorly-written one sided article in the paper.
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
I'd be more than happy with a simple reprimand. It's a matter of fairness after all -- we think the charges against Mr. McOwen are excessive; it would behoove us not to levy similar charges against the prosecuter's office.
In both circumstances, there are quite a few others who are much more deserving of investigation.
--Dan
A Parable (Score:2)
You hire me to pick stocks. I pick bad stocks -- you fire me.
I didn't steal from you.
I didn't intentionally seek to defraud your company.
I didn't hide the stocks I purchased.
I was more aggressive than normal, but not unusually so.
I simply bought the wrong stocks, and got canned for it.
Should I go to prison for losing you money?
Now imagine I didn't actually even lose you anything -- you were merely concerned that at some point in the future, the stocks I picked might possibly expose the company negatively.
Should I have even been fired?
Possibly--but possibly not. If it's not even obvious if I should be fired, how could it be obvious that I should be imprisoned?
Something to think about.
Yours Truly,
Dan Kaminsky, CISSP
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
The trouble is that he was not mandated to do it, and it is not obvious that he had the leeway to do it. This gives him no ass-covering material. There's no piece of paper that unambiguously says he was permitted to do what he did. He can only argue about vague general principles.
I actually think the "vague general principals" are surprisingly supportive of the RC5 client, as I laid out in my second point. Here's a document that explicitly states what he can and cannot do, and he quite oddly follows it well.
I mean, seriously. There's alot of mileage to be gotten out of the fact that this document:
1) Says sysadmins are effectively autonomous
2) Lays out restrictions that are almost entirely followed to the letter(including WRT CPU usage).
Sigwinch, read the supporting documentation I provided earlier. Those are their policies. His actions are not even clearly a violation of them!
Never take a risky action in a corporation without considering how it will sound in front of a Federal jury or Congressional committee. "So, Mr. McOwen, are you're telling us that you were converting these computers to your own use to win a $1000 prize?"
http://www.theonion.com/onion3723/nobel_fever.h
Seriously though, the Nobel Prize is a much richer purse than RC5 will ever have; you don't see people being hauled off to jail for discovering the top quark!
To a jury of bums, rednecks, and career Taco Bell cooks, that $1000 prize will be damning. Ditto for newspapers and blood-n-depravity TV news shows.
Americans love two things:
1) Seeing criminals shot down by the public.
2) Seeing Goliath shot down by David.
The problem with McOwen is that it transcends the criminal-citizen barrier: Quite a few of us could imagine doing something unique and productive at work that some bureaucrat might not agree with. This self-identification means that the criminal prosecution becomes a personal threat that we'll pay (through advertising dollars) to watch allieviated.
"Piss your boss off, go to jail." The hacker/citizen barrier is *nothing* against this.
So? The humorless gentlemen in the dark polished cars, wearing nice suits and ray ban sunglasses don't give a flying fuck that the situation is bad. All they care about is the documentary evidence that *you* made it measureably worse.
Consider the opposite situation--suppose McOwen was in a tightly controlled secure environment, with all software change controlled and all decisions made through three levels of bureaucracy. Clearly McOwen would be much worse off -- not only would he be obviously and knowingly violating the decision making policies of his organization, but he'd be doing so in a manner in stark contrast to standard operating procedure.
He'd be screwed.
But that's not how it went. There was no strong top down organizational structure; it was all UGA could do to keep their sysadmins from maliciously harassing users! There was no "line in the sand" that McOwen crossed; his job was to maximizing the value of university computing resources and he did so. If he added minutely to system insecurity, the fact that he was hired to do things in an insecure manner(telnet blah) is at least a strongly mitigating factor.
Security is a process, as Bruce says. With little process in place, there was little for him to violate.
You do if you're a career state-employed academic bureaucrat. Any one of 'career', 'state-employed', 'academic', or 'bureaucrat' would be bad news. Put them all together and it's a deadly situation. The person carrying out this campaign against McOwen is certainly clueless, likely vindictive, likely monomaniacal, and *committed*. Once a person like that starts a campaign, they'll push it as far as possible. They won't know when to give up.
Couldn't have said it better myself--this is where my reluctance to entirely blame the prosecuter's office comes from.
It would arguably have been better to continue with 40-bit DES, and let the electronic pearl harbor force Congress to clean house at the NSA.
An interesting historical what-if. An electronic Pearl Harbor would plant a pernicious seed of doubt in the validity of all electronic records though, significantly destabilizing our entire system of indentured servitude / credit card debt. Given the personal profitability of being able to legitimately challenge the veracity of your entire debt history, I'm unconvinced any quality of crypto would ever be able to save an economy thrown into a tailspin by an EPH.
"Cracking DES" had the best possible effect, I think: It destroyed political opposition while leaving public trust unsullied.
Offtopic, but... WEP is an impressive accomplishment. They actually managed to design a cryptosystem that has cipher- and key-exchange-independent insecurity (the 24-bit initialization vector).
My favorite independent vulnerability right now involved keystroke password analysis in SSH1. Effectively, you monitor the timing variations between characters in a user's password as they're sent on the network and use hidden markov chains to determine the most likely keys that are being entered. It turns out that we take longer to transition between certain keys than certain other keys, and this transition distance can be indepedently analyzed.
If they really did just make up this numbers, the case could blow up in their faces.
Well, I made up the numbers WRT $200,000/yearly for a single T1--the difference is I was showing ballpark figures, whereas they're seeking felony conviction.
Big difference
During the day, the truck is *HIS*. He can pick his own routes, make a detour for a customer who is in a huge hurry, bend the traffic regulations, and generally do whatever it takes to get the job done. He job is a big one, and he therefore has a lot of leeway to make autonomous decisions. Suppose he wants to take the truck home at the end of the day to move a sofa. If he takes 10 seconds to get the boss's permission, taking the truck is perfectly OK.
Bad example--the equivalent circumstance is McOwen physically transporting the servers to his home to run some work for him there. You can't get around that -- you mention grand theft later; the reason it's grand theft is because the trucks were supposed to be there but instead disappeared!
It's not arguable that the movement of the sofa is at all within the mission of the trucking company; however it is extremely arguable that academic research and collaborative mathematical analysis is directly within the mission of a university. It does not matter if you would have made the same choice; you merely need to accept that it was a reasonable conclusion to reach for this to be an issue of internal policy disagreement and nothing more.
If it's your job to use them that way, you just do it. However, if there is a person who could say no, and you don't ask, you have done something wrong.
I'm reminded of the history of the HP Deskjet; which was fought tooth and nail by the laser printer heirarchy at HP.
There's *always* a person who could say no to something. The question is whether the general consensus is that something is not to be done -- no human organization can operate unanimously; it creates too many absolutes of power. Mr. McOwen may have known some might have disagreed with his use of the software, but there's always someone who disagrees. The question is: Who else knew of his actions, who else approved, and how does legitimate access to company hardware turn into the equivalent of a foreign hacker maliciously breaking in and subverting computer resources?
In a criminal case it is not necessary to prove substantial monetary damages, it is merely necessary to prove that the person did something they had not been given permission to do.
"Did you have passwords to these machines?"
"Yes."
"Did you steal them?"
"No."
"Who gave them to you?"
"My employer."
"To do what with?"
"Configure the machines."
"How so?"
"In a manner that maximized their usefulness."
"Any specifics?"
"Just what's in the guide."
"Did you violate the restrictions in the guide?"
"No."
If you allow fear to govern your actions, you are letting the enemy dictate your actions.
At the point of criminal prosecution, your hope for a peaceful ending (unless you wish to plea) is over.
It's funny, but I am also being serious. The Internet search engines are already starting to correlate information with specific people.
Thus why I've told a couple girls to never do porn. We're only a scant few years away from large scale eigenvector based face searches through large image databases, and the code is almost certainly going be trained against porn--there's no larger source of stock human photography!
The prosecutor is actually a good point of approach, if you can get him in touch with a clueful expert.
A guy can hope
Anyway, I understand what you're saying
Ditto.
I just think it's McOwen's fault for not establishing a paper trail showing permission.
My hope is that McOwen saved a few emails from coworkers higher than him expressing approval for the project...
"The Young Male Sysadmin's Guide To Not Going To Prison"
I feel like I'm looking at the title of one of those "World's Thinnest Books". Of course, considering the state of the economy, a chapter on how to successfully steal bread so you don't starve to death might be useful...
--Dan
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
Security is having confidence that every bit on the hardware comes from a known, approved source. You lose that when you install an untrusted program, and the only way to regain it is to delete everything and start from scratch.
Except he isn't accused of attempting to backdoor the systems. He isn't accused of attempting to hack them at all.
He's accused of running undesired software.
That's a major difference. This isn't a situation where an untrusted user got trusted access. This isn't even realistically a case where a trusted user gave untrusted users access(in the sense of others being able to do anything they wanted using the computational power of the university). A trusted user did something that others disapproved of. As long as there's no belief that he hacked the machines as well as used them for undesired tasks, simply killing the tasks is sufficient.
He wasn't even running a password cracker.
A better analogy would be if you hired a mechanic to change the oil in your street-legal drag racing car with a $30,000 racing engine, telling him to only use Mobil synthetic oil, and he used olive oil instead.
Yes, the moment I see an exact catalog of specifically what McOwen was supposed to install, and in what order, I will agree that he had no discretion to install any more or any less.
I do not expect such a list to be forthcoming.
OTOH, if you installed S@H on a live banking server 'just because', they'd beat you to death with CAT5, even if you have admin privileges.
Again, university environment, not big multibillion dollar conglomerate with a stock price to keep up. Downtime is not disaster for *any* system in most universities.
By contrast, more than a few companies have hot spare buildings. You heard that right: If, one day, the office should cease to exist, everyone may go to another.
--Dan
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
He was hired to install software. He didn't remove vast chunks of software, which would be the analogous argument. He also didn't attack the security of the systems he was using("removing the lock from the door") or attempt to view other people's information("pulled the mail from the mailbox") He did too much -- he installed extra code that wasn't actually desired.
A better example is that he was hired to clean up the dog shit, and he decided to clean up the cat shit too.
He did extra work within the constraints of his legitimate access and his job. It's that simple.
Not for security it doesn't. Security is a matter of knowing where every program on the machine came from, and knowing that no uncertified programs have even been run on the machine. It is solely a matter of trust, a matter of having a known chain of control. That trust is easy to throw away and expensive to regain.
The trust never existed.
Let me repeat that, with emphasis:
The trust that you describe, with full chain of evidence and absolute knowledge as to the source of every last byte on every last system, did not exist in this environment.
You cannot accuse somebody of losing for you what you didn't actually have!
The fact that not only did he not lose this trust, but he isn't even being accused of attempting to gain more trust than he was legitimately entitled to(via *actual* hacking) does alot to make me extraordinarily annoyed with this case.
I've seen at least one rumor that these were lab machines. Security begins with the physical, and with the vast number of people using these machines, it's literally impossible for them to have been considered anywhere even remotely within the same galactic vicinity as a "trusted base".
Yours Truly,
Dan Kaminsky, CISSP
Burden of Proof: Show He *Wasn't* Authorized. (Score:5)
====
To state that this case deserves to get thrown out of court -- with the prosecuting attorneys being reprimanded for falsifying financial figures to achieve a felony prosecution -- is not only a reasonable statement, it's possibly an obvious one. I have five arguments from which I draw these conclusions:
First, Mr. McOwen's terms of employment were easily open ended enough to consider this a valid use of network resources.
Second, University policy clearly granted Mr. McOwen permission to administer the machines as he saw fit, as long as he did so "fairly and in accordance with University policy."
Third, Mr. McOwen was acting in due diligence against billions of dollars in yearly national liability from a weak computer security environment.
Fourth, the Prosecution's numbers cannot be justified in any way, shape, or form.
Fifth, the very prosecution of this case creates a grave chilling effect against the ability for computer administrators to successfully maintain the systems they are charged with.
1) The exact job specifications of Mr. McOwen's employment were not and literally could not be set in stone; his basic task was to administer the systems according to the precepts of the site they were deployed. In this case, the site was an educational institution. Educational institutions, as opposed to even corporate workplaces, exist as nodes of "basic research" and "collaborative and non-profit volunteerism". Surely, it is not inconcievable that given the extraordinarily high degree of public works that universities are known for, that he might have come to the reasonable conclusion that installation of software that contributed to a public good (the global improvement of cryptographic quality) would be a fair extension of the mission of the university.
2) The University of Georgia's computer security policies, available at http://www.uga.edu/compsec/summary.html , clearly give Mr. McOwen wide latitude to administer systems however he saw fit. It states, "Those who administer computers and network facilities shall perform their duties fairly, in accordance with University policies." As this is the primary document describing University policies with respect to computer security, it stands by itself as a sufficient source of guidance for Mr. McOwen. Users are admonished that they "...shall take full responsibility for messages that they transmit through the University's computers and network facilities"; such responsibility refers specifically to "fraud, harassment, obscenity, and the like." Surely the analysis of simple numbers does not rise to the level of obscenity! There are admonitions against Trojan Horses and computer virii, yet both tools exist to procure access where none existed before--Mr. McOwen was granted his access legitimately. Indeed, the university specifically defines Trojan Horses in a detailed guide available at available at http://www.uga.edu/compsec/use.html : "A Trojan horse is a program with a hidden, destructive function, or a program designed to trick users into revealing confidential information such as passwords." There was nothing hidden about the RC5 code, and as for destructiveness, few would argue it is destructive to a computer to ask it to compute! Though there is a mention against "cracking", it is specifically in reference to the cracking of computers--Mr. McOwen was analyzing a code specifically authorized and designed to be analyzed. Even if he had been running a genuine system cracking utility, the detailed rules specifically authorize system administrators to do so. Mr. McOwen even actively complied with the requirement to give higher priority to users with more important work by running software that immediately yielded resources requested to any other software that requested them. Given the degree to which Mr. McOwen explicitly complied with university regulations, it is difficult to see the validity of this case.
3) Statistics have shown a multi billion dollar a year loss to the country from insufficient encryption and computer security systems. Such damage is often either concentrated or traced from machines with inadequate network security. University machines, almost always under-administered and very often forced to be publically accessable due to the academic requirements of students (one could not expect a place of higher learning to be as firewalled as the FBI!), often either directly experience financial damage or indirectly contribute to theoretical litigation expenses from being used as "jumping off points" for larger attacks. By contributing to the global awareness of the dangers of insufficient security, David expressed a degree of "due diligence" towards solving a problem the university was contributing to. Such due diligence constitutes a legitimate usage of system resources as a mitigating factor in any future litigation, much as active and genuine safety research mitigates against gross negligence in product liability circumstances.
4) No actual damage can be substantiated by the prosecution. The RC5 software, far from being heavy on network traffic, is a class of code known as "embarassingly parallelizable". In other words, the system consumes extraordinarily little network traffic for the amount of processing it does. Such processing is often done on systems with only intermittent modem connectivity; the university posessed a network connection several hundred times faster with permanent connectivity. It is beyond even the pale of conception that any communication from the RC5 system did, could have, or might have been predicted to cause any form of lesser service to any other network service. Indeed:
Suppose the school spent $200,000 on their internet connection yearly, for a single T1 interface capable of transfering one million, five hundred and fifty four thousand bits per second. Suppose the "damage" lasted over two years. This would place an upper cap of damages still at but $400K, and this would be presuming that the attack consumed the entire sum total of network resources. No such claim is being made. Lets assume that each transmission consisted of sixteen thousand bits every two days, and there were a hundred machines participating. These remain ballpark figures, but they're useful for illustrating the utter lack of direct damage. Over two years, those one hundred machines would exchange 584,000,000 bits.
This seems significant, until one realizes that the network as described posessed capacity to carry approximately 97,130,880,000,000 bits. The RC5 system, as it were, used up all of 0.0006% of the network capacity.
0.0006% of $400,000, incidentally, comes out to about $2.40.
5) Prosecution of Mr. McOwen would have a drastic chilling effect on the ability of computer administrators to do their work. When something as trivial as a pocket change's worth of network bandwidth can lead to felony prosecution, it becomes too risky to do much of anything. Mr. McOwen's judgement on the matter was trusted, and even if--in retrospect--management would have made separate selections, it's a questionable matter whether he could have fairly predicted that. His actions were questionable even as a offense worthy of termination, given the wide berth that system administrators require to be effective and the vast freedoms inherent in the academic environment. They'd be laughed out of any civil court in the country, and the fact that they've reached criminal court--at the felony level, which would deprive Mr. McOwen of his freedom, his voting rights, and even his ability to simply procure employment--is a grave insult.
This case should be thrown out of court, and the defendant's legal fees covered in full. Nobody should be allowed to abuse the power of the court in this manner.
Yours Truly,
Dan Kaminsky
Certified Information Systems Security Professional
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:5)
It is my contention that his personal goals and the mission of his company were not in conflict, and furthermore the odds of him actually winning the prize, remote enough(even with whatever rank he managed to achieve), the prize small enough, and the actual distribution of that profit distributed enough that for all intents and purposes the value of that prize goes to zero.
In terms of the prize itself, his probabilistic share probably didn't add up to the price of a can of Mountain Dew. That's a Red Herring and you know it.
That a university is publicly oriented does not give its employees license to do whatever they think is in the public interest. A university is a corporation, just like any other, and the use of its resources must be approved by management.
First of all, you're wrong. A university is not a standard corporation any more than a political party is, particularly not a university established as a branch of the government! The explicitly avowed dedication to academic freedom means a hell of alot.
Second, I haven't seen a single shred of evidence to state that he himself didn't have the discretionary authority to decide to run this software. Administrators were exhorted to behave in a manner compatible with the values of the university; as I noted, the RC5 system was extraordinarily compatible with the values as they were laid down, down to relinquishing CPU upon request.
In fact, if one examines the documents linked in the previous post in depth, one finds an extraordinary amount of power given to system administrators -- so much, in fact, that "management" sees the need to specifically warn administrators not to be overly or overtly malicious towards students. This seems to me an implication that sysadmins had an extraordinary amount of autonomy over the systems they deployed.
Whether or not you feel this is a good thing for management or even a professional thing for Mr. McOwen, the implication that the systems were under his discretionary control is quite clearly there.
He wasn't a consultant, sigwinch. He was one of the operators.
Incidentally -- these machines were going for some time, with no complaints being rendered for quite some time. This means a couple things:
1) Other admins who noticed either approved, yielded to McOwen's discretionary authority, or were able to remove it themselves. Any way you slice it, the time he was granted helps, not hurts his position. (By contrast, a genuine attack usually *hurts* a network, causing reasonably quick corrections.)
2) Management either approved, or itself issued little low-level discretionary authority. In other words, management ordered the sysadmins to keep things running. If the sysadmins extracted more value from the sunk costs, and it was (reasonably) within the mission of the university -- so be it.
Unreviewed, untested, warranty-less binaries that engage in continuous communication with remote servers are a serious security threat, as well as a threat to the integrity of the machines.
Yeah, welcome to Winamp, Windows Media Player, RealPlayer, Yahoo Messenger, and Windows itself.
Give be a break. The majority of university networks are so riddled with out of date daemons and unfirewalled ports it's ludicrous to suggest a single daemon with no known polling vulnerabilities is going to outweigh it. (By contrast, simply spoofing Winamp's update page is enough to destroy it.)
And what the fuck does that have to do with this discussion? The question is whether he had permission, not whether he would have had a good justification if he had asked for permission.
The question is if he had to ask. My point is that the burden is on the university to show he actually did need to ask, because he was clearly acting within the bounds laid out in the rules the school made public in a position that demands a large amount of autonomy.
Remember, that you would have made a different choice is irrelevant; the question is whether he had the right to make such a choice. In my mind, the fact that so much time passed between his use of university resources and his eventual shutdown means that quite a few people knew of this incident and one person elected to express discretionary priveledge and can him. That's fine--it happens--but you don't send someone to jail for it.
And even if that was our discussion, brute-force cracking RC5 is a stunt. It doesn't do a damn thing for security.
Silly. You have no idea how much Cracking DES did, do you? Do you have any idea how significant the EFF's DES Cracking book was in making sure AES happened, and in forcing 3DES to be the standard of the day?
Do you understand how recent it was that the federal government was saying it would take a foreign government inordinate and unrealistic amounts of time and money to crack even one DES key?
Do you realize how many algorithms, *today*, still depend on 40 bit RC4? Most SSL sites -- that travesty that is 802.11 WEP -- the garbage is everywhere.
Are you an idiot? Do you know nothing about computers?
Ask this again two weeks from now.
Diligent recovery from this compromise would involve...
a lot of things that didn't happen. At all. Even in the slightest.
You can't charge for damages that didn't occur. It's like filing a suit for your own wrongful death because somebody coughed next to you and they might have had TB--first of all, you ain't dead, second of all, they didn't have it!
Competent professionals help the client accomplish their mission. If they have ideas for new mission objectives, or even for cool charitable projects that don't really accomplish much, they discuss it with the boss. They *don't* run off and reconfigure hundreds of pieces of high tech equipment for their own whimsy.
I claim this did help with the mission, and that it was reasonable for McOwen to believe this was within his assigned powers. If his interpretation was at odds with that of the administration, perhaps he deserved to lose his job -- but this doesn't even pass the giggle test for felony hacking. They were HIS BOXES. He had a legitimate accounts, probably even root accounts and did things that were *arguably* legitimate.
Sysadmins *never* have the right to turn hundreds of the institution's machines into zombies for their own pet projects.
Oddly enough, who do you go to if you have a project that could really use a few hundred machines? You go to management, they look at you funny and tell you to go to the guru to decide whether or not to do it.
In most places with vast amounts of computing resources, there's usually a sysadmin at the top of the pile choosing what goes where--and if there's nobody on top of everything, like there aren't at most understaffed universities, everyone who has legitimate acccess is expected to legitimately use it--however they see fit, as long as they follow the rules.
Hardly. It's vandalism, plain and simple. The alterations he performed obviously had no relevance to the organization's mission, they had a potential serious deleterious impact on the mission, and he deliberately chose not to ask permission when doing so would have required little time or effort.
I provided extensive documentation showing the compatibility of this project to the university mission. I don't need to show it's absolutely correct -- merely that it's plausible.
Whatever deleterious effect you mention *didn't happen*, and as far as I can tell hasn't *ever* happened. Complete lack of precedent for a deleterious effect has an effect in a courtroom, you know.
The law is the least of his problems. Not only did he recklessly fuck over hundreds of his client's machines, he whined about the client's consternation on the Internet.
If the prospect of a decade of prison rape wouldn't make you run screaming like a horror movie prom queen into whatever abandoned warehouse of an online forum you could find -- you're a stronger man than I.
For the rest of his life, any time a prospective employer does a web search on him this story will show up in all its tawdry glory.
Oh, this is much better than a felony conviction. It don't say, "Have you ever been mentioned on Slashdot" on the employment forms, you know
I propose a new phrase for the Internet lexicon: "Pulling a David McOwen". It will be the Darwin Award of Career Limiting Moves.
Heh. Doctors play God, admins play BOFH. Both make mistakes, but the latter almost never kills anyone. Strip root, maybe. Strip down, though? For "hacking" his own machines?
He ran rc5, not rm -rf. He used computers to compute, not to destroy. He yielded processor when needed, rather than hog it to the exclusion of all others.
Felony hacking my ass, and *everybody* knows it.
I do feel for the prosecutor, though. I don't think he realizes how badly he's being used.
--Dan
www.doxpara.com
distributed.net's position (Score:5)
However, part of the subpoena restricts us from commenting on the details of pending litigation. Especially since we do not know the details or circumstances of the alleged activity, we do not want to do anything which would endanger either party's position in this case. We trust that the community understands our position in this matter.
In the more general sense, not commenting at all on the specifics of this case, it is never a good idea to run the distributed.net client software on computers you don't own or administrate. In the four years or so that we've been in operation we've been dragged in to a handful of situations where people have lost their jobs, positions, and scholarships by thinking that forgiveness would be easier to obtain than permission. Nobody, especially distributed.net, wants to see this happen.
It's important to keep in mind that the literal resource consumption of the client (which is as close to "zero" as can be) is often not the only factor important to a business. The existence of prize money with the RC5-64 project is discomforting to many organizations. One tactic which has proven to be very effective is to provide an affidavit that you will donate any winnings to a charity if a client you installed on a company or university machine finds the winning key. In many cases, this has been key to a participant receiving permission to run the client on non-owned resources.
Another frequent stumbling block is with service and support contracts which prohibit non-certified software running on workstations or servers. Your university or employer may risk losing support on their equipment if software is installed that hasn't been explicitly mentioned in the support agreements.
The bottom line is, always get permission first. It might not be as difficult to get permission as you think. And if you can't get permission, don't install the client.
We hope for a speedy and just resolution to this case, whatever that outcome should be, and that we never have to be involved in another one.
Re:Reduced lifetime? (Score:2)
Depends on the OS. Most modernish OSes on a single processor execute a HALT rather then spin in an idle loop. Not as many do that on multiple CPUs because getting the wakeup code right is harder.
CPUs in the halt state generally use less power, and generate less heat. It may wear the CPU out a bit slower too. A box with a thermal controlled fan will use less cooling power, and in the summer less AC will be used.
Those effects should be pretty small though. The heat generated by a CPU may be the same as two office lights, and a halted CPU won't put off no heat, just a bit less. Similar for the power used. So as far as heat and power goes it would be like suing a janitor for a half mil for leaving the lights on in a bunch of offices (for a few years).
Beats me on bandwidth, but I expect that is pretty low too.
Even if damages are called for these seem totally out of line. As far as damages go, I figure this would be the kind of thing worth a stern warning, or maybe a firing, but not a lawsuit. Apparently I'm not the Stare of Georgia.
Re:Reduced lifetime? (Score:2)
Because they suck in general, or because they don't halt rather then having an idle loop (plus sucking in general as an OS)?
Re:What about spam? (Score:2)
Alternators do not produce excess power, at least not if they're operating properly, and if they go bad and do produce excess power, that excess power burns out a fusible link, which makes you have to fix the problem.
Alternators have voltage regulators that keep the voltage right around 13.8, or whatever voltage the manufacturer has designed for, despite fluctuations in the load. It does this by increasing or decreasing the magnetic field of the rotor. This rotating field induces a current in the stator that, after rectification, is the output of the alternator. When load increases it draws more current. This will cause the alternator output voltage (the pressure that forces current through the load) to drop unless the alternator is caused to produce a higher current, which results in the voltage not going down. In order to produce that higher current, the strength of that rotating magnetic field is increased. Rotating an armature in a stronger field or rotating a stronger field with the "armature" held fixed is electrically the same--you have relative movement. If the magnetic field strength increases it takes more energy to move one relative to the other. That increased energy has to come from the engine, which means it uses more gasoline.
Radios, or any other electrical load, draw current. Some draw a little, some draw a lot, but none of them run on "free" power. The more current you have to supply to all the loads on the system, the more energy you have to use to generate that current.
I'm not trying to flame you, but until you have a better understanding of how electricity works you might want to avoid endangering yourself and your equipment by not opening your system and messing with the insides. Of course I learned a lot of what I know about how electricity works by opening up stuff and messing with the insides, but fortunately I was lucky enough (not smart, lucky) to not have severely damaged myself or started a fire.
Re:Good. (Score:2)
Re:And the problem is...? (Score:2)
What about power? (Score:2)
--
Re:Reduced lifetime? (Score:2)
--
Re:What about power? (Score:2)
--
Re:And the problem is...? (Score:4)
Re:What about spam? (Score:2)
Because this is a sufficiently ambiguous case to suggest the need for a contractual restriction. Perhaps he signed one--I don't know. Either way, the car analogies REALLY need to stop: running RC5 is NOT stealing a car and never will be. Was it bad? Maybe. Was it REALLY REALLY REALLY bad?
Re:What about power? (Score:2)
Does anyone have any real information about this? (Score:2)
1. How can this be a felony, this is a civil matter. They should be sueing for damages.
2. If he was in charge of the project, he could put any software on the computers. He had full disgression on the software installed.
3. Did he agree or sign documents agreeing not to install this type of software?
4. Did he hide the Dnet software on the computers? When someone asked about the program, did he say "Oh thats the Distributed.net RC5 Program, etc..."
5. How long did it take before someone complained about the program? Why didnt they just send out an email asking them to remove the software?
6. What was the actual damages?
When working a project, as a large computer rollout, you come up with a list of common software that the end user will need. What web browser, Email client, Ftp cilent, Bookmarks preinstalled, etc.. Now I hand this project over to the IT folks to do the actual work. They want to add thier own standard troubleshooting tools, maybe PC Anywhere, Software logging, Time sync software, SSH, etc.. Did they break the companies policy by adding Time sync software? The IT department had the "implied" authority to alter the install.
The abuse of the power for both State and Federal juristiction is in the news media daily, and here is just another example. Trying to put a person away for 15 years for installing software, un- fck'ing believable.
-- A government that robs Peter to pay Paul can always depend upon the support of Paul. George Bernard Shaw (1856 - 1950)
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
Are you an idiot? Do you know nothing about computers? Diligent recovery from this compromise would involve 1) backing up all data on the compromised hard drives, 2) formatting them, 3) reinstalling them from scratch, 4) sanitizing all the backed-up data, 5) and reinstalling all the backed-up data. Assuming a $150/hour sysadmin, three labor hours per machine, and 200 machines, that's a direct recovery cost of $90k.
(Im assuming Windows since its 200+ pcs)
1. Click on the little cow icon in tooltray.
2. Click configure.
3. Click Help. Whoa look at that, URL and Name of program...
4. Close program.
5. Delete directory.
I just saved the company 679K (your quote) and sued your ass for fraud.
If I hired a mechanic to check out my engine, and he sayed I used the wrong brand of oil, and I must replace my engine, Thats fraud.
Common sense people, Any Sys-Admin, IT/IS person would know how to check out a program and figure how to uninstall it.
BTW we use seti@home to burn in our Sun servers, even our big 10K clusters. Great way to burn in the million dollar hardware complexes before we go live with customers.
--
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. Albert Einstein (1879 - 1955)
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
Sun cpus if bad, crash during the first couple of weeks, (most likely) with cache or parity errors, thats why you burn them in...
We never run seti@home on live production machines, just burn them in on pre-production machines, read the post again.
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
Exactly, the guy didnt install software on banking machines, he used uni desktop boxen. And if he did install S@H on production boxes he would be fired, not thrown in jail.
Check his resume (Score:2)
And, speaking as an ex-State o' GA employee working at a university... boy is he screwed. But, it could be worse. He could have tried to buy supplies that weren't under state contract, or done something else that is outlawed under the state's antediluvian purchasing policies for computer equipment.
--
Never knock on Death's door.
Ring the doorbell and run
(He hates that).
Re:distributed.net license agreement (Score:2)
I live in one of many areas (small town, central IL) where both residential and business lines are charged a per minute rate as well as a per/connect rate. In the city I used to live in (Urbana, only about 1 hour East of my present abode), the business line only paid per connect. That's how my dedicated dial-up connection was so affordable - it was online almost 24x7, but it only made 15-20 calls in a month. It made me feel good to be abusing the phone company, but made me feel bad to get calls at 8AM (college student, sleep until 10 normally) asking to talk to the "owner of the business". The tradeoff was acceptable.
BTW, I had a whole bunch of computers runing dnetc at the college that used to employ me. I didn't get sued. Know how? I asked permission. Then I installed the clients anyway. ;)
Re:confirmation? (Score:3)
nugget@distributed.net
[distributed.net]
Login: nugget
Name: David McNett
Directory:
:: 09-Jul-2001 00:15 (Monday)
Well, since it's hit slashdot and I'm getting lots of mails asking if
we're aware of the situation, I thought I'd post a plan explaining
distributed.net's perspective on David McOwen and the State of Georgia.
http://slashdot.org/article.pl?sid=01/07/08/21532
distributed.net can confirm that at least some part of what's being reported
is accurate. We were subpoenaed for information relating to Mr. McOwen's
participation in the RC5-64 project and supplied that information as
requested. We also spoke at length with representatives of the prosecution
to make sure they understood the actual impact of the dnetc software on
the machines and networks in question.
However, part of the subpoena restricts us from commenting on the details
of pending litigation. Especially since we do not know the details or
circumstances of the alleged activity, we do not want to do anything which
would endanger either party's position in this case. We trust that the
community understands our position in this matter.
In the more general sense, not commenting at all on the specifics of this
case, it is never a good idea to run the distributed.net client software
on computers you don't own or administrate. In the four years or so that
we've been in operation we've been dragged in to a handful of situations
where people have lost their jobs, positions, and scholarships by thinking
that forgiveness would be easier to obtain than permission. Nobody,
especially distributed.net, wants to see this happen.
It's important to keep in mind that the literal resource consumption of
the client (which is as close to "zero" as can be) is often not the only
factor important to a business. The existence of prize money with the
RC5-64 project is discomforting to many organizations. One tactic which
has proven to be very effective is to provide an affidavit that you will
donate any winnings to a charity if a client you installed on a company
or university machine finds the winning key. In many cases, this has been
key to a participant receiving permission to run the client on non-owned
resources.
Another frequent stumbling block is with service and support contracts
which prohibit non-certified software running on workstations or servers.
Your university or employer may risk losing support on their equipment if
software is installed that hasn't been explicitly mentioned in the support
agreements.
The bottom line is, always get permission first. It might not be as
difficult to get permission as you think. And if you can't get permission,
don't install the client.
We hope for a speedy and just resolution to this case, whatever that
outcome should be, and that we never have to be involved in another one.
--
Delphis
Re:Civil or Criminal? (Score:2)
Even at 5 cents a second, that would be how many computation units to use $415,000 worth of bandwidth? This is RC4, not SETI. SETI is more of a bandwidth hog (I know, I run 2 SETI processes at home connected via the same 28.8k I browse slashdot with). RC4 hardly uses any since all it needs to return is the work unit start, number of keys, the result, and any ID information. Then it gets a new work unit of about the same complexity and goes to work.
I could see how they can say the CPU time might cost that. But I sense they are twisting the facts to posture for some kind of bigger settlement or plea agreement. It could also just be gross incompetence on the part of the lawyer(s) there (and we know that never happens, right).
59 cents per second? (Score:3)
Bob: "Hello, this is Bob over in the State Attorney's office. Is this the state internet network accountant?"
Tom: "Yes it is. How can I help you?"
Bob: "I'm doing investigations on a case here, and I need to know how much the internet costs. Do you have this information?"
Tom: "Do you need the cost of a specific circuit?"
Bob: "I don't know what you mean by circuit. I'm only interested in the cost of the internet."
Tom: "Well, there are a lot of cost factors involved. For example there are costs for leases and depreciations for the routers and the servers. Then there are the circuit costs for the state network. And the costs for connecting into the actual internet itself, like our OC-192 core connections."
Bob: "So are these connections what makes the internet work?"
Tom: "Yes, they are. Is that what you are interested in?"
Bob: "I think so. What are we paying for that?"
Tom: "Do you need the exact amount? I'd have to get all the paperwork together and figure it up and get back to you tomorrow."
Bob: "Just an estimate for now. A ballpark figure is good enough. We'll ask for copies of the paperwork when we're ready to go to court on this."
Tom: "OK, well last month we budgeted somewhere around 1.53 million dollars for the internet connections."
Bob: "Great! Thanks! That's exactly what I need to know."
Re:And the problem is...? (Score:3)
--
Re:What if one has d.net running at an old job now (Score:2)
If you fess up, then there is every chance they will go after you anyway.
If you do nothing and they find it, they go after you...
Your only real option would be to break in and remove the software, or hack in and do it remotely.
Good luck.
Re:What about spam? (Score:2)
Re:distributed.net license agreement (Score:2)
Hmmm....a little cut, a little paste, and voila!
It's like people at work that that they have a
"right" not to have their bathroom breaks webcast. You're using someone elses toilet, you have to follow their rules. If you don't like it, don't use it.
So...having made my point (I hope) that employers DON'T have carte blanche to do what they like to employees simply because the employees are on their property, the question then becomes where to draw the line. That I leave as an exercise for the reader
Re:So what really defines permission? (Score:2)
Why in the fuck is this a bad thing? For chrissakes people, you are paid to do a fucking job, NOT run dnet clients on every possible fucking machine you've been given charge over.
What really pisses me off is that most of the posts here are from people bitching and whining that it doesn't really do any harm to the machines. Sure it eats up a bit of proc even at the nicest level. Sure it takes bandwidth to download new keys but not that much. YOU'RE MISSING THE FUCKING POINT. THEY WEREN'T HIS MACHINES. HE WASN'T PAID TO RUN dnet clients ON THEM.
The sad part about this whole thing is that many of the /. crowd are showing how old they really are. Grow the fuck up and just do your job.
I know I'll get modded down but not for any justifiable reason. Mostly cause I hurt the feelings of some 13 yr old kids trapped in 35 yr old bodies who never learned the difference between work and personal life.
Re:To preempt all the "it's their equiptment" trol (Score:2)
HUH? Full T1? (Score:2)
Urm. Say AGAIN? Or is somebody confusing megakeys per second with kilobits per second?
He already got *FIRED* over it. (Score:2)
Heck, even when my users do something like that, against policy, I don't request to have the fired.. perhaps I would if they repeatedly and blatantly ignored me and did it, and were jerks about it.
Yes, they aren't his computers; that's obvious. Yes, he should have know better. And as you and everyone else agrees, 15 years in prison and a million bucks (or whatever) is friggin rediculous.
Remember,though, it has to go to court, where it won't be hard in this day and age to make them show how this cost them so much.
Where do you (Score:2)
He made a MISTAKE, as MANY young people do.
And he's not saying he didn't do anything wrong.
He's saying that having a felony charge on his record, paying a half million in fines and doing 15 years is NOT right. And I have to agree.
You attitude seems to be strange: If you break the law, any law, you should be thrown in prison for 15 years and not whine about it?
Re:He already got *FIRED* over it. (Score:2)
If it did, in fact, their accounting records should show the anomaly.
GA is in the Right (Score:2)
This past year, the IT dept. learned that several faculty and staff members had Napster installed on their computers. They learned of this when professors brought in their computers complaining of lack of disk space, and they found out that the grad assistants had installed Napster and proceeded to fill up the hard drives with MP3's. While that in of itself cost money and time for the IT tech's to get rid of the software and "repair" the computer, the bandwidth used to download those files also came from a very limited connection. So between the illegality of the music, and the cost of the download, IT announced that all computers with Napster must have the software uninstalled within 2 weeks of the notice.
In any case, IT argued that these are state computers, not the property of the faculty or staff that use them. So basically, this guy IS screwed if he did not get permission. That's all there is to it.
Re:Slippery Slope (Score:2)
The difference is the average employment contract says "You will not misuse company resources, the penalty for which is disciplinary action (such as termination)".
On the other hand, the average University computer policy is "Misuse of computer equipment may make you liable for prosecution". At least that's what I remember all the uni computer systems saying on login when I was at uni.
distributed.net license agreement (Score:3)
I assume they wouldn't be suing him if he'd asked whether he could install this and use their bandwidth. So he's got no one to blame but himself.
It's like people at work that think they have a "right" to not have their email or web usage monitored. You're using someone elses resources, you have to follow their rules. If you don't like it, don't use it.
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
Some basics.
1) If they determined the computers who untrustworthy now they'd pay one junior tech to install Windows, that's 20 minutes. They'd do one install of any needed application, maybe 40 minutes, if we assume a lot of programs. Then they'd ghost it, burn the image, and ghost it onto the other terminals. Figure 10 minutes per station, but it's parallizable, burn multiple copies, have multiple techs working. At ~12 minutes (rolling in some overhead to make the math pretty) per terminal, that's 5/hour, for maybe $4 each at a junior tech's likely wage. Multiply that by 200 and you've repaired all the machines for $800...
2) If you did hire a security consultant, he'd only need to look at one machine to determine if there was a problem. He'd then pass it off to the junior techs mentioned in #1.
3) The university isn't selling bandwidth, they're claiming it was stolen. That means they can only claim their cost. As shown in many posts, this cost is just a few dollars.
4) The RC5 client isn't any more likely to become a security hole than Scandisk. It doesn't listen for an outside connection so it's a whole lot different than the type of thing you're thinking of.
5) The dnet client doesn't slow down the machines it's running on, that's the whole point in running it at IDLE priority, it only runs when the machine isn't doing anything, and it consumes about 2.5MB of memory, all of which is easily swapped out for a higher-priority process. (I saw benchmarks that showed the computer performing exactly the same with and without the RC5 client running.)
Sheesh.
As I said, I really hope you don't represent yourself as a computer expert.
key blocks (Score:2)
Re:rc5 output (Score:2)
I wonder if Georgia thinks "k" means "kilobytes".
I don't see in the FAQ any mention of how much network bandwidth an RC5 client can use, particularly with the speed of processors two years ago.
Distributed.Net Resources (Score:3)
Wow, what math... (Score:5)
I run RC5. It runs 24/7. Let's figure it out:
1500 for the system (homebuilt)(let's say 3 year lifespan, that's 500/year, or about $42/month.. I paid cash for the components)
my *total* electicity bill: 80/month
ISP + cable TV: 60/month
So, that's $182/month, a bit over $6/day in a 30 day month,
Anyone remember when the h(cr)acker stole some AT&T documents (was that Mitnick?) and AT&T priced the documents at something like half a million bucks (although it was listed in their document catalog for like $30)?
So, basically, the "cost" they incurred is bullshit, the jail time is fucking ridiculous (we can't even keep murderers in jail that long), god I'm sick of shit like this.
Yes, they weren't his computers. He should be fired. However, the fine and proposed sentence time is a gross misrepresentation of justice. Can't the State of Georgia go arrest some of them child pornographers the Government keeps talking about instead?
Should've Posted This Article Monday (Score:3)
I'm betting that the RC5 rate drops noticably this week.
Re:I agree, but a felony? (Score:2)
Re:I suspect a mistake in units... (Score:2)
I suspect a mistake in units... (Score:3)
I'm suspecting that:
bandwidth in kbytes/sec
is being confused with:
keyrate in kkeys/sec
as shown on this graph. [teamanandtech.com]
Does anyone have any idea how keys translate into messages?
Re:Wow, what math... (Score:2)
The more "efficient method" would be something like, "block #x doesn't match". That's the point of testing a whole block... so it can be eliminated a block at a time. Assuming 1K messages per block, that's only 16GB for the number of blocks you cite.
Since we've established they've got an OC-12 or better, shouldn't be too much of a problem.
Re:Wow, what math... (Score:4)
$.59
x 60 seconds
x 60 minutes
x 24 hours
x 30 days
= $1,529,280/month
That's a heck of a lot of bandwidth... I used to have a T3 at a previous job for only $15K/month.
This must be something like an OC-12. Amazing that they didn't notice him using the entire thing just for himself, either... well, I assume he was using it just for himself, since he's getting charged the full amount.
Re:And the problem is...? (Score:2)
Otherwise law enforcement turns into a for-profit business where the goal isn't to deter crime or protect society.
Welcome to the new world.
http://www.faqs.org/faqs/law/lawful-arrest/
http://www.aclunc.org/opinion/001027-seizure.ht
http://www.libertarianworld.com/Property-Seizur
3. Under the Kansas Asset Seizure and Forfeiture Act, the seizing authority is not required to prove that the money seized was a result of conduct which gave rise to the forfeiture.
This quote was found here: http://www.kscourts.org/kscases/ctapp/2000/200007
Once you get through some of this material, you'll see where this is going.
Re:And the problem is...? (Score:3)
No, you missed the point. This is all about a proscecutor for the State of Georgia justifying 18 months of his time and his waste of State resources. He must recoup these costs for the State or else it's his carreer and life that will be on the line.
What about spam? (Score:3)
So where do I go to sue the fuckers that spam me and cost *me* money. I am not a state, I'm a frickin' person. There's probably millions of dollars used in downloading spam (at least in Ireland with pay per minute Internet which is your only option really). A win in this case could be dangerous precedent for Universities that have large bandwidth with SETI clients and so on. Sort of like Napster as well (can't remember the links though when those Unviersities banned it).
Anyway I've lost track.
59cents/second can't be the right figure. (Score:2)
$0.59/second is $2124/hour.
I mean, there is prosecutorial zeal and all that, but really this would be an absurd figure to put even to an inexperienced jury. You could pay somebody to set fire to a fairly nice computer every hour at that rate, or pay for the equivalent of a T1 of bandwith in under half an hour.
Also, note that this amounts to a claim of 195 hours "stolen", which seems pretty small if this guy was in charge of configuring a large number of computers.
Perhaps the figure being asserted was 0.59 CENTS/hour, and 19,500 hours "stolen". Assuming a a hundred machines working the eighteen off hours every day, this works out to about ten or eleven days operation; or perhaps it was ten machines for a hundred days.
0.59 cents per hour is $21.24/hour, which also seems like a more presentable figure, although still quite high. This might be a standard rate for an hour of computer time quoted on grants, assuming that normally this is dominated by operator costs, and throwing in an indirect cost rate of 25-30%. I know this is unfair in this situation but I assume this wouldn't matter much to a sufficiently unscrupulous prosecutor, whereas being laughed out of court would.
Re:Wow, I almost did that... (Score:3)
One night, I was taking care of some e-mail using Pine at around 12:30 AM. I closed my e-mail client, dinked around for a little in the shell, logged out, and went to bed at around 12:40 AM. (It was an early night for me.) The following morning, I checked my e-mail. I had in my inbox, eleven times, the following note. I paraphrase, but the tone is the same.
The messages had all been sent right before I logged out and took my dnetc instances with me. However, I quickly put an end to that script right then and there. My roommate and I got a pretty good laugh out of it, too.
Re:Need more information... (Score:2)
Our legal system is broken and useless unless you are rich or a republican.
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:2)
The cases are not similar. Fabricating evidence in a criminal prosecution (the original premise was that the prosecutors would deserve a reprimand for "falsifying financial figures to achieve a felony prosecution") is a far more serious crime than anything McOwen is accused of doing.
/.
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:3)
Reprimanded, shreprimanded. It should achieve their own felony prosecution.
/.
Companies that don't suck, take two. (Score:2)
I was about to post a followup to my own followup, saying that my tone may have (upon retrospect) been a bit sharp. But then I saw your post, so this post now bears double duty...
Sweet! IBM is sounding cooler and cooler all the time. I distinctly recall the Apple TV advertisement that ran once during the '84 Olympics, announcing Macintosh, and portraying IBM as the Big Brother (1984, get it?). I guess IBM has been undergoing some revamping of their corporate culture.
And at the same time, SGI -- who was one of the neatest places to work at -- says they're killing off their employee's website. Bummer.
Really bad example there... (Score:2)
You know, actually, that doesn't strike me as so bad...
*straight face*
Well, mostly. :-)
And the problem is...? (Score:3)
Okay, so maybe the penalty is a little steep, but how many times are we going to rehash the same damn story on slashdot? (Oh yeah, I forgot that the collective attention span here lasts abou- hey, look, shiny things.)
It's very simple, folks:
non-work-related activites (Score:4)
First Law of Slashdot: Every extreme example must be countered by an equally-extreme counterexample.
*sigh* Of course not. Clearly every employer who doesn't have their heads shoved up their own arse -- and even some that do -- recognize that some company time/resources will be lost for purposes of morale. Reading slashdot is like setting aside part of an unused cubicle for a small fridge and a coffee machine, or getting a phone call from the SO to remind you to pick up milk on the way home. No, they aren't strictly work activites, and no, they don't bring in immediate revenue (or whatever).
(The number of people who like to point this out every time the topic comes up disturbs me. What's required is good judgement. My boss doesn't care if I use the web to look up movie times for that evening, but running my own MP3 streaming radio station from my office would be out of line.)
And I repeat: yes, I agree the penalty is too steep. I just don't think the guy should get off scot-free in the name of science.
Re:Huh? WTF? (Score:2)
Sorry, but the action shout be in some proportion to the case in question, meaning:
Those were probably machines, most networked together and accessible for any student who wishes to log in and has some networkwide account (i'm assuming from other Universities). In these circumstances it's near impossible to have high security projects on those machines. All in all, in university networks availability is more important than security.
The process you describe is hence inappropriate to the case. The RC5 client doesn't even have known security holes, so the additional security risk due to the running clients is very low, regarding the environment (students that access the machines without getting some lecture about security, for one). So if you consider risk due to running an application with no known security holes high enough to make all that sanitizing necessary, most universities should probably sanitize their computers on a weekly basis.
The most sensible course of action (and what probably happened) was simply deinstalling the client on the machines and be done with it.
I don't know, how much of a 'worst case' scenario you want to make out of it, i simply think you're taking it a bit far there. Anyone could make that bill even higher by saying, that all Work done on those Computers in the past two years is to be considered compromised, all of it has to be done from scratch, and billing wor all that worktime and the costs of delayed projects (like you seemed to hint at with that accountant example in another post). Noone will do that, it's simply not realistic, but it can be used to calculate arbitrarily high damages.
What about electricity use? (Score:2)
A $500K fine is ridiculous, and 15 years has *GOT* to be unconstitutional under the 8th amendment.
Re:Need more information... (Score:2)
What makes you think that's over the top? Government agencies will spend money on ANYTHING at the end of the fiscal year just to make sure their budget doesn't get cut.
Kintanon
Re:And the problem is...? (Score:3)
John Doe is a radio DJ. He is responsible for playing the hits, chatting it up between songs, etc. He has a very specific format he's required to stick to, and is absolutely prohibited from playing anything outside that. One day, he's totally taken with a certain band, and decides he'll just 'slip in' a song from them, even though it isn't on the approved playlist. Next thing you know, he's hauled off to prison for trespass, breaking and entering, etc, because he did something during his job he wasn't supposed to.
That's the meatspace equivalent of what's going on here. The man in question had a job, and MAY have violated job guidelines (stating that RC5 is 'personal use' is only borderline correct, in any event, since it is really a donation of time for community benefit. If he named the team/entry after his employer, he could be said to be doing it on their behalf, albeit unauthorized). In any event, he used his discretion to install software they did not want. This is almost certainly cause for termination of his employment, but is absolutely not criminal. His access to the machine was authorized. I'd sure like to see what he's being charged with, but I'd imagine the prosecution would have to construe his actions as willfully malicious in order to prosecute him. On a side note, at my employer, we regularly netbooted new servers with rc5, and ran it until they were prepped to go into production, and did so without permission. When our boss found out, he just said, "It's not on the production stuff?" And it wasn't. I'm sure if it HAD been, he'd have said, "Don't do that." and that would have been the end of it. He shouldn't b getting community service OR jail time, or ANY fine. He may have misperformed his job, but unless he did so in a willfully negligent manner or a malicious manner, then their only remedy should be terminating his employment. My own experience tells me that RC5-on-the-side is generally considered to be non-harmful, and in fact, at one point (in a ~400 person company, at the time), I was discussing with the MIS manager the idea of booting an RC5 client onto all boxes on the network automatically!
Not only that, but I hope we (as in, the judge and jury) are smart enough to assess real damages, notice the gross inflation by the prosecution, and consequently chastise them and dismiss the case.
First thing you need to do is.... (Score:5)
Re:This isn't the first time... (Score:5)
From the horse's mouth:
His apps ran in the background, but consumed so much CPU time that the entire directory assistance system slowed down to the point where it was unusable.
Nope. Actually the directory assistance system was slow before Blosser installed the software and after the software was removed; US West simply decided to use him as a scapegoat for their problems.
That's how he was discovered, the 411 system crashed, and sysadmins traced the apps back to him.
Again, no. The software was detected (by the network people who hadn't already given permission for it) when they suddenly noticed lots of traffic to entropia.com going through their proxy servers.
What if one has d.net running at an old job now? (Score:4)
What would be the proper way for that person to cover his/her ass?
Re:Burden of Proof: Show He *Wasn't* Authorized. (Score:3)
Unreviewed, untested, warranty-less binaries that engage in continuous communication with remote servers are a serious security threat, as well as a threat to the integrity of the machines. Many a machine has been brought to its knees because of some weird interaction between the installed packages.
A competent professional would *never* risk his client's machines for an unnecessary program.
And what the fuck does that have to do with this discussion? The question is whether he had permission, not whether he would have had a good justification if he had asked for permission.And even if that was our discussion, brute-force cracking RC5 is a stunt. It doesn't do a damn thing for security.
Are you an idiot? Do you know nothing about computers? Diligent recovery from this compromise would involve 1) backing up all data on the compromised hard drives, 2) formatting them, 3) reinstalling them from scratch, 4) sanitizing all the backed-up data, 5) and reinstalling all the backed-up data. Assuming a $150/hour sysadmin, three labor hours per machine, and 200 machines, that's a direct recovery cost of $90k.Then you've got all the people who will be sitting around with their thumbs up their asses while their machines are offline. Assuming an average downtime of 1 week, an average employee salary of $25k/year, and an overhead rate of 100%, that's an indirect recovery cost of $192k.
Then there's the investigation cost. Assuming a security expert at $500/hour, and an analysis time of 30 min/machine, that's an investigation cost of $50k.
Then there's the legal costs. Because of the severity of the compromise, and the threat to the University's IP, a top-notch law firm specializing in insider sabotage will be needed. Assuming the law firm charges 80 hours @ $200/hour, that's a legal cost of $16k.
Then there's the prosecution cost. I have no idea what DAs, judges, and courts charge, but it's gotta be a lot.
That's a total of $348k for direct and simple indirect losses.
Then there's interest. It will probably take the Uni about three years to get a judgement for the losses. At the standard 25% rate for unsecured credit, that's a net interest of 95%, which will bring the final judgement to $679k.
Then there's the potential reputation cost to the university. Insider sabotage of the IT infrastructure makes tech and biotech firms very antsy, and less likely to engage in lucrative contracts with the Uni. Likewise for alumni support. The damages from this are pretty much unlimited; if the fates are against you it could run to tens of millions of dollars.
It's their bandwidth and they can sell it for whatever price they want. It's up to you to ask for the price before you start appropriating it.But that's irrelevant. The $0.59/min figure is almost certainly an aggregate number. They added up the total losses, divided them by the duration of the compromise, and that was the number.
It will not. Competent professionals help the client accomplish their mission. If they have ideas for new mission objectives, or even for cool charitable projects that don't really accomplish much, they discuss it with the boss. They *don't* run off and reconfigure hundreds of pieces of high tech equipment for their own whimsy. Bullshit. Sysadmins *never* have the right to turn hundreds of the institution's machines into zombies for their own pet projects. The reason sysadmins have wide latitude in decisions is because *that's what it takes to accomplish the mission*, and not because the machines are part of their personal toy chest. Hardly. It's vandalism, plain and simple. The alterations he performed obviously had no relevance to the organization's mission, they had a potential serious deleterious impact on the mission, and he deliberately chose not to ask permission when doing so would have required little time or effort. The law is the least of his problems. Not only did he recklessly fuck over hundreds of his client's machines, he whined about the client's consternation on the Internet. For the rest of his life, any time a prospective employer does a web search on him this story will show up in all its tawdry glory.I propose a new phrase for the Internet lexicon: "Pulling a David McOwen". It will be the Darwin Award of Career Limiting Moves. Example usage:
Re:Text of post, comments (Score:5)
Re:And the problem is...? (Score:4)
Okay, so maybe the penalty is a little steep
Yeah, maybe. Even if you assume they bought 200 computers for 1500$ each, he was using a full T1's worth of bandwith and that the computers in qestion are all now broken beyond repair, the fine alone still outweighs the cost to purchase completely new computers. This is without mention of the prison term. Regardless of whether or not he's sentenced to that term - or even convicted - the danger here is the precedent that this sets.
You didn't ask your employer's permission to use your employer's computer for non-work-related activities.
Nor did you, I suspect, when you posted to Slashdot last week Thursday, Tuesday, and Monday. We all use our work computers for non-work-related activities. We all don't goto prison for it.
He
The danger is in the
signature smigmature
Simple (Score:3)
Q: Did he have permission from the school to install the software?
Yes: They can't touch him.
No: Stick a fork in him; he's done.
Regardless of the bandwidth costs - say it only cost 59 a day - it's still money that the school/state wouldn't have had to pay if he'd done his job (and only his job).
He's hysterical: "...the future of all that use the Internet and computers is at stake."
The future of all people who install bandwidth-sucking apps on equipment that belongs to someone else, perhaps.
"We all say so, so it must be true!"
Re:distributed.net license agreement (Score:3)
What about the company telephones? How about during the lunch hour? It is socially acceptable that employers would "monitor" voice phone calls, even personal calls to/from family members or friends, even during breaks and lunch hour?
Maybe email and voice phone calls are fundamentally different, but they're both simple human-to-human communication. Maybe it's "using someone elses resources" in your world, but at least in the US, local phone service and email are sold on a flat-fee basis. Aside from time lost from working, there is no additional cost to an employer for a brief phone call or a normal email message.
The only thing that is fundamentally different about email is that it can be easily copied, archived, searched and indexed. Today (except perhaps for the NSA), voice phone calls can't be automatically converted to text and monitored as cheaply and automatically as email can. That's today. Someday it will be possible. When that day is upon us, I certainly hope your anti-privacy opinion isn't the general public sentiment.
The one exception today, for voice phone calls, is monitoring of customer service calls to assure quality of service. It's generally accepted practice, and even required by law in some states, to disclose at the beginning of the call that it may be monitored. Saddly, email doesn't enjoy the same privacy protections as voice phone calls and postal (snail) mail.
Text of post, comments (Score:4)
Text of subject's post from Anandtech is pasted below:
This is David McOwen, dmcowen674@aol.com. I need everyone's help that possibly can. I worked at a school system 2 years ago that is part of the State of Georgia and was the configurator of the computers. They are now prosecuting me for Felony conviction with up to 15 yrs in prison and wanting $ 415,000. They are saying the Dnet client costs 59 cents per second for the Internet transmissions! If you or you know anyone that can help please contact my lawyer Mr. David Joyner at cdjoyner66@aol.com , phone number of the Law Firm 770-564-1600 . Beside my life and my family, the future of all that use the Internet and computers is at stake. Don't let them turn the good of computers into something so terrible. If it was so terrible it should be taken away from the world and not prosecuting one individual. People were panicking about rumors of the Govt tacking on a 5 cent surchange to supplement the Postal service because E-mail is taking away from their business and now the State of Georgia is saying E-mail costs 59 cents per second and this is not a rumor!
Also we need to know if anyone in the United States or the world has been prosecuted for this. We need to know for sure that they are setting this dangerous precedent, making me an example and everyone is next. They did not give me an opportunity to just turn the client off, they also said that there was no harm done after they turned it off. How can they call it a felony then and looking for nearly half a million dollars! Please help in any way that you can, whether by E-mails or any other support.
Thank you
mrgoat
Re:Confirmation? (Score:5)
Re:Permission would have been nice (Score:4)
That's the "enhanced" version of the dnet client that cracks RC5 and mirrors cdrom.com as well.
Re:First thing you need to do is.... (Score:5)
Re:And the problem is...? (Score:3)
There was the famous case of a guy in Britain who was sentenced more stiffly for dropping a crisps (chips) packet in front of a police officer and refusing to pick it up than the guy a few courts down who was found guilty of a sexual assault but managed to avoid jail time.
Then there is the side of the publicity value. If Georgia sued him sanely, they'd have a pointless day in court, persecuting some guy who's not in a position to repeat it. Sue him to hell and back and it'll get on the news, it'll be discussed in every IT dept tied in Georgia and they'll have all of their admins desperately tidying up their systems for the cost of filing a lawsuit. It's not right, it's not fair, but it certainly makes good business sense.
Simple Solution (Score:5)
The audit alone should cost a few million...
Re:Permission would have been nice (Score:3)
Thanks for the link, asshole. :)
What "the dude" states in the message is this:
"They are saying the Dnet client costs 59 cents per second for the Internet transmissions!"
He doesn't refer to "one single Distributed.net client" like the writeup says, just "the Dnet client", which can just as easily refer to every instance of the client he has installed on the school's computers.
BTW, your link is broken. Try using <A> tags next time
Re:Permission would have been nice (Score:5)
As far as I can tell, that statement only exists in the /. writeup on this story. In the message on the bulletin board that started this, he only says that they claimed that d.net was costing them 59 cents/second. No mention of how many clients he was running (being the "configurator of the computers" he must have had access to more than one machine :)
And further down that thread, someone responds to him:
"Wow, you were outputing over 60k/day at peak time. That's around 400-600 P2-300's power, 2 years ago"
I can't remember what a reasonable RC5 rate is anymore, but that doesn't sound like the output of a single client, even if that estimate is outdated by two years.
Of course, even if Georgia is getting terrible rates on bandwidth, say $20/GB, he'd have to be using 29MB/second to be costing them that much. I'm pretty sure that no d.net configuration could possibly use up that much bandwidth.
rc5 output (Score:3)
Need more information... (Score:5)
The post is kind of vague as to how specific his job duties were, and if he was just doing a bad job at his position, or whether he was in violation of his described duties. I would imagine a state agency hiring a sysadmin/IT person, would put some clause in regarding malicious or unapproved software.
Re:Wow, I almost did that... (Score:3)
You are standing in an open field west of a white house, with a boarded front door.
Re:What about spam? (Score:4)
Very interesing suggestion, as what this guy is accused of is more or less what spammers do, especially the ones who exploit open relays.
Maybe if we started calling spammers "hackers" the courts would start assfucking them like they do to anyone who gets branded with that name.
I believe this guy deserves to be punished, but what he did was at WORST a misdemenor. He deserves at worst a fine and/or community service.
The fine and punishment the prosecutors are going for are TOTALLY out of porportion to the crime. There are drug dealers and people guilty of VIOLENT crimes like assault who get FAR less.
Re:Good. (Score:5)
Don't be too sure. Most judges know more about nuclear physics than they do about how computers and networks REALLY work.
And pretty much ALL you have to do to fuck someone in the courts is to call them a "hacker". As 2600 found out in the DeCSS case. Doesn't matter what the merits of your defense are once that label is thrown out like red meat to the judge. Of course, having a corrupt and/or incompetent fool like Kaplan for a judge didn't help.
Some point (Score:4)
The problem with the 'background task' argument is that breaking RC5 is not necessarily the best use to which those cycles can be put.
The issue of authorization is the weak point in the State case. Running a codebreaking program falls pretty squarely within the normal run of academic persuits. The fact that a prize is offered does not necessarily mean that the enterprise is 'for profit'. All sorts of prizes are offered for academic research. In the case of the RSA cryptography challenge prises they were started by Ron Rivest so that he did not have to spend half an hour reading each day about the latest factoring scheme people had thought up. Peter Trei later suggested to Jim Bizdos that there might be other challenges that would be somewhat more fun and relevant.
Best chance of getting the case thrown out is likely to be demonstrating a that running a crack program is considered acceptable academic behaviour at most universities.
I don't see the terms of service giving the prosecution much help. They are so broad that they could be read to permit or prohibit practically any behavior. The defence get the benefit of the ambiguity, not as some slashdotters appear to believe the prosecution. Nobody is disputing that the guy was authorized to use the equipment, the issue is whether the specific use made was authorized. That is a very subjective question, hardly one that should be at the center of a criminal prosecution.
The reason we had to start putting up the terms of service notices was that without them the courts would not even allow prosecutions of people who broke into computer systems to abuse them in the most malicious ways you can think of.
Still the guy has only himself to blame, you go to live and work in a mickey mouse state that only gave up the swastika (oops sorry symbol of the slavers side in the civil war) on its state flag with great reluctance, you expect the type of legal system portrayed in Stir Crazy and My Cousin Vinny.
Re:confirmation? (Score:3)