Randal Schwartz was too curious for his own good. As a contractor at Intel in Oregon in the early 1990s, he poked and prodded a bit too much, especially in the area of demonstrating how poorly chosen – how weak – many account passwords were in the groups he worked for. Schwartz is best known as an expert in the programming language Perl that is widely used for Web applications alongside later arrival PHP. (In fact, big hunks of TidBITS are now powered by Perl.)
Most system administrators view testing passwords for strength as one of many tests to ensure that a network and its associated computers are resistant against infiltration and compromise. However, disputes in the manner by which Schwartz ran his password-cracking tests and the permission he had to do so led to him being released from Intel, charged with a computer crime under Oregon law, and convicted of three felonies. He also had to pay restitution to Intel and a large pile of legal costs – hundreds of thousands of dollars in all.
Those convictions have now been expunged, and I’m happy to spread the word. On 01-Feb-07, a court ordered that due to “the circumstances and behavior of the defendant since the date of conviction” and his completion of all provisions required of him, his conviction and arrest are to be removed from the record. In the words of the order, “the defendant…shall be deemed not to have been previously convicted or arrested.”
The conviction was a travesty of justice, one that I’m not convinced would have been upheld by Oregon’s Supreme Court or higher courts. The judge noted in one part of the trial that the law appeared to characterize changing the background color of a computer’s operating system display as a crime. (An appeal in 2001 resulted in a mixed bag of results.) And I don’t believe anyone has been prosecuted since in Oregon in a remotely similar manner.
The PDF of the expungement order can be found at the Friends of Randal Schwartz site, which has extensive archives of public statements on the matter by those involved, which make it pretty clear that Intel was running the prosecution, and that Schwartz was convicted partly on the basis of police recollection of one conversation while his home was being searched.
Schwartz never said he acted intelligently in the matter. He was read his rights by the police during a quasi-raid of his premises, and he spoke without a lawyer present. He had been asked multiple times to not run cracking software and to turn off software that allowed him remote access for various purposes. And he held off reporting the flaws he found for so long that it looked like he was hiding something.
But I have long maintained the prosecution was pretty much a farce. Schwartz had no criminal intent and the “restitution” he paid Intel was for them to fix problems that existed before he demonstrated them. In fact, Intel would have paid a huge price had criminal crackers gained access to their systems; they probably should have paid Schwartz a bonus rather than trying to get him put in the pokey.
Schwartz never served jail time. In fact, the judge in the case was remarkably sympathetic to him but had to follow existing law. But he was, until a few weeks ago, a felon, and that’s a cross to bear in the post-9/11 world. As an internationally recognized program-language expert, Schwartz’s ability to work on certain government and corporate contracts was restricted, and traveling outside the United States was quite difficult.
I met Schwartz through Geek Cruises‘s first Mac Mania cruise, a great week spent with lots of Mac writers I had long known or wanted to meet, and a fantastic set of attendees. Schwartz has been on every Geek Cruise, a sort of vocational hobby of his now, a fact I accidentally confirmed at Macworld Expo with CEO and “Captain” Neil Bauman, who runs the conference series.
On the last day of the cruise, as we waited to get called to disembark, Schwartz sat in the lounge from which we had Wi-Fi access to a slow Internet connection explaining to people how they were sending their passwords in the clear over the Wi-Fi connection – and he would tell them a snippet of their password to prove it. It was a startling wake-up call to those present, and an ironic callback to what led to his difficulties in the first place.
A few years ago, Schwartz asked me if I, along with a number of other people, would write a letter to the then-outgoing governor of Oregon asking for a pardon. In it, I described Schwartz’s consistent white-hat behavior, his generosity with his time, and his strict adherence to the terms set at his sentencing. The governor declined to issue a pardon, but as I wrote at the time, Schwartz demonstrably never had any intent to cause harm, only to improve security, and erred only in violating company policies. There was never any proof – nor any needed under Oregon law, unfortunately – that Schwartz obtained any information he wasn’t intended to have, either.
I’m delighted that Schwartz has been rendered unconvicted. And I wrote this article in part to spread the word, in part to note how easy it could be to be charged and convicted of a computer crime for actions that may not seem problematic at the time, and in part to file this brief with Google – so that Schwartz’s name is associated more with the absence of a conviction than the presence of one.