[iwar] [fc:The.crime.of.distributed.computing]

From: Fred Cohen (fc@all.net)
Date: 2001-12-23 06:14:45
Next message: Fred Cohen: "[iwar] [fc:Saudis.Assail.'Media.Blitz'.Against.Them.In.The.West]"
Previous message: Fred Cohen: "[iwar] News to Use from Infowar.Com 12-21-01 (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200112231414.fBNEEjF20501@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Precedence: bulk
Date: Sun, 23 Dec 2001 06:14:45 -0800 (PST)
Subject: [iwar] [fc:The.crime.of.distributed.computing]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

The crime of distributed computing

By Ann Harrison

Posted: 20/12/2001 at 17:33 GMT

A college computer technician who offered his school's unused computer
processing power for an encryption research project will be tried next month
in Georgia for computer theft and trespassing charges that carry a potential
total of 120 years in jail.

The closely-watched case if one of the first in which state prosecutors have
lodged felony charges for allegedly downloading third-party software without
permission. 

David McOwen was working as a PC specialist at the state-run DeKalb
Technical Institute in 1998, when he learned about a project by the
non-profit organization distributed.net that allowed computer users to
donate their unused processing power to test the RC5 encryption algorithm.
Noticing that many of the machines he maintained on the seven DeKalb
campuses sat idle for long periods, McOwen installed distributed.net clients
at several of those locations while performing a Y2K upgrade on the machines
in 1999. 

According to McOwen, during the Christmas holidays in 1999 school
administrators noticed that unused machines were sending and receiving the
distributed.net data -- about the equivalent of one email a day. The school
sent McOwen a letter of suspension in January of 2000, without specifying a
grievance, and McOwen resigned shortly afterwards, believing that he had put
the incident behind him.

Instead, in June of 2001 McOwen was contacted by an investigator from the
Georgia Bureau of Investigation who informed him that he was the subject of
an 18-month computer crime investigation. In October, prosecutors from the
Georgia state attorney general's office charged McOwen with eight violations
of Georgia's tough computer crime law: one count of computer theft, and
seven counts of computer trespass -- one for each of the school offices
where McOwen downloaded the distributed.net client.

Each felony count carries a $50,000 fine and a 15-year possible prison term,
for a 120 year maximum possible sentence. The indictment also calls for
restitution equal to the amount of money paid to state workers to uninstall
the programs from 500 PCs.

As the case nears trial, it's raising eyebrows among some legal and
technology experts for the unusual application of an anti-hacking law to
actions taken by a network's legitimate administrator.

'This Is Not Hacking'
"Our problem with this kind of statute is that it is written in such broad
terms that it can reach all sorts of behavior that doesn't constitute
computer fraud, but can give the government prosecutorial discretion," says
Lee Tien, a senior staff attorney with the San Francisco-based Electronic
Frontier Foundation, who has followed McOwen's case.

"This is a hacking statute," says McOwen, "but obviously this is not
hacking." 

At an early stage in the proceedings, prosecutors claimed that McOwen had
cost the state of Georgia $415,000 in bandwidth charges, based on a
calculation that the distributed.net clients consumed precisely 59 cents
worth of bandwidth per second. The state has since backed away from the
$415,000 figure. 

Today, much of the case rests on whether McOwen violated DeKalb's policies
by downloading the distributed.net client. Russ Willard, a spokesman for
Georgia Attorney General Thurbert Baker, contends that McOwen deliberately
ignored the college's written computer usage guidelines, which were issued
to him with his first user I.D. and password. Willard says the policy
forbade McOwen from downloading any unauthorized third-party software onto
the college's machines.

McOwen claims he had permission from college officials to download the
software, and his lawyer suggests that there were no written guidelines
forbidding such installations to begin with. "If there is a policy I have
not seen it," says attorney David Joyner, who says he has received all the
discovery evidence in the case. DeKalb college president Paul Starnes and
McOwen's supervisors from the college's IS department would not comment on
the case. 

Even if there was such a policy presented to McOwen, those who work at
universities say they are often disregarded. "It think it's so common on the
academic community that nobody reads agreements like that," says David
Farber, a professor of telecommunications at the University of Pennsylvania
and former chief technologist of the FCC. "It is part and parcel of many
academics and many students that inquisitiveness motivates them to download
third-party software. If you are going to prosecute a person for that on
those grounds, than you should prosecute everybody on campus because
everyone has done it."

Financial Motive Alleged
Willard says that McOwen was singled out for prosecution partly because he
had ignored his supervisor's warnings. "In this case, Mr. McOwen was
expressively prohibited by his superiors from downloading these programs and
was informed on many occasions by his supervisors to stop downloading
programs," said Willard. "They were aware that he was doing it and he had
gone in and cleaned it up on numerous occasions." Joyner insists McOwen
received no such warning.

Prosecutors also claim that McOwen had a financial motive for volunteering
the school's machines. McOwen was a top producer on distributed.net for
"Team AnandTech," a group sponsored by a hardware forum site which is still
the second ranking contributor to the RC5 research project. The top
individual contributor in the RC5 challenge stood to earn a $1,000 prize.

"McOwen placed a program on computers, that in his estimation would benefit
him personally, including computers that has sensitive student financial and
identity information without authorization," says Willard. "There is concern
about the program itself compromising or providing the basis to compromise
sensitive personal or financial information, there is the matter of Mr.
McOwen's unauthorized activities on this computer, and finally there is the
point that there was misappropriation of state property."

McOwen says the prize money wasn't a factor. "People do these projects for
the betterment of mankind," says McOwen. "You are not doing it for the prize
and possibility of money, you are doing it because it is the right thing to
do." 

"I think the prosecutor's office needs some lessons in computer science,"
says Farber. "If you want to make a point, there are much better examples
than this guy." 

The case is set for trial on 28 January.

© 2001 SecurityFocus.com, all rights reserved.

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Access Your PC from Anywhere - Full setup in 2 minutes - Free Download
http://us.click.yahoo.com/StuHlD/E6eDAA/yigFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Next message: Fred Cohen: "[iwar] [fc:Saudis.Assail.'Media.Blitz'.Against.Them.In.The.West]"
Previous message: Fred Cohen: "[iwar] News to Use from Infowar.Com 12-21-01 (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST