Apparently, I haven't sent a message to these groups since 2001.  Let
me bring you up to date.

In the fall of 2002, I made an application for clemency with the
then-Oregon-governor, and was denied.  This was not entire surprising, since
the GOP-party governor had granted no clemencies during his entire term. I
made no announcement about this, at first because I didn't want to tip my
hand, and then because I was sad at the result.

In the next few weeks, I'll be applying for clemency again, with a Democratic
governor who has already granted a few pardons.  I have a number of letters of
support and personal references, but if I missed anyone and you can act fast,
please contact Marc Sussman at (503)221-0520 within the next few days.

It takes about $1500 to apply for clemency, between filing fees and legal
fees.  I'm not above accepting donations to my paypal account
(merlyn@...) to help with the situation.  If you believe in me, I
could use the help.

However, if you are merely inclined to "think happy thoughts", or whatever
works for you to ensure a positive outcome, I could sure use that right now as
well.  In my view, every little bit helps.

It's clear to me, having presented my "Just another Convicted Perl Hacker"
talk at conferences and user groups all over the world, that I did what wasn't
wanted.  It's also clear that ORS 164.377 makes what I did illegal.  Had I
known those things ahead of time, I wouldn't have done what I did, because it
was never my intention to harm anyone.

It's also clear to me, having been under the influence of the court system for
roughly 13 years now, that I've suffered, substantially, in money, time, and
opportunities lost.  I'm hoping that with clemency, I can resume a productive
life and achieve even greater things, unburdened by travel restrictions,
financial obligations, and work opportunity reductions.

In short, I screwed up, and I paid the price.  I hope the Governor realizes
this, and completes my punishment phase: 13 years of pain for 15 minutes of
work.

I'm inclined to shut these mailing lists down after this run for clemency.
Either this works, and we're done discussing, or it doesn't work, and it'll be
at least 4 or 8 years before I try again.  Let me know what you think.

To my supporters over the years: thank you for standing by me in my darkest
times.

To my critics: thank you for keeping me honest.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

]
]     Put simply, the Oregon law makes any "unauthorized" "alteration"
]     of a "computer" a class C felony, punishable by up to $100K in
]     fines, plus restitution if any, plus up to five years in jail.
]     "computer" is basically everything with electrons in it these
]     days, and "unauthorized" and "alter" are not defined in the law,
]     leaving it to the interpretation of a lay jury and the court
]     system.  The problem with this is that the line is not objective.

The results of using the legal system in the conventional way
for defence so far have not been encouraging.

I would like to see people (not just Randal) try to think from
a judo perspective, and use this law's over-breadth and vagueness
against it.

Two approaches that I can see are:
(1) Oregon residents use this law to lodge a deluge of complaints
     about minor incidents (like someone visiting your web site
     without authority, or sending you email without authority)
     and see how the legal system copes with that.
(2) Use this law to attack spammers (actually do some good!).
     I mean they alter the mail spool on your computer without
     your authority, isn't that a felony too?  Bonus points if
     you get a case against a spammer who makes donations to
     Oregon politicans (the spammer might actually lobby the
     state legislature to get the law narrowed).

One of the most interesting things to come from this would be
learning how what sort of defences the legal system allows
in other cases.  These could provide some useful information
for Randal's case.

If the police/legal system decline to enforce the law when
it is used in this way, I would have thought Randal would be
able to launch legal action which basically says "why aren't
you enforcing the law on them, when you did enforce it on me?"

Especially after the legal system has had some practical
demonstrations of how broadly the law can be interpreted.

In those circumstances, Oregon may find its easier to fix
the law (narrow it) than to deal with all the complaints
about breaking the law, and defend the charge of arbitrary
enforcement of the law.

I am not a lawyer, just a Sys Admin in a foreign country
trying to think outside the box.

__________________________________________________________________________
  David Keegel <djk@...>  URL: http://www.cyber.com.au/users/djk/
Cybersource P/L: Unix Systems Administration and TCP/IP network management

[I posted this on comp.org.eff.talk and misc.legal.computing a moment
ago, so my apologies if you see it twice.]

[and darn it, it got swallowed by sending it to the wrong address,
so now it's even more timely... please give me input no later than
friday!]

I've been the defendant in an ongoing criminal case since the end of
1993, regarding my system administration activities while employed as
a contractor at Intel.  The public details of this case are published
at the "Friends of Randal Schwartz" web site at
<http://www.lightlink.com/fors/>.

The State of Oregon Appeals court gave no consideration to what we
believe is a bad law (more on that in a minute) and the Oregon Supreme
Court recently chose not to hear the case at all.  I'm looking at
options regarding a federal appeal.  I believe a federal review will
give the law itself the examination to determine why a law that makes
everyday activities an indefensible felony should be allowed to remain
on the state books, not just in Oregon, but any similar law as well.

/// sidebar - why I believe the law is flawed

     Put simply, the Oregon law makes any "unauthorized" "alteration"
     of a "computer" a class C felony, punishable by up to $100K in
     fines, plus restitution if any, plus up to five years in jail.
     "computer" is basically everything with electrons in it these
     days, and "unauthorized" and "alter" are not defined in the law,
     leaving it to the interpretation of a lay jury and the court
     system.  The problem with this is that the line is not objective.

     In fact, in my case, one of my three felonies involved activities
     which at the time were resolved simply by a conversation to clear
     up my confusion (but no further action) six months before my
     termination, and yet later resulted in a convicted felony.  The
     chalk lines were moved underneath me, from "this is bad but
     doesn't warrant early contract termination or other penalty" to
     "this is a felony", simply by fiat.

     Imagine your boss getting angry at you, and going off to Telecom
     to see what phone numbers you dialed with your company cell phone
     or desk phone during the past three months.  You made 38 "personal
     calls", when the company policy is "no personal calls with your
     desk or cell phone".  That's 38 felonies under this law!  If
     "three strikes, you're out" what does 38 strikes get you?

     Thus, I have argued in court that the law is flawed... it's
     overbroad (making illegal everyday activites) and vague (a person
     of reasonable intelligence cannot determine whether or not they
     are within the law through a reasoned reading).  Thing is, this
     isn't just written like this in Oregon... there are many states
     with similarly worded laws.

\\\ end sidebar

Now, my question to y'all is:

Given the current political climate, does it make any sense for me to
spend the time and energy to pursue a federal appeal?  Or will we have
to wait for another "$state vs $random_IT_professional" case at a
later time to get this fixed once and for all?  My personal and
business life has already been wrecked by the choices I made in 1993
while unaware of the legal climate... so this isn't about me.  It's
about y'all.  I'll fight the good fight, if there's even a chance of
winning.

I need to make a timely decision.  Deadlines are looming.

If you want to discuss this on my mailing list, see
http://groups.yahoo.com/group/fors-discuss for signup instructions and
archives.  I'll also be watching the responses here.

Thank you.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

On 23 Dec 2001 11:39:02 -0800, "Randal L. Schwartz"  <merlyn@...>
wrote:

> I just receieved a message from my lawyer that the Oregon Supreme
etc.
Randal
I have been following your battle for nearly 8 years now. I admire your
courage and determination and feel sorry taht it didn't bring you the
justage you have been seeking.
Byt Hey, there is still a lot of Perl waiting to be written!

hansr

P.s. Did you write this?
> Access Your PC from Anywhere - Full setup in 2 minutes - Free Download
> http://us.click.yahoo.com/StuHlD/E6eDAA/yigFAA/W_EolB/TM

Happy Hacking!

> I just receieved a message from my lawyer that the Oregon Supreme
> Court has declined to hear my case, thus leaving the unfavorable
> Oregon Appeals Court decision as the final authority.

Randal, I think I speak for most people on this list when I say
how sorry I am to hear this. It looks like a bad law is there to stay.

Still, it could be worse - you might be living in England, where you
can be jailed for up to two years for losing your private key ....

I just receieved a message from my lawyer that the Oregon Supreme
Court has declined to hear my case, thus leaving the unfavorable
Oregon Appeals Court decision as the final authority.

While I haven't discussed further options with my legal team yet, my
recollection is that at this point, the options were all extremely
expensive and unlikely to be fruitful.

In other words, I'm a felon for life, the restitution order stands,
and the statute used to convict me remains in place to be used to
prosecute future cases, with my court history available to assist.
I'm also higher at risk constantly, since any future conviction would
be on top of these three felonies, and I'm on the short list of
suspects for related crimes.  No chance of a civil disobedience act
for me.  Ever.

I'm greatly saddened by this news.

To those of you that have stood by me since the beginning, I thank you
deeply for your support and trust, and belief that this thing should
make sense at its conclusion.  I'm sorry it didn't.  I made my best
run at it, and got this.

To those of you who joined my side as the battle progressed, I thank
you as well.

To those of you who contributed to me financially, my banker thanks
you.

To those of you that have helped spread the word, thank you for
helping to prevent others from suffering similarly.  Please continue
to do so.  Now more than ever, apparently.

To those of you that have challenged me, I thank you for keeping me
honest.

I will continue to be available to groups to speak about my case, and
I will continue to work to change the laws that permitted my
prosecution.  A law that makes a person a felon for changing the
background color of a screen, or trying to be a good samaritan to help
the people who had paid the bills for five years, just doesn't make
sense.

But the battle for my personal legal case appears to be over, and I'm
saddened by this apparently final outcome.  I have lived for the past
eight years in the hope that the legal system was truly a justice
system, but that hope has now faded, and I'm older and wiser, but
permanently battle-scarred.

Thank you.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

* merlyn@...
|   http://www.stonehenge.com/pic/oregon-supreme-petition.pdf

I am not a lawyer, but the following caught my attention:

Paragraph marked `Reasons for review' (Page 5 in my printout), number
3), end of first paragraph:

     The state s argument,that by copying passwords,defendant stripped them
     of their value,actually describes conduct which damages the value of
     property but does constitute a taking,appropriation or withholding of
     property.

Two remarks:
- Randal did copy _password files_, not _passwords_, no?  Again, I'm
   not a lawyer, but I've seen them making a big fuzz about differences
   like these.

- in the second part of the sentence, is there a `NOT' missing in
   `...but does constitute a taking...'  i.e should this read
   `...but does NOT constitute a taking...'?

My $0.02, and good luck, Randal.
R'

Merlyn wrote:

> My legal team recently filed the petition to have the Oregon Supreme
> Court consider reviewing my case.  I've made a PDF available for the
> moment at:
>
>         http://www.stonehenge.com/pic/oregon-supreme-petition.pdf
>
> but if Steve could pick it up and put it into the main archive, I'd
> appreciate that.

It's installed @ Lightlink, on the court materials page with the appeal stuff.

-- SP

My legal team recently filed the petition to have the Oregon Supreme
Court consider reviewing my case.  I've made a PDF available for the
moment at:

         http://www.stonehenge.com/pic/oregon-supreme-petition.pdf

but if Steve could pick it up and put it into the main archive, I'd
appreciate that.

There's some really good stuff in there.  Let's hope it doesn't fall
on deaf ears.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

See <http://slashdot.org/article.pl?sid=01/09/27/017236>
and <http://www.kellybreed.com/westnews/index.htm>.

It appears that Brian was not the innocent person he claimed to be.

By his own admission (and evidence), he was using the FrontPage
hole to steal the Perl scripts of his competitor, and was rewriting
them in PHP for redistribution for his own gain.

Whoa.  Man, I'm sorry I was snookered on the first go-round with this
guy.  What he did was clearly wrong.  I'm sorry I supported him so
directly when I was being quoted by the press.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

Friends,

Randal told me the other day that a number of people had asked if they could
help in any way, and I talked it over with Marc and here it is:

We are asking the Oregon Supreme Court to review and overturn Randal's
conviction.  Supreme Court review is discretionary, which means that they
are not required to take the case.  The appellate rules contain some
guidance on the factors upon which the decision to act is based, and I will
get to those in a minute.

One of the categories we must address in the Petition for Review is as follows:

"A statement of specific reasons why the issues presented have importance
beyond the particular case and require decision by the Supreme Court."

Now, I suspect that many of you have a contribution to make in this regard
because of your personal experience(s), and we would appreciate it if you
would share any ideas you might have along these lines.

Criteria for the exercise of the court's discretion include the following:

1)Whether the case presents a significant issue of law.  A significant issue
of law may include, for example: the interpretation of a statute, the
legality of an important governmental action, .  .  .

2)  Whether the issue, or a similar issue, arises often;

3)  Whether many people are affected by the decision in the case.  Whether
the consequence of the decision is important to the public, even if the
issue may not arise often.

Be aware that we may not be able to respond to each and every email you send
in response to this request, so I want to thank anyone who is willing to
contribute in advance.

Please include something about yourself, especially if you have sysadmin or
related experience, and give us an idea of why you are interested in the case.
We are kicking around the idea of submitting some affidavits, which are
sworn statements of fact, with the Petition for Review.  This is almost
unheard of, but there is no specific rule against it, and we are sailing in
seas that are basically uncharted from a legal point of view.

If we decide to do this, we will confer with some of you in cyberspace, I
will prepare the affidavit(s) and email them to those who agree to sign
them.  They will be individualized.  Signing them will require the services
of a notary, and their return must be via snail mail.  We will provide
envelopes and postage.

I know that there has been much discussion of this case already, and I
apologize for having misplaced or deleted some of the posts of the distant
past.  This is, however, a fresh, and relatively narrow, context for
renewing the discussions.

I don't recall whether or not copies of our opening and reply briefs in the
Court of Appeals were posted online, but if anyone wants to see how we
addressed the issues, I will be happy to provide copies as email attachments
in WP6 format.  The decision of the Court of Appeals is online, and the
address has been posted elsewhere on this list.

Any and all ideas are welcome, but try to withstand the temptation to
analogize as much as possible.  Arguments by analogy are not favored as a
general rule, and that is especially true in a case like this where one of
our fundamental positions is that the problem with the law is that it
analogizes between cyberspace and real property, and that the analogy is so
inept as to cause the law to be completely inapplicable to the situations
that it is intended to address.

Remember, Randal copied a password file from one Intel computer to another
Intel computer, and that was called theft.  After he had done so, the
original was still in place and working just as it had before.  The
situation simply can not be compared to stolen credit cards and trespasses,
and we must assume that the judges of the Supreme Court have no idea why
that is so.

Many of you know why that is so, and you have the credentials to explain it
to them credibly.

I will answer questions that come up as I can and as well as I can, however
there are restraints on my time so the answers may be a few days in coming.

Thanks, again, for your thoughts and good wishes.

LarryO

Friends,

Randal told me the other day that a number of people had asked if they could
help in any way, and I talked it over with Marc and here it is:

We are asking the Oregon Supreme Court to review and overturn Randal's
conviction.  Supreme Court review is discretionary, which means that they
are not required to take the case.  The appellate rules contain some
guidance on the factors upon which the decision to act is based, and I will
get to those in a minute.

One of the categories we must address in the Petition for Review is as follows:

"A statement of specific reasons why the issues presented have importance
beyond the particular case and require decision by the Supreme Court."

Now, I suspect that many of you have a contribution to make in this regard
because of your personal experience(s), and we would appreciate it if you
would share any ideas you might have along these lines.

Criteria for the exercise of the court's discretion include the following:

1)Whether the case presents a significant issue of law.  A significant issue
of law may include, for example: the interpretation of a statute, the
legality of an important governmental action, .  .  .

2)  Whether the issue, or a similar issue, arises often;

3)  Whether many people are affected by the decision in the case.  Whether
the consequence of the decision is important to the public, even if the
issue may not arise often.

Be aware that we may not be able to respond to each and every email you send
in response to this request, so I want to thank anyone who is willing to
contribute in advance.

Please include something about yourself, especially if you have sysadmin or
related experience, and give us an idea of why you are interested in the case.
We are kicking around the idea of submitting some affidavits, which are
sworn statements of fact, with the Petition for Review.  This is almost
unheard of, but there is no specific rule against it, and we are sailing in
seas that are basically uncharted from a legal point of view.

If we decide to do this, we will confer with some of you in cyberspace, I
will prepare the affidavit(s) and email them to those who agree to sign
them.  They will be individualized.  Signing them will require the services
of a notary, and their return must be via snail mail.  We will provide
envelopes and postage.

I know that there has been much discussion of this case already, and I
apologize for having misplaced or deleted some of the posts of the distant
past.  This is, however, a fresh, and relatively narrow, context for
renewing the discussions.

I don't recall whether or not copies of our opening and reply briefs in the
Court of Appeals were posted online, but if anyone wants to see how we
addressed the issues, I will be happy to provide copies as email attachments
in WP6 format.  The decision of the Court of Appeals is online, and the
address has been posted elsewhere on this list.

Any and all ideas are welcome, but try to withstand the temptation to
analogize as much as possible.  Arguments by analogy are not favored as a
general rule, and that is especially true in a case like this where one of
our fundamental positions is that the problem with the law is that it
analogizes between cyberspace and real property, and that the analogy is so
inept as to cause the law to be completely inapplicable to the situations
that it is intended to address.

Remember, Randal copied a password file from one Intel computer to another
Intel computer, and that was called theft.  After he had done so, the
original was still in place and working just as it had before.  The
situation simply can not be compared to stolen credit cards and trespasses,
and we must assume that the judges of the Supreme Court have no idea why
that is so.

Many of you know why that is so, and you have the credentials to explain it
to them credibly.

I will answer questions that come up as I can and as well as I can, however
there are restraints on my time so the answers may be a few days in coming.

Thanks, again, for your thoughts and good wishes.

LarryO

David Keegel  wrote:

>Let me quote a bit from 164.377 Computer crime.
>``
>        (4) Any person who knowingly and without authorization uses, accesses
>or attempts to access any computer, computer system, computer network, or
>any computer software, program, documentation or data contained in such
>computer, computer system or computer network, commits computer crime.
>''
>
>Could you use this wording to run a legal argument that a person didn't
>*know* that they were without authorization?  If the statue could be
>interpreted that way, it would only apply to people who knew at the
>time that they were doing something unauthorized.

That you could, if it were not for ORS 161.115(1), which provides in part:

(1) If a statute defining an offense prescribes a culpable mental state but
does not specify the element to which it applies, the prescribed culpable
mental state applies to each material element of the offense that
necessarily requires a culpable mental state.

In Randal's case, on account of that provision the judge ruled, and
instructed the jury, that the state was bound to prove beyond a reasonable
doubt that Randal knew that what he did was unauthorized.

And, of course, Randal had to admit that no one had told him it was allright
to do what he did, because no one had.

Anticipating that, we made the point (quite well I thought) that no one ever
authorized any sysadmin to do anything.  For instance, when Randal went to
work at his last post at Intel, his only direction from his immediate
superior was to get a new computer online and then to "have fun."  We had
that in writing.

Intel routinely paid Randal's bills for years, and for the most part what he
billed them for was "putting out fires."  We had that in writing, too.

These points were lost on the jury, and, IMNSHO, the most telling reason for
that was the cops' rendition of Randal's "statement."

Randal wrote:

>Since when does something that results in not even so much as a
>disciplinary action at the time it occurs, suddenly become a felony
>crime act two years later?

That, my friends, is a difficult question to answer.

LarryO

>>>>> "R" == R E Wolff <R.E.Wolff@...> writes:

R> merlyn@... wrote:
>> This is something we cannot permit the law to make illegal.  If an
>> action of mine is not damaging enough to a company to have fired my
>> ass, why is it also then a felony?

R> One of the "problems" with your trial is that you should've said "NO"
R> to the question: "Was this for personal gain?" .

R> The way you answered that question was not the way it was intended.

Yeah, I know.  In retrospect, while I know what I was thinking, that
was not the context of the question I was actually answering.

I was thinking...

         let's see, if I do a job for the company, by helping them
         with their security issue, they'll continue to hire me.
         If they hire me some more, I'll make more money.
         That'll be a gain for me... "personal" "gain".

and said...

         Yes.

It's too bad they didn't have a big thought balloon above my head.
Then the jury would have seen that reasoning that seemed so clear to
me at the time.

Fsck.  This all goes back to my first position.  Never get into
a situation where you are the defendant in a criminal proceeding
in the first place.  Ordinary people cannot prepare adequately for
the misdirection and miscontexting that can happen at a trial.

If you don't believe me, re-read the part where the prosecutor was
trying to make it look like the password file was removed knowingly
without authorization, by skipping over the words "from intel
property" as he was reading the document.  Had I not caught him
misreading the document, it could have been a very specific nail in my
coffin.  That's the kind of grueling thinking that it takes being up
on the witness stand.  I was exhausted at the end of the day.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

merlyn@... wrote:
> This is something we cannot permit the law to make illegal.  If an
> action of mine is not damaging enough to a company to have fired my
> ass, why is it also then a felony?

One of the "problems" with your trial is that you should've said "NO"
to the question: "Was this for personal gain?" .

The way you answered that question was not the way it was intended.

If you get caught taking $100 from the company cashbox, then "Was this
for personal gain?" can be answered with "NO, I had been repeatedly
told to move the excess money to the bank, I was just doing my job."

Still "trying to keep your job" is theoretically "for personal gain".

There is a big difference between "yes, but... " and "no, but... ".


			 Roger.

--
** R.E.Wolff@... ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots.
* There are also old, bald pilots.

>>>>> "David" == David Keegel <djk@...> writes:

David> In that case, if you could show that you didn't realise at the time
David> that the act was "without authorization" (because you had implicit
David> authorization, or the computer allowed you to do it, or maybe it
David> seemed like a reasonable thing and no one told you not to), then
David> you could argue that you weren't knowingly without authorization.

David> If my interpretation was upheld, then good samaritans could have
David> a defense ("I didn't know that I wasn't supposed to do that").

David> But it wouldn't let all the "bad guys" off (the thing which the
David> legal system would be most worried about), because you could hardly
David> sustain an argument "I didn't know that I wasn't allowed to break
David> into the bank's secure computer system and change my account balance".

Well, there's the trouble.  If both a good guy committing a good act,
and a bad guy committing a bad act, can both say "I didn't know I
couldn't do that", we're back to the uneducated-but-easily-persuaded
jury to decide if a technical action is a valid action.  And that's
pretty much what my trial looked like... a bunch of jurors being told
*after the fact* that my actions were unauthorized, without any basis
by which to determine whose agenda was being furthered by the chalk
line of "in vs out" moving *after the fact*.

The facts of the trial show that I was convicted of a felony regarding
mink when during the time of the actions regarding mink, I was merely
given a request to change my behavior, with which I precisely complied
and nothing further was said about it (until the trial two years later).

Since when does something that results in not even so much as a
disciplinary action at the time it occurs, suddenly become a felony
crime act two years later?  Only because "authorize" can change
between the time things are actually happening, and the time a jury
reinterprets the actions.

This is something we cannot permit the law to make illegal.  If an
action of mine is not damaging enough to a company to have fired my
ass, why is it also then a felony?

This is what's broken with the law.

I'm not saying that I didn't do things that in retrospect might not
have been permitted had I asked, but I'm also darn sure that I wasn't
knowingly committing *harmful* *unauthorized* acts to the company, nor
was any harm proven, even under sworn testimony.

I think this is what leaves us all a bit confused about this case, if
any of the hundreds of emails and conversations I've had over the past
seven years is an indicator.  "No harm, no foul", they cry.  So they
wonder how I could be a felon when I was just trying to help.  I'm a
little puzzled about that as well.  The messy wording of the law seems
to be at the core of what separates the current legal system from an
ideal "justice" system on this case, and we're currently arguing that
up the appeals process for some remedy to occur in the form of a
retrial and a recasting of the syntax (and thus semantics) of the law.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

(I'm not a lawyer.)

] Sysadmins do things every day that, if their employer decides at a later
] time any one of which was "unauthorized," subject them to misdemeanor and
] even felony jeopardy.  That is one of the touchstones of an
] unconstitutionally vague law - that it is easily susceptible of ex post
] facto application.

Let me quote a bit from 164.377 Computer crime.
``
         (4) Any person who knowingly and without authorization uses, accesses
or attempts to access any computer, computer system, computer network, or
any computer software, program, documentation or data contained in such
computer, computer system or computer network, commits computer crime.
''

Could you use this wording to run a legal argument that a person didn't
*know* that they were without authorization?  If the statue could be
interpreted that way, it would only apply to people who knew at the
time that they were doing something unauthorized.

In that case, if you could show that you didn't realise at the time
that the act was "without authorization" (because you had implicit
authorization, or the computer allowed you to do it, or maybe it
seemed like a reasonable thing and no one told you not to), then
you could argue that you weren't knowingly without authorization.

If my interpretation was upheld, then good samaritans could have
a defense ("I didn't know that I wasn't supposed to do that").

But it wouldn't let all the "bad guys" off (the thing which the
legal system would be most worried about), because you could hardly
sustain an argument "I didn't know that I wasn't allowed to break
into the bank's secure computer system and change my account balance".

I'm concerned with that because if legislators think that the law
has become totally toothless (and can't catch anybody) then they
will build a new cannon (or increase the firepower on the current
cannon), and we are worse than back to square one.

With my interpretation, Oregon could even prosecute a spammer, if you
have told them that you don't want their spam and they keep sending it.
(Otherwise, Oregon should be able to prosecute a spammer in any case.)

] As a consequence, the law has only cannons to use to swat flies, and those
] cannons do a great deal of peripheral damage.

Yes, its a good point.

Something tells me legislators aren't smart enough to build a
fly swatter, and most probably don't even realise the difference.

__________________________________________________________________________
  David Keegel <djk@...>  URL: http://www.cyber.com.au/users/djk/
Cybersource P/L: Unix Systems Administration and TCP/IP network management

>On Thu, 30 Aug 2001, Chris Nandor wrote:
>
>> Focus on the law itself being bad, not the fact that someone who broke
>> it wasn't in the country when he broke it
>
Tom Phoenix wrote:

>You're right, that this is what we should do. But there is still an
>important legal principle.
>
>The principle is _not_ that Sklyarov wasn't in the US when he broke US
>law. That's a red herring. The real principle is that each country (or,
>often, a state, province, county, or city) has to do its own laws and
>prosecutions. Each jurisdiction has that responsibility, and right; no one
>else can do their prosecutions for them.
>
>If you are successfully prosecuted for marijuana possession in Ohio, you
>repay your debt to society and you're done. You don't have to worry that,
>upon a subsequent visit to Utah, you will be prosecuted again for your
>actions in Ohio.
>
>Now, I know, you're thinking that that would be double jeopardy, which is
>unconstitutional. True. But double jeopardy is just a special case of this
>general "one-jurisdiction" rule.

I disagree.  Double jeopardy is a concept that is separate and distinct from
the notion of jurisdiction.  For instance, an actor may be prosecuted for
acts against 2 separate sovereigns, i.e., violations of state and federal
law, for exactly the same act or acts (for instance, one bank robbery).

Both sovereigns have jurisdiction - prosecution by one does not jeopardize
the defendant under the laws of the other.

Oregon and Washington *both* have jurisdiction over fishing violations
committed on the Columbia River where it divides the two states, however the
instrument that created that jurisdiction prohibits anyone for being
prosecuted by either jurisdiction for acts for which he has already been
prosecuted by the other jurisdiction.  However, there is no state or federal
jeopardy issue; both are equal sovereigns.

  To see that more clearly...
>
>Suppose you use medicinal marijuana in Oregon (where it is legal), then
>you walk across the border to Idaho (where it is not legal). You don't
>bring any marijuana with you, and you don't use it in Idaho. Again, Idaho
>can't prosecute you for a "crime" (by their standards) committed outside
>their jurisdiction. Even if you keep going into Canada, the Canadians
>can't prosecute you for the "crime" you committed in Oregon.

Quite right.  But that has to do with jurisdiction, not jeopardy.  If
marijuana were being transported across both Oregon and Idaho in violation
of the laws of both states, both states could theoretically prosecute.  If
you think that there are evidence problems with that, assume a state of
facts where the defendant, caught in Idaho with the pot, confessed to
bringing it from Portland.  Then the police, by investigating, came upon
evidence that 1) the defendant lived and worked in Portland, 2) that he had
worked a full day 2 days before his arrest and 3) he bought gasoline in
Baker City the day before his arrest.

This would be all either state would need to corroborate his confession, and
he could be convicted in both forums.




"Once in awhile you get shown the light  in the strangest of places
  if you look at it right."                           (Hunter/Garcia)

LarryO

Jason S. Wrote:

>As Randall argued in his trial, our computers (as agents of our
>bidding) access and modify the content of computers owned by other
>organizations every day, without prior authorization from those
>organizations. The computer domain is radically different than the
>physical domain, and as such, existing precedent cannot be rotely
>applied to computer cases.

Correct, but what was of equal significance, we felt, was the apparent truth
that the application of statutes which are grounded in ancient real property
concepts to what happens in cyberspace creates the potential for all kinds
of mischief.

Sysadmins do things every day that, if their employer decides at a later
time any one of which was "unauthorized," subject them to misdemeanor and
even felony jeopardy.  That is one of the touchstones of an
unconstitutionally vague law - that it is easily susceptible of ex post
facto application.
>
>Why should access to port 80 be considered perfectly legal while
>running an ssh connection on port 23 not be? Both have the potential
>to modify data on the other side of the fence, the difference is my
>intent. Most port 80 accesses are requests for information being
>made available by the organization. Someone talking to port 23 wants
>shell access, and is walking into non-public space.

Oregon law requires that the state prove a culpable mental state as an
element of any crime.  If a statute does not contain a culpable mental state
as an element, it ordinarily proscribes on a violation, which is an offense
and not a crime.  Offenses are punishable only by means of fines.

Oregon law provides for 4 culpable mental states:  Intent, knowing,
recklessness and criminal negligence (level of culpability descending).
That is, a crime that is committed knowingly or recklessly is usually
punished less severely than a crime that requires intent.

The problem with the computer crime law, in fact most computer crime laws,
is that they were drafted by, and enacted at the behest of, telephone
companies who were not concerned so much with fine statutory distinctions as
they were with getting statutes in place that would punish any attempt to
even approach their systems from the outside.

As a consequence, the law has only cannons to use to swat flies, and those
cannons do a great deal of peripheral damage.

A note on intent:  Grown-ups are presumed to intend the natural and
foreseeable consequences of their acts, and for the most part that
presumption makes sense.
One of the things that we tried to show in Randal's case was that, in the
sysadmin culture, it is routine to test one another's security arrangements
for the benefit of the entire group.  The judge was at some pains to
downplay the evidence we offered to show that, one (in particular) of the
state's witnesses lied about it shamefully, and the point was, I am afraid,
lost on the jury primarily because of the way the police portrayed Randal's
statements.  In short, they edited two hours of conversation, most of which
they admitted they did not really understand, down to 10 minutes (I am not
making this up) of bits and pieces of what he said.

You answer loaded questions for 2 hours, let me edit what you say down to 10
minutes, and I can create a confession to most anything.

"Once in awhile you get shown the light  in the strangest of places
  if you look at it right."                           (Hunter/Garcia)

LarryO

] On Thu, 30 Aug 2001, David Keegel wrote:
]
] > getting legislators to focus more on intent (eg: requiring clear
] > mal-intent for computer crime offenses) seems a realistic goal.
]
] I agree. But it won't be easy to accomplish, since I'm sure that most
] legislators (judges, juries, reporters, columnists, employers) think that
] "breaking in" to a computer shows sufficient "mal-intent" all by itself.
] "After all", they'll say, "if you broke into my _home_, we wouldn't need
] to show that you had evil intentions."
]
] So, this has convinced me (and surely just about everyone on this list)
] that we should look at the intent as well as the deed. But what can we say
] to convince all of those other folks that the intent of West (Schwartz,
] Sklyarov, you, me) was benign? Or not merely benign, but (in several
] cases) with a helpful intent?

I am trying to turn this around a little, and instead put the burden
of proof on the prosecutors to prove (beyond reasonable doubt) that
the accused had some kind of criminal intent (or bad intent, whatever).

If you believe in "innocent until proven guilty", then the onus should
be on the prosecutors, not the defense, to prove intent.

If legislators believe that the criminals they are trying to catch with
these laws do have bad intent and that it could mostly be proved, then
getting them to add this to the law may not be so difficult.  To them
it might seem as innocuous as adding the qualification "knowingly".

__________________________________________________________________________
  David Keegel <djk@...>  URL: http://www.cyber.com.au/users/djk/
Cybersource P/L: Unix Systems Administration and TCP/IP network management

Dave Sill wrote:
> I think a more appropriate action in such a case would be to notify
> the media and let them expose the bank for the idiots they are.

In that case, the bank's story IS: You only get access to the toilet,
and if you'd be able to get out of that toilet, you wouldn't get
access to anything of value.

Not the bank, but the purported "whistleblowers" are made to look like
an idiot. The media needs /proof/ that there is something
"interesting" that the bank leaves open. In this case, they took
photocopies of the amounts in people's accounts.

You sleep well because you know that your bank doesn't leave that
lying around.

			 Roger.

--
** R.E.Wolff@... ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* There are old pilots, and there are bold pilots.
* There are also old, bald pilots.

"Frossie" <frossie@...> writes:

>   "m" == merlyn  <merlyn@...> writes:
>
> >>>>>> "Tom" == Tom Phoenix <rootbeer+fors-d@...> writes:
>
> Tom> I agree. But it won't be easy to accomplish, since I'm sure that most
> Tom> legislators (judges, juries, reporters, columnists, employers) think that
> Tom> "breaking in" to a computer shows sufficient "mal-intent" all by itself.
> Tom> "After all", they'll say, "if you broke into my _home_, we wouldn't need
> Tom> to show that you had evil intentions."
>
> m> We need to show that "breaking in" is done by both white hats and
> m> black hats.  That *is* different from the way it's done in the real
> m> world.  We can design a lock, and test it in a lab, and then install
> m> it in a door, and not test that door because we know the door is
> m> correct.  But we can't build complex systems that way... we have to
> m> field-test them, and field-test them repeatedly, because systems
> m> change.
>
> It would be best if we moved away for the whole house breaking analogy
> to one where intent is relevant in the *current* body of law. Let's
> face it, theory aside, 99% of people who enter your house without your
> knowledge *will* probably want to rob you. Whereas the proportion of
> people who access your system without specifically asking for
> permission and who do not want to cause damage is, to hazard I guess,
> orders of magnitude more frequent.

Agreed.

As Randall argued in his trial, our computers (as agents of our
bidding) access and modify the content of computers owned by other
organizations every day, without prior authorization from those
organizations. The computer domain is radically different than the
physical domain, and as such, existing precedent cannot be rotely
applied to computer cases.

Why should access to port 80 be considered perfectly legal while
running an ssh connection on port 23 not be? Both have the potential
to modify data on the other side of the fence, the difference is my
intent. Most port 80 accesses are requests for information being
made available by the organization. Someone talking to port 23 wants
shell access, and is walking into non-public space.

jas.

"m" == merlyn  <merlyn@...> writes:

>>>>>> "Tom" == Tom Phoenix <rootbeer+fors-d@...> writes:

Tom> I agree. But it won't be easy to accomplish, since I'm sure that most
Tom> legislators (judges, juries, reporters, columnists, employers) think that
Tom> "breaking in" to a computer shows sufficient "mal-intent" all by itself.
Tom> "After all", they'll say, "if you broke into my _home_, we wouldn't need
Tom> to show that you had evil intentions."

m> We need to show that "breaking in" is done by both white hats and
m> black hats.  That *is* different from the way it's done in the real
m> world.  We can design a lock, and test it in a lab, and then install
m> it in a door, and not test that door because we know the door is
m> correct.  But we can't build complex systems that way... we have to
m> field-test them, and field-test them repeatedly, because systems
m> change.

It would be best if we moved away for the whole house breaking analogy
to one where intent is relevant in the *current* body of law. Let's
face it, theory aside, 99% of people who enter your house without your
knowledge *will* probably want to rob you. Whereas the proportion of
people who access your system without specifically asking for
permission and who do not want to cause damage is, to hazard I guess,
orders of magnitude more frequent.

IANAL but intent is recognised as germaine in some legal areas (eg
intent to defraud, intent to commit harm) so it might be better to see
if there are any analogies there.

That said, in my experience you don't even need analogies. I have had
good results explaining the issues to my satisfaction in such cases to
people completely outside the computer industry by going slow, trying
not to come across like a raving fanatic and avoiding technical minor
points. Plying them with alchohol also helps :-)

Aloha,

	 Frossie

--
Joint Astronomy Centre, Hawaii            http://www.jach.hawaii.edu/~frossie/
Cuteness can be overcome through sufficient bastardry --Mark 'Kamikaze' Hughes

At 10:57 -0700 2001.08.30, Tom Phoenix wrote:
>Suppose you use medicinal marijuana in Oregon (where it is legal), then
>you walk across the border to Idaho (where it is not legal). You don't
>bring any marijuana with you, and you don't use it in Idaho. Again, Idaho
>can't prosecute you for a "crime" (by their standards) committed outside
>their jurisdiction. Even if you keep going into Canada, the Canadians
>can't prosecute you for the "crime" you committed in Oregon.

Right.  But, again, the law in question is a law regarding harm done to
someone (for example) in Idaho.  If you harm someone in Idaho, then Idaho
may have some extra level of jurisdictional authority.

But now I think we are way off topic for this list.  This issue is far more
broad than this list or the Sklyarov case.  :-)

--
Chris Nandor                      pudge@...    http://pudge.net/
Open Source Development Network    pudge@...     http://osdn.com/

On Thu, 30 Aug 2001, Chris Nandor wrote:

> Focus on the law itself being bad, not the fact that someone who broke
> it wasn't in the country when he broke it

You're right, that this is what we should do. But there is still an
important legal principle.

The principle is _not_ that Sklyarov wasn't in the US when he broke US
law. That's a red herring. The real principle is that each country (or,
often, a state, province, county, or city) has to do its own laws and
prosecutions. Each jurisdiction has that responsibility, and right; no one
else can do their prosecutions for them.

If you are successfully prosecuted for marijuana possession in Ohio, you
repay your debt to society and you're done. You don't have to worry that,
upon a subsequent visit to Utah, you will be prosecuted again for your
actions in Ohio.

Now, I know, you're thinking that that would be double jeopardy, which is
unconstitutional. True. But double jeopardy is just a special case of this
general "one-jurisdiction" rule. To see that more clearly...

Suppose you use medicinal marijuana in Oregon (where it is legal), then
you walk across the border to Idaho (where it is not legal). You don't
bring any marijuana with you, and you don't use it in Idaho. Again, Idaho
can't prosecute you for a "crime" (by their standards) committed outside
their jurisdiction. Even if you keep going into Canada, the Canadians
can't prosecute you for the "crime" you committed in Oregon.

Unless, of course, they choose to disregard this principle. As we're
discussing, some jurisdictions have been known to do that, but it's dirty
pool.

--
Tom Phoenix       Perl Training and Hacking       Esperanto
Randal Schwartz Case:     http://www.rahul.net/jeffrey/ovs/

At 13:24 -0400 2001.08.30, Dave Sill wrote:
>Chris Nandor <yahoo@...> wrote:
>
>>He was in the United States.  It is a bad law, but that doesn't change the
>>fact that he was in the U.S.  If I broke Russian law, I probably wouldn't
>>go to Russia.
>
>How could he have broken a U.S. law while he was in Russia? If
>nosepicking is illegal in Denmark, does that mean I could be arrested
>if I ever go there--even if I never picked my nose is there?

If I steal Russian government secrets while I am in the United States, does
that mean they have no grounds to arrest me if I ever go there?

His actions, in the eyes of U.S. law, were against an entity protected by
U.S. law.  Therefore, he is subject to U.S. law.  This is nothing new, it
is not a surprise, it is not earth-shattering or worthy of significant
note.  This is how countries do things.

Focus on the law itself being bad, not the fact that someone who broke it
wasn't in the country when he broke it (which is debatable anyway, since
the act of copyright violation is not just in the creation of the work in
question, but in the distribution of it as well (among other things), and
he was distributing it while in the U.S.).

--
Chris Nandor                      pudge@...    http://pudge.net/
Open Source Development Network    pudge@...     http://osdn.com/

Chris Nandor <yahoo@...> wrote:

>He was in the United States.  It is a bad law, but that doesn't change the
>fact that he was in the U.S.  If I broke Russian law, I probably wouldn't
>go to Russia.

How could he have broken a U.S. law while he was in Russia? If
nosepicking is illegal in Denmark, does that mean I could be arrested
if I ever go there--even if I never picked my nose is there?

-Dave

R.E.Wolff@... wrote:

>A couple of guys here in NL noticed a window to the bank open at night
>when they were walking the dog. They notified the bank.

OK

>The bank says they will pay attention. However not much changes.  They
>notified the bank again.

OK

>A couple of weeks, the window is dutifully closed.
>
>Then one day the window is left open again.
>
>Now they climb into the window, and take pictures to prove that it's
>not just the toilet that they get acces to.

Oops. Not OK. It's not legal, and even if they have the best
intentions, it's not safe. Suppose someone sees them enter and calls
the cops? Is their story the truth, or just a cover? Even if they
could prove they notified the bank twice before, how do we know they
didn't enter the bank with the intention of stealing everything
valuable and using their cover story if they got caught?

I think a more appropriate action in such a case would be to notify
the media and let them expose the bank for the idiots they are.

>They get arrested after they report the banks mistakes.

And, of course, that's just wrong because they obviously weren't
thieves and were only trying to get a problem fixed.

-Dave

At 01:24 -0700 2001.08.30, Dmitry Kohmanyuk
=?KOI8-R?B?5M3J1NLJyiDrz8jNwc7Ayw==?= wrote:
>On Wed, Aug 29, 2001 at 09:00:42AM -0400, Chris Nandor wrote:
>> Sklyarov violated federal law by reverse-engineering software.  If you
>> focus on the fact that he is a "whistleblower," then you just emphasize
>> that he did exactly what the DMCA is designed to prevent: discovering and
>> reporting of software flaws.
>
> Dmitry wrote his program in Russia, and he is Russian citizen.
> The world is not governed by U.S. federal law.

He was in the United States.  It is a bad law, but that doesn't change the
fact that he was in the U.S.  If I broke Russian law, I probably wouldn't
go to Russia.

--
Chris Nandor                      pudge@...    http://pudge.net/
Open Source Development Network    pudge@...     http://osdn.com/

* Dave Mitchell
| The logical extension to this analogy is that having noticed the
| door is open, we step just inside the room to have a quick look - to
| see whether the rightful occupant is in the room, or whether there's
| signs of anything wrong, etc.

In the recent case the looking-around was made more problematic IMHO
because the person took some photocopies of the papers on the table in
order to proof that the door indeed _was_ open.  The copies came not
flying out of the room right into his hands...

| [ Oh no - fors-discuss is heading for another analogy-fest ;-) ]

R', adding to it ;-)