Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Has anyone been prosecuted for adding a backdoor

Google up Randal Schwartz. Caution: clickhole.



As far as I remember, he added no backdoors.

He was a consultant/sysadmin for Intel, and he did 3 things which he thought his employer would support, and was astonished to find that not only did his employer not support, but actively had him prosecuted for doing it. Ouch.

1. He ran a reverse-proxy on two machines so he could check in on them from home.

2. He used the crack program to find weak passwords.

3. He found a weak password, and used it to log into a system, which he copied the /etc/shadow file from to look for additional weak passwords.

https://www.giac.org/paper/gsec/4039/intel-v-randal-l-schwar...

https://web.archive.org/web/20160216204357/http://www.lightl...

He didn't try and hide his activities, and didn't do anything else untoward, it was literally just these things which most people wouldn't bat an eyelid at. These days, it is completely normal for a company to provide VPNs for their employees, and completely normal to continually scan for unexpected user accounts or weak passwords. But... because he didn't explain this to higher-ups and get their buy-in, they prosecuted him instead of thanking him.


To be fair, it is perfectly normal for a surgeon to cut people with a sharp knife with their permission while in the hospital.

It is kinda sus when they do it at home without consent.


I find it useful to compare the reactions of O'Reilly and Intel. Schwartz worked for both (he wrote Learning Perl and co-authored Programming Perl for O'Reilly and made them plenty of money). He cracked the passwords of both companies without first getting permission.

O'Reilly's sysadmin told him off for not getting permission, and told him not to do it again, but used his results to let people with weak passwords know to change them.

Intel's sysadmin started collecting a dossier on Schwartz and ultimately Intel pushed for state criminal charges against him.

O'Reilly's sysadmin testified in Schwartz's defense that he was an overly eager guy with no nefarious intent. So - kinda-sus or not - Intel could have resolved this with a dressing down, or even termination if they were really unhappy. Intel _chose_ to go nuclear, and invoke the Oregon computer crime laws, and demand the state prosecute him.


apparently he did that after leaving the company, which is pretty sus.


Seems a little different. Based on a quick read, he gained unauthorized access to systems.

In this case, backdoor code was offered to and accepted by xz maintainers.


Lots of things are crimes even though they're just offering something to a victim who willingly accepts it, e.g. phishing attacks, fraudulent investment schemes, contaminated food products.


Sure. I'm wondering if there is a specific law that was broken here. It seems to me that it might be beneficial if there were some legal protection against this sort of act.


Seems a little different. Based on a quick read

It is a little different but a thing that you might have missed in the quick read is that one of the things he was accused of was installing and using a backdoor.


One involves making unauthorized access, the other does not.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: