Cover all bases when spying on your own network

It appears to some, if not to the jury in his case, that Schwartz's intentions were
benign.


He simply wanted to demonstrate to users of his machines that they needed to use
stronger passwords.


Too often, people use common dictionary words that password-cracking software can
recover in minutes. Schwartz wanted to persuade his users to choose passwords that mix
letters in both upper and lower case, digits and special characters in random order.


Many employees were using the usual and easy-to-guess names of kids, spouses, or pets.
Some even used their own names or the names of their streets, or their birthdays and
wedding anniversaries. Any of these is a piece of cake for a determined hacker to uncover.


Schwartz wrote a program that tried to crack his users' passwords and sent an e-mail
notice whenever it succeeded.


His mistake was in not first writing a memo to his bosses, warning them of what was
going on. When his colleagues discovered the cache of passwords he had accumulated, Intel
fired him, took him to court and won.


The company apparently did not prove any financial or intellectual property loss from
Schwartz's actions. But the Oregon law did not oblige Intel to prove Schwartz had
benefited from his activity. Nor did the law require proof of damage to find Schwartz
guilty of "altering computer systems without authorization" and "accessing
a computer with intent to commit theft."


Federal system administrators should make note of this object lesson. It is easy in the
course of supporting the innards of an electronic file cabinet to stumble across secrets.


In fact, it's often part of the administrator's explicit job description to prowl the
network to detect intruders who may have evil designs on the computers or their users. If
the systems administrator doesn't do this undercover work, who will?


But, like a person who wants to test a fire alarm system, a systems administrator must
first make absolutely certain that management is aware of and approves of this activity or
he will find himself in a hard place.


Get the approval in writing. Alternatively, if management won't approve intruder
countermeasures, then document that decision. Otherwise, if and when the bad guys do
manage to penetrate the network, management may and probably will develop amnesia and
accuse the sysadmin of failing to take adequate precautions.


Who said life was fair? Not Randal Schwartz.


One e-mail systems administrator whom I hold in high regard has told me that agency
managers have asked him to monitor employees' e-mail message traffic. The administrator
asked the managers to put the request in writing on agency letterhead.


A verbal request is not sufficient basis for jeopardizing the candid atmosphere of
communication on his e-mail service.


To date, no one has complied with his request. Invariably, managers have second
thoughts about the wisdom of such a request. Even if they had made a written request, the
legal issues are murky.


After all, the computers and communications are owned by the government and are for
official use only.


Many government lawyers believe that federal employees do not have a reasonable
expectation of privacy when they use their agency e-mail.


Because most agencies ignore or forbid personal use of e-mail, non-work-related banter
could be punished. Nevertheless, most employees hold on to the illusion that their data
files and e-mail messages are private.


Suppose your supervisor declares he will periodically review your computer files.


Most of us would respond with various forms of protest. Such a measure would be as
popular as surveillance cameras in the restrooms. This, I suspect, is the real reason
Schwartz was fired.


He had collected the passwords of a number of ranking company managers and their staff,
and they were none too pleased.


The collection of passwords gave him access to sensitive company information that he
was not entitled to. Schwartz should instead have revised the password-setting routine to
reject simple passwords at the moment users chose them. A check of that kind runs only
on the candidate password the user has just typed; it never produces a cache of cracked
passwords for anyone to discover.
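The two approaches contrasted above, as an added example that is not code from the original column or from Schwartz: `crack_entries` runs the kind of after-the-fact audit described earlier (a wordlist of dictionary words, names and dates, with the usual capitalisation, trailing-digit and letter-for-digit variants, tried against stored hashes), and `check_password` is the proactive alternative that rejects the same classes of password when a user sets one. Everything here is constructed for the example: the wordlist, the sample accounts and salts, the salted SHA-256 used as a stand-in for whatever hash the real system stores, and the length and character-class thresholds, which are my choice rather than anything the column specifies.

```python
"""Weak-password audit versus proactive rejection (constructed example)."""
import hashlib
import itertools
import re

# Constructed wordlist: the categories the column says users drew from.
DICTIONARY = {"secret", "welcome", "password", "summer"}
NAMES = {"alice", "bob", "rover", "fido", "maple"}    # kids, spouses, pets, streets
DATES = {"19560112", "0612", "121259"}                # birthdays, anniversaries

# Letter-for-digit substitutions crackers try and that normalize() undoes.
LEET = str.maketrans("aeios", "43105")
UNLEET = str.maketrans("43105@$", "aeiosas")


def mangle(word):
    """Yield the cheap variants of a word that a cracker tries first."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        yield base
        for digit in "0123456789":          # "Rover1", "secret7", ...
            yield base + digit


def candidates(dictionary=DICTIONARY, names=NAMES, dates=DATES):
    """The full candidate list used by the audit."""
    for word in itertools.chain(dictionary, names):
        yield from mangle(word)
    yield from dates


def hash_pw(salt, password):
    """Stand-in for the system password hash (assumption: salted SHA-256)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def crack_entries(entries, wordlist=None):
    """Audit: entries are (user, salt, digest). Returns {user: password} for hits.

    Note what this produces: a dictionary of plaintext passwords, i.e. exactly
    the cache that got Schwartz into trouble.
    """
    words = list(candidates() if wordlist is None else wordlist)
    found = {}
    for user, salt, digest in entries:
        for cand in words:
            if hash_pw(salt, cand) == digest:
                found[user] = cand
                break
    return found


# Character classes a password must draw on (threshold below is an assumption).
CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]


def normalize(pw):
    """Undo trailing digits and letter-for-digit swaps so 'S3cret1' reads 'secret'."""
    return pw.lower().rstrip("0123456789").translate(UNLEET)


def check_password(pw, username="", dictionary=DICTIONARY, names=NAMES, dates=DATES):
    """Proactive check: return the reasons a candidate is rejected ([] = accepted)."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if sum(1 for c in CLASSES if c.search(pw)) < 3:
        reasons.append("needs at least three of: lower, upper, digit, special")
    base = normalize(pw)
    if base in dictionary:
        reasons.append("dictionary word")
    if base in names or (username and username.lower() in (base, pw.lower())):
        reasons.append("name or username")
    digits = re.sub(r"\D", "", pw)
    if digits in dates or re.fullmatch(r"(19|20)\d{6}", digits):
        reasons.append("looks like a date")
    return reasons


# Constructed sample accounts: two weak choices and one strong one.
SAMPLE_ENTRIES = [
    ("jdoe", "x1", hash_pw("x1", "Rover1")),
    ("asmith", "y2", hash_pw("y2", "19560112")),
    ("exec", "z3", hash_pw("z3", "k7#Qp9!vTm2$")),
]

if __name__ == "__main__":
    print("audit found:", crack_entries(SAMPLE_ENTRIES))
    for pw in ("Rover1", "19560112", "S3cret1", "k7#Qp9!vTm2$"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```

The audit recovers the two weak passwords and the proactive check rejects the same two (plus the substituted `S3cret1`, which a plain character-class rule would have let through) without ever learning an existing password. That is the practical difference: the check can run with management's blessing as part of the password-change routine, while the audit produces a file of cleartext credentials that must be explained to somebody.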


He would have upset a lot of coworkers, but he would have saved himself a $68,000 fine
and a felony conviction.


Walter R. Houser, who has more than two decades of experience in federal information
management, is webmaster for a Cabinet agency. His own Web home page is at http://www.cpcug.org/user/houser.

