|Problems? Is your data what you think it is?|
(ichimunki) okayby ichimunki (Priest)
|on Dec 26, 2001 at 05:49 UTC||Need Help??|
Yep. This law may be stupid. It may even be worded poorly. And thank god it is an Oregon specific law (although the DMCA may well apply to cases such as this as well).
However, when it comes to arguing about whether or not laws are good or bad, the system depends on cases where we actually consider the defendent innocent except for the unjust law. merlyn's case is nothing of the sort. My impression in reading about this over the last year or two has been that the acts in question are clearly out of bounds, thus deserving of a legal penalty.
I don't consider this a felony type of thing, though. And this is where the law and I part company. There needs to be an additional crime here: downloading informational files, damage to information, misuse of the CPUs (which some might argue running crack on them is), fraud, forgery, *something* besides simply cracking. I mean, people who beat their wives usually get to plea down to various minor misdemeanors, yet a guy who cracked a computer account or two and did nothing worth mentioning is a three time felon? Bass ackwards, IMO. Of course, IMO we should legalize a whole lot of currently forbidden stuff, so IMO ain't worth a whole lot sometimes. But apparently a bunch of Oregonians agree with this law, many of them highly trained lawyers, judges, and the like.
And it is for that reason we cannot afford to muddle the issues surrounding this by on the one hand declaring merlyn to have committed offenses as described, but then attempt to state that he is innocent because the law is no good. Clearly the law is intended to proscribe the very things he did. Is it vague about it? Yes. Is it unusually harsh? Yes. But does his case really nullify the law the way your absurd example might? OR Supreme Court says no way. So when you hear that this law was used in a way that was unintended by lawmakers (like your answering machine example), then we have a clear case where the law is too vague. If we find that someone is convicted of a felony according to this statute because they received a quick email from their mom at work (and "personal" email is forbidden), then I think we have a case that the law is way too harsh. And then maybe the lawyers for the defense will have something to use in court.
But that's not what we have here. What we have is merlyn, who seems given to outburst and unpredictability. We have him running password cracks on machines he is reportedly not to be using against password files he is not to have possession of. That either Intel, ORA, or SSD had bad password files didn't sound like it was any business of his at the time he was doing this. So what are we to think? Sounded to me like all he wanted was to read his email and help out-- those sound like good intentions, even if his methods leave a lot to be desired.
Imagine if I, in the interest of making sure my web hosting service is "secure enough", decide to run crack on their machine against the local /etc/passwd. Or what if I ran that utility that scans websites for vulnerabilities like old versions of formmail.pl? Sure I can say I was doing this to protect them and to protect myself, but it is not my place to do such a thing without clear communication and permission. I cannot help but think that monks the world over would rally around the hosting service for kicking a cracker (the hypothetical me) off the system. Especially if I was looking for formmail.pl! That would clearly mark me as a spammer looking for open relays! I mean in that case jail time is warranted, right?
And FWIW, I do think this is Perl news, because for better or worse (mostly better *grin*), merlyn is one of the top ten names in Perl history. But *that* is the reason the story is perhaps appropriate here, not because of its far reaching implications for sysadmins or Perl users. Of those I see none.
Addendum: having read merlyn's answers to princepawn in So why did you crack..., I just want to say that obviously things have changed since the good old days, and I doubt any of us on the outside can judge the nature of the working relationships he had with the Intel people (among others) and so will have an impossible time judging whether or not (even in hindsight) this or that action or that action was appropriate or expected or whatever. The warning is clear, though. The people who write these laws are serious, but does this mean that I think a sysadmin should suddenly fear to do his job? No.