
The crime of distributed computing

Hapless network admin facing decades in slammer


A college computer technician who offered his school's unused computer processing power for an encryption research project will be tried next month in Georgia for computer theft and trespassing charges that carry a potential total of 120 years in jail.

The closely watched case is one of the first in which state prosecutors have lodged felony charges for allegedly downloading third-party software without permission.

David McOwen was working as a PC specialist at the state-run DeKalb Technical Institute in 1998, when he learned about a project by the non-profit organization distributed.net that allowed computer users to donate their unused processing power to test the RC5 encryption algorithm. Noticing that many of the machines he maintained on the seven DeKalb campuses sat idle for long periods, McOwen installed distributed.net clients at several of those locations while performing a Y2K upgrade on the machines in 1999.

According to McOwen, during the Christmas holidays in 1999 school administrators noticed that unused machines were sending and receiving the distributed.net data -- about the equivalent of one email a day. The school sent McOwen a letter of suspension in January of 2000, without specifying a grievance, and McOwen resigned shortly afterwards, believing that he had put the incident behind him.

Instead, in June of 2001 McOwen was contacted by an investigator from the Georgia Bureau of Investigation who informed him that he was the subject of an 18-month computer crime investigation. In October, prosecutors from the Georgia state attorney general's office charged McOwen with eight violations of Georgia's tough computer crime law: one count of computer theft, and seven counts of computer trespass -- one for each of the school offices where McOwen downloaded the distributed.net client.

Each felony count carries a $50,000 fine and a possible 15-year prison term, for a maximum possible sentence of 120 years. The indictment also calls for restitution equal to the amount of money paid to state workers to uninstall the programs from 500 PCs.

As the case nears trial, it's raising eyebrows among some legal and technology experts for the unusual application of an anti-hacking law to actions taken by a network's legitimate administrator.

'This Is Not Hacking'

"Our problem with this kind of statute is that it is written in such broad terms that it can reach all sorts of behavior that doesn't constitute computer fraud, but can give the government prosecutorial discretion," says Lee Tien, a senior staff attorney with the San Francisco-based Electronic Frontier Foundation, who has followed McOwen's case.

"This is a hacking statute," says McOwen, "but obviously this is not hacking." At an early stage in the proceedings, prosecutors claimed that McOwen had cost the state of Georgia $415,000 in bandwidth charges, based on a calculation that the distributed.net clients consumed precisely 59 cents worth of bandwidth per second. The state has since backed away from the $415,000 figure.

Today, much of the case rests on whether McOwen violated DeKalb's policies by downloading the distributed.net client. Russ Willard, a spokesman for Georgia Attorney General Thurbert Baker, contends that McOwen deliberately ignored the college's written computer usage guidelines, which were issued to him with his first user I.D. and password. Willard says the policy forbade McOwen from downloading any unauthorized third-party software onto the college's machines.

McOwen claims he had permission from college officials to download the software, and his lawyer suggests that there were no written guidelines forbidding such installations to begin with. "If there is a policy I have not seen it," says attorney David Joyner, who says he has received all the discovery evidence in the case. DeKalb college president Paul Starnes and McOwen's supervisors from the college's IS department would not comment on the case.

Even if there was such a policy presented to McOwen, those who work at universities say such policies are often disregarded. "I think it's so common in the academic community that nobody reads agreements like that," says David Farber, a professor of telecommunications at the University of Pennsylvania and former chief technologist of the FCC. "It is part and parcel of many academics and many students that inquisitiveness motivates them to download third-party software. If you are going to prosecute a person for that on those grounds, then you should prosecute everybody on campus because everyone has done it."

Financial Motive Alleged

Willard says that McOwen was singled out for prosecution partly because he had ignored his supervisor's warnings. "In this case, Mr. McOwen was expressively prohibited by his superiors from downloading these programs and was informed on many occasions by his supervisors to stop downloading programs," said Willard. "They were aware that he was doing it and he had gone in and cleaned it up on numerous occasions." Joyner insists McOwen received no such warning.

Prosecutors also claim that McOwen had a financial motive for volunteering the school's machines. McOwen was a top producer on distributed.net for "Team AnandTech," a group sponsored by a hardware forum site which is still the second ranking contributor to the RC5 research project. A $1,000 prize goes to the individual contributor who recovers the RC5 encryption key.

"McOwen placed a program on computers, that in his estimation would benefit him personally, including computers that have sensitive student financial and identity information without authorization," says Willard. "There is concern about the program itself compromising or providing the basis to compromise sensitive personal or financial information, there is the matter of Mr. McOwen's unauthorized activities on this computer, and finally there is the point that there was misappropriation of state property."

McOwen says the prize money wasn't a factor. "People do these projects for the betterment of mankind," says McOwen. "You are not doing it for the prize and possibility of money, you are doing it because it is the right thing to do."

"I think the prosecutor's office needs some lessons in computer science," says Farber. "If you want to make a point, there are much better examples than this guy."

The case is set for trial on 28 January.

© 2001 SecurityFocus.com, all rights reserved.
