home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
norge.freeshell.org (192.94.73.8)
/
192.94.73.8.tar
/
192.94.73.8
/
pub
/
computers
/
historical
/
hc
/
cracker3.txt
< prev
next >
Wrap
Text File
|
1999-04-14
|
154KB
|
2,724 lines
Bruce Sterling
bruces@well.sf.ca.us
Literary Freeware: Not for Commercial Use
THE HACKER CRACKDOWN: Law and Disorder on the Electronic Frontier
PART THREE: LAW AND ORDER
Of the various anti-hacker activities of 1990, "Operation Sundevil"
had by far the highest public profile. The sweeping, nationwide computer
seizures of May 8, 1990 were unprecedented in scope and highly, if rather
selectively, publicized.
Unlike the efforts of the Chicago Computer Fraud and Abuse Task
Force, "Operation Sundevil" was not intended to combat "hacking" in the
sense of computer intrusion or sophisticated raids on telco switching
stations. Nor did it have anything to do with hacker misdeeds with AT&T's
software, or with Southern Bell's proprietary documents.
Instead, "Operation Sundevil" was a crackdown on those traditional
scourges of the digital underground: credit-card theft and telephone code
abuse. The ambitious activities out of Chicago, and the somewhat
lesser-known but vigorous anti- hacker actions of the New York State
Police in 1990, were never a part of "Operation Sundevil" per se, which
was based in Arizona.
Nevertheless, after the spectacular May 8 raids, the public, misled
by police secrecy, hacker panic, and a puzzled national press-corps,
conflated all aspects of the nationwide crackdown in 1990 under the
blanket term "Operation Sundevil." "Sundevil" is still the best-known
synonym for the crackdown of 1990. But the Arizona organizers of
"Sundevil" did not really deserve this reputation -- any more, for
instance, than all hackers deserve a reputation as "hackers."
There was some justice in this confused perception, though. For one
thing, the confusion was abetted by the Washington office of the Secret
Service, who responded to Freedom of Information Act requests on
"Operation Sundevil" by referring investigators to the publicly known
cases of Knight Lightning and the Atlanta Three. And "Sundevil" was
certainly the largest aspect of the Crackdown, the most deliberate and the
best-organized. As a crackdown on electronic fraud, "Sundevil" lacked the
frantic pace of the war on the Legion of Doom; on the contrary, Sundevil's
targets were picked out with cool deliberation over an elaborate
investigation lasting two full years.
And once again the targets were bulletin board systems.
Boards can be powerful aids to organized fraud. Underground boards
carry lively, extensive, detailed, and often quite flagrant "discussions"
of lawbreaking techniques and lawbreaking activities. "Discussing" crime
in the abstract, or "discussing" the particulars of criminal cases, is not
illegal -- but there are stern state and federal laws against
coldbloodedly conspiring in groups in order to commit crimes.
In the eyes of police, people who actively conspire to break the law
are not regarded as "clubs," "debating salons," "users' groups," or "free
speech advocates." Rather, such people tend to find themselves formally
indicted by prosecutors as "gangs," "racketeers," "corrupt organizations"
and "organized crime figures."
What's more, the illicit data contained on outlaw boards goes well
beyond mere acts of speech and/or possible criminal conspiracy. As we
have seen, it was common practice in the digital underground to post
purloined telephone codes on boards, for any phreak or hacker who cared to
abuse them. Is posting digital booty of this sort supposed to be
protected by the First Amendment? Hardly -- though the issue, like most
issues in cyberspace, is not entirely resolved. Some theorists argue that
to merely *recite* a number publicly is not illegal -- only its *use* is
illegal. But anti-hacker police point out that magazines and newspapers
(more traditional forms of free expression) never publish stolen telephone
codes (even though this might well raise their circulation).
Stolen credit card numbers, being riskier and more valuable, were
less often publicly posted on boards -- but there is no question that some
underground boards carried "carding" traffic, generally exchanged through
private mail.
Underground boards also carried handy programs for "scanning"
telephone codes and raiding credit card companies, as well as the usual
obnoxious galaxy of pirated software, cracked passwords, blue-box
schematics, intrusion manuals, anarchy files, porn files, and so forth.
But besides their nuisance potential for the spread of illicit
knowledge, bulletin boards have another vitally interesting aspect for the
professional investigator. Bulletin boards are cram-full of *evidence.*
All that busy trading of electronic mail, all those hacker boasts, brags
and struts, even the stolen codes and cards, can be neat, electronic,
real- time recordings of criminal activity.
As an investigator, when you seize a pirate board, you have scored a
coup as effective as tapping phones or intercepting mail. However, you
have not actually tapped a phone or intercepted a letter. The rules of
evidence regarding phone-taps and mail interceptions are old, stern and
well- understood by police, prosecutors and defense attorneys alike. The
rules of evidence regarding boards are new, waffling, and understood by
nobody at all.
Sundevil was the largest crackdown on boards in world history. On
May 7, 8, and 9, 1990, about forty- two computer systems were seized. Of
those forty- two computers, about twenty-five actually were running
boards. (The vagueness of this estimate is attributable to the vagueness
of (a) what a "computer system" is, and (b) what it actually means to "run
a board" with one -- or with two computers, or with three.)
About twenty-five boards vanished into police custody in May 1990.
As we have seen, there are an estimated 30,000 boards in America today.
If we assume that one board in a hundred is up to no good with codes and
cards (which rather flatters the honesty of the board-using community),
then that would leave 2,975 outlaw boards untouched by Sundevil. Sundevil
seized about one tenth of one percent of all computer bulletin boards in
America. Seen objectively, this is something less than a comprehensive
assault. In 1990, Sundevil's organizers -- the team at the Phoenix Secret
Service office, and the Arizona Attorney General's office -- had a list of
at least *three hundred* boards that they considered fully deserving of
search and seizure warrants. The twenty-five boards actually seized were
merely among the most obvious and egregious of this much larger list of
candidates. All these boards had been examined beforehand -- either by
informants, who had passed printouts to the Secret Service, or by Secret
Service agents themselves, who not only come equipped with modems but know
how to use them.
There were a number of motives for Sundevil. First, it offered a
chance to get ahead of the curve on wire-fraud crimes. Tracking back
credit-card ripoffs to their perpetrators can be appallingly difficult.
If these miscreants have any kind of electronic sophistication, they can
snarl their tracks through the phone network into a mind-boggling,
untraceable mess, while still managing to "reach out and rob someone."
Boards, however, full of brags and boasts, codes and cards, offer evidence
in the handy congealed form.
Seizures themselves -- the mere physical removal of machines -- tends
to take the pressure off. During Sundevil, a large number of code kids,
warez d00dz, and credit card thieves would be deprived of those boards --
their means of community and conspiracy -- in one swift blow. As for the
sysops themselves (commonly among the boldest offenders) they would be
directly stripped of their computer equipment, and rendered digitally mute
and blind.
And this aspect of Sundevil was carried out with great success.
Sundevil seems to have been a complete tactical surprise -- unlike the
fragmentary and continuing seizures of the war on the Legion of Doom,
Sundevil was precisely timed and utterly overwhelming. At least forty
"computers" were seized during May 7, 8 and 9, 1990, in Cincinnati,
Detroit, Los Angeles, Miami, Newark, Phoenix, Tucson, Richmond, San Diego,
San Jose, Pittsburgh and San Francisco. Some cities saw multiple raids,
such as the five separate raids in the New York City environs. Plano,
Texas (essentially a suburb of the Dallas/Fort Worth metroplex, and a hub
of the telecommunications industry) saw four computer seizures. Chicago,
ever in the forefront, saw its own local Sundevil raid, briskly carried
out by Secret Service agents Timothy Foley and Barbara Golden.
Many of these raids occurred, not in the cities proper, but in
associated white-middle class suburbs -- places like Mount Lebanon,
Pennsylvania and Clark Lake, Michigan. There were a few raids on offices;
most took place in people's homes, the classic hacker basements and
bedrooms.
The Sundevil raids were searches and seizures, not a group of mass
arrests. There were only four arrests during Sundevil. "Tony the
Trashman," a longtime teenage bete noire of the Arizona Racketeering unit,
was arrested in Tucson on May 9. "Dr. Ripco," sysop of an outlaw board
with the misfortune to exist in Chicago itself, was also arrested -- on
illegal weapons charges. Local units also arrested a 19-year-old female
phone phreak named "Electra" in Pennsylvania, and a male juvenile in
California. Federal agents however were not seeking arrests, but
computers.
Hackers are generally not indicted (if at all) until the evidence in
their seized computers is evaluated -- a process that can take weeks,
months -- even years. When hackers are arrested on the spot, it's
generally an arrest for other reasons. Drugs and/or illegal weapons show
up in a good third of anti-hacker computer seizures (though not during
Sundevil).
That scofflaw teenage hackers (or their parents) should have
marijuana in their homes is probably not a shocking revelation, but the
surprisingly common presence of illegal firearms in hacker dens is a bit
disquieting. A Personal Computer can be a great equalizer for the
techno-cowboy -- much like that more traditional American "Great
Equalizer," the Personal Sixgun. Maybe it's not all that surprising that
some guy obsessed with power through illicit technology would also have a
few illicit high-velocity-impact devices around. An element of the
digital underground particularly dotes on those "anarchy philes," and
this element tends to shade into the crackpot milieu of survivalists,
gun-nuts, anarcho-leftists and the ultra-libertarian right-wing.
This is not to say that hacker raids to date have uncovered any major
crack-dens or illegal arsenals; but Secret Service agents do not regard
"hackers" as "just kids." They regard hackers as unpredictable people,
bright and slippery. It doesn't help matters that the hacker himself has
been "hiding behind his keyboard" all this time. Commonly, police have no
idea what he looks like. This makes him an unknown quantity, someone best
treated with proper caution.
To date, no hacker has come out shooting, though they do sometimes
brag on boards that they will do just that. Threats of this sort are
taken seriously. Secret Service hacker raids tend to be swift,
comprehensive, well-manned (even over- manned); and agents generally
burst through every door in the home at once, sometimes with drawn guns.
Any potential resistance is swiftly quelled. Hacker raids are usually
raids on people's homes. It can be a very dangerous business to raid an
American home; people can panic when strangers invade their sanctum.
Statistically speaking, the most dangerous thing a policeman can do is to
enter someone's home. (The second most dangerous thing is to stop a car
in traffic.) People have guns in their homes. More cops are hurt in homes
than are ever hurt in biker bars or massage parlors.
But in any case, no one was hurt during Sundevil, or indeed during
any part of the Hacker Crackdown.
Nor were there any allegations of any physical mistreatment of a
suspect. Guns were pointed, interrogations were sharp and prolonged; but
no one in 1990 claimed any act of brutality by any crackdown raider.
In addition to the forty or so computers, Sundevil reaped floppy
disks in particularly great abundance -- an estimated 23,000 of them,
which naturally included every manner of illegitimate data: pirated
games, stolen codes, hot credit card numbers, the complete text and
software of entire pirate bulletin-boards. These floppy disks, which
remain in police custody today, offer a gigantic, almost embarrassingly
rich source of possible criminal indictments. These 23,000 floppy disks
also include a thus-far unknown quantity of legitimate computer games,
legitimate software, purportedly "private" mail from boards, business
records, and personal correspondence of all kinds.
Standard computer-crime search warrants lay great emphasis on seizing
written documents as well as computers -- specifically including
photocopies, computer printouts, telephone bills, address books, logs,
notes, memoranda and correspondence. In practice, this has meant that
diaries, gaming magazines, software documentation, nonfiction books on
hacking and computer security, sometimes even science fiction novels, have
all vanished out the door in police custody. A wide variety of electronic
items have been known to vanish as well, including telephones,
televisions, answering machines, Sony Walkmans, desktop printers, compact
disks, and audiotapes.
No fewer than 150 members of the Secret Service were sent into the
field during Sundevil. They were commonly accompanied by squads of local
and/or state police. Most of these officers -- especially the locals --
had never been on an anti- hacker raid before. (This was one good reason,
in fact, why so many of them were invited along in the first place.) Also,
the presence of a uniformed police officer assures the raidees that the
people entering their homes are, in fact, police. Secret Service agents
wear plain clothes. So do the telco security experts who commonly
accompany the Secret Service on raids (and who make no particular effort
to identify themselves as mere employees of telephone companies).
A typical hacker raid goes something like this. First, police storm
in rapidly, through every entrance, with overwhelming force, in the
assumption that this tactic will keep casualties to a minimum. Second,
possible suspects are immediately removed from the vicinity of any and all
computer systems, so that they will have no chance to purge or destroy
computer evidence. Suspects are herded into a room without computers,
commonly the living room, and kept under guard -- not *armed* guard, for
the guns are swiftly holstered, but under guard nevertheless. They are
presented with the search warrant and warned that anything they say may be
held against them. Commonly they have a great deal to say, especially if
they are unsuspecting parents.
Somewhere in the house is the "hot spot" -- a computer tied to a
phone line (possibly several computers and several phones). Commonly it's
a teenager's bedroom, but it can be anywhere in the house; there may be
several such rooms. This "hot spot" is put in charge of a two-agent team,
the "finder" and the "recorder." The "finder" is computer-trained,
commonly the case agent who has actually obtained the search warrant from
a judge. He or she understands what is being sought, and actually carries
out the seizures: unplugs machines, opens drawers, desks, files,
floppy-disk containers, etc. The "recorder" photographs all the
equipment, just as it stands -- especially the tangle of wired connections
in the back, which can otherwise be a real nightmare to restore. The
recorder will also commonly photograph every room in the house, lest some
wily criminal claim that the police had robbed him during the search.
Some recorders carry videocams or tape recorders; however, it's more
common for the recorder to simply take written notes. Objects are
described and numbered as the finder seizes them, generally on standard
preprinted police inventory forms.
Even Secret Service agents were not, and are not, expert computer
users. They have not made, and do not make, judgements on the fly about
potential threats posed by various forms of equipment. They may exercise
discretion; they may leave Dad his computer, for instance, but they don't
*have* to. Standard computer-crime search warrants, which date back to
the early 80s, use a sweeping language that targets computers, most
anything attached to a computer, most anything used to operate a computer
-- most anything that remotely resembles a computer -- plus most any and
all written documents surrounding it. Computer-crime investigators have
strongly urged agents to seize the works.
In this sense, Operation Sundevil appears to have been a complete
success. Boards went down all over America, and were shipped en masse to
the computer investigation lab of the Secret Service, in Washington DC,
along with the 23,000 floppy disks and unknown quantities of printed
material.
But the seizure of twenty-five boards, and the multi-megabyte
mountains of possibly useful evidence contained in these boards (and in
their owners' other computers, also out the door), were far from the only
motives for Operation Sundevil. An unprecedented action of great ambition
and size, Sundevil's motives can only be described as political. It was a
public-relations effort, meant to pass certain messages, meant to make
certain situations clear: both in the mind of the general public, and in
the minds of various constituencies of the electronic community.
First -- and this motivation was vital -- a "message" would be sent
from law enforcement to the digital underground. This very message was
recited in so many words by Garry M. Jenkins, the Assistant Director of
the US Secret Service, at the Sundevil press conference in Phoenix on May
9, 1990, immediately after the raids. In brief, hackers were mistaken in
their foolish belief that they could hide behind the "relative anonymity
of their computer terminals." On the contrary, they should fully
understand that state and federal cops were actively patrolling the beat
in cyberspace -- that they were on the watch everywhere, even in those
sleazy and secretive dens of cybernetic vice, the underground boards.
This is not an unusual message for police to publicly convey to
crooks. The message is a standard message; only the context is new.
In this respect, the Sundevil raids were the digital equivalent of
the standard vice-squad crackdown on massage parlors, porno bookstores,
head-shops, or floating crap-games. There may be few or no arrests in a
raid of this sort; no convictions, no trials, no interrogations. In cases
of this sort, police may well walk out the door with many pounds of sleazy
magazines, X-rated videotapes, sex toys, gambling equipment, baggies of
marijuana....
Of course, if something truly horrendous is discovered by the
raiders, there will be arrests and prosecutions. Far more likely,
however, there will simply be a brief but sharp disruption of the closed
and secretive world of the nogoodniks. There will be "street hassle."
"Heat." "Deterrence." And, of course, the immediate loss of the seized
goods. It is very unlikely that any of this seized material will ever be
returned. Whether charged or not, whether convicted or not, the
perpetrators will almost surely lack the nerve ever to ask for this stuff
to be given back.
Arrests and trials -- putting people in jail -- may involve all kinds
of formal legalities; but dealing with the justice system is far from the
only task of police. Police do not simply arrest people. They don't
simply put people in jail. That is not how the police perceive their
jobs. Police "protect and serve." Police "keep the peace," they "keep
public order." Like other forms of public relations, keeping public order
is not an exact science. Keeping public order is something of an
art-form.
If a group of tough-looking teenage hoodlums was loitering on a
street-corner, no one would be surprised to see a street-cop arrive and
sternly order them to "break it up." On the contrary, the surprise would
come if one of these ne'er-do-wells stepped briskly into a phone-booth,
called a civil rights lawyer, and instituted a civil suit in defense of
his Constitutional rights of free speech and free assembly. But something
much along this line was one of the many anomolous outcomes of the Hacker
Crackdown.
Sundevil also carried useful "messages" for other constituents of the
electronic community. These messages may not have been read aloud from the
Phoenix podium in front of the press corps, but there was little mistaking
their meaning. There was a message of reassurance for the primary victims
of coding and carding: the telcos, and the credit companies. Sundevil
was greeted with joy by the security officers of the electronic business
community. After years of high-tech harassment and spiralling revenue
losses, their complaints of rampant outlawry were being taken seriously by
law enforcement. No more head-scratching or dismissive shrugs; no more
feeble excuses about "lack of computer-trained officers" or the low
priority of "victimless" white-collar telecommunication crimes.
Computer-crime experts have long believed that computer-related
offenses are drastically under-reported. They regard this as a major open
scandal of their field. Some victims are reluctant to come forth, because
they believe that police and prosecutors are not computer-literate, and
can and will do nothing. Others are embarrassed by their vulnerabilities,
and will take strong measures to avoid any publicity; this is especially
true of banks, who fear a loss of investor confidence should an
embezzlement-case or wire-fraud surface. And some victims are so
helplessly confused by their own high technology that they never even
realize that a crime has occurred -- even when they have been fleeced to
the bone.
The results of this situation can be dire. Criminals escape
apprehension and punishment. The computer-crime units that do exist, can't
get work. The true scope of computer-crime: its size, its real nature,
the scope of its threats, and the legal remedies for it -- all remain
obscured.
Another problem is very little publicized, but it is a cause of
genuine concern. Where there is persistent crime, but no effective police
protection, then vigilantism can result. Telcos, banks, credit companies,
the major corporations who maintain extensive computer networks vulnerable
to hacking -- these organizations are powerful, wealthy, and politically
influential. They are disinclined to be pushed around by crooks (or by
most anyone else, for that matter). They often maintain well-organized
private security forces, commonly run by experienced veterans of military
and police units, who have left public service for the greener pastures of
the private sector. For police, the corporate security manager can be a
powerful ally; but if this gentleman finds no allies in the police, and
the pressure is on from his board-of-directors, he may quietly take
certain matters into his own hands.
Nor is there any lack of disposable hired-help in the corporate
security business. Private security agencies -- the 'security business'
generally -- grew explosively in the 1980s. Today there are spooky
gumshoed armies of "security consultants," "rent-a- cops," "private eyes,"
"outside experts" -- every manner of shady operator who retails in
"results" and discretion. Or course, many of these gentlemen and ladies
may be paragons of professional and moral rectitude. But as anyone who
has read a hard-boiled detective novel knows, police tend to be less than
fond of this sort of private-sector competition.
Companies in search of computer-security have even been known to hire
hackers. Police shudder at this prospect.
Police treasure good relations with the business community. Rarely
will you see a policeman so indiscreet as to allege publicly that some
major employer in his state or city has succumbed to paranoia and gone off
the rails. Nevertheless, police -- and computer police in particular --
are aware of this possibility. Computer-crime police can and do spend up
to half of their business hours just doing public relations: seminars,
"dog and pony shows," sometimes with parents' groups or computer users,
but generally with their core audience: the likely victims of hacking
crimes. These, of course, are telcos, credit card companies and large
computer- equipped corporations. The police strongly urge these people,
as good citizens, to report offenses and press criminal charges; they pass
the message that there is someone in authority who cares, understands,
and, best of all, will take useful action should a computer-crime occur.
But reassuring talk is cheap. Sundevil offered action.
The final message of Sundevil was intended for internal consumption
by law enforcement. Sundevil was offered as proof that the community of
American computer-crime police had come of age. Sundevil was proof that
enormous things like Sundevil itself could now be accomplished. Sundevil
was proof that the Secret Service and its local law-enforcement allies
could act like a well- oiled machine -- (despite the hampering use of
those scrambled phones). It was also proof that the Arizona Organized
Crime and Racketeering Unit -- the sparkplug of Sundevil -- ranked with
the best in the world in ambition, organization, and sheer conceptual
daring.
And, as a final fillip, Sundevil was a message from the Secret
Service to their longtime rivals in the Federal Bureau of Investigation.
By Congressional fiat, both USSS and FBI formally share jurisdiction over
federal computer-crimebusting activities. Neither of these groups has ever
been remotely happy with this muddled situation. It seems to suggest that
Congress cannot make up its mind as to which of these groups is better
qualified. And there is scarcely a G-man or a Special Agent anywhere
without a very firm opinion on that topic.
#
For the neophyte, one of the most puzzling aspects of the
crackdown on hackers is why the United States Secret Service has anything
at all to do with this matter.
The Secret Service is best known for its primary public role: its
agents protect the President of the United States. They also guard the
President's family, the Vice President and his family, former Presidents,
and Presidential candidates. They sometimes guard foreign dignitaries who
are visiting the United States, especially foreign heads of state, and
have been known to accompany American officials on diplomatic missions
overseas.
Special Agents of the Secret Service don't wear uniforms, but the
Secret Service also has two uniformed police agencies. There's the former
White House Police (now known as the Secret Service Uniformed Division,
since they currently guard foreign embassies in Washington, as well as the
White House itself). And there's the uniformed Treasury Police Force.
The Secret Service has been charged by Congress with a number of
little-known duties. They guard the precious metals in Treasury vaults.
They guard the most valuable historical documents of the United States:
originals of the Constitution, the Declaration of Independence, Lincoln's
Second Inaugural Address, an American-owned copy of the Magna Carta, and
so forth. Once they were assigned to guard the Mona Lisa, on her American
tour in the 1960s.
The entire Secret Service is a division of the Treasury Department.
Secret Service Special Agents (there are about 1,900 of them) are
bodyguards for the President et al, but they all work for the Treasury.
And the Treasury (through its divisions of the U.S. Mint and the Bureau of
Engraving and Printing) prints the nation's money.
As Treasury police, the Secret Service guards the nation's currency;
it is the only federal law enforcement agency with direct jurisdiction
over counterfeiting and forgery. It analyzes documents for authenticity,
and its fight against fake cash is still quite lively (especially since
the skilled counterfeiters of Medellin, Columbia have gotten into the
act). Government checks, bonds, and other obligations, which exist in
untold millions and are worth untold billions, are common targets for
forgery, which the Secret Service also battles. It even handles forgery
of postage stamps.
But cash is fading in importance today as money has become
electronic. As necessity beckoned, the Secret Service moved from fighting
the counterfeiting of paper currency and the forging of checks, to the
protection of funds transferred by wire.
From wire-fraud, it was a simple skip-and-jump to what is formally
known as "access device fraud." Congress granted the Secret Service the
authority to investigate "access device fraud" under Title 18 of the
United States Code (U.S.C. Section 1029).
The term "access device" seems intuitively simple. It's some kind of
high-tech gizmo you use to get money with. It makes good sense to put
this sort of thing in the charge of counterfeiting and wire- fraud
experts.
However, in Section 1029, the term "access device" is very generously
defined. An access device is: "any card, plate, code, account number, or
other means of account access that can be used, alone or in conjunction
with another access device, to obtain money, goods, services, or any other
thing of value, or that can be used to initiate a transfer of funds."
"Access device" can therefore be construed to include credit cards
themselves (a popular forgery item nowadays). It also includes credit
card account *numbers,* those standards of the digital underground. The
same goes for telephone charge cards (an increasingly popular item with
telcos, who are tired of being robbed of pocket change by phone-booth
thieves). And also telephone access *codes,* those *other* standards of
the digital underground. (Stolen telephone codes may not "obtain money,"
but they certainly do obtain valuable "services," which is specifically
forbidden by Section 1029.)
We can now see that Section 1029 already pits the United States
Secret Service directly against the digital underground, without any
mention at all of the word "computer."
Standard phreaking devices, like "blue boxes," used to steal phone
service from old-fashioned mechanical switches, are unquestionably
"counterfeit access devices." Thanks to Sec.1029, it is not only illegal
to *use* counterfeit access devices, but it is even illegal to *build*
them. "Producing," "designing" "duplicating" or "assembling" blue boxes
are all federal crimes today, and if you do this, the Secret Service has
been charged by Congress to come after you.
Automatic Teller Machines, which replicated all over America during
the 1980s, are definitely "access devices," too, and an attempt to tamper
with their punch-in codes and plastic bank cards falls directly under Sec.
1029.
Section 1029 is remarkably elastic. Suppose you find a computer
password in somebody's trash. That password might be a "code" -- it's
certainly a "means of account access." Now suppose you log on to a
computer and copy some software for yourself. You've certainly obtained
"service" (computer service) and a "thing of value" (the software).
Suppose you tell a dozen friends about your swiped password, and let them
use it, too. Now you're "trafficking in unauthorized access devices."
And when the Prophet, a member of the Legion of Doom, passed a stolen
telephone company document to Knight Lightning at *Phrack* magazine, they
were both charged under Sec. 1029!
There are two limitations on Section 1029. First, the offense must
"affect interstate or foreign commerce" in order to become a matter of
federal jurisdiction. The term "affecting commerce" is not well defined;
but you may take it as a given that the Secret Service can take an
interest if you've done most anything that happens to cross a state line.
State and local police can be touchy about their jurisdictions, and can
sometimes be mulish when the feds show up. But when it comes to computer-
crime, the local police are pathetically grateful for federal help -- in
fact they complain that they can't get enough of it. If you're stealing
long-distance service, you're almost certainly crossing state lines, and
you're definitely "affecting the interstate commerce" of the telcos. And
if you're abusing credit cards by ordering stuff out of glossy catalogs
from, say, Vermont, you're in for it.
The second limitation is money. As a rule, the feds don't pursue
penny-ante offenders. Federal judges will dismiss cases that appear to
waste their time. Federal crimes must be serious; Section 1029 specifies
a minimum loss of a thousand dollars.
We now come to the very next section of Title 18, which is Section
1030, "Fraud and related activity in connection with computers." This
statute gives the Secret Service direct jurisdiction over acts of computer
intrusion. On the face of it, the Secret Service would now seem to
command the field. Section 1030, however, is nowhere near so ductile as
Section 1029.
The first annoyance is Section 1030(d), which reads:
"(d) The United States Secret Service shall, *in addition to any
other agency having such authority,* have the authority to investigate
offenses under this section. Such authority of the United States Secret
Service shall be exercised in accordance with an agreement which shall be
entered into by the Secretary of the Treasury *and the Attorney General.*"
(Author's italics.)
The Secretary of the Treasury is the titular head of the Secret
Service, while the Attorney General is in charge of the FBI. In Section
(d), Congress shrugged off responsibility for the computer-crime
turf-battle between the Service and the Bureau, and made them fight it out
all by themselves. The result was a rather dire one for the Secret
Service, for the FBI ended up with exclusive jurisdiction over computer
break-ins having to do with national security, foreign espionage,
federally insured banks, and U.S. military bases, while retaining joint
jurisdiction over all the other computer intrusions. Essentially, when it
comes to Section 1030, the FBI not only gets the real glamor stuff for
itself, but can peer over the shoulder of the Secret Service and barge in
to meddle whenever it suits them.
The second problem has to do with the dicey term "Federal interest
computer." Section 1030(a)(2) makes it illegal to "access a computer
without authorization" if that computer belongs to a financial institution
or an issuer of credit cards (fraud cases, in other words). Congress was
quite willing to give the Secret Service jurisdiction over
money-transferring computers, but Congress balked at letting them
investigate any and all computer intrusions. Instead, the USSS had to
settle for the money machines and the "Federal interest computers." A
"Federal interest computer" is a computer which the government itself
owns, or is using. Large networks of interstate computers, linked over
state lines, are also considered to be of "Federal interest." (This
notion of "Federal interest" is legally rather foggy and has never been
clearly defined in the courts. The Secret Service has never yet had its
hand slapped for investigating computer break-ins that were *not* of
"Federal interest," but conceivably someday this might happen.)
So the Secret Service's authority over "unauthorized access" to
computers covers a lot of territory, but by no means the whole ball of
cyberspatial wax. If you are, for instance, a *local* computer retailer,
or the owner of a *local* bulletin board system, then a malicious *local*
intruder can break in, crash your system, trash your files and scatter
viruses, and the U.S. Secret Service cannot do a single thing about it.
At least, it can't do anything *directly.* But the Secret Service
will do plenty to help the local people who can.
The FBI may have dealt itself an ace off the bottom of the deck when
it comes to Section 1030; but that's not the whole story; that's not the
street. What's Congress thinks is one thing, and Congress has been known
to change its mind. The *real* turf- struggle is out there in the streets
where it's happening. If you're a local street-cop with a computer
problem, the Secret Service wants you to know where you can find the real
expertise. While the Bureau crowd are off having their favorite shoes
polished -- (wing-tips) -- and making derisive fun of the Service's
favorite shoes -- ("pansy-ass tassels") -- the tassel-toting Secret
Service has a crew of ready- and-able hacker-trackers installed in the
capital of every state in the Union. Need advice? They'll give you
advice, or at least point you in the right direction. Need training?
They can see to that, too.
If you're a local cop and you call in the FBI, the FBI (as is widely
and slanderously rumored) will order you around like a coolie, take all
the credit for your busts, and mop up every possible scrap of reflected
glory. The Secret Service, on the other hand, doesn't brag a lot.
They're the quiet types. *Very* quiet. Very cool. Efficient. High-tech.
Mirrorshades, icy stares, radio ear-plugs, an Uzi machine-pistol tucked
somewhere in that well-cut jacket. American samurai, sworn to give their
lives to protect our President. "The granite agents." Trained in martial
arts, absolutely fearless. Every single one of 'em has a top-secret
security clearance. Something goes a little wrong, you're not gonna hear
any whining and moaning and political buck- passing out of these guys.
The facade of the granite agent is not, of course, the reality.
Secret Service agents are human beings. And the real glory in Service work
is not in battling computer crime -- not yet, anyway -- but in protecting
the President. The real glamour of Secret Service work is in the White
House Detail. If you're at the President's side, then the kids and the
wife see you on television; you rub shoulders with the most powerful
people in the world. That's the real heart of Service work, the number
one priority. More than one computer investigation has stopped dead in
the water when Service agents vanished at the President's need.
There's romance in the work of the Service. The intimate access to
circles of great power; the esprit- de-corps of a highly trained and
disciplined elite; the high responsibility of defending the Chief
Executive; the fulfillment of a patriotic duty. And as police work goes,
the pay's not bad. But there's squalor in Service work, too. You may get
spat upon by protesters howling abuse -- and if they get violent, if they
get too close, sometimes you have to knock one of them down -- discreetly.
The real squalor in Service work is drudgery such as "the
quarterlies," traipsing out four times a year, year in, year out, to
interview the various pathetic wretches, many of them in prisons and
asylums, who have seen fit to threaten the President's life. And then
there's the grinding stress of searching all those faces in the endless
bustling crowds, looking for hatred, looking for psychosis, looking for
the tight, nervous face of an Arthur Bremer, a Squeaky Fromme, a Lee
Harvey Oswald. It's watching all those grasping, waving hands for sudden
movements, while your ears strain at your radio headphone for the
long-rehearsed cry of "Gun!"
It's poring, in grinding detail, over the biographies of every rotten
loser who ever shot at a President. It's the unsung work of the
Protective Research Section, who study scrawled, anonymous death threats
with all the meticulous tools of anti- forgery techniques.
And it's maintaining the hefty computerized files on anyone who ever
threatened the President's life. Civil libertarians have become
increasingly concerned at the Government's use of computer files to track
American citizens -- but the Secret Service file of potential Presidential
assassins, which has upward of twenty thousand names, rarely causes a peep
of protest. If you *ever* state that you intend to kill the President,
the Secret Service will want to know and record who you are, where you
are, what you are, and what you're up to. If you're a serious threat --
if you're officially considered "of protective interest" -- then the
Secret Service may well keep tabs on you for the rest of your natural
life.
Protecting the President has first call on all the Service's
resources. But there's a lot more to the Service's traditions and history
than standing guard outside the Oval Office.
The Secret Service is the nation's oldest general federal
law-enforcement agency. Compared to the Secret Service, the FBI are
new-hires and the CIA are temps. The Secret Service was founded 'way back
in 1865, at the suggestion of Hugh McCulloch, Abraham Lincoln's Secretary
of the Treasury. McCulloch wanted a specialized Treasury police to combat
counterfeiting. Abraham Lincoln agreed that this seemed a good idea, and,
with a terrible irony, Abraham Lincoln was shot that very night by John
Wilkes Booth.
The Secret Service originally had nothing to do with protecting
Presidents. They didn't take this on as a regular assignment until after
the Garfield assassination in 1881. And they didn't get any Congressional
money for it until President McKinley was shot in 1901. The Service was
originally designed for one purpose: destroying counterfeiters.
#
There are interesting parallels between the Service's
nineteenth-century entry into counterfeiting, and America's
twentieth-century entry into computer-crime.
In 1865, America's paper currency was a terrible muddle. Security
was drastically bad. Currency was printed on the spot by local banks in
literally hundreds of different designs. No one really knew what the heck
a dollar bill was supposed to look like. Bogus bills passed easily. If
some joker told you that a one-dollar bill from the Railroad Bank of
Lowell, Massachusetts had a woman leaning on a shield, with a locomotive,
a cornucopia, a compass, various agricultural implements, a railroad
bridge, and some factories, then you pretty much had to take his word for
it. (And in fact he was telling the truth!)
*Sixteen hundred* local American banks designed and printed their
own paper currency, and there were no general standards for security.
Like a badly guarded node in a computer network, badly designed bills were
easy to fake, and posed a security hazard for the entire monetary system.
No one knew the exact extent of the threat to the currency. There
were panicked estimates that as much as a third of the entire national
currency was faked. Counterfeiters -- known as "boodlers" in the
underground slang of the time -- were mostly technically skilled printers
who had gone to the bad. Many had once worked printing legitimate
currency. Boodlers operated in rings and gangs. Technical experts
engraved the bogus plates -- commonly in basements in New York City.
Smooth confidence men passed large wads of high-quality, high-
denomination fakes, including the really sophisticated stuff -- government
bonds, stock certificates, and railway shares. Cheaper, botched fakes
were sold or sharewared to low-level gangs of boodler wannabes. (The
really cheesy lowlife boodlers merely upgraded real bills by altering face
values, changing ones to fives, tens to hundreds, and so on.)
The techniques of boodling were little-known and regarded with a
certain awe by the mid- nineteenth-century public. The ability to
manipulate the system for rip-off seemed diabolically clever. As the
skill and daring of the boodlers increased, the situation became
intolerable. The federal government stepped in, and began offering its
own federal currency, which was printed in fancy green ink, but only on
the back - - the original "greenbacks." And at first, the improved
security of the well-designed, well-printed federal greenbacks seemed to
solve the problem; but then the counterfeiters caught on. Within a few
years things were worse than ever: a *centralized* system where *all*
security was bad!
The local police were helpless. The Government tried offering blood
money to potential informants, but this met with little success. Banks,
plagued by boodling, gave up hope of police help and hired private
security men instead. Merchants and bankers queued up by the thousands to
buy privately-printed manuals on currency security, slim little books like
Laban Heath's *Infallible Government Counterfeit Detector.* The back of
the book offered Laban Heath's patent microscope for five bucks.
Then the Secret Service entered the picture. The first agents were a
rough and ready crew. Their chief was one William P. Wood, a former
guerilla in the Mexican War who'd won a reputation busting contractor
fraudsters for the War Department during the Civil War. Wood, who was
also Keeper of the Capital Prison, had a sideline as a counterfeiting
expert, bagging boodlers for the federal bounty money.
Wood was named Chief of the new Secret Service in July 1865. There
were only ten Secret Service agents in all: Wood himself, a handful who'd
worked for him in the War Department, and a few former private
investigators -- counterfeiting experts -- whom Wood had won over to
public service. (The Secret Service of 1865 was much the size of the
Chicago Computer Fraud Task Force or the Arizona Racketeering Unit of
1990.) These ten "Operatives" had an additional twenty or so "Assistant
Operatives" and "Informants." Besides salary and per diem, each Secret
Service employee received a whopping twenty-five dollars for each boodler
he captured.
Wood himself publicly estimated that at least *half* of America's
currency was counterfeit, a perhaps pardonable perception. Within a year
the Secret Service had arrested over 200 counterfeiters. They busted about
two hundred boodlers a year for four years straight.
Wood attributed his success to travelling fast and light, hitting the
bad-guys hard, and avoiding bureaucratic baggage. "Because my raids were
made without military escort and I did not ask the assistance of state
officers, I surprised the professional counterfeiter."
Wood's social message to the once-impudent boodlers bore an eerie
ring of Sundevil: "It was also my purpose to convince such characters
that it would no longer be healthy for them to ply their vocation without
being handled roughly, a fact they soon discovered."
William P. Wood, the Secret Service's guerilla pioneer, did not end
well. He succumbed to the lure of aiming for the really big score. The
notorious Brockway Gang of New York City, headed by William E. Brockway,
the "King of the Counterfeiters," had forged a number of government bonds.
They'd passed these brilliant fakes on the prestigious Wall Street
investment firm of Jay Cooke and Company. The Cooke firm were frantic and
offered a huge reward for the forgers' plates.
Laboring diligently, Wood confiscated the plates (though not Mr.
Brockway) and claimed the reward. But the Cooke company treacherously
reneged. Wood got involved in a down-and-dirty lawsuit with the Cooke
capitalists. Wood's boss, Secretary of the Treasury McCulloch, felt that
Wood's demands for money and glory were unseemly, and even when the reward
money finally came through, McCulloch refused to pay Wood anything. Wood
found himself mired in a seemingly endless round of federal suits and
Congressional lobbying.
Wood never got his money. And he lost his job to boot. He resigned
in 1869.
Wood's agents suffered, too. On May 12, 1869, the second Chief of
the Secret Service took over, and almost immediately fired most of Wood's
pioneer Secret Service agents: Operatives, Assistants and Informants
alike. The practice of receiving $25 per crook was abolished. And the
Secret Service began the long, uncertain process of thorough
professionalization.
Wood ended badly. He must have felt stabbed in the back. In fact
his entire organization was mangled.
On the other hand, William P. Wood *was* the first head of the Secret
Service. William Wood was the pioneer. People still honor his name. Who
remembers the name of the *second* head of the Secret Service?
As for William Brockway (also known as "Colonel Spencer"), he was
finally arrested by the Secret Service in 1880. He did five years in
prison, got out, and was still boodling at the age of seventy- four.
#
Anyone with an interest in Operation Sundevil - - or in American
computer-crime generally -- could scarcely miss the presence of Gail
Thackeray, Assistant Attorney General of the State of Arizona.
Computer-crime training manuals often cited Thackeray's group and her
work; she was the highest-ranking state official to specialize in
computer-related offenses. Her name had been on the Sundevil press
release (though modestly ranked well after the local federal prosecuting
attorney and the head of the Phoenix Secret Service office).
As public commentary, and controversy, began to mount about the
Hacker Crackdown, this Arizonan state official began to take a higher and
higher public profile. Though uttering almost nothing specific about the
Sundevil operation itself, she coined some of the most striking soundbites
of the growing propaganda war: "Agents are operating in good faith, and I
don't think you can say that for the hacker community," was one. Another
was the memorable "I am not a mad dog prosecutor" (*Houston Chronicle,*
Sept 2, 1990.) In the meantime, the Secret Service maintained its usual
extreme discretion; the Chicago Unit, smarting from the backlash of the
Steve Jackson scandal, had gone completely to earth.
As I collated my growing pile of newspaper clippings, Gail Thackeray
ranked as a comparative fount of public knowledge on police operations.
I decided that I had to get to know Gail Thackeray. I wrote to her
at the Arizona Attorney General's Office. Not only did she kindly reply
to me, but, to my astonishment, she knew very well what "cyberpunk"
science fiction was.
Shortly after this, Gail Thackeray lost her job. And I temporarily
misplaced my own career as a science-fiction writer, to become a full-time
computer-crime journalist. In early March, 1991, I flew to Phoenix,
Arizona, to interview Gail Thackeray for my book on the hacker crackdown.
#
"Credit cards didn't used to cost anything to get," says Gail
Thackeray. "Now they cost forty bucks -- and that's all just to cover the
costs from *rip-off artists.*"
Electronic nuisance criminals are parasites. One by one they're not
much harm, no big deal. But they never come just one by one. They come in
swarms, heaps, legions, sometimes whole subcultures. And they bite.
Every time we buy a credit card today, we lose a little financial vitality
to a particular species of bloodsucker.
What, in her expert opinion, are the worst forms of electronic crime,
I ask, consulting my notes. Is it -- credit card fraud? Breaking into
ATM bank machines? Phone-phreaking? Computer intrusions? Software
viruses? Access-code theft? Records tampering? Software piracy?
Pornographic bulletin boards? Satellite TV piracy? Theft of cable
service? It's a long list. By the time I reach the end of it I feel
rather depressed.
"Oh no," says Gail Thackeray, leaning forward over the table, her
whole body gone stiff with energetic indignation, "the biggest damage is
telephone fraud. Fake sweepstakes, fake charities. Boiler-room con
operations. You could pay off the national debt with what these guys
steal.... They target old people, they get hold of credit ratings and
demographics, they rip off the old and the weak." The words come tumbling
out of her.
It's low-tech stuff, your everyday boiler-room fraud. Grifters,
conning people out of money over the phone, have been around for decades.
This is where the word "phony" came from!
It's just that it's so much *easier* now, horribly facilitated by
advances in technology and the byzantine structure of the modern phone
system. The same professional fraudsters do it over and over, Thackeray
tells me, they hide behind dense onion-shells of fake companies.... fake
holding corporations nine or ten layers deep, registered all over the map.
They get a phone installed under a false name in an empty safe-house. And
then they call-forward everything out of that phone to yet another phone,
a phone that may even be in another *state.* And they don't even pay the
charges on their phones; after a month or so, they just split. Set up
somewhere else in another Podunkville with the same seedy crew of veteran
phone-crooks. They buy or steal commercial credit card reports, slap them
on the PC, have a program pick out people over sixty-five who pay a lot to
charities. A whole subculture living off this, merciless folks on the
con.
"The 'light-bulbs for the blind' people," Thackeray muses, with a
special loathing. "There's just no end to them."
We're sitting in a downtown diner in Phoenix, Arizona. It's a tough
town, Phoenix. A state capital seeing some hard times. Even to a Texan
like myself, Arizona state politics seem rather baroque. There was, and
remains, endless trouble over the Martin Luther King holiday, the sort of
stiff-necked, foot-shooting incident for which Arizona politics seem
famous. There was Evan Mecham, the eccentric Republican millionaire
governor who was impeached, after reducing state government to a ludicrous
shambles. Then there was the national Keating scandal, involving Arizona
savings and loans, in which both of Arizona's U.S. senators, DeConcini and
McCain, played sadly prominent roles.
And the very latest is the bizarre AzScam case, in which state
legislators were videotaped, eagerly taking cash from an informant of the
Phoenix city police department, who was posing as a Vegas mobster.
"Oh," says Thackeray cheerfully. "These people are amateurs here,
they thought they were finally getting to play with the big boys. They
don't have the least idea how to take a bribe! It's not institutional
corruption. It's not like back in Philly."
Gail Thackeray was a former prosecutor in Philadelphia. Now she's a
former assistant attorney general of the State of Arizona. Since moving
to Arizona in 1986, she had worked under the aegis of Steve Twist, her
boss in the Attorney General's office. Steve Twist wrote Arizona's
pioneering computer crime laws and naturally took an interest in seeing
them enforced. It was a snug niche, and Thackeray's Organized Crime and
Racketeering Unit won a national reputation for ambition and technical
knowledgeability.... Until the latest election in Arizona. Thackeray's
boss ran for the top job, and lost. The victor, the new Attorney General,
apparently went to some pains to eliminate the bureaucratic traces of his
rival, including his pet group -- Thackeray's group. Twelve people got
their walking papers.
Now Thackeray's painstakingly assembled computer lab sits gathering
dust somewhere in the glass-and-concrete Attorney General's HQ on 1275
Washington Street. Her computer-crime books, her painstakingly garnered
back issues of phreak and hacker zines, all bought at her own expense --
are piled in boxes somewhere. The State of Arizona is simply not
particularly interested in electronic racketeering at the moment.
At the moment of our interview, Gail Thackeray, officially
unemployed, is working out of the county sheriff's office, living on her
savings, and prosecuting several cases -- working 60-hour weeks, just as
always -- for no pay at all. "I'm trying to train people," she mutters.
Half her life seems to be spent training people - - merely pointing
out, to the naive and incredulous (such as myself) that this stuff is
*actually going on out there.* It's a small world, computer crime. A
young world. Gail Thackeray, a trim blonde Baby- Boomer who favors Grand
Canyon white-water rafting to kill some slow time, is one of the world's
most senior, most veteran "hacker-trackers." Her mentor was Donn Parker,
the California think-tank theorist who got it all started 'way back in the
mid- 70s, the "grandfather of the field," "the great bald eagle of
computer crime."
And what she has learned, Gail Thackeray teaches. Endlessly.
Tirelessly. To anybody. To Secret Service agents and state police, at
the Glynco, Georgia federal training center. To local police, on
"roadshows" with her slide projector and notebook. To corporate security
personnel. To journalists. To parents.
Even *crooks* look to Gail Thackeray for advice. Phone-phreaks call
her at the office. They know very well who she is. They pump her for
information on what the cops are up to, how much they know. Sometimes
whole *crowds* of phone phreaks, hanging out on illegal conference calls,
will call Gail Thackeray up. They taunt her. And, as always, they boast.
Phone-phreaks, real stone phone-phreaks, simply *cannot shut up.* They
natter on for hours.
Left to themselves, they mostly talk about the intricacies of
ripping-off phones; it's about as interesting as listening to hot-rodders
talk about suspension and distributor-caps. They also gossip cruelly
about each other. And when talking to Gail Thackeray, they incriminate
themselves. "I have tapes," Thackeray says coolly.
Phone phreaks just talk like crazy. "Dial-Tone" out in Alabama has
been known to spend half-an- hour simply reading stolen phone-codes aloud
into voice-mail answering machines. Hundreds, thousands of numbers,
recited in a monotone, without a break -- an eerie phenomenon. When
arrested, it's a rare phone phreak who doesn't inform at endless length on
everybody he knows.
Hackers are no better. What other group of criminals, she asks
rhetorically, publishes newsletters and holds conventions? She seems
deeply nettled by the sheer brazenness of this behavior, though to an
outsider, this activity might make one wonder whether hackers should be
considered "criminals" at all. Skateboarders have magazines, and they
trespass a lot. Hot rod people have magazines and they break speed limits
and sometimes kill people....
I ask her whether it would be any loss to society if phone phreaking
and computer hacking, as hobbies, simply dried up and blew away, so that
nobody ever did it again.
She seems surprised. "No," she says swiftly. "Maybe a little... in
the old days... the MIT stuff... But there's a lot of wonderful, legal
stuff you can do with computers now, you don't have to break into somebody
else's just to learn. You don't have that excuse. You can learn all you
like."
Did you ever hack into a system? I ask.
The trainees do it at Glynco. Just to demonstrate system
vulnerabilities. She's cool to the notion. Genuinely indifferent.
"What kind of computer do you have?"
"A Compaq 286LE," she mutters.
"What kind do you *wish* you had?"
At this question, the unmistakable light of true hackerdom flares in
Gail Thackeray's eyes. She becomes tense, animated, the words pour out:
"An Amiga 2000 with an IBM card and Mac emulation! The most common hacker
machines are Amigas and Commodores. And Apples." If she had the Amiga,
she enthuses, she could run a whole galaxy of seized computer-evidence
disks on one convenient multifunctional machine. A cheap one, too. Not
like the old Attorney General lab, where they had an ancient CP/M machine,
assorted Amiga flavors and Apple flavors, a couple IBMS, all the utility
software... but no Commodores. The workstations down at the Attorney
General's are Wang dedicated word-processors. Lame machines tied in to an
office net -- though at least they get on- line to the Lexis and Westlaw
legal data services.
I don't say anything. I recognize the syndrome, though. This
computer-fever has been running through segments of our society for years
now. It's a strange kind of lust: K-hunger, Meg-hunger; but it's a shared
disease; it can kill parties dead, as conversation spirals into the
deepest and most deviant recesses of software releases and expensive
peripherals.... The mark of the hacker beast. I have it too. The whole
"electronic community," whatever the hell that is, has it. Gail Thackeray
has it. Gail Thackeray is a hacker cop. My immediate reaction is a
strong rush of indignant pity: *why doesn't somebody buy this woman her
Amiga?!* It's not like she's asking for a Cray X-MP supercomputer
mainframe; an Amiga's a sweet little cookie-box thing. We're losing
zillions in organized fraud; prosecuting and defending a single hacker
case in court can cost a hundred grand easy. How come nobody can come up
with four lousy grand so this woman can do her job? For a hundred grand
we could buy every computer cop in America an Amiga. There aren't that
many of 'em.
Computers. The lust, the hunger, for computers. The loyalty they
inspire, the intense sense of possessiveness. The culture they have bred.
I myself am sitting in downtown Phoenix, Arizona because it suddenly
occurred to me that the police might -- just *might* -- come and take away
my computer. The prospect of this, the mere *implied threat,* was
unbearable. It literally changed my life. It was changing the lives of
many others. Eventually it would change everybody's life.
Gail Thackeray was one of the top computer- crime people in America.
And I was just some novelist, and yet I had a better computer than hers.
*Practically everybody I knew* had a better computer than Gail Thackeray
and her feeble laptop 286. It was like sending the sheriff in to clean up
Dodge City and arming her with a slingshot cut from an old rubber tire.
But then again, you don't need a howitzer to enforce the law. You
can do a lot just with a badge. With a badge alone, you can basically
wreak havoc, take a terrible vengeance on wrongdoers. Ninety percent of
"computer crime investigation" is just "crime investigation:" names,
places, dossiers, modus operandi, search warrants, victims, complainants,
informants...
What will computer crime look like in ten years? Will it get better?
Did "Sundevil" send 'em reeling back in confusion?
It'll be like it is now, only worse, she tells me with perfect
conviction. Still there in the background, ticking along, changing with
the times: the criminal underworld. It'll be like drugs are. Like our
problems with alcohol. All the cops and laws in the world never solved
our problems with alcohol. If there's something people want, a certain
percentage of them are just going to take it. Fifteen percent of the
populace will never steal. Fifteen percent will steal most anything not
nailed down. The battle is for the hearts and minds of the remaining
seventy percent.
And criminals catch on fast. If there's not "too steep a learning
curve" -- if it doesn't require a baffling amount of expertise and
practice -- then criminals are often some of the first through the gate of
a new technology. Especially if it helps them to hide. They have tons of
cash, criminals. The new communications tech -- like pagers, cellular
phones, faxes, Federal Express -- were pioneered by rich corporate people,
and by criminals. In the early years of pagers and beepers, dope dealers
were so enthralled this technology that owing a beeper was practically
prima facie evidence of cocaine dealing. CB radio exploded when the speed
limit hit 55 and breaking the highway law became a national pastime. Dope
dealers send cash by Federal Express, despite, or perhaps *because of,*
the warnings in FedEx offices that tell you never to try this. Fed Ex
uses X-rays and dogs on their mail, to stop drug shipments. That doesn't
work very well.
Drug dealers went wild over cellular phones. There are simple methods
of faking ID on cellular phones, making the location of the call mobile,
free of charge, and effectively untraceable. Now victimized cellular
companies routinely bring in vast toll-lists of calls to Colombia and
Pakistan.
Judge Greene's fragmentation of the phone company is driving law
enforcement nuts. Four thousand telecommunications companies. Fraud
skyrocketing. Every temptation in the world available with a phone and a
credit card number. Criminals untraceable. A galaxy of "new neat rotten
things to do."
If there were one thing Thackeray would like to have, it would be an
effective legal end-run through this new fragmentation minefield.
It would be a new form of electronic search warrant, an "electronic
letter of marque" to be issued by a judge. It would create a new category
of "electronic emergency." Like a wiretap, its use would be rare, but it
would cut across state lines and force swift cooperation from all
concerned. Cellular, phone, laser, computer network, PBXes, AT&T, Baby
Bells, long-distance entrepreneurs, packet radio. Some document, some
mighty court-order, that could slice through four thousand separate forms
of corporate red-tape, and get her at once to the source of calls, the
source of email threats and viruses, the sources of bomb threats,
kidnapping threats. "From now on," she says, "the Lindberg baby will
always die."
Something that would make the Net sit still, if only for a moment.
Something that would get her up to speed. Seven league boots. That's
what she really needs. "Those guys move in nanoseconds and I'm on the
Pony Express."
And then, too, there's the coming international angle. Electronic
crime has never been easy to localize, to tie to a physical jurisdiction.
And phone- phreaks and hackers loathe boundaries, they jump them whenever
they can. The English. The Dutch. And the Germans, especially the
ubiquitous Chaos Computer Club. The Australians. They've all learned
phone-phreaking from America. It's a growth mischief industry. The
multinational networks are global, but governments and the police simply
aren't. Neither are the laws. Or the legal frameworks for citizen
protection.
One language is global, though -- English. Phone phreaks speak
English; it's their native tongue even if they're Germans. English may
have started in England but now it's the Net language; it might as well be
called "CNNese."
Asians just aren't much into phone phreaking. They're the world
masters at organized software piracy. The French aren't into
phone-phreaking either. The French are into computerized industrial
espionage.
In the old days of the MIT righteous hackerdom, crashing systems
didn't hurt anybody. Not all that much, anyway. Not permanently. Now the
players are more venal. Now the consequences are worse. Hacking will
begin killing people soon. Already there are methods of stacking calls
onto 911 systems, annoying the police, and possibly causing the death of
some poor soul calling in with a genuine emergency. Hackers in Amtrak
computers, or air- traffic control computers, will kill somebody someday.
Maybe a lot of people. Gail Thackeray expects it.
And the viruses are getting nastier. The "Scud" virus is the latest
one out. It wipes hard-disks.
According to Thackeray, the idea that phone- phreaks are Robin Hoods
is a fraud. They don't deserve this repute. Basically, they pick on the
weak. AT&T now protects itself with the fearsome ANI (Automatic Number
Identification) trace capability. When AT&T wised up and tightened
security generally, the phreaks drifted into the Baby Bells. The Baby
Bells lashed out in 1989 and 1990, so the phreaks switched to smaller
long-distance entrepreneurs. Today, they are moving into locally owned
PBXes and voice-mail systems, which are full of security holes, dreadfully
easy to hack. These victims aren't the moneybags Sheriff of Nottingham or
Bad King John, but small groups of innocent people who find it hard to
protect themselves, and who really suffer from these depredations. Phone
phreaks pick on the weak. They do it for power. If it were legal, they
wouldn't do it. They don't want service, or knowledge, they want the
thrill of power- tripping. There's plenty of knowledge or service around,
if you're willing to pay. Phone phreaks don't pay, they steal. It's
because it is illegal that it feels like power, that it gratifies their
vanity.
I leave Gail Thackeray with a handshake at the door of her office
building -- a vast International- Style office building downtown. The
Sheriff's office is renting part of it. I get the vague impression that
quite a lot of the building is empty -- real estate crash.
In a Phoenix sports apparel store, in a downtown mall, I meet the
"Sun Devil" himself. He is the cartoon mascot of Arizona State
University, whose football stadium, "Sundevil," is near the local Secret
Service HQ -- hence the name Operation Sundevil. The Sun Devil himself is
named "Sparky." Sparky the Sun Devil is maroon and bright yellow, the
school colors. Sparky brandishes a three-tined yellow pitchfork. He has
a small mustache, pointed ears, a barbed tail, and is dashing forward
jabbing the air with the pitchfork, with an expression of devilish glee.
Phoenix was the home of Operation Sundevil. The Legion of Doom ran a
hacker bulletin board called "The Phoenix Project." An Australian hacker
named "Phoenix" once burrowed through the Internet to attack Cliff Stoll,
then bragged and boasted about it to *The New York Times.* This net of
coincidence is both odd and meaningless.
The headquarters of the Arizona Attorney General, Gail Thackeray's
former workplace, is on 1275 Washington Avenue. Many of the downtown
streets in Phoenix are named after prominent American presidents:
Washington, Jefferson, Madison....
After dark, all the employees go home to their suburbs. Washington,
Jefferson and Madison -- what would be the Phoenix inner city, if there
were an inner city in this sprawling automobile-bred town -- become the
haunts of transients and derelicts. The homeless. The sidewalks along
Washington are lined with orange trees. Ripe fallen fruit lies scattered
like croquet balls on the sidewalks and gutters. No one seems to be
eating them. I try a fresh one. It tastes unbearably bitter.
The Attorney General's office, built in 1981 during the Babbitt
administration, is a long low two- story building of white cement and
wall-sized sheets of curtain-glass. Behind each glass wall is a lawyer's
office, quite open and visible to anyone strolling by. Across the street
is a dour government building labelled simply ECONOMIC SECURITY, something
that has not been in great supply in the American Southwest lately.
The offices are about twelve feet square. They feature tall wooden
cases full of red-spined lawbooks; Wang computer monitors; telephones;
Post-it notes galore. Also framed law diplomas and a general excess of
bad Western landscape art. Ansel Adams photos are a big favorite, perhaps
to compensate for the dismal specter of the parking- lot, two acres of
striped black asphalt, which features gravel landscaping and some
sickly-looking barrel cacti.
It has grown dark. Gail Thackeray has told me that the people who
work late here, are afraid of muggings in the parking lot. It seems
cruelly ironic that a woman tracing electronic racketeers across the
interstate labyrinth of Cyberspace should fear an assault by a homeless
derelict in the parking lot of her own workplace.
Perhaps this is less than coincidence. Perhaps these two seemingly
disparate worlds are somehow generating one another. The poor and
disenfranchised take to the streets, while the rich and computer-equipped,
safe in their bedrooms, chatter over their modems. Quite often the
derelicts kick the glass out and break in to the lawyers' offices, if they
see something they need or want badly enough.
I cross the parking lot to the street behind the Attorney General's
office. A pair of young tramps are bedding down on flattened sheets of
cardboard, under an alcove stretching over the sidewalk. One tramp wears
a glitter-covered T-shirt reading "CALIFORNIA" in Coca-Cola cursive. His
nose and cheeks look chafed and swollen; they glisten with what seems to
be Vaseline. The other tramp has a ragged long-sleeved shirt and lank
brown hair parted in the middle. They both wear blue jeans coated in
grime. They are both drunk.
"You guys crash here a lot?" I ask them.
They look at me warily. I am wearing black jeans, a black pinstriped
suit jacket and a black silk tie. I have odd shoes and a funny haircut.
"It's our first time here," says the red-nosed tramp unconvincingly.
There is a lot of cardboard stacked here. More than any two people could
use.
"We usually stay at the Vinnie's down the street," says the
brown-haired tramp, puffing a Marlboro with a meditative air, as he
sprawls with his head on a blue nylon backpack. "The Saint Vincent's."
"You know who works in that building over there?" I ask, pointing.
The brown-haired tramp shrugs. "Some kind of attorneys, it says."
We urge one another to take it easy. I give them five bucks.
A block down the street I meet a vigorous workman who is wheeling
along some kind of industrial trolley; it has what appears to be a tank of
propane on it.
We make eye contact. We nod politely. I walk past him. "Hey!
Excuse me sir!" he says.
"Yes?" I say, stopping and turning.
"Have you seen," the guy says rapidly, "a black guy, about 6'7",
scars on both his cheeks like this --" he gestures -- "wears a black
baseball cap on backwards, wandering around here anyplace?"
"Sounds like I don't much *want* to meet him," I say.
"He took my wallet," says my new acquaintance. "Took it this morning.
Y'know, some people would be *scared* of a guy like that. But I'm not
scared. I'm from Chicago. I'm gonna hunt him down. We do things like
that in Chicago."
"Yeah?"
"I went to the cops and now he's got an APB out on his ass," he says
with satisfaction. "You run into him, you let me know."
"Okay," I say. "What is your name, sir?"
"Stanley...."
"And how can I reach you?"
"Oh," Stanley says, in the same rapid voice, "you don't have to
reach, uh, me. You can just call the cops. Go straight to the cops." He
reaches into a pocket and pulls out a greasy piece of pasteboard. "See,
here's my report on him."
I look. The "report," the size of an index card, is labelled
PRO-ACT: Phoenix Residents Opposing Active Crime Threat.... or is it
Organized Against Crime Threat? In the darkening street it's hard to
read. Some kind of vigilante group? Neighborhood watch? I feel very
puzzled.
"Are you a police officer, sir?"
He smiles, seems very pleased by the question.
"No," he says.
"But you are a 'Phoenix Resident?'"
"Would you believe a homeless person," Stanley says.
"Really? But what's with the..." For the first time I take a close
look at Stanley's trolley. It's a rubber-wheeled thing of industrial
metal, but the device I had mistaken for a tank of propane is in fact a
water-cooler. Stanley also has an Army duffel-bag, stuffed tight as a
sausage with clothing or perhaps a tent, and, at the base of his trolley,
a cardboard box and a battered leather briefcase.
"I see," I say, quite at a loss. For the first time I notice that
Stanley has a wallet. He has not lost his wallet at all. It is in his
back pocket and chained to his belt. It's not a new wallet. It seems to
have seen a lot of wear.
"Well, you know how it is, brother," says Stanley. Now that I know
that he is homeless -- *a possible threat* -- my entire perception of him
has changed in an instant. His speech, which once seemed just bright and
enthusiastic, now seems to have a dangerous tang of mania. "I have to do
this!" he assures me. "Track this guy down... It's a thing I do... you
know... to keep myself together!" He smiles, nods, lifts his trolley by
its decaying rubber handgrips.
"Gotta work together, y'know, " Stanley booms, his face alight with
cheerfulness, "the police can't do everything!"
The gentlemen I met in my stroll in downtown Phoenix are the only
computer illiterates in this book. To regard them as irrelevant, however,
would be a grave mistake.
As computerization spreads across society, the populace at large is
subjected to wave after wave of future shock. But, as a necessary
converse, the "computer community" itself is subjected to wave after wave
of incoming computer illiterates. How will those currently enjoying
America's digital bounty regard, and treat, all this teeming refuse
yearning to breathe free? Will the electronic frontier be another Land of
Opportunity -- or an armed and monitored enclave, where the
disenfranchised snuggle on their cardboard at the locked doors of our
houses of justice?
Some people just don't get along with computers. They can't read.
They can't type. They just don't have it in their heads to master arcane
instructions in wirebound manuals. Somewhere, the process of
computerization of the populace will reach a limit. Some people -- quite
decent people maybe, who might have thrived in any other situation -- will
be left irretrievably outside the bounds. What's to be done with these
people, in the bright new shiny electroworld? How will they be regarded,
by the mouse-whizzing masters of cyberspace? With contempt?
Indifference? Fear?
In retrospect, it astonishes me to realize how quickly poor Stanley
became a perceived threat. Surprise and fear are closely allied feelings.
And the world of computing is full of surprises.
I met one character in the streets of Phoenix whose role in those
book is supremely and directly relevant. That personage was Stanley's
giant thieving scarred phantom. This phantasm is everywhere in this book.
He is the specter haunting cyberspace.
Sometimes he's a maniac vandal ready to smash the phone system for no
sane reason at all. Sometimes he's a fascist fed, coldly programming his
mighty mainframes to destroy our Bill of Rights. Sometimes he's a telco
bureaucrat, covertly conspiring to register all modems in the service of
an Orwellian surveillance regime. Mostly, though, this fearsome phantom
is a "hacker." He's strange, he doesn't belong, he's not authorized, he
doesn't smell right, he's not keeping his proper place, he's not one of
us. The focus of fear is the hacker, for much the same reasons that
Stanley's fancied assailant is black.
Stanley's demon can't go away, because he doesn't exist. Despite
singleminded and tremendous effort, he can't be arrested, sued, jailed, or
fired. The only constructive way to do *anything* about him is to learn
more about Stanley himself. This learning process may be repellent, it may
be ugly, it may involve grave elements of paranoiac confusion, but it's
necessary. Knowing Stanley requires something more than class-crossing
condescension. It requires more than steely legal objectivity. It
requires human compassion and sympathy.
To know Stanley is to know his demon. If you know the other guy's
demon, then maybe you'll come to know some of your own. You'll be able to
separate reality from illusion. And then you won't do your cause, and
yourself, more harm than good. Like poor damned Stanley from Chicago did.
#
The Federal Computer Investigations Committee (FCIC) is the most
important and influential organization in the realm of American
computer-crime. Since the police of other countries have largely taken
their computer-crime cues from American methods, the FCIC might well be
called the most important computer crime group in the world.
It is also, by federal standards, an organization of great
unorthodoxy. State and local investigators mix with federal agents.
Lawyers, financial auditors and computer-security programmers trade notes
with street cops. Industry vendors and telco security people show up to
explain their gadgetry and plead for protection and justice. Private
investigators, think-tank experts and industry pundits throw in their two
cents' worth. The FCIC is the antithesis of a formal bureaucracy.
Members of the FCIC are obscurely proud of this fact; they recognize
their group as aberrant, but are entirely convinced that this, for them,
outright *weird* behavior is nevertheless *absolutely necessary* to get
their jobs done.
FCIC regulars -- from the Secret Service, the FBI, the IRS, the
Department of Labor, the offices of federal attorneys, state police, the
Air Force, from military intelligence -- often attend meetings, held
hither and thither across the country, at their own expense. The FCIC
doesn't get grants. It doesn't charge membership fees. It doesn't have a
boss. It has no headquarters -- just a mail drop in Washington DC, at the
Fraud Division of the Secret Service. It doesn't have a budget. It
doesn't have schedules. It meets three times a year -- sort of. Sometimes
it issues publications, but the FCIC has no regular publisher, no
treasurer, not even a secretary. There are no minutes of FCIC meetings.
Non-federal people are considered "non-voting members," but there's not
much in the way of elections. There are no badges, lapel pins or
certificates of membership. Everyone is on a first- name basis. There
are about forty of them. Nobody knows how many, exactly. People come,
people go -- sometimes people "go" formally but still hang around anyway.
Nobody has ever exactly figured out what "membership" of this "Committee"
actually entails.
Strange as this may seem to some, to anyone familiar with the social
world of computing, the "organization" of the FCIC is very recognizable.
For years now, economists and management theorists have speculated
that the tidal wave of the information revolution would destroy rigid,
pyramidal bureaucracies, where everything is top- down and centrally
controlled. Highly trained "employees" would take on much greater
autonomy, being self-starting, and self-motivating, moving from place to
place, task to task, with great speed and fluidity. "Ad-hocracy" would
rule, with groups of people spontaneously knitting together across
organizational lines, tackling the problem at hand, applying intense
computer-aided expertise to it, and then vanishing whence they came.
This is more or less what has actually happened in the world of
federal computer investigation. With the conspicuous exception of the
phone companies, which are after all over a hundred years old, practically
*every* organization that plays any important role in this book functions
just like the FCIC. The Chicago Task Force, the Arizona Racketeering
Unit, the Legion of Doom, the Phrack crowd, the Electronic Frontier
Foundation -- they *all* look and act like "tiger teams" or "user's
groups." They are all electronic ad-hocracies leaping up spontaneously to
attempt to meet a need.
Some are police. Some are, by strict definition, criminals. Some
are political interest-groups. But every single group has that same
quality of apparent spontaneity -- "Hey, gang! My uncle's got a barn --
let's put on a show!"
Every one of these groups is embarrassed by this "amateurism," and,
for the sake of their public image in a world of non-computer people, they
all attempt to look as stern and formal and impressive as possible. These
electronic frontier-dwellers resemble groups of nineteenth-century
pioneers hankering after the respectability of statehood. There are
however, two crucial differences in the historical experience of these
"pioneers" of the nineteeth and twenty-first centuries.
First, powerful information technology *does* play into the hands
of small, fluid, loosely organized groups. There have always been
"pioneers," "hobbyists," "amateurs," "dilettantes," "volunteers,"
"movements," "users' groups" and "blue-ribbon panels of experts" around.
But a group of this kind - - when technically equipped to ship huge
amounts of specialized information, at lightning speed, to its members, to
government, and to the press -- is simply a different kind of animal.
It's like the difference between an eel and an electric eel.
The second crucial change is that American society is currently in a
state approaching permanent technological revolution. In the world of
computers particularly, it is practically impossible to *ever* stop being
a "pioneer," unless you either drop dead or deliberately jump off the bus.
The scene has never slowed down enough to become well-institutionalized.
And after twenty, thirty, forty years the "computer revolution" continues
to spread, to permeate new corners of society. Anything that really works
is already obsolete.
If you spend your entire working life as a "pioneer," the word
"pioneer" begins to lose its meaning. Your way of life looks less and
less like an introduction to "something else" more stable and organized,
and more and more like *just the way things are.* A "permanent revolution"
is really a contradiction in terms. If "turmoil" lasts long enough, it
simply becomes *a new kind of society* -- still the same game of history,
but new players, new rules.
Apply this to the world of late twentieth-century law enforcement,
and the implications are novel and puzzling indeed. Any bureaucratic
rulebook you write about computer-crime will be flawed when you write it,
and almost an antique by the time it sees print. The fluidity and fast
reactions of the FCIC give them a great advantage in this regard, which
explains their success. Even with the best will in the world (which it
does not, in fact, possess) it is impossible for an organization the size
of the U.S. Federal Bureau of Investigation to get up to speed on the
theory and practice of computer crime. If they tried to train all their
agents to do this, it would be *suicidal,* as they would *never be able to
do anything else.*
The FBI does try to train its agents in the basics of electronic
crime, at their base in Quantico, Virginia. And the Secret Service, along
with many other law enforcement groups, runs quite successful and
well-attended training courses on wire fraud, business crime, and computer
intrusion at the Federal Law Enforcement Training Center (FLETC,
pronounced "fletsy") in Glynco, Georgia. But the best efforts of these
bureaucracies does not remove the absolute need for a "cutting-edge mess"
like the FCIC.
For you see -- the members of FCIC *are* the trainers of the rest of
law enforcement. Practically and literally speaking, they are the Glynco
computer-crime faculty by another name. If the FCIC went over a cliff on
a bus, the U.S. law enforcement community would be rendered deaf dumb and
blind in the world of computer crime, and would swiftly feel a desperate
need to reinvent them. And this is no time to go starting from scratch.
On June 11, 1991, I once again arrived in Phoenix, Arizona, for the
latest meeting of the Federal Computer Investigations Committee. This was
more or less the twentieth meeting of this stellar group. The count was
uncertain, since nobody could figure out whether to include the meetings
of "the Colluquy," which is what the FCIC was called in the mid-1980s
before it had even managed to obtain the dignity of its own acronym.
Since my last visit to Arizona, in May, the local AzScam bribery
scandal had resolved itself in a general muddle of humiliation. The
Phoenix chief of police, whose agents had videotaped nine state
legislators up to no good, had resigned his office in a tussle with the
Phoenix city council over the propriety of his undercover operations.
The Phoenix Chief could now join Gail Thackeray and eleven of her
closest associates in the shared experience of politically motivated
unemployment. As of June, resignations were still continuing at the
Arizona Attorney General's office, which could be interpreted as either a
New Broom Sweeping Clean or a Night of the Long Knives Part II, depending
on your point of view.
The meeting of FCIC was held at the Scottsdale Hilton Resort.
Scottsdale is a wealthy suburb of Phoenix, known as "Scottsdull" to
scoffing local trendies, but well-equipped with posh shopping- malls and
manicured lawns, while conspicuously undersupplied with homeless
derelicts. The Scottsdale Hilton Resort was a sprawling hotel in
postmodern crypto-Southwestern style. It featured a "mission bell tower"
plated in turquoise tile and vaguely resembling a Saudi minaret.
Inside it was all barbarically striped Santa Fe Style decor. There
was a health spa downstairs and a large oddly-shaped pool in the patio. A
poolside umbrella-stand offered Ben and Jerry's politically correct Peace
Pops.
I registered as a member of FCIC, attaining a handy discount rate,
then went in search of the Feds. Sure enough, at the back of the hotel
grounds came the unmistakable sound of Gail Thackeray holding forth.
Since I had also attended the Computers Freedom and Privacy
conference (about which more later), this was the second time I had seen
Thackeray in a group of her law enforcement colleagues. Once again I was
struck by how simply pleased they seemed to see her. It was natural that
she'd get *some* attention, as Gail was one of two women in a group of
some thirty men; but there was a lot more to it than that.
Gail Thackeray personifies the social glue of the FCIC. They could
give a damn about her losing her job with the Attorney General. They were
sorry about it, of course, but hell, they'd all lost jobs. If they were
the kind of guys who liked steady boring jobs, they would never have
gotten into computer work in the first place.
I wandered into her circle and was immediately introduced to five
strangers. The conditions of my visit at FCIC were reviewed. I would not
quote anyone directly. I would not tie opinions expressed to the agencies
of the attendees. I would not (a purely hypothetical example) report the
conversation of a guy from the Secret Service talking quite civilly to a
guy from the FBI, as these two agencies *never* talk to each other, and
the IRS (also present, also hypothetical) *never talks to anybody.*
Worse yet, I was forbidden to attend the first conference. And I
didn't. I have no idea what the FCIC was up to behind closed doors that
afternoon. I rather suspect that they were engaging in a frank and
thorough confession of their errors, goof-ups and blunders, as this has
been a feature of every FCIC meeting since their legendary Memphis beer-
bust of 1986. Perhaps the single greatest attraction of FCIC is that it
is a place where you can go, let your hair down, and completely level with
people who actually comprehend what you are talking about. Not only do
they understand you, but they *really pay attention,* they are *grateful
for your insights,* and they *forgive you,* which in nine cases out of ten
is something even your boss can't do, because as soon as you start talking
"ROM," "BBS," or "T-1 trunk," his eyes glaze over.
I had nothing much to do that afternoon. The FCIC were beavering
away in their conference room. Doors were firmly closed, windows too dark
to peer through. I wondered what a real hacker, a computer intruder,
would do at a meeting like this.
The answer came at once. He would "trash" the place. Not reduce the
place to trash in some orgy of vandalism; that's not the use of the term
in the hacker milieu. No, he would quietly *empty the trash baskets* and
silently raid any valuable data indiscreetly thrown away.
Journalists have been known to do this. (Journalists hunting
information have been known to do almost every single unethical thing that
hackers have ever done. They also throw in a few awful techniques all
their own.) The legality of 'trashing' is somewhat dubious but it is not
in fact flagrantly illegal. It was, however, absurd to contemplate
trashing the FCIC. These people knew all about trashing. I wouldn't last
fifteen seconds.
The idea sounded interesting, though. I'd been hearing a lot about
the practice lately. On the spur of the moment, I decided I would try
trashing the office *across the hall* from the FCIC, an area which had
nothing to do with the investigators.
The office was tiny; six chairs, a table.... Nevertheless, it was
open, so I dug around in its plastic trash can.
To my utter astonishment, I came up with the torn scraps of a SPRINT
long-distance phone bill. More digging produced a bank statement and the
scraps of a hand-written letter, along with gum, cigarette ashes, candy
wrappers and a day-old-issue of USA TODAY.
The trash went back in its receptacle while the scraps of data went
into my travel bag. I detoured through the hotel souvenir shop for some
Scotch tape and went up to my room.
Coincidence or not, it was quite true. Some poor soul had, in fact,
thrown a SPRINT bill into the hotel's trash. Date May 1991, total amount
due: $252.36. Not a business phone, either, but a residential bill, in
the name of someone called Evelyn (not her real name). Evelyn's records
showed a ## PAST DUE BILL ##! Here was her nine-digit account ID. Here
was a stern computer-printed warning:
"TREAT YOUR FONCARD AS YOU WOULD ANY CREDIT CARD. TO SECURE AGAINST
FRAUD, NEVER GIVE YOUR FONCARD NUMBER OVER THE PHONE UNLESS YOU INITIATED
THE CALL. IF YOU RECEIVE SUSPICIOUS CALLS PLEASE NOTIFY CUSTOMER SERVICE
IMMEDIATELY!"
I examined my watch. Still plenty of time left for the FCIC to carry
on. I sorted out the scraps of Evelyn's SPRINT bill and re-assembled them
with fresh Scotch tape. Here was her ten-digit FONCARD number. Didn't
seem to have the ID number necessary to cause real fraud trouble.
I did, however, have Evelyn's home phone number. And the phone
numbers for a whole crowd of Evelyn's long-distance friends and
acquaintances. In San Diego, Folsom, Redondo, Las Vegas, La Jolla, Topeka,
and Northampton Massachusetts. Even somebody in Australia!
I examined other documents. Here was a bank statement. It was
Evelyn's IRA account down at a bank in San Mateo California (total balance
$1877.20). Here was a charge-card bill for $382.64. She was paying it off
bit by bit.
Driven by motives that were completely unethical and prurient, I now
examined the handwritten notes. They had been torn fairly thoroughly, so
much so that it took me almost an entire five minutes to reassemble them.
They were drafts of a love letter. They had been written on the
lined stationery of Evelyn's employer, a biomedical company. Probably
written at work when she should have been doing something else.
"Dear Bob," (not his real name) "I guess in everyone's life there
comes a time when hard decisions have to be made, and this is a difficult
one for me -- very upsetting. Since you haven't called me, and I don't
understand why, I can only surmise it's because you don't want to. I
thought I would have heard from you Friday. I did have a few unusual
problems with my phone and possibly you tried, I hope so.
"Robert, you asked me to 'let go'..."
The first note ended. *Unusual problems with her phone?* I looked
swiftly at the next note.
"Bob, not hearing from you for the whole weekend has left me very
perplexed..."
Next draft.
"Dear Bob, there is so much I don't understand right now, and I wish
I did. I wish I could talk to you, but for some unknown reason you have
elected not to call -- this is so difficult for me to understand..."
She tried again.
"Bob, Since I have always held you in such high esteem, I had every
hope that we could remain good friends, but now one essential ingredient
is missing - - respect. Your ability to discard people when their purpose
is served is appalling to me. The kindest thing you could do for me now
is to leave me alone. You are no longer welcome in my heart or home..."
Try again.
"Bob, I wrote a very factual note to you to say how much respect I
had lost for you, by the way you treat people, me in particular, so
uncaring and cold. The kindest thing you can do for me is to leave me
alone entirely, as you are no longer welcome in my heart or home. I would
appreciate it if you could retire your debt to me as soon as possible -- I
wish no link to you in any way. Sincerely, Evelyn."
Good heavens, I thought, the bastard actually owes her money! I
turned to the next page.
"Bob: very simple. GOODBYE! No more mind games -- no more
fascination -- no more coldness -- no more respect for you! It's over --
Finis. Evie"
There were two versions of the final brushoff letter, but they read
about the same. Maybe she hadn't sent it. The final item in my illicit
and shameful booty was an envelope addressed to "Bob" at his home address,
but it had no stamp on it and it hadn't been mailed.
Maybe she'd just been blowing off steam because her rascal boyfriend
had neglected to call her one weekend. Big deal. Maybe they'd kissed and
made up, maybe she and Bob were down at Pop's Chocolate Shop now, sharing
a malted. Sure.
Easy to find out. All I had to do was call Evelyn up. With a
half-clever story and enough brass- plated gall I could probably trick the
truth out of her. Phone-phreaks and hackers deceive people over the phone
all the time. It's called "social engineering." Social engineering is a
very common practice in the underground, and almost magically effective.
Human beings are almost always the weakest link in computer security. The
simplest way to learn Things You Are Not Meant To Know is simply to call
up and exploit the knowledgeable people. With social engineering, you use
the bits of specialized knowledge you already have as a key, to manipulate
people into believing that you are legitimate. You can then coax,
flatter, or frighten them into revealing almost anything you want to know.
Deceiving people (especially over the phone) is easy and fun. Exploiting
their gullibility is very gratifying; it makes you feel very superior to
them.
If I'd been a malicious hacker on a trashing raid, I would now have
Evelyn very much in my power. Given all this inside data, it wouldn't
take much effort at all to invent a convincing lie. If I were ruthless
enough, and jaded enough, and clever enough, this momentary indiscretion
of hers -- maybe committed in tears, who knows -- could cause her a whole
world of confusion and grief.
I didn't even have to have a *malicious* motive. Maybe I'd be "on her
side," and call up Bob instead, and anonymously threaten to break both his
kneecaps if he didn't take Evelyn out for a steak dinner pronto. It was
still profoundly *none of my business.* To have gotten this knowledge at
all was a sordid act and to use it would be to inflict a sordid injury.
To do all these awful things would require exactly zero high-tech
expertise. All it would take was the willingness to do it and a certain
amount of bent imagination.
I went back downstairs. The hard-working FCIC, who had labored
forty-five minutes over their schedule, were through for the day, and
adjourned to the hotel bar. We all had a beer.
I had a chat with a guy about "Isis," or rather IACIS, the
International Association of Computer Investigation Specialists. They're
into "computer forensics," the techniques of picking computer- systems
apart without destroying vital evidence. IACIS, currently run out of
Oregon, is comprised of investigators in the U.S., Canada, Taiwan and
Ireland. "Taiwan and Ireland?" I said. Are *Taiwan* and *Ireland*
really in the forefront of this stuff? Well not exactly, my informant
admitted. They just happen to have been the first ones to have caught on
by word of mouth. Still, the international angle counts, because this is
obviously an international problem. Phone-lines go everywhere.
There was a Mountie here from the Royal Canadian Mounted Police. He
seemed to be having quite a good time. Nobody had flung this Canadian out
because he might pose a foreign security risk. These are cyberspace cops.
They still worry a lot about "jurisdictions," but mere geography is the
least of their troubles.
NASA had failed to show. NASA suffers a lot from computer
intrusions, in particular from Australian raiders and a well-trumpeted
Chaos Computer Club case, and in 1990 there was a brief press flurry when
it was revealed that one of NASA's Houston branch-exchanges had been
systematically ripped off by a gang of phone-phreaks. But the NASA guys
had had their funding cut. They were stripping everything.
Air Force OSI, its Office of Special Investigations, is the *only*
federal entity dedicated full-time to computer security. They'd been
expected to show up in force, but some of them had cancelled -- a Pentagon
budget pinch.
As the empties piled up, the guys began joshing around and telling
war-stories. "These are cops," Thackeray said tolerantly. "If they're
not talking shop they talk about women and beer."
I heard the story about the guy who, asked for "a copy" of a computer
disk, *photocopied the label on it.* He put the floppy disk onto the glass
plate of a photocopier. The blast of static when the copier worked
completely erased all the real information on the disk.
Some other poor souls threw a whole bag of confiscated diskettes into
the squad-car trunk next to the police radio. The powerful radio signal
blasted them, too.
We heard a bit about Dave Geneson, the first computer prosecutor, a
mainframe-runner in Dade County, turned lawyer. Dave Geneson was one guy
who had hit the ground running, a signal virtue in making the transition
to computer-crime. It was generally agreed that it was easier to learn
the world of computers first, then police or prosecutorial work. You could
take certain computer people and train 'em to successful police work --
but of course they had to have the *cop mentality.* They had to have
street smarts. Patience. Persistence. And discretion. You've got to
make sure they're not hot- shots, show-offs, "cowboys."
Most of the folks in the bar had backgrounds in military
intelligence, or drugs, or homicide. It was rudely opined that "military
intelligence" was a contradiction in terms, while even the grisly world of
homicide was considered cleaner than drug enforcement. One guy had been
'way undercover doing dope-work in Europe for four years straight. "I'm
almost recovered now," he said deadpan, with the acid black humor that is
pure cop. "Hey, now I can say *fucker* without putting *mother* in front
of it."
"In the cop world," another guy said earnestly, "everything is good
and bad, black and white. In the computer world everything is gray."
One guy -- a founder of the FCIC, who'd been with the group since it
was just the Colluquy -- described his own introduction to the field.
He'd been a Washington DC homicide guy called in on a "hacker" case. From
the word "hacker," he naturally assumed he was on the trail of a
knife-wielding marauder, and went to the computer center expecting blood
and a body. When he finally figured out what was happening there (after
loudly demanding, in vain, that the programmers "speak English"), he
called headquarters and told them he was clueless about computers. They
told him nobody else knew diddly either, and to get the hell back to work.
So, he said, he had proceeded by comparisons. By analogy. By
metaphor. "Somebody broke in to your computer, huh?" Breaking and
entering; I can understand that. How'd he get in? "Over the phone-
lines." Harassing phone-calls, I can understand that! What we need here
is a tap and a trace!
It worked. It was better than nothing. And it worked a lot faster
when he got hold of another cop who'd done something similar. And then
the two of them got another, and another, and pretty soon the Colluquy was
a happening thing. It helped a lot that everybody seemed to know Carlton
Fitzpatrick, the data-processing trainer in Glynco.
The ice broke big-time in Memphis in '86. The Colluquy had attracted
a bunch of new guys -- Secret Service, FBI, military, other feds, heavy
guys. Nobody wanted to tell anybody anything. They suspected that if word
got back to the home office they'd all be fired. They passed an
uncomfortably guarded afternoon.
The formalities got them nowhere. But after the formal session was
over, the organizers brought in a case of beer. As soon as the
participants knocked it off with the bureaucratic ranks and turf-fighting,
everything changed. "I bared my soul," one veteran reminisced proudly.
By nightfall they were building pyramids of empty beer-cans and doing
everything but composing a team fight song.
FCIC were not the only computer-crime people around. There was DATTA
(District Attorneys' Technology Theft Association), though they mostly
specialized in chip theft, intellectual property, and black-market cases.
There was HTCIA (High Tech Computer Investigators Association), also out
in Silicon Valley, a year older than FCIC and featuring brilliant people
like Donald Ingraham. There was LEETAC (Law Enforcement Electronic
Technology Assistance Committee) in Florida, and computer- crime units in
Illinois and Maryland and Texas and Ohio and Colorado and Pennsylvania.
But these were local groups. FCIC were the first to really network
nationally and on a federal level.
FCIC people live on the phone lines. Not on bulletin board systems
-- they know very well what boards are, and they know that boards aren't
secure. Everyone in the FCIC has a voice-phone bill like you wouldn't
believe. FCIC people have been tight with the telco people for a long
time. Telephone cyberspace is their native habitat.
FCIC has three basic sub-tribes: the trainers, the security people,
and the investigators. That's why it's called an "Investigations
Committee" with no mention of the term "computer-crime" -- the dreaded
"C-word." FCIC, officially, is "an association of agencies rather than
individuals;" unofficially, this field is small enough that the influence
of individuals and individual expertise is paramount. Attendance is by
invitation only, and most everyone in FCIC considers himself a prophet
without honor in his own house.
Again and again I heard this, with different terms but identical
sentiments. "I'd been sitting in the wilderness talking to myself." "I
was totally isolated." "I was desperate." "FCIC is the best thing there
is about computer crime in America." "FCIC is what really works." "This
is where you hear real people telling you what's really happening out
there, not just lawyers picking nits." "We taught each other everything
we knew."
The sincerity of these statements convinces me that this is true.
FCIC is the real thing and it is invaluable. It's also very sharply at
odds with the rest of the traditions and power structure in American law
enforcement. There probably hasn't been anything around as loose and
go-getting as the FCIC since the start of the U.S. Secret Service in the
1860s. FCIC people are living like twenty-first- century people in a
twentieth-century environment, and while there's a great deal to be said
for that, there's also a great deal to be said against it, and those
against it happen to control the budgets.
I listened to two FCIC guys from Jersey compare life histories. One
of them had been a biker in a fairly heavy-duty gang in the 1960s. "Oh,
did you know so-and-so?" said the other guy from Jersey. "Big guy,
heavyset?"
"Yeah, I knew him."
"Yeah, he was one of ours. He was our plant in the gang."
"Really? Wow! Yeah, I knew him. Helluva guy."
Thackeray reminisced at length about being tear-gassed blind in the
November 1969 antiwar protests in Washington Circle, covering them for her
college paper. "Oh yeah, I was there," said another cop. "Glad to hear
that tear gas hit somethin'. Haw haw haw." He'd been so blind himself,
he confessed, that later that day he'd arrested a small tree.
FCIC are an odd group, sifted out by coincidence and necessity, and
turned into a new kind of cop. There are a lot of specialized cops in the
world -- your bunco guys, your drug guys, your tax guys, but the only
group that matches FCIC for sheer isolation are probably the
child-pornography people. Because they both deal with conspirators who
are desperate to exchange forbidden data and also desperate to hide; and
because nobody else in law enforcement even wants to hear about it.
FCIC people tend to change jobs a lot. They tend not to get the
equipment and training they want and need. And they tend to get sued
quite often.
As the night wore on and a band set up in the bar, the talk grew
darker. Nothing ever gets done in government, someone opined, until
there's a *disaster.* Computing disasters are awful, but there's no
denying that they greatly help the credibility of FCIC people. The
Internet Worm, for instance. "For years we'd been warning about that --
but it's nothing compared to what's coming." They expect horrors, these
people. They know that nothing will really get done until there is a
horror.
#
Next day we heard an extensive briefing from a guy who'd been a
computer cop, gotten into hot water with an Arizona city council, and now
installed computer networks for a living (at a considerable rise in pay).
He talked about pulling fiber-optic networks apart.
Even a single computer, with enough peripherals, is a literal
"network" -- a bunch of machines all cabled together, generally with a
complexity that puts stereo units to shame. FCIC people invent and
publicize methods of seizing computers and maintaining their evidence.
Simple things, sometimes, but vital rules of thumb for street cops, who
nowadays often stumble across a busy computer in the midst of a drug
investigation or a white-collar bust. For instance: Photograph the
system before you touch it. Label the ends of all the cables before you
detach anything. "Park" the heads on the disk drives before you move
them. Get the diskettes. Don't put the diskettes in magnetic fields.
Don't write on diskettes with ballpoint pens. Get the manuals. Get the
printouts. Get the handwritten notes. Copy data before you look at it,
and then examine the copy instead of the original.
Now our lecturer distributed copied diagrams of a typical LAN or
"Local Area Network", which happened to be out of Connecticut. *One
hundred and fifty-nine* desktop computers, each with its own peripherals.
Three "file servers." Five "star couplers" each with thirty-two ports.
One sixteen- port coupler off in the corner office. All these machines
talking to each other, distributing electronic mail, distributing
software, distributing, quite possibly, criminal evidence. All linked by
high- capacity fiber-optic cable. A bad guy -- cops talk a lot about "bad
guys" -- might be lurking on PC #47 or #123 and distributing his ill
doings onto some dupe's "personal" machine in another office -- or
another floor -- or, quite possibly, two or three miles away! Or,
conceivably, the evidence might be "data-striped" -- split up into
meaningless slivers stored, one by one, on a whole crowd of different disk
drives.
The lecturer challenged us for solutions. I for one was utterly
clueless. As far as I could figure, the Cossacks were at the gate; there
were probably more disks in this single building than were seized during
the entirety of Operation Sundevil.
"Inside informant," somebody said. Right. There's always the human
angle, something easy to forget when contemplating the arcane recesses of
high technology. Cops are skilled at getting people to talk, and computer
people, given a chair and some sustained attention, will talk about their
computers till their throats go raw. There's a case on record of a single
question -- "How'd you do it?" -- eliciting a forty-five-minute videotaped
confession from a computer criminal who not only completely incriminated
himself but drew helpful diagrams.
Computer people talk. Hackers *brag.* Phone- phreaks talk
*pathologically* -- why else are they stealing phone-codes, if not to
natter for ten hours straight to their friends on an opposite seaboard?
Computer-literate people do in fact possess an arsenal of nifty gadgets
and techniques that would allow them to conceal all kinds of exotic
skullduggery, and if they could only *shut up* about it, they could
probably get away with all manner of amazing information-crimes. But
that's just not how it works -- or at least, that's not how it's worked
*so far.*
Most every phone-phreak ever busted has swiftly implicated his
mentors, his disciples, and his friends. Most every white-collar
computer-criminal, smugly convinced that his clever scheme is bulletproof,
swiftly learns otherwise when, for the first time in his life, an actual
no-kidding policeman leans over, grabs the front of his shirt, looks him
right in the eye and says: "All right, *asshole* -- you and me are going
downtown!" All the hardware in the world will not insulate your nerves
from these actual real-life sensations of terror and guilt.
Cops know ways to get from point A to point Z without thumbing
through every letter in some smart-ass bad-guy's alphabet. Cops know how
to cut to the chase. Cops know a lot of things other people don't know.
Hackers know a lot of things other people don't know, too. Hackers
know, for instance, how to sneak into your computer through the
phone-lines. But cops can show up *right on your doorstep* and carry off
*you* and your computer in separate steel boxes. A cop interested in
hackers can grab them and grill them. A hacker interested in cops has to
depend on hearsay, underground legends, and what cops are willing to
publicly reveal. And the Secret Service didn't get named "the *Secret*
Service" because they blab a lot.
Some people, our lecturer informed us, were under the mistaken
impression that it was "impossible" to tap a fiber-optic line. Well, he
announced, he and his son had just whipped up a fiber-optic tap in his
workshop at home. He passed it around the audience, along with a
circuit-covered LAN plug-in card so we'd all recognize one if we saw it on
a case. We all had a look.
The tap was a classic "Goofy Prototype" -- a thumb-length rounded
metal cylinder with a pair of plastic brackets on it. From one end
dangled three thin black cables, each of which ended in a tiny black
plastic cap. When you plucked the safety-cap off the end of a cable, you
could see the glass fiber - - no thicker than a pinhole.
Our lecturer informed us that the metal cylinder was a "wavelength
division multiplexer." Apparently, what one did was to cut the fiber-optic
cable, insert two of the legs into the cut to complete the network again,
and then read any passing data on the line by hooking up the third leg to
some kind of monitor. Sounded simple enough. I wondered why nobody had
thought of it before. I also wondered whether this guy's son back at the
workshop had any teenage friends.
We had a break. The guy sitting next to me was wearing a giveaway
baseball cap advertising the Uzi submachine gun. We had a desultory chat
about the merits of Uzis. Long a favorite of the Secret Service, it seems
Uzis went out of fashion with the advent of the Persian Gulf War, our Arab
allies taking some offense at Americans toting Israeli weapons. Besides,
I was informed by another expert, Uzis jam. The equivalent weapon of
choice today is the Heckler & Koch, manufactured in Germany.
The guy with the Uzi cap was a forensic photographer. He also did
a lot of photographic surveillance work in computer crime cases. He used
to, that is, until the firings in Phoenix. He was now a private
investigator and, with his wife, ran a photography salon specializing in
weddings and portrait photos. At -- one must repeat -- a considerable
rise in income.
He was still FCIC. If you were FCIC, and you needed to talk to an
expert about forensic photography, well, there he was, willing and able.
If he hadn't shown up, people would have missed him.
Our lecturer had raised the point that preliminary investigation of a
computer system is vital before any seizure is undertaken. It's vital to
understand how many machines are in there, what kinds there are, what kind
of operating system they use, how many people use them, where the actual
data itself is stored. To simply barge into an office demanding "all the
computers" is a recipe for swift disaster.
This entails some discreet inquiries beforehand. In fact, what it
entails is basically undercover work. An intelligence operation.
*Spying,* not to put too fine a point on it.
In a chat after the lecture, I asked an attendee whether "trashing"
might work.
I received a swift briefing on the theory and practice of "trash
covers." Police "trash covers," like "mail covers" or like wiretaps,
require the agreement of a judge. This obtained, the "trashing" work of
cops is just like that of hackers, only more so and much better organized.
So much so, I was informed, that mobsters in Phoenix make extensive use of
locked garbage cans picked up by a specialty high-security trash company.
In one case, a tiger team of Arizona cops had trashed a local
residence for four months. Every week they showed up on the municipal
garbage truck, disguised as garbagemen, and carried the contents of the
suspect cans off to a shade tree, where they combed through the garbage --
a messy task, especially considering that one of the occupants was
undergoing kidney dialysis. All useful documents were cleaned, dried and
examined. A discarded typewriter-ribbon was an especially valuable source
of data, as its long one- strike ribbon of film contained the contents of
every letter mailed out of the house. The letters were neatly retyped by
a police secretary equipped with a large desk-mounted magnifying glass.
There is something weirdly disquieting about the whole subject of
"trashing" -- an unsuspected and indeed rather disgusting mode of deep
personal vulnerability. Things that we pass by every day, that we take
utterly for granted, can be exploited with so little work. Once
discovered, the knowledge of these vulnerabilities tend to spread.
Take the lowly subject of *manhole covers.* The humble manhole cover
reproduces many of the dilemmas of computer-security in miniature. Manhole
covers are, of course, technological artifacts, access-points to our
buried urban infrastructure. To the vast majority of us, manhole covers
are invisible. They are also vulnerable. For many years now, the Secret
Service has made a point of caulking manhole covers along all routes of
the Presidential motorcade. This is, of course, to deter terrorists from
leaping out of underground ambush or, more likely, planting remote-control
car- smashing bombs beneath the street.
Lately, manhole covers have seen more and more criminal exploitation,
especially in New York City. Recently, a telco in New York City
discovered that a cable television service had been sneaking into telco
manholes and installing cable service alongside the phone-lines --
*without paying royalties.* New York companies have also suffered a
general plague of (a) underground copper cable theft; (b) dumping of
garbage, including toxic waste, and (c) hasty dumping of murder victims.
Industry complaints reached the ears of an innovative New England
industrial-security company, and the result was a new product known as
"the Intimidator," a thick titanium-steel bolt with a precisely machined
head that requires a special device to unscrew. All these "keys" have
registered serial numbers kept on file with the manufacturer. There are
now some thousands of these "Intimidator" bolts being sunk into American
pavements wherever our President passes, like some macabre parody of
strewn roses. They are also spreading as fast as steel dandelions around
US military bases and many centers of private industry.
Quite likely it has never occurred to you to peer under a manhole
cover, perhaps climb down and walk around down there with a flashlight,
just to see what it's like. Formally speaking, this might be trespassing,
but if you didn't hurt anything, and didn't make an absolute habit of it,
nobody would really care. The freedom to sneak under manholes was likely
a freedom you never intended to exercise.
You now are rather less likely to have that freedom at all. You may
never even have missed it until you read about it here, but if you're in
New York City it's gone, and elsewhere it's likely going. This is one of
the things that crime, and the reaction to crime, does to us.
The tenor of the meeting now changed as the Electronic Frontier
Foundation arrived. The EFF, whose personnel and history will be examined
in detail in the next chapter, are a pioneering civil liberties group who
arose in direct response to the Hacker Crackdown of 1990.
Now Mitchell Kapor, the Foundation's president, and Michael Godwin,
its chief attorney, were confronting federal law enforcement *mano a mano*
for the first time ever. Ever alert to the manifold uses of publicity,
Mitch Kapor and Mike Godwin had brought their own journalist in tow:
Robert Draper, from Austin, whose recent well- received book about ROLLING
STONE magazine was still on the stands. Draper was on assignment for
TEXAS MONTHLY.
The Steve Jackson/EFF civil lawsuit against the Chicago Computer
Fraud and Abuse Task Force was a matter of considerable regional interest
in Texas. There were now two Austinite journalists here on the case. In
fact, counting Godwin (a former Austinite and former journalist) there
were three of us. Lunch was like Old Home Week.
Later, I took Draper up to my hotel room. We had a long frank talk
about the case, networking earnestly like a miniature freelance-journo
version of the FCIC: privately confessing the numerous blunders of
journalists covering the story, and trying hard to figure out who was who
and what the hell was really going on out there. I showed Draper
everything I had dug out of the Hilton trashcan. We pondered the ethics
of "trashing" for a while, and agreed that they were dismal. We also
agreed that finding a SPRINT bill on your first time out was a heck of a
coincidence.
First I'd "trashed" -- and now, mere hours later, I'd bragged to
someone else. Having entered the lifestyle of hackerdom, I was now,
unsurprisingly, following its logic. Having discovered something
remarkable through a surreptitious action, I of course *had* to "brag,"
and to drag the passing Draper into my iniquities. I felt I needed a
witness. Otherwise nobody would have believed what I'd discovered....
Back at the meeting, Thackeray cordially, if rather tentatively,
introduced Kapor and Godwin to her colleagues. Papers were distributed.
Kapor took center stage. The brilliant Bostonian high-tech entrepreneur,
normally the hawk in his own administration and quite an effective public
speaker, seemed visibly nervous, and frankly admitted as much. He began
by saying he consided computer-intrusion to be morally wrong, and that the
EFF was not a "hacker defense fund," despite what had appeared in print.
Kapor chatted a bit about the basic motivations of his group, emphasizing
their good faith and willingness to listen and seek common ground with law
enforcement -- when, er, possible.
Then, at Godwin's urging, Kapor suddenly remarked that EFF's own
Internet machine had been "hacked" recently, and that EFF did not consider
this incident amusing.
After this surprising confession, things began to loosen up quite
rapidly. Soon Kapor was fielding questions, parrying objections,
challenging definitions, and juggling paradigms with something akin to his
usual gusto.
Kapor seemed to score quite an effect with his shrewd and skeptical
analysis of the merits of telco "Caller-ID" services. (On this topic,
FCIC and EFF have never been at loggerheads, and have no particular
established earthworks to defend.) Caller-ID has generally been promoted
as a privacy service for consumers, a presentation Kapor described as a
"smokescreen," the real point of Caller-ID being to *allow corporate
customers to build extensive commercial databases on everybody who phones
or faxes them.* Clearly, few people in the room had considered this
possibility, except perhaps for two late-arrivals from US WEST RBOC
security, who chuckled nervously.
Mike Godwin then made an extensive presentation on "Civil Liberties
Implications of Computer Searches and Seizures." Now, at last, we were
getting to the real nitty-gritty here, real political horse-trading. The
audience listened with close attention, angry mutters rising occasionally:
"He's trying to teach us our jobs!" "We've been thinking about this for
years! We think about these issues every day!" "If I didn't seize the
works, I'd be sued by the guy's victims!" "I'm violating the law if I
leave ten thousand disks full of illegal *pirated software* and *stolen
codes!*" "It's our job to make sure people don't trash the Constitution
-- we're the *defenders* of the Constitution!" "We seize stuff when we
know it will be forfeited anyway as restitution for the victim!"
"If it's forfeitable, then don't get a search warrant, get a
forfeiture warrant," Godwin suggested coolly. He further remarked that
most suspects in computer crime don't *want* to see their computers vanish
out the door, headed God knew where, for who knows how long. They might
not mind a search, even an extensive search, but they want their machines
searched on-site.
"Are they gonna feed us?" somebody asked sourly.
"How about if you take copies of the data?" Godwin parried.
"That'll never stand up in court."
"Okay, you make copies, give *them* the copies, and take the
originals."
Hmmm.
Godwin championed bulletin-board systems as repositories of First
Amendment protected free speech. He complained that federal computer-
crime training manuals gave boards a bad press, suggesting that they are
hotbeds of crime haunted by pedophiles and crooks, whereas the vast
majority of the nation's thousands of boards are completely innocuous, and
nowhere near so romantically suspicious.
People who run boards violently resent it when their systems are
seized, and their dozens (or hundreds) of users look on in abject horror.
Their rights of free expression are cut short. Their right to associate
with other people is infringed. And their privacy is violated as their
private electronic mail becomes police property.
Not a soul spoke up to defend the practice of seizing boards. The
issue passed in chastened silence. Legal principles aside -- (and those
principles cannot be settled without laws passed or court precedents) --
seizing bulletin boards has become public-relations poison for American
computer police.
And anyway, it's not entirely necessary. If you're a cop, you can
get 'most everything you need from a pirate board, just by using an inside
informant. Plenty of vigilantes -- well, *concerned citizens* -- will
inform police the moment they see a pirate board hit their area (and will
tell the police all about it, in such technical detail, actually, that you
kinda wish they'd shut up). They will happily supply police with
extensive downloads or printouts. It's *impossible* to keep this fluid
electronic information out of the hands of police.
Some people in the electronic community become enraged at the
prospect of cops "monitoring" bulletin boards. This does have touchy
aspects, as Secret Service people in particular examine bulletin boards
with some regularity. But to expect electronic police to be deaf dumb and
blind in regard to this particular medium rather flies in the face of
common sense. Police watch television, listen to radio, read newspapers
and magazines; why should the new medium of boards be different? Cops can
exercise the same access to electronic information as everybody else. As
we have seen, quite a few computer police maintain *their own* bulletin
boards, including anti-hacker "sting" boards, which have generally proven
quite effective.
As a final clincher, their Mountie friends in Canada (and colleagues
in Ireland and Taiwan) don't have First Amendment or American
constitutional restrictions, but they do have phone lines, and can call
any bulletin board in America whenever they please. The same
technological determinants that play into the hands of hackers, phone
phreaks and software pirates can play into the hands of police.
"Technological determinants" don't have *any* human allegiances. They're
not black or white, or Establishment or Underground, or pro-or-anti
anything.
Godwin complained at length about what he called "the Clever Hobbyist
hypothesis" -- the assumption that the "hacker" you're busting is clearly
a technical genius, and must therefore by searched with extreme
thoroughness. So: from the law's point of view, why risk missing
anything? Take the works. Take the guy's computer. Take his books. Take
his notebooks. Take the electronic drafts of his love letters. Take his
Walkman. Take his wife's computer. Take his dad's computer. Take his
kid sister's computer. Take his employer's computer. Take his compact
disks -- they *might* be CD-ROM disks, cunningly disguised as pop music.
Take his laser printer -- he might have hidden something vital in the
printer's 5meg of memory. Take his software manuals and hardware
documentation. Take his science-fiction novels and his simulation- gaming
books. Take his Nintendo Game-Boy and his Pac-Man arcade game. Take his
answering machine, take his telephone out of the wall. Take anything
remotely suspicious.
Godwin pointed out that most "hackers" are not, in fact, clever
genius hobbyists. Quite a few are crooks and grifters who don't have much
in the way of technical sophistication; just some rule-of-thumb rip-off
techniques. The same goes for most fifteen- year-olds who've downloaded a
code-scanning program from a pirate board. There's no real need to seize
everything in sight. It doesn't require an entire computer system and ten
thousand disks to prove a case in court.
What if the computer is the instrumentality of a crime? someone
demanded.
Godwin admitted quietly that the doctrine of seizing the
instrumentality of a crime was pretty well established in the American
legal system.
The meeting broke up. Godwin and Kapor had to leave. Kapor was
testifying next morning before the Massachusetts Department Of Public
Utility, about ISDN narrowband wide-area networking.
As soon as they were gone, Thackeray seemed elated. She had taken a
great risk with this. Her colleagues had not, in fact, torn Kapor and
Godwin's heads off. She was very proud of them, and told them so.
"Did you hear what Godwin said about *instrumentality of a crime?*"
she exulted, to nobody in particular. "Wow, that means *Mitch isn't going
to sue me.*"
#
America's computer police are an interesting group. As a social
phenomenon they are far more interesting, and far more important, than
teenage phone phreaks and computer hackers. First, they're older and
wiser; not dizzy hobbyists with leaky morals, but seasoned adult
professionals with all the responsibilities of public service. And,
unlike hackers, they possess not merely *technical* power alone, but
heavy-duty legal and social authority.
And, very interestingly, they are just as much at sea in cyberspace
as everyone else. They are not happy about this. Police are
authoritarian by nature, and prefer to obey rules and precedents. (Even
those police who secretly enjoy a fast ride in rough territory will
soberly disclaim any "cowboy" attitude.) But in cyberspace there *are* no
rules and precedents. They are groundbreaking pioneers, Cyberspace
Rangers, whether they like it or not.
In my opinion, any teenager enthralled by computers, fascinated by
the ins and outs of computer security, and attracted by the lure of
specialized forms of knowledge and power, would do well to forget all
about "hacking" and set his (or her) sights on becoming a fed. Feds can
trump hackers at almost every single thing hackers do, including gathering
intelligence, undercover disguise, trashing, phone-tapping, building
dossiers, networking, and infiltrating computer systems -- *criminal*
computer systems. Secret Service agents know more about phreaking, coding
and carding than most phreaks can find out in years, and when it comes to
viruses, break-ins, software bombs and trojan horses, Feds have direct
access to red-hot confidential information that is only vague rumor in the
underground.
And if it's an impressive public rep you're after, there are few
people in the world who can be so chillingly impressive as a well-trained,
well-armed United States Secret Service agent.
Of course, a few personal sacrifices are necessary in order to
obtain that power and knowledge. First, you'll have the galling
discipline of belonging to a large organization; but the world of
computer crime is still so small, and so amazingly fast-moving, that it
will remain spectacularly fluid for years to come. The second sacrifice
is that you'll have to give up ripping people off. This is not a great
loss. Abstaining from the use of illegal drugs, also necessary, will be a
boon to your health.
A career in computer security is not a bad choice for a young man or
woman today. The field will almost certainly expand drastically in years
to come. If you are a teenager today, by the time you become a
professional, the pioneers you have read about in this book will be the
grand old men and women of the field, swamped by their many disciples and
successors. Of course, some of them, like William P. Wood of the 1865
Secret Service, may well be mangled in the whirring machinery of legal
controversy; but by the time you enter the computer-crime field, it may
have stabilized somewhat, while remaining entertainingly challenging.
But you can't just have a badge. You have to win it. First, there's
the federal law enforcement training. And it's hard -- it's a challenge.
A real challenge -- not for wimps and rodents.
Every Secret Service agent must complete gruelling courses at the
Federal Law Enforcement Training Center. (In fact, Secret Service agents
are periodically re-trained during their entire careers.)
In order to get a glimpse of what this might be like, I myself
travelled to FLETC.
#
The Federal Law Enforcement Training Center is a 1500-acre facility
on Georgia's Atlantic coast. It's a milieu of marshgrass, seabirds, damp,
clinging sea-breezes, palmettos, mosquitos, and bats. Until 1974, it was
a Navy Air Base, and still features a working runway, and some WWII
vintage blockhouses and officers' quarters. The Center has since
benefitted by a forty-million-dollar retrofit, but there's still enough
forest and swamp on the facility for the Border Patrol to put in tracking
practice.
As a town, "Glynco" scarcely exists. The nearest real town is
Brunswick, a few miles down Highway 17, where I stayed at the aptly named
Marshview Holiday Inn. I had Sunday dinner at a seafood restaurant called
"Jinright's," where I feasted on deep-fried alligator tail. This local
favorite was a heaped basket of bite-sized chunks of white, tender, almost
fluffy reptile meat, steaming in a peppered batter crust. Alligator makes
a culinary experience that's hard to forget, especially when liberally
basted with homemade cocktail sauce from a Jinright squeeze-bottle.
The crowded clientele were tourists, fishermen, local black folks in
their Sunday best, and white Georgian locals who all seemed to bear an
uncanny resemblance to Georgia humorist Lewis Grizzard.
The 2,400 students from 75 federal agencies who make up the FLETC
population scarcely seem to make a dent in the low-key local scene. The
students look like tourists, and the teachers seem to have taken on much
of the relaxed air of the Deep South. My host was Mr. Carlton
Fitzpatrick, the Program Coordinator of the Financial Fraud Institute.
Carlton Fitzpatrick is a mustached, sinewy, well-tanned Alabama native
somewhere near his late forties, with a fondness for chewing tobacco,
powerful computers, and salty, down-home homilies. We'd met before, at
FCIC in Arizona.
The Financial Fraud Institute is one of the nine divisions at FLETC.
Besides Financial Fraud, there's Driver & Marine, Firearms, and Physical
Training. These are specialized pursuits. There are also five general
training divisions: Basic Training, Operations, Enforcement Techniques,
Legal Division, and Behavioral Science.
Somewhere in this curriculum is everything necessary to turn green
college graduates into federal agents. First they're given ID cards. Then
they get the rather miserable-looking blue coveralls known as "smurf
suits." The trainees are assigned a barracks and a cafeteria, and
immediately set on FLETC's bone-grinding physical training routine.
Besides the obligatory daily jogging -- (the trainers run up danger flags
beside the track when the humidity rises high enough to threaten heat
stroke) - - there's the Nautilus machines, the martial arts, the survival
skills....
The eighteen federal agencies who maintain on- site academies at
FLETC employ a wide variety of specialized law enforcement units, some of
them rather arcane. There's Border Patrol, IRS Criminal Investigation
Division, Park Service, Fish and Wildlife, Customs, Immigration, Secret
Service and the Treasury's uniformed subdivisions.... If you're a federal
cop and you don't work for the FBI, you train at FLETC. This includes
people as apparently obscure as the agents of the Railroad Retirement
Board Inspector General. Or the Tennessee Valley Authority Police, who
are in fact federal police officers, and can and do arrest criminals on
the federal property of the Tennessee Valley Authority.
And then there are the computer-crime people. All sorts, all
backgrounds. Mr. Fitzpatrick is not jealous of his specialized knowledge.
Cops all over, in every branch of service, may feel a need to learn what
he can teach. Backgrounds don't matter much. Fitzpatrick himself was
originally a Border Patrol veteran, then became a Border Patrol instructor
at FLETC. His Spanish is still fluent -- but he found himself strangely
fascinated when the first computers showed up at the Training Center.
Fitzpatrick did have a background in electrical engineering, and though he
never considered himself a computer hacker, he somehow found himself
writing useful little programs for this new and promising gizmo.
He began looking into the general subject of computers and crime,
reading Donn Parker's books and articles, keeping an ear cocked for war
stories, useful insights from the field, the up-and-coming people of the
local computer-crime and high- technology units.... Soon he got a
reputation around FLETC as the resident "computer expert," and that
reputation alone brought him more exposure, more experience -- until one
day he looked around, and sure enough he *was* a federal computer-crime
expert.
In fact, this unassuming, genial man may be *the* federal
computer-crime expert. There are plenty of very good computer people, and
plenty of very good federal investigators, but the area where these worlds
of expertise overlap is very slim. And Carlton Fitzpatrick has been right
at the center of that since 1985, the first year of the Colluquy, a group
which owes much to his influence.
He seems quite at home in his modest, acoustic-tiled office, with its
Ansel Adams-style Western photographic art, a gold-framed Senior
Instructor Certificate, and a towering bookcase crammed with three-ring
binders with ominous titles such as *Datapro Reports on Information
Security* and *CFCA Telecom Security '90.*
The phone rings every ten minutes; colleagues show up at the door to
chat about new developments in locksmithing or to shake their heads over
the latest dismal developments in the BCCI global banking scandal.
Carlton Fitzpatrick is a fount of computer-crime war-stories, related
in an acerbic drawl. He tells me the colorful tale of a hacker caught in
California some years back. He'd been raiding systems, typing code
without a detectable break, for twenty, twenty-four, thirty-six hours
straight. Not just logged on -- *typing.* Investigators were baffled.
Nobody could do that. Didn't he have to go to the bathroom? Was it some
kind of automatic keyboard-whacking device that could actually type code?
A raid on the suspect's home revealed a situation of astonishing
squalor. The hacker turned out to be a Pakistani computer-science student
who had flunked out of a California university. He'd gone completely
underground as an illegal electronic immigrant, and was selling stolen
phone- service to stay alive. The place was not merely messy and dirty,
but in a state of psychotic disorder. Powered by some weird mix of culture
shock, computer addiction, and amphetamines, the suspect had in fact been
sitting in front of his computer for a day and a half straight, with
snacks and drugs at hand on the edge of his desk and a chamber-pot under
his chair.
Word about stuff like this gets around in the hacker-tracker
community.
Carlton Fitzpatrick takes me for a guided tour by car around the
FLETC grounds. One of our first sights is the biggest indoor firing range
in the world. There are federal trainees in there, Fitzpatrick assures me
politely, blasting away with a wide variety of automatic weapons: Uzis,
Glocks, AK-47s.... He's willing to take me inside. I tell him I'm sure
that's really interesting, but I'd rather see his computers. Carlton
Fitzpatrick seems quite surprised and pleased. I'm apparently the first
journalist he's ever seen who has turned down the shooting gallery in
favor of microchips.
Our next stop is a favorite with touring Congressmen: the three-mile
long FLETC driving range. Here trainees of the Driver & Marine Division
are taught high-speed pursuit skills, setting and breaking road-blocks,
diplomatic security driving for VIP limousines.... A favorite FLETC
pastime is to strap a passing Senator into the passenger seat beside a
Driver & Marine trainer, hit a hundred miles an hour, then take it right
into "the skid-pan," a section of greased track where two tons of Detroit
iron can whip and spin like a hockey puck.
Cars don't fare well at FLETC. First they're rifled again and again
for search practice. Then they do 25,000 miles of high-speed pursuit
training; they get about seventy miles per set of steel-belted radials.
Then it's off to the skid pan, where sometimes they roll and tumble
headlong in the grease. When they're sufficiently grease-stained, dented,
and creaky, they're sent to the roadblock unit, where they're battered
without pity. And finally then they're sacrificed to the Bureau of
Alcohol, Tobacco and Firearms, whose trainees learn the ins and outs of
car-bomb work by blowing them into smoking wreckage.
There's a railroad box-car on the FLETC grounds, and a large grounded
boat, and a propless plane; all training-grounds for searches. The plane
sits forlornly on a patch of weedy tarmac next to an eerie blockhouse
known as the "ninja compound," where anti-terrorism specialists practice
hostage rescues. As I gaze on this creepy paragon of modern low-intensity
warfare, my nerves are jangled by a sudden staccato outburst of automatic
weapons fire, somewhere in the woods to my right. "Nine- millimeter,"
Fitzpatrick judges calmly.
Even the eldritch ninja compound pales somewhat compared to the truly
surreal area known as "the raid-houses." This is a street lined on both
sides with nondescript concrete-block houses with flat pebbled roofs.
They were once officers' quarters. Now they are training grounds. The
first one to our left, Fitzpatrick tells me, has been specially adapted
for computer search-and-seizure practice. Inside it has been wired for
video from top to bottom, with eighteen pan-and-tilt remotely controlled
videocams mounted on walls and in corners. Every movement of the trainee
agent is recorded live by teachers, for later taped analysis. Wasted
movements, hesitations, possibly lethal tactical mistakes -- all are gone
over in detail.
Perhaps the weirdest single aspect of this building is its front
door, scarred and scuffed all along the bottom, from the repeated impact,
day after day, of federal shoe-leather.
Down at the far end of the row of raid-houses some people are
practicing a murder. We drive by slowly as some very young and rather
nervous- looking federal trainees interview a heavyset bald man on the
raid-house lawn. Dealing with murder takes a lot of practice; first you
have to learn to control your own instinctive disgust and panic, then you
have to learn to control the reactions of a nerve- shredded crowd of
civilians, some of whom may have just lost a loved one, some of whom may
be murderers -- quite possibly both at once.
A dummy plays the corpse. The roles of the bereaved, the morbidly
curious, and the homicidal are played, for pay, by local Georgians:
waitresses, musicians, most anybody who needs to moonlight and can learn a
script. These people, some of whom are FLETC regulars year after year,
must surely have one of the strangest jobs in the world.
Something about the scene: "normal" people in a weird situation,
standing around talking in bright Georgia sunshine, unsuccessfully
pretending that something dreadful has gone on, while a dummy lies inside
on faked bloodstains.... While behind this weird masquerade, like a
nested set of Russian dolls, are grim future realities of real death, real
violence, real murders of real people, that these young agents will really
investigate, many times during their careers.... Over and over.... Will
those anticipated murders look like this, feel like this -- not as "real"
as these amateur actors are trying to make it seem, but both as "real,"
and as numbingly unreal, as watching fake people standing around on a fake
lawn? Something about this scene unhinges me. It seems nightmarish to me,
Kafkaesque. I simply don't know how to take it; my head is turned around;
I don't know whether to laugh, cry, or just shudder.
When the tour is over, Carlton Fitzpatrick and I talk about
computers. For the first time cyberspace seems like quite a comfortable
place. It seems very real to me suddenly, a place where I know what I'm
talking about, a place I'm used to. It's real. "Real." Whatever.
Carlton Fitzpatrick is the only person I've met in cyberspace circles
who is happy with his present equipment. He's got a 5 Meg RAM PC with a
112 meg hard disk; a 660 meg's on the way. He's got a Compaq 386 desktop,
and a Zenith 386 laptop with 120 meg. Down the hall is a NEC Multi-Sync
2A with a CD-ROM drive and a 9600 baud modem with four com-lines. There's
a training minicomputer, and a 10-meg local mini just for the Center, and
a lab-full of student PC clones and half-a-dozen Macs or so. There's a
Data General MV 2500 with 8 meg on board and a 370 meg disk.
Fitzpatrick plans to run a UNIX board on the Data General when he's
finished beta-testing the software for it, which he wrote himself. It'll
have E- mail features, massive files on all manner of computer-crime and
investigation procedures, and will follow the computer-security specifics
of the Department of Defense "Orange Book." He thinks it will be the
biggest BBS in the federal government.
Will it have *Phrack* on it? I ask wryly.
Sure, he tells me. *Phrack,* *TAP,* *Computer Underground Digest,*
all that stuff. With proper disclaimers, of course.
I ask him if he plans to be the sysop. Running a system that size is
very time-consuming, and Fitzpatrick teaches two three-hour courses every
day.
No, he says seriously, FLETC has to get its money worth out of the
instructors. He thinks he can get a local volunteer to do it, a
high-school student.
He says a bit more, something I think about an Eagle Scout
law-enforcement liaison program, but my mind has rocketed off in
disbelief.
"You're going to put a *teenager* in charge of a federal security
BBS?" I'm speechless. It hasn't escaped my notice that the FLETC
Financial Fraud Institute is the *ultimate* hacker-trashing target; there
is stuff in here, stuff of such utter and consummate cool by every
standard of the digital underground.... I imagine the hackers of my
acquaintance, fainting dead-away from forbidden- knowledge greed-fits, at
the mere prospect of cracking the superultra top-secret computers used to
train the Secret Service in computer-crime....
"Uhm, Carlton," I babble, "I'm sure he's a really nice kid and all,
but that's a terrible temptation to set in front of somebody who's, you
know, into computers and just starting out..."
"Yeah," he says, "that did occur to me." For the first time I begin
to suspect that he's pulling my leg.
He seems proudest when he shows me an ongoing project called JICC,
Joint Intelligence Control Council. It's based on the services provided
by EPIC, the El Paso Intelligence Center, which supplies data and
intelligence to the Drug Enforcement Administration, the Customs Service,
the Coast Guard, and the state police of the four southern border states.
Certain EPIC files can now be accessed by drug-enforcement police of
Central America, South America and the Caribbean, who can also trade
information among themselves. Using a telecom program called "White Hat,"
written by two brothers named Lopez from the Dominican Republic, police
can now network internationally on inexpensive PCs. Carlton Fitzpatrick
is teaching a class of drug-war agents from the Third World, and he's very
proud of their progress. Perhaps soon the sophisticated smuggling
networks of the Medellin Cartel will be matched by a sophisticated
computer network of the Medellin Cartel's sworn enemies. They'll track
boats, track contraband, track the international drug-lords who now leap
over borders with great ease, defeating the police through the clever use
of fragmented national jurisdictions.
JICC and EPIC must remain beyond the scope of this book. They seem
to me to be very large topics fraught with complications that I am not fit
to judge. I do know, however, that the international, computer-assisted
networking of police, across national boundaries, is something that
Carlton Fitzpatrick considers very important, a harbinger of a desirable
future. I also know that networks by their nature ignore physical
boundaries. And I also know that where you put communications you put a
community, and that when those communities become self-aware they will
fight to preserve themselves and to expand their influence. I make no
judgements whether this is good or bad. It's just cyberspace; it's just
the way things are.
I asked Carlton Fitzpatrick what advice he would have for a
twenty-year-old who wanted to shine someday in the world of electronic law
enforcement.
He told me that the number one rule was simply not to be scared of
computers. You don't need to be an obsessive "computer weenie," but you
mustn't be buffaloed just because some machine looks fancy. The
advantages computers give smart crooks are matched by the advantages they
give smart cops. Cops in the future will have to enforce the law "with
their heads, not their holsters." Today you can make good cases without
ever leaving your office. In the future, cops who resist the computer
revolution will never get far beyond walking a beat.
I asked Carlton Fitzpatrick if he had some single message for the
public; some single thing that he would most like the American public to
know about his work.
He thought about it while. "Yes," he said finally. "*Tell* me the
rules, and I'll *teach* those rules!" He looked me straight in the eye.
"I do the best that I can."
