home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ftp.ee.pdx.edu
/
2014.02.ftp.ee.pdx.edu.tar
/
ftp.ee.pdx.edu
/
pub
/
books
/
BruceSterling
/
HackerCrackdown
/
cracker3
< prev
next >
Wrap
Text File
|
1994-01-25
|
156KB
|
3,637 lines
Bruce Sterling
bruces@well.sf.ca.us
Literary Freeware: Not for Commercial Use
THE HACKER CRACKDOWN: Law and Disorder
on the Electronic Frontier
PART THREE: LAW AND ORDER
Of the various anti-hacker activities of 1990,
"Operation Sundevil" had by far the highest public
profile. The sweeping, nationwide computer
seizures of May 8, 1990 were unprecedented in
scope and highly, if rather selectively, publicized.
Unlike the efforts of the Chicago Computer
Fraud and Abuse Task Force, "Operation Sundevil"
was not intended to combat "hacking" in the sense
of computer intrusion or sophisticated raids on telco
switching stations. Nor did it have anything to do
with hacker misdeeds with AT&T's software, or with
Southern Bell's proprietary documents.
Instead, "Operation Sundevil" was a crackdown
on those traditional scourges of the digital
underground: credit-card theft and telephone code
abuse. The ambitious activities out of Chicago, and
the somewhat lesser-known but vigorous anti-
hacker actions of the New York State Police in 1990,
were never a part of "Operation Sundevil" per se,
which was based in Arizona.
Nevertheless, after the spectacular May 8 raids,
the public, misled by police secrecy, hacker panic,
and a puzzled national press-corps, conflated all
aspects of the nationwide crackdown in 1990 under
the blanket term "Operation Sundevil." "Sundevil" is
still the best-known synonym for the crackdown of
1990. But the Arizona organizers of "Sundevil" did
not really deserve this reputation -- any more, for
instance, than all hackers deserve a reputation as
"hackers."
There was some justice in this confused
perception, though. For one thing, the confusion
was abetted by the Washington office of the Secret
Service, who responded to Freedom of Information
Act requests on "Operation Sundevil" by referring
investigators to the publicly known cases of Knight
Lightning and the Atlanta Three. And "Sundevil"
was certainly the largest aspect of the Crackdown,
the most deliberate and the best-organized. As a
crackdown on electronic fraud, "Sundevil" lacked
the frantic pace of the war on the Legion of Doom;
on the contrary, Sundevil's targets were picked out
with cool deliberation over an elaborate
investigation lasting two full years.
And once again the targets were bulletin board
systems.
Boards can be powerful aids to organized fraud.
Underground boards carry lively, extensive,
detailed, and often quite flagrant "discussions" of
lawbreaking techniques and lawbreaking activities.
"Discussing" crime in the abstract, or "discussing"
the particulars of criminal cases, is not illegal -- but
there are stern state and federal laws against
coldbloodedly conspiring in groups in order to
commit crimes.
In the eyes of police, people who actively
conspire to break the law are not regarded as
"clubs," "debating salons," "users' groups," or "free
speech advocates." Rather, such people tend to
find themselves formally indicted by prosecutors as
"gangs," "racketeers," "corrupt organizations" and
"organized crime figures."
What's more, the illicit data contained on
outlaw boards goes well beyond mere acts of speech
and/or possible criminal conspiracy. As we have
seen, it was common practice in the digital
underground to post purloined telephone codes on
boards, for any phreak or hacker who cared to abuse
them. Is posting digital booty of this sort supposed
to be protected by the First Amendment? Hardly --
though the issue, like most issues in cyberspace, is
not entirely resolved. Some theorists argue that to
merely *recite* a number publicly is not illegal --
only its *use* is illegal. But anti-hacker police point
out that magazines and newspapers (more
traditional forms of free expression) never publish
stolen telephone codes (even though this might well
raise their circulation).
Stolen credit card numbers, being riskier and
more valuable, were less often publicly posted on
boards -- but there is no question that some
underground boards carried "carding" traffic,
generally exchanged through private mail.
Underground boards also carried handy
programs for "scanning" telephone codes and
raiding credit card companies, as well as the usual
obnoxious galaxy of pirated software, cracked
passwords, blue-box schematics, intrusion manuals,
anarchy files, porn files, and so forth.
But besides their nuisance potential for the
spread of illicit knowledge, bulletin boards have
another vitally interesting aspect for the professional
investigator. Bulletin boards are cram-full of
*evidence.* All that busy trading of electronic mail,
all those hacker boasts, brags and struts, even the
stolen codes and cards, can be neat, electronic, real-
time recordings of criminal activity.
As an investigator, when you seize a pirate
board, you have scored a coup as effective as
tapping phones or intercepting mail. However, you
have not actually tapped a phone or intercepted a
letter. The rules of evidence regarding phone-taps
and mail interceptions are old, stern and well-
understood by police, prosecutors and defense
attorneys alike. The rules of evidence regarding
boards are new, waffling, and understood by nobody
at all.
Sundevil was the largest crackdown on boards in
world history. On May 7, 8, and 9, 1990, about forty-
two computer systems were seized. Of those forty-
two computers, about twenty-five actually were
running boards. (The vagueness of this estimate is
attributable to the vagueness of (a) what a
"computer system" is, and (b) what it actually means
to "run a board" with one -- or with two computers, or
with three.)
About twenty-five boards vanished into police
custody in May 1990. As we have seen, there are an
estimated 30,000 boards in America today. If we
assume that one board in a hundred is up to no good
with codes and cards (which rather flatters the
honesty of the board-using community), then that
would leave 2,975 outlaw boards untouched by
Sundevil. Sundevil seized about one tenth of one
percent of all computer bulletin boards in America.
Seen objectively, this is something less than a
comprehensive assault. In 1990, Sundevil's
organizers -- the team at the Phoenix Secret Service
office, and the Arizona Attorney General's office --
had a list of at least *three hundred* boards that
they considered fully deserving of search and
seizure warrants. The twenty-five boards actually
seized were merely among the most obvious and
egregious of this much larger list of candidates. All
these boards had been examined beforehand --
either by informants, who had passed printouts to
the Secret Service, or by Secret Service agents
themselves, who not only come equipped with
modems but know how to use them.
There were a number of motives for Sundevil.
First, it offered a chance to get ahead of the curve on
wire-fraud crimes. Tracking back credit-card ripoffs
to their perpetrators can be appallingly difficult. If
these miscreants have any kind of electronic
sophistication, they can snarl their tracks through
the phone network into a mind-boggling,
untraceable mess, while still managing to "reach out
and rob someone." Boards, however, full of brags
and boasts, codes and cards, offer evidence in the
handy congealed form.
Seizures themselves -- the mere physical
removal of machines -- tends to take the pressure
off. During Sundevil, a large number of code kids,
warez d00dz, and credit card thieves would be
deprived of those boards -- their means of
community and conspiracy -- in one swift blow. As
for the sysops themselves (commonly among the
boldest offenders) they would be directly stripped of
their computer equipment, and rendered digitally
mute and blind.
And this aspect of Sundevil was carried out with
great success. Sundevil seems to have been a
complete tactical surprise -- unlike the fragmentary
and continuing seizures of the war on the Legion of
Doom, Sundevil was precisely timed and utterly
overwhelming. At least forty "computers" were
seized during May 7, 8 and 9, 1990, in Cincinnati,
Detroit, Los Angeles, Miami, Newark, Phoenix,
Tucson, Richmond, San Diego, San Jose, Pittsburgh
and San Francisco. Some cities saw multiple raids,
such as the five separate raids in the New York City
environs. Plano, Texas (essentially a suburb of the
Dallas/Fort Worth metroplex, and a hub of the
telecommunications industry) saw four computer
seizures. Chicago, ever in the forefront, saw its own
local Sundevil raid, briskly carried out by Secret
Service agents Timothy Foley and Barbara Golden.
Many of these raids occurred, not in the cities
proper, but in associated white-middle class suburbs
-- places like Mount Lebanon, Pennsylvania and
Clark Lake, Michigan. There were a few raids on
offices; most took place in people's homes, the
classic hacker basements and bedrooms.
The Sundevil raids were searches and seizures,
not a group of mass arrests. There were only four
arrests during Sundevil. "Tony the Trashman," a
longtime teenage bete noire of the Arizona
Racketeering unit, was arrested in Tucson on May 9.
"Dr. Ripco," sysop of an outlaw board with the
misfortune to exist in Chicago itself, was also
arrested -- on illegal weapons charges. Local units
also arrested a 19-year-old female phone phreak
named "Electra" in Pennsylvania, and a male
juvenile in California. Federal agents however were
not seeking arrests, but computers.
Hackers are generally not indicted (if at all)
until the evidence in their seized computers is
evaluated -- a process that can take weeks, months --
even years. When hackers are arrested on the
spot, it's generally an arrest for other reasons. Drugs
and/or illegal weapons show up in a good third of
anti-hacker computer seizures (though not during
Sundevil).
That scofflaw teenage hackers (or their parents)
should have marijuana in their homes is probably
not a shocking revelation, but the surprisingly
common presence of illegal firearms in hacker dens
is a bit disquieting. A Personal Computer can be a
great equalizer for the techno-cowboy -- much like
that more traditional American "Great Equalizer,"
the Personal Sixgun. Maybe it's not all that
surprising that some guy obsessed with power
through illicit technology would also have a few illicit
high-velocity-impact devices around. An element of
the digital underground particularly dotes on those
"anarchy philes," and this element tends to shade
into the crackpot milieu of survivalists, gun-nuts,
anarcho-leftists and the ultra-libertarian right-wing.
This is not to say that hacker raids to date have
uncovered any major crack-dens or illegal arsenals;
but Secret Service agents do not regard "hackers" as
"just kids." They regard hackers as unpredictable
people, bright and slippery. It doesn't help matters
that the hacker himself has been "hiding behind his
keyboard" all this time. Commonly, police have no
idea what he looks like. This makes him an
unknown quantity, someone best treated with
proper caution.
To date, no hacker has come out shooting,
though they do sometimes brag on boards that they
will do just that. Threats of this sort are taken
seriously. Secret Service hacker raids tend to be
swift, comprehensive, well-manned (even over-
manned); and agents generally burst through every
door in the home at once, sometimes with drawn
guns. Any potential resistance is swiftly quelled.
Hacker raids are usually raids on people's homes.
It can be a very dangerous business to raid an
American home; people can panic when strangers
invade their sanctum. Statistically speaking, the
most dangerous thing a policeman can do is to enter
someone's home. (The second most dangerous
thing is to stop a car in traffic.) People have guns in
their homes. More cops are hurt in homes than are
ever hurt in biker bars or massage parlors.
But in any case, no one was hurt during
Sundevil, or indeed during any part of the Hacker
Crackdown.
Nor were there any allegations of any physical
mistreatment of a suspect. Guns were pointed,
interrogations were sharp and prolonged; but no one
in 1990 claimed any act of brutality by any
crackdown raider.
In addition to the forty or so computers,
Sundevil reaped floppy disks in particularly great
abundance -- an estimated 23,000 of them, which
naturally included every manner of illegitimate
data: pirated games, stolen codes, hot credit card
numbers, the complete text and software of entire
pirate bulletin-boards. These floppy disks, which
remain in police custody today, offer a gigantic,
almost embarrassingly rich source of possible
criminal indictments. These 23,000 floppy disks also
include a thus-far unknown quantity of legitimate
computer games, legitimate software, purportedly
"private" mail from boards, business records, and
personal correspondence of all kinds.
Standard computer-crime search warrants lay
great emphasis on seizing written documents as well
as computers -- specifically including photocopies,
computer printouts, telephone bills, address books,
logs, notes, memoranda and correspondence. In
practice, this has meant that diaries, gaming
magazines, software documentation, nonfiction
books on hacking and computer security,
sometimes even science fiction novels, have all
vanished out the door in police custody. A wide
variety of electronic items have been known to
vanish as well, including telephones, televisions,
answering machines, Sony Walkmans, desktop
printers, compact disks, and audiotapes.
No fewer than 150 members of the Secret
Service were sent into the field during Sundevil.
They were commonly accompanied by squads of
local and/or state police. Most of these officers --
especially the locals -- had never been on an anti-
hacker raid before. (This was one good reason, in
fact, why so many of them were invited along in the
first place.) Also, the presence of a uniformed
police officer assures the raidees that the people
entering their homes are, in fact, police. Secret
Service agents wear plain clothes. So do the telco
security experts who commonly accompany the
Secret Service on raids (and who make no particular
effort to identify themselves as mere employees of
telephone companies).
A typical hacker raid goes something like this.
First, police storm in rapidly, through every
entrance, with overwhelming force, in the
assumption that this tactic will keep casualties to a
minimum. Second, possible suspects are
immediately removed from the vicinity of any and
all computer systems, so that they will have no
chance to purge or destroy computer evidence.
Suspects are herded into a room without computers,
commonly the living room, and kept under guard --
not *armed* guard, for the guns are swiftly
holstered, but under guard nevertheless. They are
presented with the search warrant and warned that
anything they say may be held against them.
Commonly they have a great deal to say, especially
if they are unsuspecting parents.
Somewhere in the house is the "hot spot" -- a
computer tied to a phone line (possibly several
computers and several phones). Commonly it's a
teenager's bedroom, but it can be anywhere in the
house; there may be several such rooms. This "hot
spot" is put in charge of a two-agent team, the
"finder" and the "recorder." The "finder" is
computer-trained, commonly the case agent who
has actually obtained the search warrant from a
judge. He or she understands what is being sought,
and actually carries out the seizures: unplugs
machines, opens drawers, desks, files, floppy-disk
containers, etc. The "recorder" photographs all the
equipment, just as it stands -- especially the tangle
of wired connections in the back, which can
otherwise be a real nightmare to restore. The
recorder will also commonly photograph every room
in the house, lest some wily criminal claim that the
police had robbed him during the search. Some
recorders carry videocams or tape recorders;
however, it's more common for the recorder to
simply take written notes. Objects are described
and numbered as the finder seizes them, generally
on standard preprinted police inventory forms.
Even Secret Service agents were not, and are
not, expert computer users. They have not made,
and do not make, judgements on the fly about
potential threats posed by various forms of
equipment. They may exercise discretion; they may
leave Dad his computer, for instance, but they don't
*have* to. Standard computer-crime search
warrants, which date back to the early 80s, use a
sweeping language that targets computers, most
anything attached to a computer, most anything
used to operate a computer -- most anything that
remotely resembles a computer -- plus most any
and all written documents surrounding it.
Computer-crime investigators have strongly urged
agents to seize the works.
In this sense, Operation Sundevil appears to
have been a complete success. Boards went down
all over America, and were shipped en masse to the
computer investigation lab of the Secret Service, in
Washington DC, along with the 23,000 floppy disks
and unknown quantities of printed material.
But the seizure of twenty-five boards, and the
multi-megabyte mountains of possibly useful
evidence contained in these boards (and in their
owners' other computers, also out the door), were far
from the only motives for Operation Sundevil. An
unprecedented action of great ambition and size,
Sundevil's motives can only be described as
political. It was a public-relations effort, meant to
pass certain messages, meant to make certain
situations clear: both in the mind of the general
public, and in the minds of various constituencies of
the electronic community.
First -- and this motivation was vital -- a
"message" would be sent from law enforcement to
the digital underground. This very message was
recited in so many words by Garry M. Jenkins, the
Assistant Director of the US Secret Service, at the
Sundevil press conference in Phoenix on May 9,
1990, immediately after the raids. In brief, hackers
were mistaken in their foolish belief that they could
hide behind the "relative anonymity of their
computer terminals." On the contrary, they should
fully understand that state and federal cops were
actively patrolling the beat in cyberspace -- that they
were on the watch everywhere, even in those sleazy
and secretive dens of cybernetic vice, the
underground boards.
This is not an unusual message for police to
publicly convey to crooks. The message is a
standard message; only the context is new.
In this respect, the Sundevil raids were the
digital equivalent of the standard vice-squad
crackdown on massage parlors, porno bookstores,
head-shops, or floating crap-games. There may be
few or no arrests in a raid of this sort; no convictions,
no trials, no interrogations. In cases of this sort,
police may well walk out the door with many pounds
of sleazy magazines, X-rated videotapes, sex toys,
gambling equipment, baggies of marijuana....
Of course, if something truly horrendous is
discovered by the raiders, there will be arrests and
prosecutions. Far more likely, however, there will
simply be a brief but sharp disruption of the closed
and secretive world of the nogoodniks. There will be
"street hassle." "Heat." "Deterrence." And, of
course, the immediate loss of the seized goods. It is
very unlikely that any of this seized material will ever
be returned. Whether charged or not, whether
convicted or not, the perpetrators will almost surely
lack the nerve ever to ask for this stuff to be given
back.
Arrests and trials -- putting people in jail -- may
involve all kinds of formal legalities; but dealing with
the justice system is far from the only task of police.
Police do not simply arrest people. They don't
simply put people in jail. That is not how the police
perceive their jobs. Police "protect and serve."
Police "keep the peace," they "keep public order."
Like other forms of public relations, keeping public
order is not an exact science. Keeping public order
is something of an art-form.
If a group of tough-looking teenage hoodlums
was loitering on a street-corner, no one would be
surprised to see a street-cop arrive and sternly order
them to "break it up." On the contrary, the surprise
would come if one of these ne'er-do-wells stepped
briskly into a phone-booth, called a civil rights
lawyer, and instituted a civil suit in defense of his
Constitutional rights of free speech and free
assembly. But something much along this line was
one of the many anomolous outcomes of the Hacker
Crackdown.
Sundevil also carried useful "messages" for
other constituents of the electronic community.
These messages may not have been read aloud
from the Phoenix podium in front of the press corps,
but there was little mistaking their meaning. There
was a message of reassurance for the primary
victims of coding and carding: the telcos, and the
credit companies. Sundevil was greeted with joy by
the security officers of the electronic business
community. After years of high-tech harassment
and spiralling revenue losses, their complaints of
rampant outlawry were being taken seriously by law
enforcement. No more head-scratching or
dismissive shrugs; no more feeble excuses about
"lack of computer-trained officers" or the low priority
of "victimless" white-collar telecommunication
crimes.
Computer-crime experts have long believed
that computer-related offenses are drastically
under-reported. They regard this as a major open
scandal of their field. Some victims are reluctant to
come forth, because they believe that police and
prosecutors are not computer-literate, and can and
will do nothing. Others are embarrassed by their
vulnerabilities, and will take strong measures to
avoid any publicity; this is especially true of banks,
who fear a loss of investor confidence should an
embezzlement-case or wire-fraud surface. And
some victims are so helplessly confused by their own
high technology that they never even realize that a
crime has occurred -- even when they have been
fleeced to the bone.
The results of this situation can be dire.
Criminals escape apprehension and punishment.
The computer-crime units that do exist, can't get
work. The true scope of computer-crime: its size, its
real nature, the scope of its threats, and the legal
remedies for it -- all remain obscured.
Another problem is very little publicized, but it
is a cause of genuine concern. Where there is
persistent crime, but no effective police protection,
then vigilantism can result. Telcos, banks, credit
companies, the major corporations who maintain
extensive computer networks vulnerable to hacking
-- these organizations are powerful, wealthy, and
politically influential. They are disinclined to be
pushed around by crooks (or by most anyone else,
for that matter). They often maintain well-organized
private security forces, commonly run by
experienced veterans of military and police units,
who have left public service for the greener pastures
of the private sector. For police, the corporate
security manager can be a powerful ally; but if this
gentleman finds no allies in the police, and the
pressure is on from his board-of-directors, he may
quietly take certain matters into his own hands.
Nor is there any lack of disposable hired-help in
the corporate security business. Private security
agencies -- the 'security business' generally -- grew
explosively in the 1980s. Today there are spooky
gumshoed armies of "security consultants," "rent-a-
cops," "private eyes," "outside experts" -- every
manner of shady operator who retails in "results"
and discretion. Or course, many of these
gentlemen and ladies may be paragons of
professional and moral rectitude. But as anyone
who has read a hard-boiled detective novel knows,
police tend to be less than fond of this sort of
private-sector competition.
Companies in search of computer-security have
even been known to hire hackers. Police shudder at
this prospect.
Police treasure good relations with the business
community. Rarely will you see a policeman so
indiscreet as to allege publicly that some major
employer in his state or city has succumbed to
paranoia and gone off the rails. Nevertheless, police
-- and computer police in particular -- are aware of
this possibility. Computer-crime police can and do
spend up to half of their business hours just doing
public relations: seminars, "dog and pony shows,"
sometimes with parents' groups or computer users,
but generally with their core audience: the likely
victims of hacking crimes. These, of course, are
telcos, credit card companies and large computer-
equipped corporations. The police strongly urge
these people, as good citizens, to report offenses and
press criminal charges; they pass the message that
there is someone in authority who cares,
understands, and, best of all, will take useful action
should a computer-crime occur.
But reassuring talk is cheap. Sundevil offered
action.
The final message of Sundevil was intended for
internal consumption by law enforcement. Sundevil
was offered as proof that the community of
American computer-crime police had come of age.
Sundevil was proof that enormous things like
Sundevil itself could now be accomplished.
Sundevil was proof that the Secret Service and its
local law-enforcement allies could act like a well-
oiled machine -- (despite the hampering use of
those scrambled phones). It was also proof that the
Arizona Organized Crime and Racketeering Unit --
the sparkplug of Sundevil -- ranked with the best in
the world in ambition, organization, and sheer
conceptual daring.
And, as a final fillip, Sundevil was a message
from the Secret Service to their longtime rivals in the
Federal Bureau of Investigation. By Congressional
fiat, both USSS and FBI formally share jurisdiction
over federal computer-crimebusting activities.
Neither of these groups has ever been remotely
happy with this muddled situation. It seems to
suggest that Congress cannot make up its mind as to
which of these groups is better qualified. And there
is scarcely a G-man or a Special Agent anywhere
without a very firm opinion on that topic.
#
For the neophyte, one of the most puzzling
aspects of the crackdown on hackers is why the
United States Secret Service has anything at all to do
with this matter.
The Secret Service is best known for its primary
public role: its agents protect the President of the
United States. They also guard the President's
family, the Vice President and his family, former
Presidents, and Presidential candidates. They
sometimes guard foreign dignitaries who are visiting
the United States, especially foreign heads of state,
and have been known to accompany American
officials on diplomatic missions overseas.
Special Agents of the Secret Service don't wear
uniforms, but the Secret Service also has two
uniformed police agencies. There's the former
White House Police (now known as the Secret
Service Uniformed Division, since they currently
guard foreign embassies in Washington, as well as
the White House itself). And there's the uniformed
Treasury Police Force.
The Secret Service has been charged by
Congress with a number of little-known duties.
They guard the precious metals in Treasury vaults.
They guard the most valuable historical documents
of the United States: originals of the Constitution,
the Declaration of Independence, Lincoln's Second
Inaugural Address, an American-owned copy of the
Magna Carta, and so forth. Once they were
assigned to guard the Mona Lisa, on her American
tour in the 1960s.
The entire Secret Service is a division of the
Treasury Department. Secret Service Special
Agents (there are about 1,900 of them) are
bodyguards for the President et al, but they all work
for the Treasury. And the Treasury (through its
divisions of the U.S. Mint and the Bureau of
Engraving and Printing) prints the nation's money.
As Treasury police, the Secret Service guards
the nation's currency; it is the only federal law
enforcement agency with direct jurisdiction over
counterfeiting and forgery. It analyzes documents
for authenticity, and its fight against fake cash is still
quite lively (especially since the skilled
counterfeiters of Medellin, Columbia have gotten
into the act). Government checks, bonds, and other
obligations, which exist in untold millions and are
worth untold billions, are common targets for
forgery, which the Secret Service also battles. It
even handles forgery of postage stamps.
But cash is fading in importance today as
money has become electronic. As necessity
beckoned, the Secret Service moved from fighting
the counterfeiting of paper currency and the forging
of checks, to the protection of funds transferred by
wire.
From wire-fraud, it was a simple skip-and-jump
to what is formally known as "access device fraud."
Congress granted the Secret Service the authority to
investigate "access device fraud" under Title 18 of
the United States Code (U.S.C. Section 1029).
The term "access device" seems intuitively
simple. It's some kind of high-tech gizmo you use to
get money with. It makes good sense to put this sort
of thing in the charge of counterfeiting and wire-
fraud experts.
However, in Section 1029, the term "access
device" is very generously defined. An access device
is: "any card, plate, code, account number, or other
means of account access that can be used, alone or
in conjunction with another access device, to obtain
money, goods, services, or any other thing of value,
or that can be used to initiate a transfer of funds."
"Access device" can therefore be construed to
include credit cards themselves (a popular forgery
item nowadays). It also includes credit card account
*numbers,* those standards of the digital
underground. The same goes for telephone charge
cards (an increasingly popular item with telcos, who
are tired of being robbed of pocket change by
phone-booth thieves). And also telephone access
*codes,* those *other* standards of the digital
underground. (Stolen telephone codes may not
"obtain money," but they certainly do obtain
valuable "services," which is specifically forbidden
by Section 1029.)
We can now see that Section 1029 already pits
the United States Secret Service directly against the
digital underground, without any mention at all of
the word "computer."
Standard phreaking devices, like "blue boxes,"
used to steal phone service from old-fashioned
mechanical switches, are unquestionably
"counterfeit access devices." Thanks to Sec.1029, it
is not only illegal to *use* counterfeit access devices,
but it is even illegal to *build* them. "Producing,"
"designing" "duplicating" or "assembling" blue
boxes are all federal crimes today, and if you do this,
the Secret Service has been charged by Congress to
come after you.
Automatic Teller Machines, which replicated all
over America during the 1980s, are definitely "access
devices," too, and an attempt to tamper with their
punch-in codes and plastic bank cards falls directly
under Sec. 1029.
Section 1029 is remarkably elastic. Suppose you
find a computer password in somebody's trash. That
password might be a "code" -- it's certainly a "means
of account access." Now suppose you log on to a
computer and copy some software for yourself.
You've certainly obtained "service" (computer
service) and a "thing of value" (the software).
Suppose you tell a dozen friends about your swiped
password, and let them use it, too. Now you're
"trafficking in unauthorized access devices." And
when the Prophet, a member of the Legion of Doom,
passed a stolen telephone company document to
Knight Lightning at *Phrack* magazine, they were
both charged under Sec. 1029!
There are two limitations on Section 1029. First,
the offense must "affect interstate or foreign
commerce" in order to become a matter of federal
jurisdiction. The term "affecting commerce" is not
well defined; but you may take it as a given that the
Secret Service can take an interest if you've done
most anything that happens to cross a state line.
State and local police can be touchy about their
jurisdictions, and can sometimes be mulish when
the feds show up. But when it comes to computer-
crime, the local police are pathetically grateful for
federal help -- in fact they complain that they can't
get enough of it. If you're stealing long-distance
service, you're almost certainly crossing state lines,
and you're definitely "affecting the interstate
commerce" of the telcos. And if you're abusing
credit cards by ordering stuff out of glossy catalogs
from, say, Vermont, you're in for it.
The second limitation is money. As a rule, the
feds don't pursue penny-ante offenders. Federal
judges will dismiss cases that appear to waste their
time. Federal crimes must be serious; Section 1029
specifies a minimum loss of a thousand dollars.
We now come to the very next section of Title
18, which is Section 1030, "Fraud and related activity
in connection with computers." This statute gives
the Secret Service direct jurisdiction over acts of
computer intrusion. On the face of it, the Secret
Service would now seem to command the field.
Section 1030, however, is nowhere near so ductile as
Section 1029.
The first annoyance is Section 1030(d), which
reads:
"(d) The United States Secret Service shall, *in
addition to any other agency having such authority,*
have the authority to investigate offenses under this
section. Such authority of the United States Secret
Service shall be exercised in accordance with an
agreement which shall be entered into by the
Secretary of the Treasury *and the Attorney
General.*" (Author's italics.)
The Secretary of the Treasury is the titular head
of the Secret Service, while the Attorney General is
in charge of the FBI. In Section (d), Congress
shrugged off responsibility for the computer-crime
turf-battle between the Service and the Bureau, and
made them fight it out all by themselves. The result
was a rather dire one for the Secret Service, for the
FBI ended up with exclusive jurisdiction over
computer break-ins having to do with national
security, foreign espionage, federally insured banks,
and U.S. military bases, while retaining joint
jurisdiction over all the other computer intrusions.
Essentially, when it comes to Section 1030, the FBI
not only gets the real glamor stuff for itself, but can
peer over the shoulder of the Secret Service and
barge in to meddle whenever it suits them.
The second problem has to do with the dicey
term "Federal interest computer." Section 1030(a)(2)
makes it illegal to "access a computer without
authorization" if that computer belongs to a
financial institution or an issuer of credit cards
(fraud cases, in other words). Congress was quite
willing to give the Secret Service jurisdiction over
money-transferring computers, but Congress balked
at letting them investigate any and all computer
intrusions. Instead, the USSS had to settle for the
money machines and the "Federal interest
computers." A "Federal interest computer" is a
computer which the government itself owns, or is
using. Large networks of interstate computers,
linked over state lines, are also considered to be of
"Federal interest." (This notion of "Federal interest"
is legally rather foggy and has never been clearly
defined in the courts. The Secret Service has never
yet had its hand slapped for investigating computer
break-ins that were *not* of "Federal interest," but
conceivably someday this might happen.)
So the Secret Service's authority over
"unauthorized access" to computers covers a lot of
territory, but by no means the whole ball of
cyberspatial wax. If you are, for instance, a *local*
computer retailer, or the owner of a *local* bulletin
board system, then a malicious *local* intruder can
break in, crash your system, trash your files and
scatter viruses, and the U.S. Secret Service cannot
do a single thing about it.
At least, it can't do anything *directly.* But the
Secret Service will do plenty to help the local people
who can.
The FBI may have dealt itself an ace off the
bottom of the deck when it comes to Section 1030;
but that's not the whole story; that's not the street.
What's Congress thinks is one thing, and Congress
has been known to change its mind. The *real* turf-
struggle is out there in the streets where it's
happening. If you're a local street-cop with a
computer problem, the Secret Service wants you to
know where you can find the real expertise. While
the Bureau crowd are off having their favorite shoes
polished -- (wing-tips) -- and making derisive fun of
the Service's favorite shoes -- ("pansy-ass tassels") --
the tassel-toting Secret Service has a crew of ready-
and-able hacker-trackers installed in the capital of
every state in the Union. Need advice? They'll give
you advice, or at least point you in the right
direction. Need training? They can see to that, too.
If you're a local cop and you call in the FBI, the
FBI (as is widely and slanderously rumored) will
order you around like a coolie, take all the credit for
your busts, and mop up every possible scrap of
reflected glory. The Secret Service, on the other
hand, doesn't brag a lot. They're the quiet types.
*Very* quiet. Very cool. Efficient. High-tech.
Mirrorshades, icy stares, radio ear-plugs, an Uzi
machine-pistol tucked somewhere in that well-cut
jacket. American samurai, sworn to give their lives
to protect our President. "The granite agents."
Trained in martial arts, absolutely fearless. Every
single one of 'em has a top-secret security clearance.
Something goes a little wrong, you're not gonna hear
any whining and moaning and political buck-
passing out of these guys.
The facade of the granite agent is not, of course,
the reality. Secret Service agents are human beings.
And the real glory in Service work is not in battling
computer crime -- not yet, anyway -- but in
protecting the President. The real glamour of Secret
Service work is in the White House Detail. If you're
at the President's side, then the kids and the wife see
you on television; you rub shoulders with the most
powerful people in the world. That's the real heart
of Service work, the number one priority. More than
one computer investigation has stopped dead in the
water when Service agents vanished at the
President's need.
There's romance in the work of the Service. The
intimate access to circles of great power; the esprit-
de-corps of a highly trained and disciplined elite; the
high responsibility of defending the Chief Executive;
the fulfillment of a patriotic duty. And as police
work goes, the pay's not bad. But there's squalor in
Service work, too. You may get spat upon by
protesters howling abuse -- and if they get violent, if
they get too close, sometimes you have to knock one
of them down -- discreetly.
The real squalor in Service work is drudgery
such as "the quarterlies," traipsing out four times a
year, year in, year out, to interview the various
pathetic wretches, many of them in prisons and
asylums, who have seen fit to threaten the
President's life. And then there's the grinding stress
of searching all those faces in the endless bustling
crowds, looking for hatred, looking for psychosis,
looking for the tight, nervous face of an Arthur
Bremer, a Squeaky Fromme, a Lee Harvey Oswald.
It's watching all those grasping, waving hands for
sudden movements, while your ears strain at your
radio headphone for the long-rehearsed cry of
"Gun!"
It's poring, in grinding detail, over the
biographies of every rotten loser who ever shot at a
President. It's the unsung work of the Protective
Research Section, who study scrawled, anonymous
death threats with all the meticulous tools of anti-
forgery techniques.
And it's maintaining the hefty computerized
files on anyone who ever threatened the President's
life. Civil libertarians have become increasingly
concerned at the Government's use of computer
files to track American citizens -- but the Secret
Service file of potential Presidential assassins, which
has upward of twenty thousand names, rarely
causes a peep of protest. If you *ever* state that you
intend to kill the President, the Secret Service will
want to know and record who you are, where you are,
what you are, and what you're up to. If you're a
serious threat -- if you're officially considered "of
protective interest" -- then the Secret Service may
well keep tabs on you for the rest of your natural life.
Protecting the President has first call on all the
Service's resources. But there's a lot more to the
Service's traditions and history than standing guard
outside the Oval Office.
The Secret Service is the nation's oldest general
federal law-enforcement agency. Compared to the
Secret Service, the FBI are new-hires and the CIA
are temps. The Secret Service was founded 'way
back in 1865, at the suggestion of Hugh McCulloch,
Abraham Lincoln's Secretary of the Treasury.
McCulloch wanted a specialized Treasury police to
combat counterfeiting. Abraham Lincoln agreed
that this seemed a good idea, and, with a terrible
irony, Abraham Lincoln was shot that very night by
John Wilkes Booth.
The Secret Service originally had nothing to do
with protecting Presidents. They didn't take this on
as a regular assignment until after the Garfield
assassination in 1881. And they didn't get any
Congressional money for it until President McKinley
was shot in 1901. The Service was originally
designed for one purpose: destroying counterfeiters.
#
There are interesting parallels between the
Service's nineteenth-century entry into
counterfeiting, and America's twentieth-century
entry into computer-crime.
In 1865, America's paper currency was a terrible
muddle. Security was drastically bad. Currency was
printed on the spot by local banks in literally
hundreds of different designs. No one really knew
what the heck a dollar bill was supposed to look like.
Bogus bills passed easily. If some joker told you that
a one-dollar bill from the Railroad Bank of Lowell,
Massachusetts had a woman leaning on a shield,
with a locomotive, a cornucopia, a compass, various
agricultural implements, a railroad bridge, and
some factories, then you pretty much had to take his
word for it. (And in fact he was telling the truth!)
*Sixteen hundred* local American banks
designed and printed their own paper currency, and
there were no general standards for security. Like a
badly guarded node in a computer network, badly
designed bills were easy to fake, and posed a
security hazard for the entire monetary system.
No one knew the exact extent of the threat to
the currency. There were panicked estimates that as
much as a third of the entire national currency was
faked. Counterfeiters -- known as "boodlers" in the
underground slang of the time -- were mostly
technically skilled printers who had gone to the bad.
Many had once worked printing legitimate currency.
Boodlers operated in rings and gangs. Technical
experts engraved the bogus plates -- commonly in
basements in New York City. Smooth confidence
men passed large wads of high-quality, high-
denomination fakes, including the really
sophisticated stuff -- government bonds, stock
certificates, and railway shares. Cheaper, botched
fakes were sold or sharewared to low-level gangs of
boodler wannabes. (The really cheesy lowlife
boodlers merely upgraded real bills by altering face
values, changing ones to fives, tens to hundreds, and
so on.)
The techniques of boodling were little-known
and regarded with a certain awe by the mid-
nineteenth-century public. The ability to
manipulate the system for rip-off seemed
diabolically clever. As the skill and daring of the
boodlers increased, the situation became
intolerable. The federal government stepped in,
and began offering its own federal currency, which
was printed in fancy green ink, but only on the back -
- the original "greenbacks." And at first, the
improved security of the well-designed, well-printed
federal greenbacks seemed to solve the problem;
but then the counterfeiters caught on. Within a few
years things were worse than ever: a *centralized*
system where *all* security was bad!
The local police were helpless. The
Government tried offering blood money to potential
informants, but this met with little success. Banks,
plagued by boodling, gave up hope of police help
and hired private security men instead. Merchants
and bankers queued up by the thousands to buy
privately-printed manuals on currency security, slim
little books like Laban Heath's *Infallible
Government Counterfeit Detector.* The back of the
book offered Laban Heath's patent microscope for
five bucks.
Then the Secret Service entered the picture.
The first agents were a rough and ready crew. Their
chief was one William P. Wood, a former guerilla in
the Mexican War who'd won a reputation busting
contractor fraudsters for the War Department
during the Civil War. Wood, who was also Keeper
of the Capital Prison, had a sideline as a
counterfeiting expert, bagging boodlers for the
federal bounty money.
Wood was named Chief of the new Secret
Service in July 1865. There were only ten Secret
Service agents in all: Wood himself, a handful
who'd worked for him in the War Department, and a
few former private investigators -- counterfeiting
experts -- whom Wood had won over to public
service. (The Secret Service of 1865 was much the
size of the Chicago Computer Fraud Task Force or
the Arizona Racketeering Unit of 1990.) These ten
"Operatives" had an additional twenty or so
"Assistant Operatives" and "Informants." Besides
salary and per diem, each Secret Service employee
received a whopping twenty-five dollars for each
boodler he captured.
Wood himself publicly estimated that at least
*half* of America's currency was counterfeit, a
perhaps pardonable perception. Within a year the
Secret Service had arrested over 200 counterfeiters.
They busted about two hundred boodlers a year for
four years straight.
Wood attributed his success to travelling fast
and light, hitting the bad-guys hard, and avoiding
bureaucratic baggage. "Because my raids were
made without military escort and I did not ask the
assistance of state officers, I surprised the
professional counterfeiter."
Wood's social message to the once-impudent
boodlers bore an eerie ring of Sundevil: "It was also
my purpose to convince such characters that it
would no longer be healthy for them to ply their
vocation without being handled roughly, a fact they
soon discovered."
William P. Wood, the Secret Service's guerilla
pioneer, did not end well. He succumbed to the lure
of aiming for the really big score. The notorious
Brockway Gang of New York City, headed by
William E. Brockway, the "King of the
Counterfeiters," had forged a number of
government bonds. They'd passed these brilliant
fakes on the prestigious Wall Street investment firm
of Jay Cooke and Company. The Cooke firm were
frantic and offered a huge reward for the forgers'
plates.
Laboring diligently, Wood confiscated the
plates (though not Mr. Brockway) and claimed the
reward. But the Cooke company treacherously
reneged. Wood got involved in a down-and-dirty
lawsuit with the Cooke capitalists. Wood's boss,
Secretary of the Treasury McCulloch, felt that
Wood's demands for money and glory were
unseemly, and even when the reward money finally
came through, McCulloch refused to pay Wood
anything. Wood found himself mired in a
seemingly endless round of federal suits and
Congressional lobbying.
Wood never got his money. And he lost his job
to boot. He resigned in 1869.
Wood's agents suffered, too. On May 12, 1869,
the second Chief of the Secret Service took over, and
almost immediately fired most of Wood's pioneer
Secret Service agents: Operatives, Assistants and
Informants alike. The practice of receiving $25 per
crook was abolished. And the Secret Service began
the long, uncertain process of thorough
professionalization.
Wood ended badly. He must have felt stabbed
in the back. In fact his entire organization was
mangled.
On the other hand, William P. Wood *was* the
first head of the Secret Service. William Wood was
the pioneer. People still honor his name. Who
remembers the name of the *second* head of the
Secret Service?
As for William Brockway (also known as
"Colonel Spencer"), he was finally arrested by the
Secret Service in 1880. He did five years in prison,
got out, and was still boodling at the age of seventy-
four.
#
Anyone with an interest in Operation Sundevil -
- or in American computer-crime generally -- could
scarcely miss the presence of Gail Thackeray,
Assistant Attorney General of the State of Arizona.
Computer-crime training manuals often cited
Thackeray's group and her work; she was the
highest-ranking state official to specialize in
computer-related offenses. Her name had been on
the Sundevil press release (though modestly ranked
well after the local federal prosecuting attorney and
the head of the Phoenix Secret Service office).
As public commentary, and controversy, began
to mount about the Hacker Crackdown, this
Arizonan state official began to take a higher and
higher public profile. Though uttering almost
nothing specific about the Sundevil operation itself,
she coined some of the most striking soundbites of
the growing propaganda war: "Agents are operating
in good faith, and I don't think you can say that for
the hacker community," was one. Another was the
memorable "I am not a mad dog prosecutor"
(*Houston Chronicle,* Sept 2, 1990.) In the
meantime, the Secret Service maintained its usual
extreme discretion; the Chicago Unit, smarting from
the backlash of the Steve Jackson scandal, had gone
completely to earth.
As I collated my growing pile of newspaper
clippings, Gail Thackeray ranked as a comparative
fount of public knowledge on police operations.
I decided that I had to get to know Gail
Thackeray. I wrote to her at the Arizona Attorney
General's Office. Not only did she kindly reply to
me, but, to my astonishment, she knew very well
what "cyberpunk" science fiction was.
Shortly after this, Gail Thackeray lost her job.
And I temporarily misplaced my own career as a
science-fiction writer, to become a full-time
computer-crime journalist. In early March, 1991, I
flew to Phoenix, Arizona, to interview Gail Thackeray
for my book on the hacker crackdown.
#
"Credit cards didn't used to cost anything to
get," says Gail Thackeray. "Now they cost forty
bucks -- and that's all just to cover the costs from
*rip-off artists.*"
Electronic nuisance criminals are parasites.
One by one they're not much harm, no big deal. But
they never come just one by one. They come in
swarms, heaps, legions, sometimes whole
subcultures. And they bite. Every time we buy a
credit card today, we lose a little financial vitality to a
particular species of bloodsucker.
What, in her expert opinion, are the worst forms
of electronic crime, I ask, consulting my notes. Is it --
credit card fraud? Breaking into ATM bank
machines? Phone-phreaking? Computer
intrusions? Software viruses? Access-code theft?
Records tampering? Software piracy? Pornographic
bulletin boards? Satellite TV piracy? Theft of cable
service? It's a long list. By the time I reach the end
of it I feel rather depressed.
"Oh no," says Gail Thackeray, leaning forward
over the table, her whole body gone stiff with
energetic indignation, "the biggest damage is
telephone fraud. Fake sweepstakes, fake charities.
Boiler-room con operations. You could pay off the
national debt with what these guys steal.... They
target old people, they get hold of credit ratings and
demographics, they rip off the old and the weak."
The words come tumbling out of her.
It's low-tech stuff, your everyday boiler-room
fraud. Grifters, conning people out of money over
the phone, have been around for decades. This is
where the word "phony" came from!
It's just that it's so much *easier* now, horribly
facilitated by advances in technology and the
byzantine structure of the modern phone system.
The same professional fraudsters do it over and
over, Thackeray tells me, they hide behind dense
onion-shells of fake companies.... fake holding
corporations nine or ten layers deep, registered all
over the map. They get a phone installed under a
false name in an empty safe-house. And then they
call-forward everything out of that phone to yet
another phone, a phone that may even be in
another *state.* And they don't even pay the
charges on their phones; after a month or so, they
just split. Set up somewhere else in another
Podunkville with the same seedy crew of veteran
phone-crooks. They buy or steal commercial credit
card reports, slap them on the PC, have a program
pick out people over sixty-five who pay a lot to
charities. A whole subculture living off this,
merciless folks on the con.
"The 'light-bulbs for the blind' people,"
Thackeray muses, with a special loathing. "There's
just no end to them."
We're sitting in a downtown diner in Phoenix,
Arizona. It's a tough town, Phoenix. A state capital
seeing some hard times. Even to a Texan like
myself, Arizona state politics seem rather baroque.
There was, and remains, endless trouble over the
Martin Luther King holiday, the sort of stiff-necked,
foot-shooting incident for which Arizona politics
seem famous. There was Evan Mecham, the
eccentric Republican millionaire governor who was
impeached, after reducing state government to a
ludicrous shambles. Then there was the national
Keating scandal, involving Arizona savings and
loans, in which both of Arizona's U.S. senators,
DeConcini and McCain, played sadly prominent
roles.
And the very latest is the bizarre AzScam case,
in which state legislators were videotaped, eagerly
taking cash from an informant of the Phoenix city
police department, who was posing as a Vegas
mobster.
"Oh," says Thackeray cheerfully. "These people
are amateurs here, they thought they were finally
getting to play with the big boys. They don't have the
least idea how to take a bribe! It's not institutional
corruption. It's not like back in Philly."
Gail Thackeray was a former prosecutor in
Philadelphia. Now she's a former assistant attorney
general of the State of Arizona. Since moving to
Arizona in 1986, she had worked under the aegis of
Steve Twist, her boss in the Attorney General's
office. Steve Twist wrote Arizona's pioneering
computer crime laws and naturally took an interest
in seeing them enforced. It was a snug niche, and
Thackeray's Organized Crime and Racketeering
Unit won a national reputation for ambition and
technical knowledgeability.... Until the latest
election in Arizona. Thackeray's boss ran for the top
job, and lost. The victor, the new Attorney General,
apparently went to some pains to eliminate the
bureaucratic traces of his rival, including his pet
group -- Thackeray's group. Twelve people got their
walking papers.
Now Thackeray's painstakingly assembled
computer lab sits gathering dust somewhere in the
glass-and-concrete Attorney General's HQ on 1275
Washington Street. Her computer-crime books, her
painstakingly garnered back issues of phreak and
hacker zines, all bought at her own expense -- are
piled in boxes somewhere. The State of Arizona is
simply not particularly interested in electronic
racketeering at the moment.
At the moment of our interview, Gail Thackeray,
officially unemployed, is working out of the county
sheriff's office, living on her savings, and prosecuting
several cases -- working 60-hour weeks, just as always
-- for no pay at all. "I'm trying to train people," she
mutters.
Half her life seems to be spent training people -
- merely pointing out, to the naive and incredulous
(such as myself) that this stuff is *actually going on
out there.* It's a small world, computer crime. A
young world. Gail Thackeray, a trim blonde Baby-
Boomer who favors Grand Canyon white-water
rafting to kill some slow time, is one of the world's
most senior, most veteran "hacker-trackers." Her
mentor was Donn Parker, the California think-tank
theorist who got it all started 'way back in the mid-
70s, the "grandfather of the field," "the great bald
eagle of computer crime."
And what she has learned, Gail Thackeray
teaches. Endlessly. Tirelessly. To anybody. To
Secret Service agents and state police, at the Glynco,
Georgia federal training center. To local police, on
"roadshows" with her slide projector and notebook.
To corporate security personnel. To journalists. To
parents.
Even *crooks* look to Gail Thackeray for advice.
Phone-phreaks call her at the office. They know very
well who she is. They pump her for information on
what the cops are up to, how much they know.
Sometimes whole *crowds* of phone phreaks,
hanging out on illegal conference calls, will call Gail
Thackeray up. They taunt her. And, as always, they
boast. Phone-phreaks, real stone phone-phreaks,
simply *cannot shut up.* They natter on for hours.
Left to themselves, they mostly talk about the
intricacies of ripping-off phones; it's about as
interesting as listening to hot-rodders talk about
suspension and distributor-caps. They also gossip
cruelly about each other. And when talking to Gail
Thackeray, they incriminate themselves. "I have
tapes," Thackeray says coolly.
Phone phreaks just talk like crazy. "Dial-Tone"
out in Alabama has been known to spend half-an-
hour simply reading stolen phone-codes aloud into
voice-mail answering machines. Hundreds,
thousands of numbers, recited in a monotone,
without a break -- an eerie phenomenon. When
arrested, it's a rare phone phreak who doesn't
inform at endless length on everybody he knows.
Hackers are no better. What other group of
criminals, she asks rhetorically, publishes
newsletters and holds conventions? She seems
deeply nettled by the sheer brazenness of this
behavior, though to an outsider, this activity might
make one wonder whether hackers should be
considered "criminals" at all. Skateboarders have
magazines, and they trespass a lot. Hot rod people
have magazines and they break speed limits and
sometimes kill people....
I ask her whether it would be any loss to society
if phone phreaking and computer hacking, as
hobbies, simply dried up and blew away, so that
nobody ever did it again.
She seems surprised. "No," she says swiftly.
"Maybe a little... in the old days... the MIT stuff... But
there's a lot of wonderful, legal stuff you can do with
computers now, you don't have to break into
somebody else's just to learn. You don't have that
excuse. You can learn all you like."
Did you ever hack into a system? I ask.
The trainees do it at Glynco. Just to
demonstrate system vulnerabilities. She's cool to
the notion. Genuinely indifferent.
"What kind of computer do you have?"
"A Compaq 286LE," she mutters.
"What kind do you *wish* you had?"
At this question, the unmistakable light of true
hackerdom flares in Gail Thackeray's eyes. She
becomes tense, animated, the words pour out: "An
Amiga 2000 with an IBM card and Mac emulation!
The most common hacker machines are Amigas
and Commodores. And Apples." If she had the
Amiga, she enthuses, she could run a whole galaxy
of seized computer-evidence disks on one
convenient multifunctional machine. A cheap one,
too. Not like the old Attorney General lab, where
they had an ancient CP/M machine, assorted
Amiga flavors and Apple flavors, a couple IBMS, all
the utility software... but no Commodores. The
workstations down at the Attorney General's are
Wang dedicated word-processors. Lame machines
tied in to an office net -- though at least they get on-
line to the Lexis and Westlaw legal data services.
I don't say anything. I recognize the syndrome,
though. This computer-fever has been running
through segments of our society for years now. It's a
strange kind of lust: K-hunger, Meg-hunger; but it's
a shared disease; it can kill parties dead, as
conversation spirals into the deepest and most
deviant recesses of software releases and expensive
peripherals.... The mark of the hacker beast. I have
it too. The whole "electronic community," whatever
the hell that is, has it. Gail Thackeray has it. Gail
Thackeray is a hacker cop. My immediate reaction
is a strong rush of indignant pity: *why doesn't
somebody buy this woman her Amiga?!* It's not
like she's asking for a Cray X-MP supercomputer
mainframe; an Amiga's a sweet little cookie-box
thing. We're losing zillions in organized fraud;
prosecuting and defending a single hacker case in
court can cost a hundred grand easy. How come
nobody can come up with four lousy grand so this
woman can do her job? For a hundred grand we
could buy every computer cop in America an Amiga.
There aren't that many of 'em.
Computers. The lust, the hunger, for
computers. The loyalty they inspire, the intense
sense of possessiveness. The culture they have
bred. I myself am sitting in downtown Phoenix,
Arizona because it suddenly occurred to me that the
police might -- just *might* -- come and take away
my computer. The prospect of this, the mere
*implied threat,* was unbearable. It literally
changed my life. It was changing the lives of many
others. Eventually it would change everybody's life.
Gail Thackeray was one of the top computer-
crime people in America. And I was just some
novelist, and yet I had a better computer than hers.
*Practically everybody I knew* had a better
computer than Gail Thackeray and her feeble
laptop 286. It was like sending the sheriff in to clean
up Dodge City and arming her with a slingshot cut
from an old rubber tire.
But then again, you don't need a howitzer to
enforce the law. You can do a lot just with a badge.
With a badge alone, you can basically wreak havoc,
take a terrible vengeance on wrongdoers. Ninety
percent of "computer crime investigation" is just
"crime investigation:" names, places, dossiers,
modus operandi, search warrants, victims,
complainants, informants...
What will computer crime look like in ten
years? Will it get better? Did "Sundevil" send 'em
reeling back in confusion?
It'll be like it is now, only worse, she tells me
with perfect conviction. Still there in the
background, ticking along, changing with the times:
the criminal underworld. It'll be like drugs are. Like
our problems with alcohol. All the cops and laws in
the world never solved our problems with alcohol. If
there's something people want, a certain percentage
of them are just going to take it. Fifteen percent of
the populace will never steal. Fifteen percent will
steal most anything not nailed down. The battle is
for the hearts and minds of the remaining seventy
percent.
And criminals catch on fast. If there's not "too
steep a learning curve" -- if it doesn't require a
baffling amount of expertise and practice -- then
criminals are often some of the first through the gate
of a new technology. Especially if it helps them to
hide. They have tons of cash, criminals. The new
communications tech -- like pagers, cellular phones,
faxes, Federal Express -- were pioneered by rich
corporate people, and by criminals. In the early
years of pagers and beepers, dope dealers were so
enthralled this technology that owing a beeper was
practically prima facie evidence of cocaine dealing.
CB radio exploded when the speed limit hit 55 and
breaking the highway law became a national
pastime. Dope dealers send cash by Federal
Express, despite, or perhaps *because of,* the
warnings in FedEx offices that tell you never to try
this. Fed Ex uses X-rays and dogs on their mail, to
stop drug shipments. That doesn't work very well.
Drug dealers went wild over cellular phones.
There are simple methods of faking ID on cellular
phones, making the location of the call mobile, free
of charge, and effectively untraceable. Now
victimized cellular companies routinely bring in vast
toll-lists of calls to Colombia and Pakistan.
Judge Greene's fragmentation of the phone
company is driving law enforcement nuts. Four
thousand telecommunications companies. Fraud
skyrocketing. Every temptation in the world
available with a phone and a credit card number.
Criminals untraceable. A galaxy of "new neat rotten
things to do."
If there were one thing Thackeray would like to
have, it would be an effective legal end-run through
this new fragmentation minefield.
It would be a new form of electronic search
warrant, an "electronic letter of marque" to be issued
by a judge. It would create a new category of
"electronic emergency." Like a wiretap, its use
would be rare, but it would cut across state lines and
force swift cooperation from all concerned. Cellular,
phone, laser, computer network, PBXes, AT&T, Baby
Bells, long-distance entrepreneurs, packet radio.
Some document, some mighty court-order, that
could slice through four thousand separate forms of
corporate red-tape, and get her at once to the source
of calls, the source of email threats and viruses, the
sources of bomb threats, kidnapping threats. "From
now on," she says, "the Lindberg baby will always
die."
Something that would make the Net sit still, if
only for a moment. Something that would get her up
to speed. Seven league boots. That's what she really
needs. "Those guys move in nanoseconds and I'm
on the Pony Express."
And then, too, there's the coming international
angle. Electronic crime has never been easy to
localize, to tie to a physical jurisdiction. And phone-
phreaks and hackers loathe boundaries, they jump
them whenever they can. The English. The Dutch.
And the Germans, especially the ubiquitous Chaos
Computer Club. The Australians. They've all
learned phone-phreaking from America. It's a
growth mischief industry. The multinational
networks are global, but governments and the police
simply aren't. Neither are the laws. Or the legal
frameworks for citizen protection.
One language is global, though -- English.
Phone phreaks speak English; it's their native
tongue even if they're Germans. English may have
started in England but now it's the Net language; it
might as well be called "CNNese."
Asians just aren't much into phone phreaking.
They're the world masters at organized software
piracy. The French aren't into phone-phreaking
either. The French are into computerized industrial
espionage.
In the old days of the MIT righteous
hackerdom, crashing systems didn't hurt anybody.
Not all that much, anyway. Not permanently. Now
the players are more venal. Now the consequences
are worse. Hacking will begin killing people soon.
Already there are methods of stacking calls onto 911
systems, annoying the police, and possibly causing
the death of some poor soul calling in with a genuine
emergency. Hackers in Amtrak computers, or air-
traffic control computers, will kill somebody
someday. Maybe a lot of people. Gail Thackeray
expects it.
And the viruses are getting nastier. The "Scud"
virus is the latest one out. It wipes hard-disks.
According to Thackeray, the idea that phone-
phreaks are Robin Hoods is a fraud. They don't
deserve this repute. Basically, they pick on the
weak. AT&T now protects itself with the fearsome
ANI (Automatic Number Identification) trace
capability. When AT&T wised up and tightened
security generally, the phreaks drifted into the Baby
Bells. The Baby Bells lashed out in 1989 and 1990, so
the phreaks switched to smaller long-distance
entrepreneurs. Today, they are moving into locally
owned PBXes and voice-mail systems, which are full
of security holes, dreadfully easy to hack. These
victims aren't the moneybags Sheriff of Nottingham
or Bad King John, but small groups of innocent
people who find it hard to protect themselves, and
who really suffer from these depredations. Phone
phreaks pick on the weak. They do it for power. If it
were legal, they wouldn't do it. They don't want
service, or knowledge, they want the thrill of power-
tripping. There's plenty of knowledge or service
around, if you're willing to pay. Phone phreaks don't
pay, they steal. It's because it is illegal that it feels
like power, that it gratifies their vanity.
I leave Gail Thackeray with a handshake at the
door of her office building -- a vast International-
Style office building downtown. The Sheriff's office is
renting part of it. I get the vague impression that
quite a lot of the building is empty -- real estate
crash.
In a Phoenix sports apparel store, in a downtown
mall, I meet the "Sun Devil" himself. He is the
cartoon mascot of Arizona State University, whose
football stadium, "Sundevil," is near the local Secret
Service HQ -- hence the name Operation Sundevil.
The Sun Devil himself is named "Sparky." Sparky
the Sun Devil is maroon and bright yellow, the
school colors. Sparky brandishes a three-tined
yellow pitchfork. He has a small mustache, pointed
ears, a barbed tail, and is dashing forward jabbing
the air with the pitchfork, with an expression of
devilish glee.
Phoenix was the home of Operation Sundevil.
The Legion of Doom ran a hacker bulletin board
called "The Phoenix Project." An Australian hacker
named "Phoenix" once burrowed through the
Internet to attack Cliff Stoll, then bragged and
boasted about it to *The New York Times.* This net
of coincidence is both odd and meaningless.
The headquarters of the Arizona Attorney
General, Gail Thackeray's former workplace, is on
1275 Washington Avenue. Many of the downtown
streets in Phoenix are named after prominent
American presidents: Washington, Jefferson,
Madison....
After dark, all the employees go home to their
suburbs. Washington, Jefferson and Madison --
what would be the Phoenix inner city, if there were
an inner city in this sprawling automobile-bred town
-- become the haunts of transients and derelicts.
The homeless. The sidewalks along Washington are
lined with orange trees. Ripe fallen fruit lies
scattered like croquet balls on the sidewalks and
gutters. No one seems to be eating them. I try a
fresh one. It tastes unbearably bitter.
The Attorney General's office, built in 1981
during the Babbitt administration, is a long low two-
story building of white cement and wall-sized sheets
of curtain-glass. Behind each glass wall is a lawyer's
office, quite open and visible to anyone strolling by.
Across the street is a dour government building
labelled simply ECONOMIC SECURITY, something
that has not been in great supply in the American
Southwest lately.
The offices are about twelve feet square. They
feature tall wooden cases full of red-spined
lawbooks; Wang computer monitors; telephones;
Post-it notes galore. Also framed law diplomas and a
general excess of bad Western landscape art. Ansel
Adams photos are a big favorite, perhaps to
compensate for the dismal specter of the parking-
lot, two acres of striped black asphalt, which features
gravel landscaping and some sickly-looking barrel
cacti.
It has grown dark. Gail Thackeray has told me
that the people who work late here, are afraid of
muggings in the parking lot. It seems cruelly ironic
that a woman tracing electronic racketeers across
the interstate labyrinth of Cyberspace should fear
an assault by a homeless derelict in the parking lot
of her own workplace.
Perhaps this is less than coincidence. Perhaps
these two seemingly disparate worlds are somehow
generating one another. The poor and
disenfranchised take to the streets, while the rich
and computer-equipped, safe in their bedrooms,
chatter over their modems. Quite often the derelicts
kick the glass out and break in to the lawyers' offices,
if they see something they need or want badly
enough.
I cross the parking lot to the street behind the
Attorney General's office. A pair of young tramps
are bedding down on flattened sheets of cardboard,
under an alcove stretching over the sidewalk. One
tramp wears a glitter-covered T-shirt reading
"CALIFORNIA" in Coca-Cola cursive. His nose and
cheeks look chafed and swollen; they glisten with
what seems to be Vaseline. The other tramp has a
ragged long-sleeved shirt and lank brown hair
parted in the middle. They both wear blue jeans
coated in grime. They are both drunk.
"You guys crash here a lot?" I ask them.
They look at me warily. I am wearing black
jeans, a black pinstriped suit jacket and a black silk
tie. I have odd shoes and a funny haircut.
"It's our first time here," says the red-nosed
tramp unconvincingly. There is a lot of cardboard
stacked here. More than any two people could use.
"We usually stay at the Vinnie's down the
street," says the brown-haired tramp, puffing a
Marlboro with a meditative air, as he sprawls with his
head on a blue nylon backpack. "The Saint
Vincent's."
"You know who works in that building over
there?" I ask, pointing.
The brown-haired tramp shrugs. "Some kind of
attorneys, it says."
` We urge one another to take it easy. I give
them five bucks.
A block down the street I meet a vigorous
workman who is wheeling along some kind of
industrial trolley; it has what appears to be a tank of
propane on it.
We make eye contact. We nod politely. I walk
past him. "Hey! Excuse me sir!" he says.
"Yes?" I say, stopping and turning.
"Have you seen," the guy says rapidly, "a black
guy, about 6'7", scars on both his cheeks like this --"
he gestures -- "wears a black baseball cap on
backwards, wandering around here anyplace?"
"Sounds like I don't much *want* to meet him," I
say.
"He took my wallet," says my new acquaintance.
"Took it this morning. Y'know, some people would
be *scared* of a guy like that. But I'm not scared.
I'm from Chicago. I'm gonna hunt him down. We
do things like that in Chicago."
"Yeah?"
"I went to the cops and now he's got an APB out
on his ass," he says with satisfaction. "You run into
him, you let me know."
"Okay," I say. "What is your name, sir?"
"Stanley...."
"And how can I reach you?"
"Oh," Stanley says, in the same rapid voice, "you
don't have to reach, uh, me. You can just call the
cops. Go straight to the cops." He reaches into a
pocket and pulls out a greasy piece of pasteboard.
"See, here's my report on him."
I look. The "report," the size of an index card, is
labelled PRO-ACT: Phoenix Residents Opposing
Active Crime Threat.... or is it Organized Against
Crime Threat? In the darkening street it's hard to
read. Some kind of vigilante group? Neighborhood
watch? I feel very puzzled.
"Are you a police officer, sir?"
He smiles, seems very pleased by the question.
"No," he says.
` "But you are a 'Phoenix Resident?'"
"Would you believe a homeless person,"
Stanley says.
"Really? But what's with the..." For the first
time I take a close look at Stanley's trolley. It's a
rubber-wheeled thing of industrial metal, but the
device I had mistaken for a tank of propane is in fact
a water-cooler. Stanley also has an Army duffel-bag,
stuffed tight as a sausage with clothing or perhaps a
tent, and, at the base of his trolley, a cardboard box
and a battered leather briefcase.
"I see," I say, quite at a loss. For the first time I
notice that Stanley has a wallet. He has not lost his
wallet at all. It is in his back pocket and chained to
his belt. It's not a new wallet. It seems to have seen
a lot of wear.
"Well, you know how it is, brother," says Stanley.
Now that I know that he is homeless -- *a possible
threat* -- my entire perception of him has changed
in an instant. His speech, which once seemed just
bright and enthusiastic, now seems to have a
dangerous tang of mania. "I have to do this!" he
assures me. "Track this guy down... It's a thing I do...
you know... to keep myself together!" He smiles,
nods, lifts his trolley by its decaying rubber
handgrips.
"Gotta work together, y'know, " Stanley booms,
his face alight with cheerfulness, "the police can't do
everything!"
The gentlemen I met in my stroll in downtown
Phoenix are the only computer illiterates in this
book. To regard them as irrelevant, however, would
be a grave mistake.
As computerization spreads across society, the
populace at large is subjected to wave after wave of
future shock. But, as a necessary converse, the
"computer community" itself is subjected to wave
after wave of incoming computer illiterates. How
will those currently enjoying America's digital
bounty regard, and treat, all this teeming refuse
yearning to breathe free? Will the electronic
frontier be another Land of Opportunity -- or an
armed and monitored enclave, where the
disenfranchised snuggle on their cardboard at the
locked doors of our houses of justice?
Some people just don't get along with
computers. They can't read. They can't type. They
just don't have it in their heads to master arcane
instructions in wirebound manuals. Somewhere,
the process of computerization of the populace will
reach a limit. Some people -- quite decent people
maybe, who might have thrived in any other
situation -- will be left irretrievably outside the
bounds. What's to be done with these people, in
the bright new shiny electroworld? How will they be
regarded, by the mouse-whizzing masters of
cyberspace? With contempt? Indifference? Fear?
In retrospect, it astonishes me to realize how
quickly poor Stanley became a perceived threat.
Surprise and fear are closely allied feelings. And the
world of computing is full of surprises.
I met one character in the streets of Phoenix
whose role in those book is supremely and directly
relevant. That personage was Stanley's giant
thieving scarred phantom. This phantasm is
everywhere in this book. He is the specter haunting
cyberspace.
Sometimes he's a maniac vandal ready to
smash the phone system for no sane reason at all.
Sometimes he's a fascist fed, coldly programming
his mighty mainframes to destroy our Bill of Rights.
Sometimes he's a telco bureaucrat, covertly
conspiring to register all modems in the service of
an Orwellian surveillance regime. Mostly, though,
this fearsome phantom is a "hacker." He's strange,
he doesn't belong, he's not authorized, he doesn't
smell right, he's not keeping his proper place, he's
not one of us. The focus of fear is the hacker, for
much the same reasons that Stanley's fancied
assailant is black.
Stanley's demon can't go away, because he
doesn't exist. Despite singleminded and
tremendous effort, he can't be arrested, sued, jailed,
or fired. The only constructive way to do *anything*
about him is to learn more about Stanley himself.
This learning process may be repellent, it may be
ugly, it may involve grave elements of paranoiac
confusion, but it's necessary. Knowing Stanley
requires something more than class-crossing
condescension. It requires more than steely legal
objectivity. It requires human compassion and
sympathy.
To know Stanley is to know his demon. If you
know the other guy's demon, then maybe you'll
come to know some of your own. You'll be able to
separate reality from illusion. And then you won't
do your cause, and yourself, more harm than good.
Like poor damned Stanley from Chicago did.
#
The Federal Computer Investigations
Committee (FCIC) is the most important and
influential organization in the realm of American
computer-crime. Since the police of other countries
have largely taken their computer-crime cues from
American methods, the FCIC might well be called
the most important computer crime group in the
world.
It is also, by federal standards, an organization
of great unorthodoxy. State and local investigators
mix with federal agents. Lawyers, financial auditors
and computer-security programmers trade notes
with street cops. Industry vendors and telco security
people show up to explain their gadgetry and plead
for protection and justice. Private investigators,
think-tank experts and industry pundits throw in
their two cents' worth. The FCIC is the antithesis of
a formal bureaucracy.
Members of the FCIC are obscurely proud of
this fact; they recognize their group as aberrant, but
are entirely convinced that this, for them, outright
*weird* behavior is nevertheless *absolutely
necessary* to get their jobs done.
FCIC regulars -- from the Secret Service, the
FBI, the IRS, the Department of Labor, the offices of
federal attorneys, state police, the Air Force, from
military intelligence -- often attend meetings, held
hither and thither across the country, at their own
expense. The FCIC doesn't get grants. It doesn't
charge membership fees. It doesn't have a boss. It
has no headquarters -- just a mail drop in
Washington DC, at the Fraud Division of the Secret
Service. It doesn't have a budget. It doesn't have
schedules. It meets three times a year -- sort of.
Sometimes it issues publications, but the FCIC has
no regular publisher, no treasurer, not even a
secretary. There are no minutes of FCIC meetings.
Non-federal people are considered "non-voting
members," but there's not much in the way of
elections. There are no badges, lapel pins or
certificates of membership. Everyone is on a first-
name basis. There are about forty of them. Nobody
knows how many, exactly. People come, people go --
sometimes people "go" formally but still hang
around anyway. Nobody has ever exactly figured
out what "membership" of this "Committee"
actually entails.
Strange as this may seem to some, to anyone
familiar with the social world of computing, the
"organization" of the FCIC is very recognizable.
For years now, economists and management
theorists have speculated that the tidal wave of the
information revolution would destroy rigid,
pyramidal bureaucracies, where everything is top-
down and centrally controlled. Highly trained
"employees" would take on much greater autonomy,
being self-starting, and self-motivating, moving
from place to place, task to task, with great speed
and fluidity. "Ad-hocracy" would rule, with groups of
people spontaneously knitting together across
organizational lines, tackling the problem at hand,
applying intense computer-aided expertise to it, and
then vanishing whence they came.
This is more or less what has actually happened
in the world of federal computer investigation. With
the conspicuous exception of the phone companies,
which are after all over a hundred years old,
practically *every* organization that plays any
important role in this book functions just like the
FCIC. The Chicago Task Force, the Arizona
Racketeering Unit, the Legion of Doom, the Phrack
crowd, the Electronic Frontier Foundation -- they
*all* look and act like "tiger teams" or "user's
groups." They are all electronic ad-hocracies
leaping up spontaneously to attempt to meet a
need.
Some are police. Some are, by strict definition,
criminals. Some are political interest-groups. But
every single group has that same quality of apparent
spontaneity -- "Hey, gang! My uncle's got a barn --
let's put on a show!"
Every one of these groups is embarrassed by
this "amateurism," and, for the sake of their public
image in a world of non-computer people, they all
attempt to look as stern and formal and impressive
as possible. These electronic frontier-dwellers
resemble groups of nineteenth-century pioneers
hankering after the respectability of statehood.
There are however, two crucial differences in the
historical experience of these "pioneers" of the
nineteeth and twenty-first centuries.
First, powerful information technology *does*
play into the hands of small, fluid, loosely organized
groups. There have always been "pioneers,"
"hobbyists," "amateurs," "dilettantes," "volunteers,"
"movements," "users' groups" and "blue-ribbon
panels of experts" around. But a group of this kind -
- when technically equipped to ship huge amounts
of specialized information, at lightning speed, to its
members, to government, and to the press -- is
simply a different kind of animal. It's like the
difference between an eel and an electric eel.
The second crucial change is that American
society is currently in a state approaching
permanent technological revolution. In the world of
computers particularly, it is practically impossible to
*ever* stop being a "pioneer," unless you either
drop dead or deliberately jump off the bus. The
scene has never slowed down enough to become
well-institutionalized. And after twenty, thirty, forty
years the "computer revolution" continues to spread,
to permeate new corners of society. Anything that
really works is already obsolete.
If you spend your entire working life as a
"pioneer," the word "pioneer" begins to lose its
meaning. Your way of life looks less and less like an
introduction to ╥something else" more stable and
organized, and more and more like *just the way
things are.* A "permanent revolution" is really a
contradiction in terms. If "turmoil" lasts long
enough, it simply becomes *a new kind of society* --
still the same game of history, but new players, new
rules.
Apply this to the world of late twentieth-century
law enforcement, and the implications are novel
and puzzling indeed. Any bureaucratic rulebook
you write about computer-crime will be flawed when
you write it, and almost an antique by the time it
sees print. The fluidity and fast reactions of the
FCIC give them a great advantage in this regard,
which explains their success. Even with the best will
in the world (which it does not, in fact, possess) it is
impossible for an organization the size of the U.S.
Federal Bureau of Investigation to get up to speed
on the theory and practice of computer crime. If
they tried to train all their agents to do this, it would
be *suicidal,* as they would *never be able to do
anything else.*
The FBI does try to train its agents in the basics
of electronic crime, at their base in Quantico,
Virginia. And the Secret Service, along with many
other law enforcement groups, runs quite successful
and well-attended training courses on wire fraud,
business crime, and computer intrusion at the
Federal Law Enforcement Training Center (FLETC,
pronounced "fletsy") in Glynco, Georgia. But the
best efforts of these bureaucracies does not remove
the absolute need for a "cutting-edge mess" like the
FCIC.
For you see -- the members of FCIC *are* the
trainers of the rest of law enforcement. Practically
and literally speaking, they are the Glynco
computer-crime faculty by another name. If the
FCIC went over a cliff on a bus, the U.S. law
enforcement community would be rendered deaf
dumb and blind in the world of computer crime, and
would swiftly feel a desperate need to reinvent them.
And this is no time to go starting from scratch.
On June 11, 1991, I once again arrived in
Phoenix, Arizona, for the latest meeting of the
Federal Computer Investigations Committee. This
was more or less the twentieth meeting of this stellar
group. The count was uncertain, since nobody
could figure out whether to include the meetings of
"the Colluquy," which is what the FCIC was called in
the mid-1980s before it had even managed to obtain
the dignity of its own acronym.
Since my last visit to Arizona, in May, the local
AzScam bribery scandal had resolved itself in a
general muddle of humiliation. The Phoenix chief of
police, whose agents had videotaped nine state
legislators up to no good, had resigned his office in a
tussle with the Phoenix city council over the
propriety of his undercover operations.
The Phoenix Chief could now join Gail
Thackeray and eleven of her closest associates in
the shared experience of politically motivated
unemployment. As of June, resignations were still
continuing at the Arizona Attorney General's office,
which could be interpreted as either a New Broom
Sweeping Clean or a Night of the Long Knives Part
II, depending on your point of view.
The meeting of FCIC was held at the Scottsdale
Hilton Resort. Scottsdale is a wealthy suburb of
Phoenix, known as "Scottsdull" to scoffing local
trendies, but well-equipped with posh shopping-
malls and manicured lawns, while conspicuously
undersupplied with homeless derelicts. The
Scottsdale Hilton Resort was a sprawling hotel in
postmodern crypto-Southwestern style. It featured
a "mission bell tower" plated in turquoise tile and
vaguely resembling a Saudi minaret.
Inside it was all barbarically striped Santa Fe
Style decor. There was a health spa downstairs and
a large oddly-shaped pool in the patio. A poolside
umbrella-stand offered Ben and Jerry's politically
correct Peace Pops.
I registered as a member of FCIC, attaining a
handy discount rate, then went in search of the Feds.
Sure enough, at the back of the hotel grounds came
the unmistakable sound of Gail Thackeray holding
forth.
Since I had also attended the Computers
Freedom and Privacy conference (about which more
later), this was the second time I had seen
Thackeray in a group of her law enforcement
colleagues. Once again I was struck by how simply
pleased they seemed to see her. It was natural that
she'd get *some* attention, as Gail was one of two
women in a group of some thirty men; but there was
a lot more to it than that.
Gail Thackeray personifies the social glue of the
FCIC. They could give a damn about her losing her
job with the Attorney General. They were sorry
about it, of course, but hell, they'd all lost jobs. If
they were the kind of guys who liked steady boring
jobs, they would never have gotten into computer
work in the first place.
I wandered into her circle and was immediately
introduced to five strangers. The conditions of my
visit at FCIC were reviewed. I would not quote
anyone directly. I would not tie opinions expressed
to the agencies of the attendees. I would not (a
purely hypothetical example) report the
conversation of a guy from the Secret Service talking
quite civilly to a guy from the FBI, as these two
agencies *never* talk to each other, and the IRS
(also present, also hypothetical) *never talks to
anybody.*
Worse yet, I was forbidden to attend the first
conference. And I didn't. I have no idea what the
FCIC was up to behind closed doors that afternoon.
I rather suspect that they were engaging in a frank
and thorough confession of their errors, goof-ups
and blunders, as this has been a feature of every
FCIC meeting since their legendary Memphis beer-
bust of 1986. Perhaps the single greatest attraction
of FCIC is that it is a place where you can go, let your
hair down, and completely level with people who
actually comprehend what you are talking about.
Not only do they understand you, but they *really
pay attention,* they are *grateful for your insights,*
and they *forgive you,* which in nine cases out of
ten is something even your boss can't do, because as
soon as you start talking "ROM," "BBS," or "T-1
trunk," his eyes glaze over.
I had nothing much to do that afternoon. The
FCIC were beavering away in their conference
room. Doors were firmly closed, windows too dark to
peer through. I wondered what a real hacker, a
computer intruder, would do at a meeting like this.
The answer came at once. He would "trash" the
place. Not reduce the place to trash in some orgy of
vandalism; that's not the use of the term in the
hacker milieu. No, he would quietly *empty the
trash baskets* and silently raid any valuable data
indiscreetly thrown away.
Journalists have been known to do this.
(Journalists hunting information have been known
to do almost every single unethical thing that
hackers have ever done. They also throw in a few
awful techniques all their own.) The legality of
'trashing' is somewhat dubious but it is not in fact
flagrantly illegal. It was, however, absurd to
contemplate trashing the FCIC. These people knew
all about trashing. I wouldn't last fifteen seconds.
The idea sounded interesting, though. I'd been
hearing a lot about the practice lately. On the spur
of the moment, I decided I would try trashing the
office *across the hall* from the FCIC, an area
which had nothing to do with the investigators.
The office was tiny; six chairs, a table....
Nevertheless, it was open, so I dug around in its
plastic trash can.
To my utter astonishment, I came up with the
torn scraps of a SPRINT long-distance phone bill.
More digging produced a bank statement and the
scraps of a hand-written letter, along with gum,
cigarette ashes, candy wrappers and a day-old-issue
of USA TODAY.
The trash went back in its receptacle while the
scraps of data went into my travel bag. I detoured
through the hotel souvenir shop for some Scotch
tape and went up to my room.
Coincidence or not, it was quite true. Some poor
soul had, in fact, thrown a SPRINT bill into the
hotel's trash. Date May 1991, total amount due:
$252.36. Not a business phone, either, but a
residential bill, in the name of someone called
Evelyn (not her real name). Evelyn's records showed
a ## PAST DUE BILL ##! Here was her nine-digit
account ID. Here was a stern computer-printed
warning:
"TREAT YOUR FONCARD AS YOU WOULD ANY
CREDIT CARD. TO SECURE AGAINST FRAUD,
NEVER GIVE YOUR FONCARD NUMBER OVER
THE PHONE UNLESS YOU INITIATED THE
CALL. IF YOU RECEIVE SUSPICIOUS CALLS
PLEASE NOTIFY CUSTOMER SERVICE
IMMEDIATELY!"
I examined my watch. Still plenty of time left for
the FCIC to carry on. I sorted out the scraps of
Evelyn's SPRINT bill and re-assembled them with
fresh Scotch tape. Here was her ten-digit
FONCARD number. Didn't seem to have the ID
number necessary to cause real fraud trouble.
I did, however, have Evelyn's home phone
number. And the phone numbers for a whole crowd
of Evelyn's long-distance friends and acquaintances.
In San Diego, Folsom, Redondo, Las Vegas, La Jolla,
Topeka, and Northampton Massachusetts. Even
somebody in Australia!
I examined other documents. Here was a bank
statement. It was Evelyn's IRA account down at a
bank in San Mateo California (total balance
$1877.20). Here was a charge-card bill for $382.64.
She was paying it off bit by bit.
Driven by motives that were completely
unethical and prurient, I now examined the
handwritten notes. They had been torn fairly
thoroughly, so much so that it took me almost an
entire five minutes to reassemble them.
They were drafts of a love letter. They had been
written on the lined stationery of Evelyn's employer,
a biomedical company. Probably written at work
when she should have been doing something else.
"Dear Bob," (not his real name) "I guess in
everyone's life there comes a time when hard
decisions have to be made, and this is a difficult one
for me -- very upsetting. Since you haven't called
me, and I don't understand why, I can only surmise
it's because you don't want to. I thought I would
have heard from you Friday. I did have a few
unusual problems with my phone and possibly you
tried, I hope so.
"Robert, you asked me to 'let go'..."
The first note ended. *Unusual problems with
her phone?* I looked swiftly at the next note.
"Bob, not hearing from you for the whole
weekend has left me very perplexed..."
Next draft.
"Dear Bob, there is so much I don't understand
right now, and I wish I did. I wish I could talk to you,
but for some unknown reason you have elected not
to call -- this is so difficult for me to understand..."
She tried again.
"Bob, Since I have always held you in such high
esteem, I had every hope that we could remain good
friends, but now one essential ingredient is missing -
- respect. Your ability to discard people when their
purpose is served is appalling to me. The kindest
thing you could do for me now is to leave me alone.
You are no longer welcome in my heart or home..."
Try again.
"Bob, I wrote a very factual note to you to say
how much respect I had lost for you, by the way you
treat people, me in particular, so uncaring and cold.
The kindest thing you can do for me is to leave me
alone entirely, as you are no longer welcome in my
heart or home. I would appreciate it if you could
retire your debt to me as soon as possible -- I wish no
link to you in any way. Sincerely, Evelyn."
Good heavens, I thought, the bastard actually
owes her money! I turned to the next page.
"Bob: very simple. GOODBYE! No more mind
games -- no more fascination -- no more coldness --
no more respect for you! It's over -- Finis. Evie"
There were two versions of the final brushoff
letter, but they read about the same. Maybe she
hadn't sent it. The final item in my illicit and
shameful booty was an envelope addressed to "Bob"
at his home address, but it had no stamp on it and it
hadn't been mailed.
Maybe she'd just been blowing off steam
because her rascal boyfriend had neglected to call
her one weekend. Big deal. Maybe they'd kissed
and made up, maybe she and Bob were down at
Pop's Chocolate Shop now, sharing a malted. Sure.
Easy to find out. All I had to do was call Evelyn
up. With a half-clever story and enough brass-
plated gall I could probably trick the truth out of her.
Phone-phreaks and hackers deceive people over the
phone all the time. It's called "social engineering."
Social engineering is a very common practice in the
underground, and almost magically effective.
Human beings are almost always the weakest link in
computer security. The simplest way to learn Things
You Are Not Meant To Know is simply to call up
and exploit the knowledgeable people. With social
engineering, you use the bits of specialized
knowledge you already have as a key, to manipulate
people into believing that you are legitimate. You
can then coax, flatter, or frighten them into revealing
almost anything you want to know. Deceiving
people (especially over the phone) is easy and fun.
Exploiting their gullibility is very gratifying; it makes
you feel very superior to them.
If I'd been a malicious hacker on a trashing
raid, I would now have Evelyn very much in my
power. Given all this inside data, it wouldn't take
much effort at all to invent a convincing lie. If I were
ruthless enough, and jaded enough, and clever
enough, this momentary indiscretion of hers --
maybe committed in tears, who knows -- could cause
her a whole world of confusion and grief.
I didn't even have to have a *malicious* motive.
Maybe I'd be "on her side," and call up Bob instead,
and anonymously threaten to break both his
kneecaps if he didn't take Evelyn out for a steak
dinner pronto. It was still profoundly *none of my
business.* To have gotten this knowledge at all was
a sordid act and to use it would be to inflict a sordid
injury.
To do all these awful things would require
exactly zero high-tech expertise. All it would take
was the willingness to do it and a certain amount of
bent imagination.
I went back downstairs. The hard-working FCIC,
who had labored forty-five minutes over their
schedule, were through for the day, and adjourned
to the hotel bar. We all had a beer.
I had a chat with a guy about "Isis," or rather
IACIS, the International Association of Computer
Investigation Specialists. They're into "computer
forensics," the techniques of picking computer-
systems apart without destroying vital evidence.
IACIS, currently run out of Oregon, is comprised of
investigators in the U.S., Canada, Taiwan and
Ireland. "Taiwan and Ireland?" I said. Are *Taiwan*
and *Ireland* really in the forefront of this stuff?
Well not exactly, my informant admitted. They just
happen to have been the first ones to have caught
on by word of mouth. Still, the international angle
counts, because this is obviously an international
problem. Phone-lines go everywhere.
There was a Mountie here from the Royal
Canadian Mounted Police. He seemed to be having
quite a good time. Nobody had flung this Canadian
out because he might pose a foreign security risk.
These are cyberspace cops. They still worry a lot
about "jurisdictions," but mere geography is the
least of their troubles.
NASA had failed to show. NASA suffers a lot
from computer intrusions, in particular from
Australian raiders and a well-trumpeted Chaos
Computer Club case, and in 1990 there was a brief
press flurry when it was revealed that one of NASA's
Houston branch-exchanges had been systematically
ripped off by a gang of phone-phreaks. But the
NASA guys had had their funding cut. They were
stripping everything.
Air Force OSI, its Office of Special
Investigations, is the *only* federal entity dedicated
full-time to computer security. They'd been
expected to show up in force, but some of them had
cancelled -- a Pentagon budget pinch.
As the empties piled up, the guys began joshing
around and telling war-stories. "These are cops,"
Thackeray said tolerantly. "If they're not talking
shop they talk about women and beer."
I heard the story about the guy who, asked for "a
copy" of a computer disk, *photocopied the label on
it.* He put the floppy disk onto the glass plate of a
photocopier. The blast of static when the copier
worked completely erased all the real information
on the disk.
Some other poor souls threw a whole bag of
confiscated diskettes into the squad-car trunk next
to the police radio. The powerful radio signal
blasted them, too.
We heard a bit about Dave Geneson, the first
computer prosecutor, a mainframe-runner in Dade
County, turned lawyer. Dave Geneson was one guy
who had hit the ground running, a signal virtue in
making the transition to computer-crime. It was
generally agreed that it was easier to learn the world
of computers first, then police or prosecutorial work.
You could take certain computer people and train
'em to successful police work -- but of course they
had to have the *cop mentality.* They had to have
street smarts. Patience. Persistence. And
discretion. You've got to make sure they're not hot-
shots, show-offs, "cowboys."
Most of the folks in the bar had backgrounds in
military intelligence, or drugs, or homicide. It was
rudely opined that "military intelligence" was a
contradiction in terms, while even the grisly world of
homicide was considered cleaner than drug
enforcement. One guy had been 'way undercover
doing dope-work in Europe for four years straight.
"I'm almost recovered now," he said deadpan, with
the acid black humor that is pure cop. "Hey, now I
can say *fucker* without putting *mother* in front
of it."
"In the cop world," another guy said earnestly,
"everything is good and bad, black and white. In the
computer world everything is gray."
One guy -- a founder of the FCIC, who'd been
with the group since it was just the Colluquy --
described his own introduction to the field. He'd
been a Washington DC homicide guy called in on a
"hacker" case. From the word "hacker," he naturally
assumed he was on the trail of a knife-wielding
marauder, and went to the computer center
expecting blood and a body. When he finally
figured out what was happening there (after loudly
demanding, in vain, that the programmers "speak
English"), he called headquarters and told them he
was clueless about computers. They told him
nobody else knew diddly either, and to get the hell
back to work.
So, he said, he had proceeded by comparisons.
By analogy. By metaphor. "Somebody broke in to
your computer, huh?" Breaking and entering; I can
understand that. How'd he get in? "Over the phone-
lines." Harassing phone-calls, I can understand
that! What we need here is a tap and a trace!
It worked. It was better than nothing. And it
worked a lot faster when he got hold of another cop
who'd done something similar. And then the two of
them got another, and another, and pretty soon the
Colluquy was a happening thing. It helped a lot that
everybody seemed to know Carlton Fitzpatrick, the
data-processing trainer in Glynco.
The ice broke big-time in Memphis in '86. The
Colluquy had attracted a bunch of new guys -- Secret
Service, FBI, military, other feds, heavy guys.
Nobody wanted to tell anybody anything. They
suspected that if word got back to the home office
they'd all be fired. They passed an uncomfortably
guarded afternoon.
The formalities got them nowhere. But after the
formal session was over, the organizers brought in a
case of beer. As soon as the participants knocked it
off with the bureaucratic ranks and turf-fighting,
everything changed. "I bared my soul," one veteran
reminisced proudly. By nightfall they were building
pyramids of empty beer-cans and doing everything
but composing a team fight song.
FCIC were not the only computer-crime people
around. There was DATTA (District Attorneys'
Technology Theft Association), though they mostly
specialized in chip theft, intellectual property, and
black-market cases. There was HTCIA (High Tech
Computer Investigators Association), also out in
Silicon Valley, a year older than FCIC and featuring
brilliant people like Donald Ingraham. There was
LEETAC (Law Enforcement Electronic Technology
Assistance Committee) in Florida, and computer-
crime units in Illinois and Maryland and Texas and
Ohio and Colorado and Pennsylvania. But these
were local groups. FCIC were the first to really
network nationally and on a federal level.
FCIC people live on the phone lines. Not on
bulletin board systems -- they know very well what
boards are, and they know that boards aren't secure.
Everyone in the FCIC has a voice-phone bill like you
wouldn't believe. FCIC people have been tight with
the telco people for a long time. Telephone
cyberspace is their native habitat.
FCIC has three basic sub-tribes: the trainers,
the security people, and the investigators. That's
why it's called an "Investigations Committee" with
no mention of the term "computer-crime" -- the
dreaded "C-word." FCIC, officially, is "an
association of agencies rather than individuals;"
unofficially, this field is small enough that the
influence of individuals and individual expertise is
paramount. Attendance is by invitation only, and
most everyone in FCIC considers himself a prophet
without honor in his own house.
Again and again I heard this, with different
terms but identical sentiments. "I'd been sitting in
the wilderness talking to myself." "I was totally
isolated." "I was desperate." "FCIC is the best thing
there is about computer crime in America." "FCIC
is what really works." "This is where you hear real
people telling you what's really happening out there,
not just lawyers picking nits." "We taught each
other everything we knew."
The sincerity of these statements convinces me
that this is true. FCIC is the real thing and it is
invaluable. It's also very sharply at odds with the
rest of the traditions and power structure in
American law enforcement. There probably hasn't
been anything around as loose and go-getting as the
FCIC since the start of the U.S. Secret Service in the
1860s. FCIC people are living like twenty-first-
century people in a twentieth-century environment,
and while there's a great deal to be said for that,
there's also a great deal to be said against it, and
those against it happen to control the budgets.
I listened to two FCIC guys from Jersey compare
life histories. One of them had been a biker in a
fairly heavy-duty gang in the 1960s. "Oh, did you
know so-and-so?" said the other guy from Jersey.
"Big guy, heavyset?"
"Yeah, I knew him."
"Yeah, he was one of ours. He was our plant in
the gang."
"Really? Wow! Yeah, I knew him. Helluva guy."
Thackeray reminisced at length about being
tear-gassed blind in the November 1969 antiwar
protests in Washington Circle, covering them for
her college paper. "Oh yeah, I was there," said
another cop. "Glad to hear that tear gas hit
somethin'. Haw haw haw." He'd been so blind
himself, he confessed, that later that day he'd
arrested a small tree.
FCIC are an odd group, sifted out by
coincidence and necessity, and turned into a new
kind of cop. There are a lot of specialized cops in
the world -- your bunco guys, your drug guys, your
tax guys, but the only group that matches FCIC for
sheer isolation are probably the child-pornography
people. Because they both deal with conspirators
who are desperate to exchange forbidden data and
also desperate to hide; and because nobody else in
law enforcement even wants to hear about it.
FCIC people tend to change jobs a lot. They
tend not to get the equipment and training they
want and need. And they tend to get sued quite
often.
As the night wore on and a band set up in the
bar, the talk grew darker. Nothing ever gets done in
government, someone opined, until there's a
*disaster.* Computing disasters are awful, but
there's no denying that they greatly help the
credibility of FCIC people. The Internet Worm, for
instance. "For years we'd been warning about that --
but it's nothing compared to what's coming." They
expect horrors, these people. They know that
nothing will really get done until there is a horror.
#
Next day we heard an extensive briefing from a
guy who'd been a computer cop, gotten into hot
water with an Arizona city council, and now installed
computer networks for a living (at a considerable
rise in pay). He talked about pulling fiber-optic
networks apart.
Even a single computer, with enough
peripherals, is a literal "network" -- a bunch of
machines all cabled together, generally with a
complexity that puts stereo units to shame. FCIC
people invent and publicize methods of seizing
computers and maintaining their evidence. Simple
things, sometimes, but vital rules of thumb for street
cops, who nowadays often stumble across a busy
computer in the midst of a drug investigation or a
white-collar bust. For instance: Photograph the
system before you touch it. Label the ends of all the
cables before you detach anything. "Park" the heads
on the disk drives before you move them. Get the
diskettes. Don't put the diskettes in magnetic fields.
Don't write on diskettes with ballpoint pens. Get the
manuals. Get the printouts. Get the handwritten
notes. Copy data before you look at it, and then
examine the copy instead of the original.
Now our lecturer distributed copied diagrams of
a typical LAN or "Local Area Network", which
happened to be out of Connecticut. *One hundred
and fifty-nine* desktop computers, each with its own
peripherals. Three "file servers." Five "star
couplers" each with thirty-two ports. One sixteen-
port coupler off in the corner office. All these
machines talking to each other, distributing
electronic mail, distributing software, distributing,
quite possibly, criminal evidence. All linked by high-
capacity fiber-optic cable. A bad guy -- cops talk a
lot about "bad guys" -- might be lurking on PC #47
or #123 and distributing his ill doings onto some
dupe's "personal" machine in another office -- or
another floor -- or, quite possibly, two or three miles
away! Or, conceivably, the evidence might be
"data-striped" -- split up into meaningless slivers
stored, one by one, on a whole crowd of different disk
drives.
The lecturer challenged us for solutions. I for
one was utterly clueless. As far as I could figure, the
Cossacks were at the gate; there were probably more
disks in this single building than were seized during
the entirety of Operation Sundevil.
"Inside informant," somebody said. Right.
There's always the human angle, something easy to
forget when contemplating the arcane recesses of
high technology. Cops are skilled at getting people
to talk, and computer people, given a chair and
some sustained attention, will talk about their
computers till their throats go raw. There's a case on
record of a single question -- "How'd you do it?" --
eliciting a forty-five-minute videotaped confession
from a computer criminal who not only completely
incriminated himself but drew helpful diagrams.
Computer people talk. Hackers *brag.* Phone-
phreaks talk *pathologically* -- why else are they
stealing phone-codes, if not to natter for ten hours
straight to their friends on an opposite seaboard?
Computer-literate people do in fact possess an
arsenal of nifty gadgets and techniques that would
allow them to conceal all kinds of exotic
skullduggery, and if they could only *shut up* about
it, they could probably get away with all manner of
amazing information-crimes. But that's just not how
it works -- or at least, that's not how it's worked *so
far.*
Most every phone-phreak ever busted has
swiftly implicated his mentors, his disciples, and his
friends. Most every white-collar computer-criminal,
smugly convinced that his clever scheme is
bulletproof, swiftly learns otherwise when, for the
first time in his life, an actual no-kidding policeman
leans over, grabs the front of his shirt, looks him
right in the eye and says: "All right, *asshole* -- you
and me are going downtown!" All the hardware in
the world will not insulate your nerves from these
actual real-life sensations of terror and guilt.
Cops know ways to get from point A to point Z
without thumbing through every letter in some
smart-ass bad-guy's alphabet. Cops know how to
cut to the chase. Cops know a lot of things other
people don't know.
Hackers know a lot of things other people don't
know, too. Hackers know, for instance, how to sneak
into your computer through the phone-lines. But
cops can show up *right on your doorstep* and
carry off *you* and your computer in separate steel
boxes. A cop interested in hackers can grab them
and grill them. A hacker interested in cops has to
depend on hearsay, underground legends, and what
cops are willing to publicly reveal. And the Secret
Service didn't get named "the *Secret* Service"
because they blab a lot.
Some people, our lecturer informed us, were
under the mistaken impression that it was
"impossible" to tap a fiber-optic line. Well, he
announced, he and his son had just whipped up a
fiber-optic tap in his workshop at home. He passed
it around the audience, along with a circuit-covered
LAN plug-in card so we'd all recognize one if we saw
it on a case. We all had a look.
The tap was a classic "Goofy Prototype" -- a
thumb-length rounded metal cylinder with a pair of
plastic brackets on it. From one end dangled three
thin black cables, each of which ended in a tiny
black plastic cap. When you plucked the safety-cap
off the end of a cable, you could see the glass fiber -
- no thicker than a pinhole.
Our lecturer informed us that the metal
cylinder was a "wavelength division multiplexer."
Apparently, what one did was to cut the fiber-optic
cable, insert two of the legs into the cut to complete
the network again, and then read any passing data
on the line by hooking up the third leg to some kind
of monitor. Sounded simple enough. I wondered
why nobody had thought of it before. I also
wondered whether this guy's son back at the
workshop had any teenage friends.
We had a break. The guy sitting next to me was
wearing a giveaway baseball cap advertising the Uzi
submachine gun. We had a desultory chat about
the merits of Uzis. Long a favorite of the Secret
Service, it seems Uzis went out of fashion with the
advent of the Persian Gulf War, our Arab allies
taking some offense at Americans toting Israeli
weapons. Besides, I was informed by another
expert, Uzis jam. The equivalent weapon of choice
today is the Heckler & Koch, manufactured in
Germany.
The guy with the Uzi cap was a forensic
photographer. He also did a lot of photographic
surveillance work in computer crime cases. He
used to, that is, until the firings in Phoenix. He was
now a private investigator and, with his wife, ran a
photography salon specializing in weddings and
portrait photos. At -- one must repeat -- a
considerable rise in income.
He was still FCIC. If you were FCIC, and you
needed to talk to an expert about forensic
photography, well, there he was, willing and able. If
he hadn't shown up, people would have missed him.
Our lecturer had raised the point that
preliminary investigation of a computer system is
vital before any seizure is undertaken. It's vital to
understand how many machines are in there, what
kinds there are, what kind of operating system they
use, how many people use them, where the actual
data itself is stored. To simply barge into an office
demanding "all the computers" is a recipe for swift
disaster.
This entails some discreet inquiries beforehand.
In fact, what it entails is basically undercover work.
An intelligence operation. *Spying,* not to put too
fine a point on it.
In a chat after the lecture, I asked an attendee
whether "trashing" might work.
I received a swift briefing on the theory and
practice of "trash covers." Police "trash covers," like
"mail covers" or like wiretaps, require the agreement
of a judge. This obtained, the "trashing" work of cops
is just like that of hackers, only more so and much
better organized. So much so, I was informed, that
mobsters in Phoenix make extensive use of locked
garbage cans picked up by a specialty high-security
trash company.
In one case, a tiger team of Arizona cops had
trashed a local residence for four months. Every
week they showed up on the municipal garbage
truck, disguised as garbagemen, and carried the
contents of the suspect cans off to a shade tree,
where they combed through the garbage -- a messy
task, especially considering that one of the
occupants was undergoing kidney dialysis. All
useful documents were cleaned, dried and
examined. A discarded typewriter-ribbon was an
especially valuable source of data, as its long one-
strike ribbon of film contained the contents of every
letter mailed out of the house. The letters were
neatly retyped by a police secretary equipped with a
large desk-mounted magnifying glass.
There is something weirdly disquieting about
the whole subject of "trashing" -- an unsuspected
and indeed rather disgusting mode of deep personal
vulnerability. Things that we pass by every day, that
we take utterly for granted, can be exploited with so
little work. Once discovered, the knowledge of these
vulnerabilities tend to spread.
Take the lowly subject of *manhole covers.* The
humble manhole cover reproduces many of the
dilemmas of computer-security in miniature.
Manhole covers are, of course, technological
artifacts, access-points to our buried urban
infrastructure. To the vast majority of us, manhole
covers are invisible. They are also vulnerable. For
many years now, the Secret Service has made a
point of caulking manhole covers along all routes of
the Presidential motorcade. This is, of course, to
deter terrorists from leaping out of underground
ambush or, more likely, planting remote-control car-
smashing bombs beneath the street.
Lately, manhole covers have seen more and
more criminal exploitation, especially in New York
City. Recently, a telco in New York City discovered
that a cable television service had been sneaking
into telco manholes and installing cable service
alongside the phone-lines -- *without paying
royalties.* New York companies have also suffered
a general plague of (a) underground copper cable
theft; (b) dumping of garbage, including toxic waste,
and (c) hasty dumping of murder victims.
Industry complaints reached the ears of an
innovative New England industrial-security
company, and the result was a new product known
as "the Intimidator," a thick titanium-steel bolt with
a precisely machined head that requires a special
device to unscrew. All these "keys" have registered
serial numbers kept on file with the manufacturer.
There are now some thousands of these
"Intimidator" bolts being sunk into American
pavements wherever our President passes, like
some macabre parody of strewn roses. They are
also spreading as fast as steel dandelions around US
military bases and many centers of private industry.
Quite likely it has never occurred to you to peer
under a manhole cover, perhaps climb down and
walk around down there with a flashlight, just to see
what it's like. Formally speaking, this might be
trespassing, but if you didn't hurt anything, and
didn't make an absolute habit of it, nobody would
really care. The freedom to sneak under manholes
was likely a freedom you never intended to exercise.
You now are rather less likely to have that
freedom at all. You may never even have missed it
until you read about it here, but if you're in New
York City it's gone, and elsewhere it's likely going.
This is one of the things that crime, and the reaction
to crime, does to us.
The tenor of the meeting now changed as the
Electronic Frontier Foundation arrived. The EFF,
whose personnel and history will be examined in
detail in the next chapter, are a pioneering civil
liberties group who arose in direct response to the
Hacker Crackdown of 1990.
Now Mitchell Kapor, the Foundation's
president, and Michael Godwin, its chief attorney,
were confronting federal law enforcement *mano a
mano* for the first time ever. Ever alert to the
manifold uses of publicity, Mitch Kapor and Mike
Godwin had brought their own journalist in tow:
Robert Draper, from Austin, whose recent well-
received book about ROLLING STONE magazine
was still on the stands. Draper was on assignment
for TEXAS MONTHLY.
The Steve Jackson/EFF civil lawsuit against the
Chicago Computer Fraud and Abuse Task Force was
a matter of considerable regional interest in Texas.
There were now two Austinite journalists here on the
case. In fact, counting Godwin (a former Austinite
and former journalist) there were three of us. Lunch
was like Old Home Week.
Later, I took Draper up to my hotel room. We
had a long frank talk about the case, networking
earnestly like a miniature freelance-journo version
of the FCIC: privately confessing the numerous
blunders of journalists covering the story, and trying
hard to figure out who was who and what the hell was
really going on out there. I showed Draper
everything I had dug out of the Hilton trashcan. We
pondered the ethics of "trashing" for a while, and
agreed that they were dismal. We also agreed that
finding a SPRINT bill on your first time out was a
heck of a coincidence.
First I'd "trashed" -- and now, mere hours later,
I'd bragged to someone else. Having entered the
lifestyle of hackerdom, I was now, unsurprisingly,
following its logic. Having discovered something
remarkable through a surreptitious action, I of
course *had* to "brag," and to drag the passing
Draper into my iniquities. I felt I needed a witness.
Otherwise nobody would have believed what I'd
discovered....
Back at the meeting, Thackeray cordially, if
rather tentatively, introduced Kapor and Godwin to
her colleagues. Papers were distributed. Kapor took
center stage. The brilliant Bostonian high-tech
entrepreneur, normally the hawk in his own
administration and quite an effective public
speaker, seemed visibly nervous, and frankly
admitted as much. He began by saying he
consided computer-intrusion to be morally wrong,
and that the EFF was not a "hacker defense fund,"
despite what had appeared in print. Kapor chatted
a bit about the basic motivations of his group,
emphasizing their good faith and willingness to
listen and seek common ground with law
enforcement -- when, er, possible.
Then, at Godwin's urging, Kapor suddenly
remarked that EFF's own Internet machine had
been "hacked" recently, and that EFF did not
consider this incident amusing.
After this surprising confession, things began to
loosen up quite rapidly. Soon Kapor was fielding
questions, parrying objections, challenging
definitions, and juggling paradigms with something
akin to his usual gusto.
Kapor seemed to score quite an effect with his
shrewd and skeptical analysis of the merits of telco
"Caller-ID" services. (On this topic, FCIC and EFF
have never been at loggerheads, and have no
particular established earthworks to defend.)
Caller-ID has generally been promoted as a privacy
service for consumers, a presentation Kapor
described as a "smokescreen," the real point of
Caller-ID being to *allow corporate customers to
build extensive commercial databases on
everybody who phones or faxes them.* Clearly, few
people in the room had considered this possibility,
except perhaps for two late-arrivals from US WEST
RBOC security, who chuckled nervously.
Mike Godwin then made an extensive
presentation on "Civil Liberties Implications of
Computer Searches and Seizures." Now, at last, we
were getting to the real nitty-gritty here, real political
horse-trading. The audience listened with close
attention, angry mutters rising occasionally: "He's
trying to teach us our jobs!" "We've been thinking
about this for years! We think about these issues
every day!" "If I didn't seize the works, I'd be sued by
the guy's victims!" "I'm violating the law if I leave
ten thousand disks full of illegal *pirated software*
and *stolen codes!*" "It's our job to make sure
people don't trash the Constitution -- we're the
*defenders* of the Constitution!" "We seize stuff
when we know it will be forfeited anyway as
restitution for the victim!"
"If it's forfeitable, then don't get a search
warrant, get a forfeiture warrant," Godwin suggested
coolly. He further remarked that most suspects in
computer crime don't *want* to see their computers
vanish out the door, headed God knew where, for
who knows how long. They might not mind a search,
even an extensive search, but they want their
machines searched on-site.
"Are they gonna feed us?" somebody asked
sourly.
"How about if you take copies of the data?"
Godwin parried.
"That'll never stand up in court."
"Okay, you make copies, give *them* the
copies, and take the originals."
Hmmm.
Godwin championed bulletin-board systems as
repositories of First Amendment protected free
speech. He complained that federal computer-
crime training manuals gave boards a bad press,
suggesting that they are hotbeds of crime haunted
by pedophiles and crooks, whereas the vast majority
of the nation's thousands of boards are completely
innocuous, and nowhere near so romantically
suspicious.
People who run boards violently resent it when
their systems are seized, and their dozens (or
hundreds) of users look on in abject horror. Their
rights of free expression are cut short. Their right to
associate with other people is infringed. And their
privacy is violated as their private electronic mail
becomes police property.
Not a soul spoke up to defend the practice of
seizing boards. The issue passed in chastened
silence. Legal principles aside -- (and those
principles cannot be settled without laws passed or
court precedents) -- seizing bulletin boards has
become public-relations poison for American
computer police.
And anyway, it's not entirely necessary. If you're
a cop, you can get 'most everything you need from a
pirate board, just by using an inside informant.
Plenty of vigilantes -- well, *concerned citizens* --
will inform police the moment they see a pirate
board hit their area (and will tell the police all about
it, in such technical detail, actually, that you kinda
wish they'd shut up). They will happily supply police
with extensive downloads or printouts. It's
*impossible* to keep this fluid electronic
information out of the hands of police.
Some people in the electronic community
become enraged at the prospect of cops
"monitoring" bulletin boards. This does have
touchy aspects, as Secret Service people in
particular examine bulletin boards with some
regularity. But to expect electronic police to be
deaf dumb and blind in regard to this particular
medium rather flies in the face of common sense.
Police watch television, listen to radio, read
newspapers and magazines; why should the new
medium of boards be different? Cops can exercise
the same access to electronic information as
everybody else. As we have seen, quite a few
computer police maintain *their own* bulletin
boards, including anti-hacker "sting" boards, which
have generally proven quite effective.
As a final clincher, their Mountie friends in
Canada (and colleagues in Ireland and Taiwan)
don't have First Amendment or American
constitutional restrictions, but they do have phone
lines, and can call any bulletin board in America
whenever they please. The same technological
determinants that play into the hands of hackers,
phone phreaks and software pirates can play into
the hands of police. "Technological determinants"
don't have *any* human allegiances. They're not
black or white, or Establishment or Underground, or
pro-or-anti anything.
Godwin complained at length about what he
called "the Clever Hobbyist hypothesis" -- the
assumption that the "hacker" you're busting is
clearly a technical genius, and must therefore by
searched with extreme thoroughness. So: from the
law's point of view, why risk missing anything? Take
the works. Take the guy's computer. Take his books.
Take his notebooks. Take the electronic drafts of his
love letters. Take his Walkman. Take his wife's
computer. Take his dad's computer. Take his kid
sister's computer. Take his employer's computer.
Take his compact disks -- they *might* be CD-ROM
disks, cunningly disguised as pop music. Take his
laser printer -- he might have hidden something
vital in the printer's 5meg of memory. Take his
software manuals and hardware documentation.
Take his science-fiction novels and his simulation-
gaming books. Take his Nintendo Game-Boy and
his Pac-Man arcade game. Take his answering
machine, take his telephone out of the wall. Take
anything remotely suspicious.
Godwin pointed out that most "hackers" are not,
in fact, clever genius hobbyists. Quite a few are
crooks and grifters who don't have much in the way
of technical sophistication; just some rule-of-thumb
rip-off techniques. The same goes for most fifteen-
year-olds who've downloaded a code-scanning
program from a pirate board. There's no real need
to seize everything in sight. It doesn't require an
entire computer system and ten thousand disks to
prove a case in court.
What if the computer is the instrumentality of a
crime? someone demanded.
Godwin admitted quietly that the doctrine of
seizing the instrumentality of a crime was pretty well
established in the American legal system.
The meeting broke up. Godwin and Kapor had
to leave. Kapor was testifying next morning before
the Massachusetts Department Of Public Utility,
about ISDN narrowband wide-area networking.
As soon as they were gone, Thackeray seemed
elated. She had taken a great risk with this. Her
colleagues had not, in fact, torn Kapor and Godwin's
heads off. She was very proud of them, and told
them so.
"Did you hear what Godwin said about
*instrumentality of a crime?*" she exulted, to
nobody in particular. "Wow, that means *Mitch isn't
going to sue me.*"
#
America's computer police are an interesting
group. As a social phenomenon they are far more
interesting, and far more important, than teenage
phone phreaks and computer hackers. First, they're
older and wiser; not dizzy hobbyists with leaky
morals, but seasoned adult professionals with all the
responsibilities of public service. And, unlike
hackers, they possess not merely *technical* power
alone, but heavy-duty legal and social authority.
And, very interestingly, they are just as much at
sea in cyberspace as everyone else. They are not
happy about this. Police are authoritarian by nature,
and prefer to obey rules and precedents. (Even
those police who secretly enjoy a fast ride in rough
territory will soberly disclaim any "cowboy" attitude.)
But in cyberspace there *are* no rules and
precedents. They are groundbreaking pioneers,
Cyberspace Rangers, whether they like it or not.
In my opinion, any teenager enthralled by
computers, fascinated by the ins and outs of
computer security, and attracted by the lure of
specialized forms of knowledge and power, would do
well to forget all about "hacking" and set his (or her)
sights on becoming a fed. Feds can trump hackers
at almost every single thing hackers do, including
gathering intelligence, undercover disguise,
trashing, phone-tapping, building dossiers,
networking, and infiltrating computer systems --
*criminal* computer systems. Secret Service agents
know more about phreaking, coding and carding
than most phreaks can find out in years, and when it
comes to viruses, break-ins, software bombs and
trojan horses, Feds have direct access to red-hot
confidential information that is only vague rumor in
the underground.
And if it's an impressive public rep you're after,
there are few people in the world who can be so
chillingly impressive as a well-trained, well-armed
United States Secret Service agent.
Of course, a few personal sacrifices are
necessary in order to obtain that power and
knowledge. First, you'll have the galling discipline of
belonging to a large organization; but the world of
computer crime is still so small, and so amazingly
fast-moving, that it will remain spectacularly fluid for
years to come. The second sacrifice is that you'll
have to give up ripping people off. This is not a great
loss. Abstaining from the use of illegal drugs, also
necessary, will be a boon to your health.
A career in computer security is not a bad
choice for a young man or woman today. The field
will almost certainly expand drastically in years to
come. If you are a teenager today, by the time you
become a professional, the pioneers you have read
about in this book will be the grand old men and
women of the field, swamped by their many
disciples and successors. Of course, some of them,
like William P. Wood of the 1865 Secret Service,
may well be mangled in the whirring machinery of
legal controversy; but by the time you enter the
computer-crime field, it may have stabilized
somewhat, while remaining entertainingly
challenging.
But you can't just have a badge. You have to win
it. First, there's the federal law enforcement
training. And it's hard -- it's a challenge. A real
challenge -- not for wimps and rodents.
Every Secret Service agent must complete
gruelling courses at the Federal Law Enforcement
Training Center. (In fact, Secret Service agents are
periodically re-trained during their entire careers.)
In order to get a glimpse of what this might be
like, I myself travelled to FLETC.
#
The Federal Law Enforcement Training Center
is a 1500-acre facility on Georgia's Atlantic coast. It's
a milieu of marshgrass, seabirds, damp, clinging
sea-breezes, palmettos, mosquitos, and bats. Until
1974, it was a Navy Air Base, and still features a
working runway, and some WWII vintage
blockhouses and officers' quarters. The Center has
since benefitted by a forty-million-dollar retrofit, but
there's still enough forest and swamp on the facility
for the Border Patrol to put in tracking practice.
As a town, "Glynco" scarcely exists. The nearest
real town is Brunswick, a few miles down Highway 17,
where I stayed at the aptly named Marshview
Holiday Inn. I had Sunday dinner at a seafood
restaurant called "Jinright's," where I feasted on
deep-fried alligator tail. This local favorite was a
heaped basket of bite-sized chunks of white, tender,
almost fluffy reptile meat, steaming in a peppered
batter crust. Alligator makes a culinary experience
that's hard to forget, especially when liberally basted
with homemade cocktail sauce from a Jinright
squeeze-bottle.
The crowded clientele were tourists, fishermen,
local black folks in their Sunday best, and white
Georgian locals who all seemed to bear an uncanny
resemblance to Georgia humorist Lewis Grizzard.
The 2,400 students from 75 federal agencies who
make up the FLETC population scarcely seem to
make a dent in the low-key local scene. The
students look like tourists, and the teachers seem to
have taken on much of the relaxed air of the Deep
South. My host was Mr. Carlton Fitzpatrick, the
Program Coordinator of the Financial Fraud
Institute. Carlton Fitzpatrick is a mustached, sinewy,
well-tanned Alabama native somewhere near his
late forties, with a fondness for chewing tobacco,
powerful computers, and salty, down-home homilies.
We'd met before, at FCIC in Arizona.
The Financial Fraud Institute is one of the nine
divisions at FLETC. Besides Financial Fraud, there's
Driver & Marine, Firearms, and Physical Training.
These are specialized pursuits. There are also five
general training divisions: Basic Training,
Operations, Enforcement Techniques, Legal
Division, and Behavioral Science.
Somewhere in this curriculum is everything
necessary to turn green college graduates into
federal agents. First they're given ID cards. Then
they get the rather miserable-looking blue coveralls
known as "smurf suits." The trainees are assigned a
barracks and a cafeteria, and immediately set on
FLETC's bone-grinding physical training routine.
Besides the obligatory daily jogging -- (the trainers
run up danger flags beside the track when the
humidity rises high enough to threaten heat stroke) -
- there's the Nautilus machines, the martial arts, the
survival skills....
The eighteen federal agencies who maintain on-
site academies at FLETC employ a wide variety of
specialized law enforcement units, some of them
rather arcane. There's Border Patrol, IRS Criminal
Investigation Division, Park Service, Fish and
Wildlife, Customs, Immigration, Secret Service and
the Treasury's uniformed subdivisions.... If you're a
federal cop and you don't work for the FBI, you train
at FLETC. This includes people as apparently
obscure as the agents of the Railroad Retirement
Board Inspector General. Or the Tennessee Valley
Authority Police, who are in fact federal police
officers, and can and do arrest criminals on the
federal property of the Tennessee Valley Authority.
And then there are the computer-crime people.
All sorts, all backgrounds. Mr. Fitzpatrick is not
jealous of his specialized knowledge. Cops all over,
in every branch of service, may feel a need to learn
what he can teach. Backgrounds don't matter
much. Fitzpatrick himself was originally a Border
Patrol veteran, then became a Border Patrol
instructor at FLETC. His Spanish is still fluent -- but
he found himself strangely fascinated when the first
computers showed up at the Training Center.
Fitzpatrick did have a background in electrical
engineering, and though he never considered
himself a computer hacker, he somehow found
himself writing useful little programs for this new
and promising gizmo.
He began looking into the general subject of
computers and crime, reading Donn Parker's books
and articles, keeping an ear cocked for war stories,
useful insights from the field, the up-and-coming
people of the local computer-crime and high-
technology units.... Soon he got a reputation around
FLETC as the resident "computer expert," and that
reputation alone brought him more exposure, more
experience -- until one day he looked around, and
sure enough he *was* a federal computer-crime
expert.
In fact, this unassuming, genial man may be
*the* federal computer-crime expert. There are
plenty of very good computer people, and plenty of
very good federal investigators, but the area where
these worlds of expertise overlap is very slim. And
Carlton Fitzpatrick has been right at the center of
that since 1985, the first year of the Colluquy, a group
which owes much to his influence.
He seems quite at home in his modest,
acoustic-tiled office, with its Ansel Adams-style
Western photographic art, a gold-framed Senior
Instructor Certificate, and a towering bookcase
crammed with three-ring binders with ominous titles
such as *Datapro Reports on Information Security*
and *CFCA Telecom Security '90.*
The phone rings every ten minutes; colleagues
show up at the door to chat about new developments
in locksmithing or to shake their heads over the
latest dismal developments in the BCCI global
banking scandal.
Carlton Fitzpatrick is a fount of computer-crime
war-stories, related in an acerbic drawl. He tells me
the colorful tale of a hacker caught in California
some years back. He'd been raiding systems,
typing code without a detectable break, for twenty,
twenty-four, thirty-six hours straight. Not just logged
on -- *typing.* Investigators were baffled. Nobody
could do that. Didn't he have to go to the bathroom?
Was it some kind of automatic keyboard-whacking
device that could actually type code?
A raid on the suspect's home revealed a
situation of astonishing squalor. The hacker turned
out to be a Pakistani computer-science student who
had flunked out of a California university. He'd
gone completely underground as an illegal
electronic immigrant, and was selling stolen phone-
service to stay alive. The place was not merely
messy and dirty, but in a state of psychotic disorder.
Powered by some weird mix of culture shock,
computer addiction, and amphetamines, the
suspect had in fact been sitting in front of his
computer for a day and a half straight, with snacks
and drugs at hand on the edge of his desk and a
chamber-pot under his chair.
Word about stuff like this gets around in the
hacker-tracker community.
Carlton Fitzpatrick takes me for a guided tour
by car around the FLETC grounds. One of our first
sights is the biggest indoor firing range in the world.
There are federal trainees in there, Fitzpatrick
assures me politely, blasting away with a wide variety
of automatic weapons: Uzis, Glocks, AK-47s.... He's
willing to take me inside. I tell him I'm sure that's
really interesting, but I'd rather see his computers.
Carlton Fitzpatrick seems quite surprised and
pleased. I'm apparently the first journalist he's ever
seen who has turned down the shooting gallery in
favor of microchips.
Our next stop is a favorite with touring
Congressmen: the three-mile long FLETC driving
range. Here trainees of the Driver & Marine
Division are taught high-speed pursuit skills, setting
and breaking road-blocks, diplomatic security
driving for VIP limousines.... A favorite FLETC
pastime is to strap a passing Senator into the
passenger seat beside a Driver & Marine trainer, hit
a hundred miles an hour, then take it right into "the
skid-pan," a section of greased track where two tons
of Detroit iron can whip and spin like a hockey puck.
Cars don't fare well at FLETC. First they're
rifled again and again for search practice. Then they
do 25,000 miles of high-speed pursuit training; they
get about seventy miles per set of steel-belted
radials. Then it's off to the skid pan, where
sometimes they roll and tumble headlong in the
grease. When they're sufficiently grease-stained,
dented, and creaky, they're sent to the roadblock
unit, where they're battered without pity. And finally
then they're sacrificed to the Bureau of Alcohol,
Tobacco and Firearms, whose trainees learn the ins
and outs of car-bomb work by blowing them into
smoking wreckage.
There's a railroad box-car on the FLETC
grounds, and a large grounded boat, and a propless
plane; all training-grounds for searches. The plane
sits forlornly on a patch of weedy tarmac next to an
eerie blockhouse known as the "ninja compound,"
where anti-terrorism specialists practice hostage
rescues. As I gaze on this creepy paragon of modern
low-intensity warfare, my nerves are jangled by a
sudden staccato outburst of automatic weapons fire,
somewhere in the woods to my right. "Nine-
millimeter," Fitzpatrick judges calmly.
Even the eldritch ninja compound pales
somewhat compared to the truly surreal area known
as "the raid-houses." This is a street lined on both
sides with nondescript concrete-block houses with
flat pebbled roofs. They were once officers' quarters.
Now they are training grounds. The first one to our
left, Fitzpatrick tells me, has been specially adapted
for computer search-and-seizure practice. Inside it
has been wired for video from top to bottom, with
eighteen pan-and-tilt remotely controlled
videocams mounted on walls and in corners. Every
movement of the trainee agent is recorded live by
teachers, for later taped analysis. Wasted
movements, hesitations, possibly lethal tactical
mistakes -- all are gone over in detail.
Perhaps the weirdest single aspect of this
building is its front door, scarred and scuffed all
along the bottom, from the repeated impact, day
after day, of federal shoe-leather.
Down at the far end of the row of raid-houses
some people are practicing a murder. We drive by
slowly as some very young and rather nervous-
looking federal trainees interview a heavyset bald
man on the raid-house lawn. Dealing with murder
takes a lot of practice; first you have to learn to
control your own instinctive disgust and panic, then
you have to learn to control the reactions of a nerve-
shredded crowd of civilians, some of whom may
have just lost a loved one, some of whom may be
murderers -- quite possibly both at once.
A dummy plays the corpse. The roles of the
bereaved, the morbidly curious, and the homicidal
are played, for pay, by local Georgians: waitresses,
musicians, most anybody who needs to moonlight
and can learn a script. These people, some of whom
are FLETC regulars year after year, must surely have
one of the strangest jobs in the world.
Something about the scene: "normal" people in
a weird situation, standing around talking in bright
Georgia sunshine, unsuccessfully pretending that
something dreadful has gone on, while a dummy lies
inside on faked bloodstains.... While behind this
weird masquerade, like a nested set of Russian dolls,
are grim future realities of real death, real violence,
real murders of real people, that these young agents
will really investigate, many times during their
careers.... Over and over.... Will those anticipated
murders look like this, feel like this -- not as "real" as
these amateur actors are trying to make it seem, but
both as "real," and as numbingly unreal, as watching
fake people standing around on a fake lawn?
Something about this scene unhinges me. It seems
nightmarish to me, Kafkaesque. I simply don't
know how to take it; my head is turned around; I
don't know whether to laugh, cry, or just shudder.
When the tour is over, Carlton Fitzpatrick and I
talk about computers. For the first time cyberspace
seems like quite a comfortable place. It seems very
real to me suddenly, a place where I know what I'm
talking about, a place I'm used to. It's real. "Real."
Whatever.
Carlton Fitzpatrick is the only person I've met in
cyberspace circles who is happy with his present
equipment. He's got a 5 Meg RAM PC with a 112
meg hard disk; a 660 meg's on the way. He's got a
Compaq 386 desktop, and a Zenith 386 laptop with
120 meg. Down the hall is a NEC Multi-Sync 2A with
a CD-ROM drive and a 9600 baud modem with four
com-lines. There's a training minicomputer, and a
10-meg local mini just for the Center, and a lab-full
of student PC clones and half-a-dozen Macs or so.
There's a Data General MV 2500 with 8 meg on
board and a 370 meg disk.
Fitzpatrick plans to run a UNIX board on the
Data General when he's finished beta-testing the
software for it, which he wrote himself. It'll have E-
mail features, massive files on all manner of
computer-crime and investigation procedures, and
will follow the computer-security specifics of the
Department of Defense "Orange Book." He thinks
it will be the biggest BBS in the federal government.
Will it have *Phrack* on it? I ask wryly.
Sure, he tells me. *Phrack,* *TAP,* *Computer
Underground Digest,* all that stuff. With proper
disclaimers, of course.
I ask him if he plans to be the sysop. Running a
system that size is very time-consuming, and
Fitzpatrick teaches two three-hour courses every
day.
No, he says seriously, FLETC has to get its
money worth out of the instructors. He thinks he
can get a local volunteer to do it, a high-school
student.
He says a bit more, something I think about an
Eagle Scout law-enforcement liaison program, but
my mind has rocketed off in disbelief.
"You're going to put a *teenager* in charge of a
federal security BBS?" I'm speechless. It hasn't
escaped my notice that the FLETC Financial Fraud
Institute is the *ultimate* hacker-trashing target;
there is stuff in here, stuff of such utter and
consummate cool by every standard of the digital
underground.... I imagine the hackers of my
acquaintance, fainting dead-away from forbidden-
knowledge greed-fits, at the mere prospect of
cracking the superultra top-secret computers used
to train the Secret Service in computer-crime....
"Uhm, Carlton," I babble, "I'm sure he's a really
nice kid and all, but that's a terrible temptation to
set in front of somebody who's, you know, into
computers and just starting out..."
"Yeah," he says, "that did occur to me." For the
first time I begin to suspect that he's pulling my leg.
He seems proudest when he shows me an
ongoing project called JICC, Joint Intelligence
Control Council. It's based on the services provided
by EPIC, the El Paso Intelligence Center, which
supplies data and intelligence to the Drug
Enforcement Administration, the Customs Service,
the Coast Guard, and the state police of the four
southern border states. Certain EPIC files can now
be accessed by drug-enforcement police of Central
America, South America and the Caribbean, who
can also trade information among themselves.
Using a telecom program called "White Hat,"
written by two brothers named Lopez from the
Dominican Republic, police can now network
internationally on inexpensive PCs. Carlton
Fitzpatrick is teaching a class of drug-war agents
from the Third World, and he's very proud of their
progress. Perhaps soon the sophisticated
smuggling networks of the Medellin Cartel will be
matched by a sophisticated computer network of the
Medellin Cartel's sworn enemies. They'll track
boats, track contraband, track the international
drug-lords who now leap over borders with great
ease, defeating the police through the clever use of
fragmented national jurisdictions.
JICC and EPIC must remain beyond the scope
of this book. They seem to me to be very large
topics fraught with complications that I am not fit to
judge. I do know, however, that the international,
computer-assisted networking of police, across
national boundaries, is something that Carlton
Fitzpatrick considers very important, a harbinger of
a desirable future. I also know that networks by their
nature ignore physical boundaries. And I also know
that where you put communications you put a
community, and that when those communities
become self-aware they will fight to preserve
themselves and to expand their influence. I make
no judgements whether this is good or bad. It's just
cyberspace; it's just the way things are.
I asked Carlton Fitzpatrick what advice he
would have for a twenty-year-old who wanted to
shine someday in the world of electronic law
enforcement.
He told me that the number one rule was
simply not to be scared of computers. You don't
need to be an obsessive "computer weenie," but you
mustn't be buffaloed just because some machine
looks fancy. The advantages computers give smart
crooks are matched by the advantages they give
smart cops. Cops in the future will have to enforce
the law "with their heads, not their holsters." Today
you can make good cases without ever leaving your
office. In the future, cops who resist the computer
revolution will never get far beyond walking a beat.
I asked Carlton Fitzpatrick if he had some single
message for the public; some single thing that he
would most like the American public to know about
his work.
He thought about it while. "Yes," he said finally.
"*Tell* me the rules, and I'll *teach* those rules!" He
looked me straight in the eye. "I do the best that I
can."
