Secret service raids

Once upon a time at Atari, I helped the Secret Service bust some bad guys.  Let me be up front about this: It was related to my work, it was kind of fun at first, and if offered the chance to do it again, I’d refuse for reasons that I’ll try to make clear.

Mid 80s.  I was working for Atari, the Atari that Jack Tramiel had purchased, and we’d shipped the ST about a year earlier (this would have been 1986 or so).  One fine day Jack got a call from an old buddy, along the lines of: Can you help us out, we’re up against some computer stuff that we have no idea how to handle.

Years earlier, Jack had been the subject of some kind of stalker / kook threat, and some of his corporate security (which was Commodore at the time) had some buddies in the Secret Service.  Phone calls were made and the stalker / kook was dealt with — I don’t know details.  Now the Secret Service guys were calling in the favor.

There were some people in North Carolina who were using computerized bulletin board systems to trade Sprint access codes and stolen credit card numbers.  The systems were running on Atari hardware, which is why they had called Jack.

The Secret Service is often called in on fraud situations (it’s one of their charters).  But they were clueless about personal computers, especially Atari computers.  So they asked for expert help.  Back at Atari, after a bunch of discussion, I was identified as the person best able to help out the Secret Service with technical matters in the field.  I got some computer gear together, packed my bags and took a plane to Raleigh-Durham airport in North Carolina.

—-

A couple of agents picked me up at the airport.  On the way to the hotel they explained what was going on: There were five or six “operations” scheduled for the next week, and the goal of each was to gather better evidence of credit card and phone code fraud, and also the involvement of computers.  They already had enough independent evidence of the fraud (which had been necessary to obtain the search warrants), so most of the week’s operations were icing on the cake of the investigation.  Any “situation” I was involved with would be “sanitized” before I went in and helped the agents identify what to take.

A perk of being an independent consultant: I got my own hotel room.

The next morning started pretty early.  At 5 AM a small convoy of black cars and vans left Raleigh and headed out into the North Carolina countryside.  After stopping at an IHOP for breakfast we got on the road again and started going through smaller and smaller towns.  They had all seen better days.  There were signs of old tobacco production everywhere, from factories to the names of streets.  Most of the factories looked used-up and closed, the streets were ill-kept, and the houses needed work.

After a few hours of driving, the cars and vans pulled up in front of a small house in a town whose name I cannot remember.  We milled around a while.  This was a Monday morning, and the owner of the house that was about to be raided was at work.  A couple of agents had been sent to fetch the guy.

Neighbors started to gather around, quite curious.  A couple of local cops kept them away.  It was all pretty quiet.

While we were waiting an agent spoke to me about the procedure.  “We serve the warrant, then we video tape and photograph everything.  Then the idea is that we go in and bag everything computer-related.  If it has anything to do with a computer, even if it’s just a book or a magazine, tell us and we’ll label and bag it.  We also need the computers taken apart so we can put them back together at the field office.”

After maybe an hour the car with the ‘guy’ pulled up — I was told that it was not necessary that he be there, but they really wanted him to be — they served the warrant, and a few agents went into the house.  A bit later a camera crew went in. About an hour after that I was told to go in and help.

The house was a mess, but it didn’t have anything to do with the search itself; the guy was just untidy.  For instance, there was a closet with the kind of doors that slide on tracks; the closet was half full of stuff and the doors were bulging from the pressure of a couple cubic yards of unwashed clothes.  He was a smoker, and the place smelled terrible.  Dishes and bric-a-brac were everywhere.  But the Atari 800 computer was on a desk by itself, in a Zone of Clean that had been established and somehow kept inviolate.  The equipment and the wiring were well organized, disks were clearly labeled, and books and manuals were neatly shelved.  The Atari 800 itself was clean, and next to it hummed a TEN MEGABYTE HARD DISK, clearly the pride and joy of its owner.

I drew a diagram and took some notes.  I started taking things apart and described what I was doing as an agent snapped photos.  I told a couple of agents what to bag.

“That’s a modem cable.  That’s a modem.  Wait, I need to shut the computer down.”  I think someone dialed in as I was talking.  By modern standards my forensics were laughable, but this was before the day of encrypted file systems and logic bombs, and I knew the hardware and software pretty well.  “Okay, be really careful with this hard disk.  No, we don’t need those power cables.”  They insisted on taking stuff all the way down the power strips; I think one of them might have been for the stereo.

It took a few hours to disassemble things in such a way that I was confident the system could be put back together.  Then we took off to the field office, dropped the evidence boxes off, and went to a local hotel.

At 5 o’clock, work stopped.  The Secret Service is, after all, made up of government employees.  Everyone went for a beer.

Over one of the rounds, an agent told me this:

“Okay, you were off in the living room taking apart his computer, right?”

I remembered seeing the guy at his kitchen table, kind of hunched over and looking really depressed as he watched us.  A couple of agents were sitting with him and talking with him, taking notes.  I couldn’t hear what they were saying, since I was busy going through his stuff.

“Sure.”

“He was pretty blue.  We told him he was going to go to jail.  So I mentioned that you were from Atari.  And he brightened up and said, ‘Gosh, really?!'”

Laughter.

—-

The next day didn’t start out as early.  This time the raid was at an apartment in a town in the southern part of the state.  By the time we got there the warrant had already been served by another team, and they were already going through the apartment looking for evidence.  I think the suspect in this case had been taken away or had simply left; in any event, he wasn’t around.

The computer setup was pretty basic, and the guy just had a small number of floppy disks.  But I found some stuff that the agents had missed: A printout with some Sprint codes and a list of phone numbers and names of people who I recognized from the prior bulletin board, and a package of some kind from the first guy we’d raided.

Then the search got a bit personal; one agent found some (shall we say) disturbing photos in a drawer and passed them around.  There was some rough laughter.  More embarrassing things were found.  I found myself going through stuff, doing an actual search for things that were computer-related, and this made me feel out of control and filthy; I got out of the apartment soon after that.  Some more agents came by; apparently another team had done two other busts in the state that day, leaving one for the next day.

—-

The final day was the worst.  This was at a nice house in a well-kept neighborhood just outside of Raleigh.  When the warrant was served, it was on the suspect’s wife — the suspect himself was on a business trip.  There were two or three children in the house.  The woman was soon in hysterics, the children were crying, and the agents’ attempts to calm them down weren’t really succeeding.

“Man, that’s upsetting,” I said, over the crying.

One of the agents agreed.  The computer setup in this house was again simple and neat, and I was able to box it up pretty quickly.  We had the procedure down now.

“Why don’t you go with Wilkie [a made-up name; he was one of the "techie" support guys who worked in a basement in DC] to see him take out the pen register?” said the agent in charge.  So I took a quick ride with ‘Wilkie’ to a phone box by the side of the road, about a mile away from the house.

He unlocked the box and showed me the pen register and a bit of the printout.  Every number that had been dialed from the residence was on the tape, and I could see some of the Sprint codes that had been used.  He disconnected the register and stowed it.

—-

At the field office there were dozens of boxes of evidence, including the first computer that I’d taken apart.  The question in the air was an unsaid “Well, now what do we do with all this stuff?”  Some bosses had arrived and were pushing to get something concrete out of all the stuff that had been seized.

I unboxed the BBS system, hooked it all together (they recorded a video presentation of me doing this, in which I gave achingly detailed and nerdy and condescending instructions on how to hook up an Atari computer).  Then I wrote a simple program in BASIC to search the hard disk for patterns of credit card numbers and Sprint codes.  My program found a lot of them, in bulletin board messages tagged with the names of the suspects.
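The search described above, a program that looks for card-number patterns in the seized disk's contents, can be illustrated with a modern equivalent. This is an added example and is not the author's BASIC program: it scans a constructed byte buffer standing in for a raw image of the BBS message store, keeps only digit runs of 13 to 16 digits that pass the Luhn check, and attributes each hit to the nearest preceding message header. The `FROM:` header format and the sample messages are constructed for the example; the card numbers in it are published industry test numbers that pass Luhn but belong to no account. The post does not give the format of Sprint access codes, so the example does not search for them.

```python
import re

# Constructed sample standing in for a raw image of the BBS message store.
# 4111111111111111, 5500000000000004 and 4012888888881881 are well-known
# test numbers (Luhn-valid, no real account); 1234567890123456 fails Luhn.
SAMPLE_IMAGE = (
    b"MSG #0412 FROM: PHREAK1\r\n"
    b"card 4111 1111 1111 1111 exp 12/88 works fine\r\n"
    b"\x00\x00\xff\xffjunk binary 1234567890123456 not a card\r\n"
    b"MSG #0413 FROM: CARDER2\r\n"
    b"try 5500-0000-0000-0004 and 4012888888881881\r\n"
    b"serial number 9876543210 is too short to match\r\n"
)

# 13 to 16 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run (the lookarounds reject 17+ digit sequences).
CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Constructed header format: the sample tags each message with "FROM: name".
HEADER = re.compile(rb"FROM: (\w+)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(image: bytes):
    """Return (offset, digits, sender) for every Luhn-valid candidate in image.

    sender is the name from the closest preceding FROM: header, or None.
    """
    senders = [(h.start(), h.group(1).decode("ascii"))
               for h in HEADER.finditer(image)]
    hits = []
    for m in CANDIDATE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if not luhn_ok(digits):
            continue  # random digit runs rarely pass; this trims false positives
        sender = None
        for start, name in senders:
            if start < m.start():
                sender = name
        hits.append((m.start(), digits, sender))
    return hits


if __name__ == "__main__":
    for offset, digits, sender in find_card_candidates(SAMPLE_IMAGE):
        print(f"offset {offset:6d}  {digits}  tagged to {sender}")
```

Run stand-alone it lists three hits, two of them attributed to the second message. The Luhn filter is the check that keeps a raw pattern search usable on a whole disk: without it, every 16-digit run in binary data or serial numbers shows up as a hit.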

That was it, pretty much.  I had a few pages of paper with numbers.

Before I left (to hook up with my dad, who happened to be working at Duke University that week) they handed me $200 in cash.

“What’s this?”

“That’s your $50 a day.”

“But I didn’t spend any money!”  Indeed, I’d not had to spend anything on meals (and though I don’t recall, I hope I’d had the sense to buy a round or two of beer).

“It’s your money.  If you don’t take it, it gets accounting all upset.”

I didn’t argue.

—-

A year later, one of the agents visited Atari in Sunnyvale.  He and Jack Tramiel stopped by my office and handed me a certificate thanking Atari for its cooperation in sending me out to help.  I have it somewhere in my files.

“All of the folks we raided went to jail for a year and a day,” the agent said.

“A year and a day?”

“Over a year makes it a felony.”

“Oh.”

I went back to typing.

—-

This was one of those experiences that quite honestly was a lot of fun at the start, but that got nasty and brutal and a lot less cool as the reality of what was going on sunk in.  After the third bust I was really glad there wouldn’t be any more.

In retrospect the operation was pretty ham-handed.  I didn’t have any experience with computer forensics, and a simple logic bomb could have destroyed evidence past the point of retrieval by my skills.  Even a light dusting of crypto would have held me up for days.  I wasn’t given any legal advice at all, just “Tell us what to box up, and make sure the computers will still work.”  I wasn’t involved in the trial at all; for all I know they didn’t use any of the stuff that was seized.

So, after the nastiness of the process became clear, why did I go back to the field office and write code to extract the damning numbers?  I suspect it’s because it was a solvable problem, a quick hack, and it got me back to the comfortable world of slamming out code: Here is your hard evidence, your efforts have not been wasted.  At that point I had the proof in front of me; they’d been stealing credit card numbers (and though I did not see any proof that they’d used them, well, c’mon) and making thousands of dollars of phone calls on other people’s accounts.  In this case there had been independent corroboration of this (via the pen register tapes); even without my help these folks would have gone to jail.  But this made it very real to me.

—-

I have since worked next to people who may have made better moral choices than I did.  At Apple, we had requests of police departments to retrieve data from locked Newton PDAs; I believe that Apple’s policy was to release the tools for this, but not to do any actual forensics.  I had a long discussion with one of the dev managers in Newton about the first request we had — we were initially going to refuse to cooperate, but ultimately realized that the company would just be forced to cough up something, and that it was better on our terms than theirs.  I have had cow-orkers who claimed they stood up to pressure from the NSA on putting back doors in cryptographic functions.  Other instances, which I will not mention.

While I am a firm believer that crypto is the second best way to go if you want to keep a secret [the best way? don't put it in a computer to begin with], I also know that the physical world is a lot more cruel and far-reaching than the safety of numbers can encompass, and saying “Ha ha ha, I have 4096 bit crypto, you can’t touch me” is merely a form of denial.

—-

Reading:

Bruce Sterling’s _The Hacker Crackdown_.  (One or two of the people I met on my little adventure also appear in his book).

Cory Doctorow’s _Little Brother_.  The tech is pollyanna, but it’s a good, fun, angry book.

Steven Levy’s _Crypto_.

John Ross’ novel _Unintended Consequences_.  (Nothing to do with computers, everything to do with abuse of authority.  Yes, you may find the book’s cover offensive, and if you don’t like guns, you won’t like this book).


19 Responses to Secret service raids

  1. NFG says:

    I think I’d have done the same thing you did, and felt the same by the end.

    Great story. Thanks for sharing.

  2. Dan Hulton says:

    4096-bit crypto is effectively unbreakable. The password you use to lock up that key though, is likely far easier to guess, brute-force, or torture out of you (worst-case).

  3. landon says:

    @Pollyanna: http://en.wikipedia.org/wiki/Pollyanna_principle

    Extreme optimism, nothing can go wrong. A bit like Voltaire’s “This is the best of all possible worlds,” but with none of the sarcasm.

    @Dan: That’s right; 4096 bit keys are effectively unbreakable, but the surrounding infrastructure (including your quality of life) is not…

  4. Craig says:

    Yep – you need a “release” password that generates a bunch of harmless crap and deletes the other stuff.

  5. Kevin says:

    I understand why you felt the way you did, but I have no sympathy for someone stealing credit card numbers. I’ve been on the other side of that experience, and it’s not pleasant. The good guys won in your story, in my humble opinion…

    I love all of your stories, by the way!

    :-)

  6. Joe Cassara says:

    Do you recall which hard drive the first fellow was using on his 800?

  7. landon says:

    @Joe: I don’t remember. They were more common in 1986 or so than they had been (in ’84 they were rocket science, at least for the Atari scene). I don’t think it was a Corvus, though.

  8. J says:

    I did computer forensics for three or so years before moving on to straight programming two years ago.

    It can be fun, but mostly it is a tedious job. And as time went on, it got more tedious. At first I was just examining 20g or 40g drives from older computers, but in the end I was usually examining 200g drives, and in cases with multiple computers, sometimes over a terabyte. The process is a lot more automated now than your story above, but just making a forensic copy (bit for bit image without altering the original, generally with a hardware write-blocker) of the drives can take an entire day for one case.

    Also, like your story, these cases rarely go to trial. Usually, because the evidence is pretty clear-cut and they know they’ll get better deals when they plead guilty. And even when they do go to trial, prosecutors will tend to rely on the physical evidence, since juries, judges and the prosecutors still have a hard time mentally processing computer evidence. Over my three years, I went to court … twice, I think, for the computer stuff. And one was a divorce case that just happened to intertwine with our criminal investigation (we wouldn’t work on a non-criminal case). Both times, the courts didn’t know what questions to ask. However, as I was leaving the field, the prosecutors were getting much better. And now most have special teams to prosecute the computer cases.

    All that said, I’m not sure why you had a moral problem with it. If the police had moral problems with arresting armed robbers or killers, we’d all be in trouble. Maybe because you worked for the company that produced the hardware, so these guys were your customers. That I can understand. Anyway, you did the right thing. I don’t, however, agree with putting backdoors into crypto functions or violating the rights of the customer to serve law enforcement purposes. Really, the criminals are dumb enough that law enforcement doesn’t need the help. In fact, out of the 200-300 cases I worked, only two had encryption of any sort. One we guessed the password within … 3 tries, and in the other case the suspect just gave the password in an interview (he wasn’t arrested, or coerced, he just told the investigator when asked). So, like I said, criminals are pretty dumb… otherwise they wouldn’t be criminals in the first place.

    J

  9. Seth Tisue says:

    Interesting story. Thanks for posting it.

  10. TC says:

    “4096-bit crypto is effectively unbreakable.”

    Really? What if the “4096-bit crypto” is a 4096-bit string, repeated to match the message length, then XORd with the message?

    Your statement is like saying, “cars have 2 doors and go extremely fast”. Some of them do – some of them don’t.

  11. JSmith says:

    Have you bought a Rodda 4 bore yet?

  12. landon says:

    @JSmith: Haven’t seen one for sale :-)

  13. Thanks for taking the time to write another great article, Landon. I’m subscribed to the RSS feed and check it daily. I can’t wait for the next one. You should write a novel of all of your experiences. Us nerds would eat it up :).

  14. Andrew says:

    “4096-bit crypto is effectively unbreakable”

    The point is that the *crypto* might be unbreakable, but you can still be thrown in gaol for contempt of court if you don’t hand over the key.

  15. Joe Mohaa says:

    The way to have perfect crypto is to have two identical USB memory sticks that have a file on it that is full of completely random bits – NOT pseudo-random. After copying one stick to the other, send (physically) one of the memory sticks to the party with which you want to communicate. Agree ahead of time that all messages will be, say, 4096 bits. Take the first 4096 bits, xor with your 512-byte message, and send the xor’d bits over the open communications channel (e.g. email). Now, on the receiving end, xor the received bits with the first 4096 bits of the file – and there is your message, decrypted. Now, for the NEXT message, you must use the NEXT chunk of 4096 bits – you must NEVER re-use ANY of the random bits. When you’ve used up your 8 GB memory stick, you’ll need to start at the top and generate another completely random file, duplicate it onto a memory stick, send the memory stick, etc. Clearly, it’s best if you physically hand the memory stick to your communicant, so you don’t have to deal with people opening up your package in the mail and copying the contents of the memory stick, etc.

    There are many many ways to send information securely, as long as you understand the algorithms, write your own software, and take precautions like I mentioned about data dissemination.
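The scheme in comment 15, and TC's objection in comment 10, can both be shown in a few lines. This is an added example and not either commenter's code. It implements the fixed-size one-time pad exactly as described: both parties hold an identical pad, each 512-byte (4096-bit) message consumes the next 512 pad bytes, and a cursor guarantees no pad byte is ever reused or the pad runs out loudly. Alongside it, `repeated_key_xor` is the "4096-bit string repeated to the message length" that TC warns about, and `difference_without_key` shows why: XORing two ciphertexts made with the same key bytes gives the XOR of the two plaintexts, with the key cancelled out. The framing (a two-byte length prefix plus zero fill) is an assumption added so that short messages can be padded to a full block unambiguously; `secrets.token_bytes` stands in for the truly random pad file and is an OS pseudo-random source, not the hardware randomness the comment asks for.

```python
import secrets

BLOCK = 512  # 4096 bits per message, as in the comment's scheme


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(blocks: int) -> bytes:
    """Stand-in for the random pad file (OS CSPRNG, not hardware randomness)."""
    return secrets.token_bytes(blocks * BLOCK)


class OneTimePad:
    """One party's copy of the shared pad plus a cursor so no byte is reused.

    Both parties construct this from the same pad bytes and advance in lockstep:
    message N on the sending side lines up with message N on the receiving side.
    """

    def __init__(self, pad: bytes):
        self.pad = pad
        self.cursor = 0

    def _take(self) -> bytes:
        if self.cursor + BLOCK > len(self.pad):
            raise RuntimeError("pad exhausted: generate and exchange a new one")
        chunk = self.pad[self.cursor:self.cursor + BLOCK]
        self.cursor += BLOCK  # never rewinds: used bytes are gone for good
        return chunk

    def encrypt(self, message: bytes) -> bytes:
        # Assumed framing: 2-byte big-endian length, message, zero fill.
        if len(message) > BLOCK - 2:
            raise ValueError("message does not fit in one block")
        framed = len(message).to_bytes(2, "big") + message
        framed += bytes(BLOCK - len(framed))
        return xor(framed, self._take())

    def decrypt(self, ciphertext: bytes) -> bytes:
        if len(ciphertext) != BLOCK:
            raise ValueError("ciphertext must be exactly one block")
        framed = xor(ciphertext, self._take())
        n = int.from_bytes(framed[:2], "big")
        return framed[2:2 + n]


def repeated_key_xor(message: bytes, key: bytes) -> bytes:
    """TC's counter-example: one fixed key repeated to the message length."""
    return bytes(m ^ key[i % len(key)] for i, m in enumerate(message))


def difference_without_key(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts that reused key bytes equals m1 XOR m2; the key
    cancels, so an observer learns the relationship between the plaintexts
    without ever seeing the key."""
    return xor(c1, c2)


if __name__ == "__main__":
    pad = new_pad(4)
    alice, bob = OneTimePad(pad), OneTimePad(pad)
    c = alice.encrypt(b"meet at the phone box at noon")
    print(bob.decrypt(c))
    k = secrets.token_bytes(BLOCK)
    m1, m2 = b"attack at dawn", b"retreat at one"
    leak = difference_without_key(repeated_key_xor(m1, k), repeated_key_xor(m2, k))
    print(leak == xor(m1, m2))  # True: key reuse leaks m1 XOR m2
```

The cursor is what separates this from TC's repeated key: pad bytes are consumed once and discarded. It is also exactly Foone's point in the next comment. The cursor protects nothing once the stick itself is seized, because whoever holds the pad file and the captured ciphertexts can replay the same XOR over every message that was ever sent with it.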

  16. Foone says:

    @Joe:
    That’s really missing the point being made at the end of the blog. What happens when the secret service comes into your house and takes your USB key?

    Oh, your security just went out the window. The secret service now has the key and can easily decrypt all your messages.

  17. Omer says:

    Great reading.

  18. You only ever hear the stories of the guys who got caught.
