DANGEROUS IDEAS

by Leigh Lundin

Are you writing your first techno-thriller? Want to tell your audience how to steal money, identities, votes, or more? Want to explore how to kill a victim remotely inside a locked room? Does what you have to say embarrass government agencies or big corporations?

Are you ready to face those same government agencies and corporations willing to muzzle you in court?

It happens more often than you think. This story is a huge ball of twine, one which I’ve spent several hours deciding which threads to pull. Sitting in my files are notes from real-life cases I uncovered or solved:

• Financial institutions that shaved pennies from customer accounts.
• Banks that manipulated deposits and withdrawals to maximize customer overdrafts.
• A large Wall Street brokerage house that, with the complicity of one of the Big Eight accounting firms (involved with Enron), robbed its pension fund.
• Most personally satisfying, a bankshares group defrauded by an idiosyncratic guy seeking revenge.

These crimes involved two weapons: brains and that mysterious WMD, computer software.

In the News

How often do you hear of criminals who’ve hacked into financial institutions and stolen identities?

How often do you not hear of criminals who’ve hacked into financial institutions and stolen their money?

For the institutions themselves, I have not one iota of sympathy. Am I compassionate towards the criminals?

Not in the least. In talks I’ve given, I posited the following questions:

• If your bank president went home each night and left the door unlocked…
• If your banker was too lazy to fix the broken alarm…
• If your banker left the key under the mat…
• If your banker left the window open a crack…
• If your banker installed a vault that was mere window dressing…
  • … who’s the real criminal?

Because, if you’ve read about them in the news, that’s probably what happened in their computer center.

Brokerage houses, savings & loans, and other financial institutions depend upon secrecy. You may not realize that banks, stores, suppliers, and shippers no longer shuffle quotes, purchase orders, invoices, payments, and shipping documents on paper. It’s done electronically, computers talking to computers, a process called eCommerce. The prevailing belief is that secrecy guards against crime; the less you know the safer everyone will be.

I argue secrecy makes crime possible.

Boston T Party

Earlier this week, the Commonwealth of Massachusetts and Boston’s MBTA went to federal court and succeeded in getting a judge to set aside the First Amendment rights of three MIT students who were to speak at a computer conference.

Why? The nominal reason is that the MBTA potentially stood to lose, um, tens of dollars. Okay, maybe hundreds, maybe more. But in this era of the Orwellian US PATRIOT Acts I and II and the casual setting aside of constitutional liberties to "protect America", such strictures happen too easily. This hasn’t been the first time government or even companies have gone to court to seek gag orders against dangerous ideas.

The ‘danger’ is the exposure of what we call software vulnerabilities, meaning flaws that can be exploited by ‘black hats’– the crackers, the bad guys. In the case of the MBTA, management has known for at least two years that their system is flawed, badly flawed. They didn’t merely leave the key in the lock, they barely bothered to close their screen door to keep flies out.

The government and MBTA don’t worry a few people might ride the rail for free. The real reason is they don’t want public embarrassment: They don’t want you to know.

This cycle of bright geeky guys pointing out flaws in the system and corporate or government suits trying to silence them has been going on a long time, and I predict that it will continue long into the future.

The Glass House

James related to us last Monday Herodotus’ tale of Ramesses III (Rhampsinitus or Rhampsinitos), a perfect illustration of government secrecy to address a problem that simply failed.

Consider the opposite model. What if the Pharaoh’s wealth had been placed behind glass walls? Thick walls to be sure, preferably of Egyptian lexan or tempered lucite, but on public display? What if banks were glass houses that were transparent to the public? (‘Glass houses’ in this context is not to be confused with the term for computer rooms.)

Florida Voting Fiasco, Part 279.236(a)

Never mind the 2000 election and Florida’s voting disaster that sidelined Al Gore, Florida doesn’t know for sure which candidate won one and possibly two of our most recent 2008 congressional races.

After the departure of Katherine Harris as Florida’s Secretary of State and Supervisor of Elections, Orlando’s unindicted mayor Glenda Hood took over. She ordered Diebold voting machines, which had been controversial for a number of reasons. When Senator Bill Nelson questioned the purchase, she told him to mind his own business.

He was minding our business and Glenda Hood failed us. In one race alone, voting machines ‘lost’ 20,000 votes. Worse, the machines don’t know how they lost the votes. The Supervisor of Elections’ official line is that 20,000 citizens showed up to vote– but chose not to. [UPDATE: Diebold admits machines drop votes.]

Florida should have been paying attention. Maryland’s House of Delegates voted to ban Diebold machines and California decertified them. Diebold placed Georgia in a terrible position after sneaking patches onto their machines. According to a report, "People working for Diebold were told to keep this quiet so (Secretary of State Cathy) Cox would not find out. They knew she was in over her head and had come to completely rely on Diebold. They controlled the warehouse, the machines, and the certification. There were no state employees."

It’s long been reported Diebold machines are vulnerable and could be hacked in less than a minute, despite Diebold’s attempts to suppress the knowledge and even change its name to Premier Election Solutions, and again to Election Systems & Software. However, darker suspicions lingered. Diebold and in particular its CEO Walden O’Dell were strong supporters of the Republican Party and especially George W. Bush. O’Dell attended election strategy meetings at the President’s home in Crawford, Texas and hosted GOP functions in his own Upper Arlington mansion where he promised to "deliver the vote" for Bush.

You don’t have to be a Democrat to understand concerns. (Here I append my disclaimer that I am an obstinate independent, dedicated to annoying both major parties.) As shown in challenges brought by Sequoia Voting Systems, the political beneficiaries of O’Dell’s largess had a habit of disqualifying Diebold’s competitors when it came to purchasing voting machines.

Then there was this ‘oopsie’: a year and a half ago, O’Dell resigned when it was revealed he and Diebold, maker of money and voting machines, faced securities fraud investigations.

These are the people we trust to count our votes.

Sterling Example

Intent doesn’t have to be malicious. It can merely be lackadaisical. Companies may be aware of product defects, but deem the fix too expensive or inconvenient to address immediately or figure no one will find out. Alternatively, they may not know how to deal with the problem or even isolate it. Upon occasion, bureaucrats will calculate the cost of fixing versus the cost of lawsuits and make the decision financial rather than ethical.

Corporate culture affects decisions. Sterling Commerce is a company that facilitates eCommerce, the electronic business exchanges mentioned above. At one time, Sterling supported IBM mainframe, IBM midrange, Unix, Macintosh, and Windows. In the course of events, a problem fell into the lap of a mid-level manager. He thought data from a mainframe appeared as ‘garbage’ on his Windows box. He didn’t understand it was a simple matter of character encoding, so he made an ‘executive decision’ to drop support for all computers other than Windows.

Because of one man’s ignorance, Sterling Commerce, responsible for the security of transactions throughout North America’s financial infrastructure, unilaterally began to dismantle all the most secure systems and settle upon the most vulnerable, solely because it was the only computer he knew. He cast his lot with Microsoft’s proprietary OS which has been plagued with known security problems, some which have gone as long as a year without being plugged until hackers shown a light on them.

No Harm, No Foul

My technical speciality is intricate operating systems software. Westinghouse asked me to make a change that affected their timeshare billing. I don’t recall if it was I or my colleague, Kevin Beauregard, who discovered the long-existing process for capturing data had a fallacy that resulted in Westinghouse over-billing customers.

Westinghouse faced the difficult dilemma of revealing to its customers that for years it inadvertently over-charged them –or– quietly correcting the problem and letting the matter die. Naturally some firms would have embraced a third alternative of allowing over-billing to continue since no customer had discovered the error.

Ask yourself, could you tell if your phone company overcharged you? Probably not, since a study showed most accountants aren’t able to decipher their own bills. Phone company invoices are designed to present an appearance of forthrightness while deliberately obscuring machinations behind the scenes. Recently, a mother discovered Verizon routinely and wrongly overbilled millions of customers two dollars a month for web access. $2 x millions …

The Man from T.H.R.U.S.H

From the early days of the web, it frustrated me my bank and credit card companies had weaker protection than more trivial sites. My bank actually allowed a six character password, while some eMail and discussion sites required tougher, harder to crack passwords. Porn sites probably had better protection.

My friend Thrush has enough computing power to run Bulgaria. He comes by digital megalomania honestly, from leading a robotics team to being the technical partner in Orlando’s first internet service provider.

He’s also a major proponent of ‘open software’, deploying a Unix variant called OpenBSD, reputedly highly secure. Underpinning the Macintosh OS-X is FreeBSD, a similar open source project.

In preparation for this article, Thrush brought to my attention Eric Raymond‘s paper, The Cathedral and The Bazaar, which lays out the philosophical and practical case for open software. He analogises closed, proprietary software to cathedrals and open software to bazaars.

I made my living from proprietary software and I had the satisfaction of building elegant cathedrals. ‘Elegance’ is an engineering term implying a design that is so perfect that it has a beauty, an elegance. I also worked to build a reputation consulting, solving impossible problems.

Proprietary software has its place. Great creativity seldom comes naturally from group-think and most great inventions have been the brainchildren of lone workmen, toiling long into the night when company men have gone to bed. It’s also a place for those like me who don’t play well with authority figures.

Yet, I appreciate open software. A thousand eyes can spot a problem faster than one or two. A thousand cerebrums can come up with variations the original creator hadn’t yet thought of.

For the masses, there are hundreds of free programs. If you can’t afford (or dislike) Microsoft Office, you can download OpenOffice, gratis, for any computer platform. (Mac users: try the advanced (and free) NeoOffice.)

Return to the House of Glass

The real promise of open software is transparency.

In the 1970s, banks discovered overdrafts weren’t something to be shunned but embraced as a major source of revenue. Banking policies changed to encourage overdrafts. Chances are your bank’s computer program sorts your deposits and withdrawals to maximize overdraft fees. If you had only $99 in the bank and wrote two $10 checks and a $100 check and were hit with three overdrawn charges, it wasn’t an accident. However, if your bank’s practice was public knowledge, wouldn’t you consider moving your accounts?

The problem goes beyond the world of finance. Had open software been de rigueur, a California oil company wouldn’t have been able to cheat its customers by cleverly programming its gas pumps to both overcharge and hide the fact from state inspectors.

Had Diebold been willing to lay bare its voting machine programs to public review, citizens could feel more secure that crackers hadn’t violated the purported integrity of the machines. Diebold might have avoided a tainted reputation and not lost thousands of votes in the process. Voters could feel less suspicious that a vote for Ron Paul wouldn’t become a vote for Rudy Giuliani.

Who’s Really to Blame?

• The next time a company petitions the court for a gag order relating to proprietary technical information…
• The next time the federal government arrests a foreign national about to speak at a symposium…
• The next time a judge orders college students not to present a paper at a conference…
  • They aren’t doing it to protect you. They’re doing it to prevent their own embarrassment. That’s when you should ask who the black hat really is.

Locked Room Mystery

If you look through the DefCon notes, you can indeed find clever crime ideas, such as a way to hack a pacemaker, conceivably with fatal consequences. As writers, our problem is the reality of such a plot device sounds too unbelievable in a thriller or a locked room mystery.

Almost anything with software can be hacked: your Blackberry, your iPod, your iPhone, your TiVo, your camera, your wristwatch, your wireless router, your toaster, your car. No need to crudely cut brake lines. Have your tech-savvy bad guy hack the accelerator controller and send victims crashing into walls. That’s the personal touch.

The best protection is open, transparent software. The scrutiny of a thousand eyes makes it far more difficult for flaws and deliberate holes to hide and far more difficult for a cracker to penetrate a supposedly ‘secure’ product.