Страницы: - 1
Committee (FCIC) is the most important and
influential organization in the realm of American
computer-crime. Since the police of other countries
have largely taken their computer-crime cues from
American methods, the FCIC might well be called
the most important computer crime group in the
It is also, by federal standards, an organization
of great unorthodoxy. State and local investigators
mix with federal agents. Lawyers, financial auditors
and computer-security programmers trade notes
with street cops. Industry vendors and telco security
people show up to explain their gadgetry and plead
for protection and justice. Private investigators,
think-tank experts and industry pundits throw in
their two cents' worth. The FCIC is the antithesis of
a formal bureaucracy.
Members of the FCIC are obscurely proud of
this fact; they recognize their group as aberrant, but
are entirely convinced that this, for them, outright
*weird* behavior is nevertheless *absolutely
necessary* to get their jobs done.
FCIC regulars -- from the Secret Service, the
FBI, the IъS, the Department of Labor, the offices of
federal attorneys, state police, the Air Force, from
military intelligence -- often attend meetings, held
hither and thither across the country, at their own
expense. The FCIC doesn't get grants. It doesn't
charge membership fees. It doesn't have a boss. It
has no headquarters -- just a mail drop in
Washington DC, at the Fraud Division of the Secret
Service. It doesn't have a budget. It doesn't have
schedules. It meets three times a year -- sort of.
Sometimes it issues publications, but the FCIC has
no regular publisher, no treasurer, not even a
secretary. There are no minutes of FCIC meetings.
Non-federal people are considered "non-voting
members," but there's not much in the way of
elections. There are no badges, lapel pins or
certificates of membership. Everyone is on a first-
name basis. There are about forty of them. Nobody
knows how many, exactly. People come, people go --
sometimes people "go" formally but still hang
around anyway. Nobody has ever exactly figured
out what "membership" of this "Committee"
Strange as this may seem to some, to anyone
familiar with the social world of computing, the
"organization" of the FCIC is very recognizable.
For years now, economists and management
theorists have speculated that the tidal wave of the
information revolution would destroy rigid,
pyramidal bureaucracies, where everything is top-
down and centrally controlled. Highly trained
"employees" would take on much greater autonomy,
being self-starting, and self-motivating, moving
from place to place, task to task, with great speed
and fluidity. "Ad-hocracy" would rule, with groups of
people spontaneously knitting together across
organizational lines, tackling the problem at hand,
applying intense computer-aided expertise to it, and
then vanishing whence they came.
This is more or less what has actually happened
in the world of federal computer investigation. With
the conspicuous exception of the phone companies,
which are after all over a hundred years old,
practically *every* organization that plays any
important role in this book functions just like the
FCIC. The Chicago Task Force, the Arizona
ъacketeering Unit, the Legion of Doom, the Phrack
crowd, the Electronic Frontier Foundation -- they
*all* look and act like "tiger teams" or "user's
groups." They are all electronic ad-hocracies
leaping up spontaneously to attempt to meet a
Some are police. Some are, by strict definition,
criminals. Some are political interest-groups. But
every single group has that same quality of apparent
spontaneity -- "Hey, gang! My uncle's got a barn --
let's put on a show!"
Every one of these groups is embarrassed by
this "amateurism," and, for the sake of their public
image in a world of non-computer people, they all
attempt to look as stern and formal and impressive
as possible. These electronic frontier-dwellers
resemble groups of nineteenth-century pioneers
hankering after the respectability of statehood.
There are however, two crucial differences in the
historical experience of these "pioneers" of the
nineteeth and twenty-first centuries.
First, powerful information technology *does*
play into the hands of small, fluid, loosely organized
groups. There have always been "pioneers,"
"hobbyists," "amateurs," "dilettantes," "volunteers,"
"movements," "users' groups" and "blue-ribbon
panels of experts" around. But a group of this kind -
- when technically equipped to ship huge amounts
of specialized information, at lightning speed, to its
members, to government, and to the press -- is
simply a different kind of animal. It's like the
difference between an eel and an electric eel.
The second crucial change is that American
society is currently in a state approaching
permanent technological revolution. In the world of
computers particularly, it is practically impossible to
*ever* stop being a "pioneer," unless you either
drop dead or deliberately jump off the bus. The
scene has never slowed down enough to become
well-institutionalized. And after twenty, thirty, forty
years the "computer revolution" continues to spread,
to permeate new corners of society. Anything that
really works is already obsolete.
If you spend your entire working life as a
"pioneer," the word "pioneer" begins to lose its
meaning. Your way of life looks less and less like an
introduction to "something else" more stable and
organized, and more and more like *just the way
things are.* A "permanent revolution" is really a
contradiction in terms. If "turmoil" lasts long
enough, it simply becomes *a new kind of society* --
still the same game of history, but new players, new
Apply this to the world of late twentieth-century
law enforcement, and the implications are novel
and puzzling indeed. Any bureaucratic rulebook
you write about computer-crime will be flawed when
you write it, and almost an antique by the time it
sees print. The fluidity and fast reactions of the
FCIC give them a great advantage in this regard,
which explains their success. Even with the best will
in the world (which it does not, in fact, possess) it is
impossible for an organization the size of the U.S.
Federal Bureau of Investigation to get up to speed
on the theory and practice of computer crime. If
they tried to train all their agents to do this, it would
be *suicidal,* as they would *never be able to do
The FBI does try to train its agents in the basics
of electronic crime, at their base in Quantico,
Virginia. And the Secret Service, along with many
other law enforcement groups, runs quite successful
and well-attended training courses on wire fraud,
business crime, and computer intrusion at the
Federal Law Enforcement Training Center (FLETC,
pronounced "fletsy") in Glynco, Georgia. But the
best efforts of these bureaucracies does not remove
the absolute need for a "cutting-edge mess" like the
For you see -- the members of FCIC *are* the
trainers of the rest of law enforcement. Practically
and literally speaking, they are the Glynco
computer-crime faculty by another name. If the
FCIC went over a cliff on a bus, the U.S. law
enforcement community would be rendered deaf
dumb and blind in the world of computer crime, and
would swiftly feel a desperate need to reinvent them.
And this is no time to go starting from scratch.
On June 11, 1991, I once again arrived in
Phoenix, Arizona, for the latest meeting of the
Federal Computer Investigations Committee. This
was more or less the twentieth meeting of this stellar
group. The count was uncertain, since nobody
could figure out whether to include the meetings of
"the Colluquy," which is what the FCIC was called in
the mid-1980s before it had even managed to obtain
the dignity of its own acronym.
Since my last visit to Arizona, in May, the local
AzScam bribery scandal had resolved itself in a
general muddle of humiliation. The Phoenix chief of
police, whose agents had videotaped nine state
legislators up to no good, had resigned his office in a
tussle with the Phoenix city council over the
propriety of his undercover operations.
The Phoenix Chief could now join Gail
Thackeray and eleven of her closest associates in
the shared experience of politically motivated
unemployment. As of June, resignations were still
continuing at the Arizona Attorney General's office,
which could be interpreted as either a New Broom
Sweeping Clean or a Night of the Long Knives Part
II, depending on your point of view.
The meeting of FCIC was held at the Scottsdale
Hilton ъesort. Scottsdale is a wealthy suburb of
Phoenix, known as "Scottsdull" to scoffing local
trendies, but well-equipped with posh shopping-
malls and manicured lawns, while conspicuously
undersupplied with homeless derelicts. The
Scottsdale Hilton ъesort was a sprawling hotel in
postmodern crypto-Southwestern style. It featured
a "mission bell tower" plated in turquoise tile and
vaguely resembling a Saudi minaret.
Inside it was all barbarically striped Santa Fe
Style decor. There was a health spa downstairs and
a large oddly-shaped pool in the patio. A poolside
umbrella-stand offered Ben and Jerry's politically
correct Peace Pops.
I registered as a member of FCIC, attaining a
handy discount rate, then went in search of the Feds.
Sure enough, at the back of the hotel grounds came
the unmistakable sound of Gail Thackeray holding
Since I had also attended the Computers
Freedom and Privacy conference (about which more
later), this was the second time I had seen
Thackeray in a group of her law enforcement
colleagues. Once again I was struck by how simply
pleased they seemed to see her. It was natural that
she'd get *some* attention, as Gail was one of two
women in a group of some thirty men; but there was
a lot more to it than that.
Gail Thackeray personifies the social glue of the
FCIC. They could give a damn about her losing her
job with the Attorney General. They were sorry
about it, of course, but hell, they'd all lost jobs. If
they were the kind of guys who liked steady boring
jobs, they would never have gotten into computer
work in the first place.
I wandered into her circle and was immediately
introduced to five strangers. The conditions of my
visit at FCIC were reviewed. I would not quote
anyone directly. I would not tie opinions expressed
to the agencies of the attendees. I would not (a
purely hypothetical example) report the
conversation of a guy from the Secret Service talking
quite civilly to a guy from the FBI, as these two
agencies *never* talk to each other, and the IъS
(also present, also hypothetical) *never talks to
Worse yet, I was forbidden to attend the first
conference. And I didn't. I have no idea what the
FCIC was up to behind closed doors that afternoon.
I rather suspect that they were engaging in a frank
and thorough confession of their errors, goof-ups
and blunders, as this has been a feature of every
FCIC meeting since their legendary Memphis beer-
bust of 1986. Perhaps the single greatest attraction
of FCIC is that it is a place where you can go, let your
hair down, and completely level with people who
actually comprehend what you are talking about.
Not only do they understand you, but they *really
pay attention,* they are *grateful for your insights,*
and they *forgive you,* which in nine cases out of
ten is something even your boss can't do, because as
soon as you start talking "ъOM," "BBS," or "T-1
trunk," his eyes glaze over.
I had nothing much to do that afternoon. The
FCIC were beavering away in their conference
room. Doors were firmly closed, windows too dark to
peer through. I wondered what a real hacker, a
computer intruder, would do at a meeting like this.
The answer came at once. He would "trash" the
place. Not reduce the place to trash in some orgy of
vandalism; that's not the use of the term in the
hacker milieu. No, he would quietly *empty the
trash baskets* and silently raid any valuable data
indiscreetly thrown away.
Journalists have been known to do this.
(Journalists hunting information have been known
to do almost every single unethical thing that
hackers have ever done. They also throw in a few
awful techniques all their own.) The legality of
'trashing' is somewhat dubious but it is not in fact
flagrantly illegal. It was, however, absurd to
contemplate trashing the FCIC. These people knew
all about trashing. I wouldn't last fifteen seconds.
The idea sounded interesting, though. I'd been
hearing a lot about the practice lately. On the spur
of the moment, I decided I would try trashing the
office *across the hall* from the FCIC, an area
which had nothing to do with the investigators.
The office was tiny; six chairs, a table....
Nevertheless, it was open, so I dug around in its
plastic trash can.
To my utter astonishment, I came up with the
torn scraps of a SPъINT long-distance phone bill.
More digging produced a bank statement and the
scraps of a hand-written letter, along with gum,
cigarette ashes, candy wrappers and a day-old-issue
of USA TODAY.
The trash went back in its receptacle while the
scraps of data went into my travel bag. I detoured
through the hotel souvenir shop for some Scotch
tape and went up to my room.
Coincidence or not, it was quite true. Some poor
soul had, in fact, thrown a SPъINT bill into the
hotel's trash. Date May 1991, total amount due:
$252.36. Not a business phone, either, but a
residential bill, in the name of someone called
Evelyn (not her real name). Evelyn's records showed
a ## PAST DUE BILL ##! Here was her nine-digit
account ID. Here was a stern computer-printed
"TъEAT YOUъ FONCAъD AS YOU WOULD ANY
CъEDIT CAъD. TO SECUъE AGAINST FъAUD,
NEVEъ GIVE YOUъ FONCAъD NUMBEъ OVEъ
THE PHONE UNLESS YOU INITIATED THE
CALL. IF YOU ъECEIVE SUSPICIOUS CALLS
PLEASE NOTIFY CUSTOMEъ SEъVICE
I examined my watch. Still plenty of time left for
the FCIC to carry on. I sorted out the scraps of
Evelyn's SPъINT bill and re-assembled them with
fresh Scotch tape. Here was her ten-digit
FONCAъD number. Didn't seem to have the ID
number necessary to cause real fraud trouble.
I did, however, have Evelyn's home phone
number. And the phone numbers for a whole crowd
of Evelyn's long-distance friends and acquaintances.
In San Diego, Folsom, ъedondo, Las Vegas, La Jolla,
Topeka, and Northampton Massachusetts. Even
somebody in Australia!
I examined other documents. Here was a bank
statement. It was Evelyn's IъA account down at a
bank in San Mateo California (total balance
$1877.20). Here was a charge-card bill for $382.64.
She was paying it off bit by bit.
Driven by motives that were completely
unethical and prurient, I now examined the
handwritten notes. They had been torn fairly
thoroughly, so much so that it took me almost an
entire five minutes to reassemble them.
They were drafts of a love letter. They had been
written on the lined stationery of Evelyn's employer,
a biomedical company. Probably written at work
when she should have been doing something else.
"Dear Bob," (not his real name) "I guess in
everyone's life there comes a time when hard
decisions have to be made, and this is a difficult one
for me -- very upsetting. Since you haven't called
me, and I don't understand why, I can only surmise
it's because you don't want to. I thought I would
have heard from you Friday. I did have a few
unusual problems with my phone and possibly you
tried, I hope so.
"ъobert, you asked me to 'let go'..."
The first note ended. *Unusual problems with
her phone?* I looked swiftly at the next note.
"Bob, not hearing from you for the whole
weekend has left me very perplexed..."
"Dear Bob, there is so much I don't understand
right now, and I wish I did. I wish I could talk to you,
but for some unknown reason you have elected not
to call -- this is so difficult for me to understand..."
She tried again.
"Bob, Since I have always held you in such high
esteem, I had every hope that we could remain good
friends, but now one essential ingredient is missing -
- respect. Your ability to discard people when their
purpose is served is appalling to me. The kindest
thing you could do for me now is to leave me alone.
You are no longer welcome in my heart or home..."
"Bob, I wrote a very factual note to you to say
how much respect I had lost for you, by the way you
treat people, me in particular, so uncaring and cold.
The kindest thing you can do for me is to leave me
alone entirely, as you are no longer welcome in my
heart or home. I would appreciate it if you could
retire your debt to me as soon as possible -- I wish no
link to you in any way. Sincerely, Evelyn."
Good heavens, I thought, the bastard actually
owes her money! I turned to the next page.
"Bob: very simple. GOODBYE! No more mind
games -- no more fascination -- no more coldness --
no more respect for you! It's over -- Finis. Evie"
There were two versions of the final brushoff
letter, but they read about the same. Maybe she
hadn't sent it. The final item in my illicit and
shameful booty was an envelope addressed to "Bob"
at his home address, but it had no stamp on it and it
hadn't been mailed.
Maybe she'd just been blowing off steam
because her rascal boyfriend had neglected to call
her one weekend. Big deal. Maybe they'd kissed
and made up, maybe she and Bob were down at
Pop's Chocolate Shop now, sharing a malted. Sure.
Easy to find out. All I had to do was call Evelyn
up. With a half-clever story and enough brass-
plated gall I could probably trick the truth out of her.
Phone-phreaks and hackers deceive people over the
phone all the time. It's called "social engineering."
Social engineering is a very common practice in the
underground, and almost magically effective.
Human beings are almost always the weakest link in
computer security. The simplest way to learn Things
You Are Not Meant To Know is simply to call up
and exploit the knowledgeable people. With social
engineering, you use the bits of specialized
knowledge you already have as a key, to manipulate
people into believing that you are legitimate. You
can then coax, flatter, or frighten them into revealing
almost anything you want to know. Deceiving
people (especially over the phone) is easy and fun.
Exploiting their gullibility is very gratifying; it makes
you feel very superior to them.
If I'd been a malicious hacker on a trashing
raid, I would now have Evelyn very much in my
power. Given all this inside data, it wouldn't take
much effort at all to invent a convincing lie. If I were
ruthless enough, and jaded enough, and clever
enough, this momentary indiscretion of hers --
maybe committed in tears, who knows -- could cause
her a whole world of confusion and grief.
I didn't even have to have a *malicious* motive.
Maybe I'd be "on her side," and call up Bob instead,
and anonymously threaten to break both his
kneecaps if he didn't take Evelyn out for a steak
dinner pronto. It was still profoun