Showing posts with label computers. Show all posts
Showing posts with label computers. Show all posts

24 October 2021

The Digital Detective, Wall Street part 4


When corporations upgrade large computer systems, they typically run the old and the new in parallel a few weeks or months until the bugs are shaken out. Occasionally events take a turn as discussed last week.

Mutual Admiration Society

Back in New York, our mutual funds firm (not so fondly referred to as MuFu) faced a different problem. They had completely rewritten the primary application, changing over from Cobol to C, and it hadn’t gone well. Four months after parallel commenced, they were experiencing glitches and crashes.

The sizeOf problem I’d caught wasn’t a contributing cause. An unidentified problem was triggering errors, an oversight so simple it would boggle the mind.

Robert, their very defensive senior C expert, hadn’t told me about a front-end program written by yet another programmer. I had to figure that out for myself. The bug wasn’t in the program they’d assigned me; it was introduced by what came before.

Front end and Back end Processing
Front end and Back end Processing

As previously mentioned, Cobol reads like English and C… well, C is sometimes great and often horrible. C had become the most recent fad and application programmers were feeling the bite of its double edge sword.

The staff was comprised of university C students and the last Cobol member on her way out. Machine language (and assembler) weren’t in their purview and when they dismissed John, ‘the old guy’, they'd rid themselves of their only person who could poke around in memory (RAM) to determine what went wrong.

And memory was a problem. The program used customer numbers to index into a table and reference records in storage… in theory. In practice, I soon learned the customer was occasionally wrong, wildly wrong, trying to access a memory location off in the wilds of Kansas.

Cobol could detect out-of-bounds matrix subscripts; C could not. Thus it took me a little while to figure out the bogus account code was coming from a front end program. That preprocessor queued submitted entries, performed minor verification with a check digit, converted the input to binary, and passed the record on to the back-end program I first investigated.

In short, sometimes the data entry folks included dashes in the account number (e.g, 7654321-1) and sometimes they didn't. The Cobol app extracted only the digits; the C program didn’t. Both programs tentatively vouched for the account number (7654321) using the check digit (1), indicating it resided in the realm of possible valid numbers. Unfortunately, the newly written C routine included the hyphen when attempting to convert the number to binary. Both versions then ‘piped’ (passed along) the massaged data to the back-end program where hell and fury would erupt when a bad number with the mashed-up hyphen was passed along.

For all the grief it caused, correcting the C front end was trivial. Worryingly, the front-end program, instead of creating the transaction serial number, left that task for the back-end program. Bad, bad, error-prone design. And, as I would discover, prone to manipulation.

I returned the program to service and turned my attention back to the mysterious ‘sizeOf’ conundrum.

Faith, Hope, and Charity

Many organizations buy into mutual funds for long term storage of their money. City, county, and state governments store tax revenues, fines and fees there. Churches and charities divide money between money market and mutual funds.

In the mutual funds program, a template field labeled IRS501C was data-typed binary in the old Cobol Record data division and as boolean in the matching C Struct.

When I returned to the section with the anomalous ‘sizeOf’ routine, I could see this field being referenced, but I didn’t know why. A library search for original source code for sizeOf and the parent routines turned up nothing.

Growing more suspicious, I asked operations to dig through their archives and find the code. “Don't hold your breath,” they said.

Next day, the IT director gave me the conference room to spread out my work. I mapped binary instruction after instruction, recreating an assembler code version of the program. C could fool the eye, but machine code, even in the absence of context, revealed details of what was going on– if I could figure it out.

I constructed charts of data structures, trying to figure out what was taking place. At last when I spotted buried instructions trimming fractions of a cent from daily interests earned, I knew I’d stumbled upon skulduggery.

Figuring out the sleight-of-hand was mind-bending, but I got a break. Like so many magic tricks, the chicanery was breathtakingly simple. Only the surface artifice was complex.

I had accumulated a suite of experimental data to test extremes of the system. It contained only a dozen records but I noticed the audit log reported thirteen. What? A record with a proper transaction serial number had materialized like a magic trick.

As mentioned previously, the front-end processor should have been creating the transaction serial number, not the back end, but apparently no one here knew better. That oversight facilitated the deception, allowing crooked code to create records undetected.

Computer hours were reduced that day. Being the first of the quarter, month-end and quarter-end reports took priority. Idling, I suddenly wondered if month-end had anything to do with the mysterious symptoms I was witnessing. Once again I nagged operations about searching archives for source code.

An hour later found me wrestling with that data cleverly hidden beyond the end-of-data marker. An impatient operator slapped a cartridge on my work table. "Try this," he said.

Former employee John had made a rare oversight. He’d deleted the source files, but… Each evening, operations backed up everything, and that included John’s source code. It filled in gaps.

No comments, of course, but lo, I beheld the twisted mind of a criminal genius. The routines were rife with indirection and misdirection. The ‘sizeOf’ trick merely hinted at the scam iceberg. While the obfuscated C code suggested one thing, the meticulous machine instructions I’d decoded step by step helped me understand what was really happening.

The scheme launched from a database record under MuFu’s own name and address, 100 Maiden Lane. The registered agent was listed as K. King, address 103rd floor, 350 Fifth Avenue, Manhattan, New York 10118. Midtown… I looked it up… Empire State Building. The street address was legitimate, but 103rd floor?

interest truncation example

Greed Kills

The charlatan routine skimmed thousandths of a cent or so following rounding errors– interest and binary-to-decimal trailing digits after rounding high. On average, the algorithm could have siphoned a quarter of a cent per transaction without setting off alarms, but our sneaky programmer apparently wanted to stay well below nets cast by auditors. Those fractions of a penny accumulated in the bogus MuFu self-owned bucket until the end of the month. Dollars– thousands of them– and been created out of thin air.

I fully expected John’s wife or a friend had opened another account to receive the transfers, but as I traced the code, it invoked a random number generator to index into an entry in the hidden part of the file, just one binary field,  which turned out to be an account number. At month end, the subversive routine transferred out between $1200 to $5000 a month from the bogus MuFu in-house account to the account selected by the random number generator. But why only certain accounts? What was special about them? How was John profiting?

As always, I sat outside on the ferry shielded by a bulkhead. As I started at the lights of Brooklyn, the answer hit me, knocking sleep out of the equation. I rode the ferry back.

With suppressed excitement, I extracted the account numbers and checked the first indicated record. Bingo. And the next one. And the next. And then the 20th and the 100th. Bingo, bingo. Every case showed the IRS501C non-profit tag.

Damnation. I’d unmasked a freaking Robin Hood. John– or should one say Little John– was stochastically selecting non-profit accounts to donate to. That generated the thirteenth record.

Fascinatingly, the audit trail reinforced the fraud’s legitimacy rather than exposed it. Only a paper trail might suggest a missing document, but who was going to dig through reams of flattened dead trees?

If United Way or Scouting USA or Bethune Cookman read their statements at the end of the month, they might have scratched their heads but concluded they surely made a deposit and misplaced their record of it.

I made copious notes and documented everything. When presented to the firm’s CIO, she looked disbelieving, then doubtful, and finally bewildered.

“I know your reputation,” Loretta said, “but this can’t be possible. Besides, IT claims John had aged beyond usefulness. He couldn’t keep up. He barely finished this, his last project, before we let him go.”

“If so, he put effort into making a final masterpiece.”

“Leigh, darling, can you fix it?”

Call me darling and I can fix anything. I yanked the too-clever code out by its roots and their senior programmer, Robert, fixed the hole and, upon my recommendation, moved the transaction serializer to the front-end.

“What will you do about the spurious deposits?” I asked.

“They go back months. We wouldn’t look good demanding hospitals and heart foundations return money deliberately deposited into their accounts. John gave away money we couldn’t detect was missing. We’ll leave it that way.”

“What about John?”

Loretta sighed. “Same reasoning. Arresting him will bring nothing but bad publicity. Can you imagine the Times or the Journal with headlines about a Wall Street Robin Hood? That’s bad enough, but a sympathetic soul would raise issues about ageism. No, we can’t win there. Thank God we discovered it.”

“Can you get me John’s contact info?”

“What? No, maybe, yes, why not. I’ll discreetly ask HR for it.”

Robbin’ Robin

I phoned ‘John’ and invited him to lunch.

“I don’t think so,” he said. “Who is this again?”

“Leigh Lundin.”

“Oh shit, you? What do you want?”

“Just a chat. Really.”

“You’re working for MuFu?”

“Yes, today I am; tomorrow, no. I’m wrapping up.”

“So you know…?”

“Lunch,” I said. “Let’s not do this on the phone.”

“Fraunces Tavern?”

“Whew! If you pay.”

He laughed. “Okay. If you accept that, you aren’t out to nail me.”

“I’m not. John, can you afford it?”

“I landed on my feet. Arthur Lipper knows me and his son hired me.”

I respected Lipper Inc. He chose well.

The Wolf Pup of Wall Street

We met in the pub where George Washington bade farewell to his troops. John looked like a mad Santa with puppy dog eyes and an Albert Einstein hairdo. I’d bet a dozen grandkids employed him as a stage for hundreds of adventures.

He said, “You’re not recording this?”

“No.” I kept my smile easy and relaxed my body language.

“I’m not admitting anything including this statement.”

“Hmm. Let’s talk hypothetically, this entire conversation, okay?”

“Sounds fair. What have you figured out?”

“Most of it, I imagine. Cancer research received a couple of grand on the first before I could stop it. That will be the last payment.”

“Good,” he said. “I mean, embezzling’s awful.”

I snorted. “SizeOf.”

He laughed. “I thought that was clever hiding in plain sight, but apparently not clever enough.”

“I overlooked it at first. John, what was going on? Why did our suppositional programmer take such a risk?”

He dropped the hypotheticals.

“They dismissed anyone approaching retirement, figuring to save paying pensions, I suppose. You heard about Walston?”

“I was there, John.”

“The MuFu bastards had a definite preference for young faces. I knew for months they were going to fire me, I could smell it in the air.”

“I know that feeling, John.”

“The staff treated me like crap, acting like I was in my dotage. They figured my brain had rotted along with Cobol, but they needed me to effect the conversion. I learned C until I knew it better than they did and then studied it more. Their superstars couldn’t read a dump or comprehend machine instructions during debugging. I turned the joke on their little experts.”

“Sheesh. I’m sorry you went through that, John.”

He shrugged. “What will happen to me now?”

“Far as I know, nothing. I think they’re too embarrassed. One or two, the CIO and the VP maybe, have shown a touch of grudging respect. They’re coming to grips with the senile grey-beard who fooled them.”

“Good, because I’m a coward. I’m not looking for fame and misfortune.”

“Don’t worry, John. Everyone but the sheriff loves a Robin Hood.”

Final Thoughts

And that is my favorite Wall Street crime case. I’m called when matters go mysteriously wrong, so Miss Marple-like, I occasionally stumble upon another puzzle and test of wits.

In this case, charities profited and the bad guy turned out a good guy. Some may object that a criminal avoided prosecution, but personally, I couldn’t imagine a better outcome.


Following are a few more tech notes.

17 October 2021

The Digital Detective, Wall Street part 3


I’m still astounded Fortune 500 companies and government facilities not merely allowed, but invited me, a 19-to-20-something freelance me to play with their very expensive computers. I mean work, not play, yeah, work is definitely the word. Reputation is everything. And okay, I have authority issues. So I’m told.

Striking off on my own meant no security blanket, no 401K, no pension, no profit-sharing. It meant scary months when I wondered if the phone would ring with a client and months when I wondered if the previous client was going to pay or not. That’s a concern– some companies withheld payment until they once again needed help. Sometimes managers wouldn’t like what I reported. My type of work– designing systems software– was specialized, so occasionally famine struck.

During one drought, camels were toppling over, birds fell from the sky, and my bank account appeared a distant mirage. Finally a call came in before the telephone company could cut me off. It was Wall Street again, a mutual funds house we’ll call MuFu. Loretta was their CIO, Chief Information Officer.

100 Maiden Lane, NYC © Emporis
100 Maiden Lane
NYC © Emporis

“Darling, are you available?”

“Personal or pleasure?”

“Are you saying personal isn’t pleasure?”

“You’re married.”

“Was, Darling, was.”

“Loretta, I’m sorry.”

“Don’t be, I’m not.”

She lied. I could almost hear the sounds of tears leaking from her eyes. She was a nice lady who’d come up through the ranks.

“Loretta, what’s happening?”

“If you’re available, I need help.”

“Please don’t let it be application programming.” Even if it was, I desperately needed the work.

“Well… Did you hear we’re undergoing a conversion from Cobol to C?”

“You and every other firm with fresh university graduates.”

My professors, Paul Abrahams and Malcolm Harrison, were language experts. Abrahams was chairman of ACM’s SIGPlan and would eventually be elected president of the US’s professional organization, the Association for Computing Machinery. They received early releases of Unix and with it the C language. For my part, C was co-respondent in a love-hate relationship. It constituted a step up from assembler language, but I wanted more.

She said, “I know you’ll be simply shocked, but we’re experiencing crashes. We can’t cut over until we nail the problem. Nobody around here can read machine code. I know it’s not your thing, but nobody knows Cobol either.”

In the following, I’ve tried to trim back technical detail to make it more accessible and I apologize where I failed to restrain it. The gist should suffice.


Next day I took the Staten Island Ferry to lower Manhattan, where I strolled up Pearl Street and turned onto Maiden Lane. The mutual funds house took up a few floors of an older building, although the interior was done in chrome movie set futurism.

The glass room remained there running their big iron computer. Off to one side was a new server chamber covered in curved, blue plexiglass. Very spaceshipish.

Loretta blended 10% boss and 90% Cub Scout Den Mother, which made her a popular manager among the guys. She called in her lead analyst and chief programmer, Richard and Robert. The latter radiated lethal hostility.

“Leigh’s here to shoot that bug that’s killing us.”

“We don’t need help,” Robert said. “He’ll just waste our time.”

Loretta said evenly, “You’ve had months and it’s still not identified. Please give Leigh all the help he needs. He’ll likely work after hours to have the computer to himself.”

After Loretta departed, Robert said, “I know who you are. You used to be hot shit.”

“I’ve never heard it put so charmingly. Listen, I’m not here to take your job. I’m not here to threaten you. I’d like to get the job done and move on. Show me what’s going on.”

As predicted, the program started and died with an out-of-address exception– the program was trying to access memory that wasn’t there.

I asked for listings and a ‘dump’, formerly called a core dump, a snapshot of memory when the system died. The address of the failing instruction allowed me to identify the location of the link map, an org chart of routines that made up the program. Sure enough, the instruction was trying to reference a location out of bounds of its memory.

I took the program source listing home with me and spent a couple of days studying it. It was ghastly, a compilation of everything wrong with bad programming and especially in C. It contained few meaningful variable names and relied on tricks found in the back of magazines. Once in a while I’d see variables like Principle or Interest, but for the most part, the program was labeled with terse IDs such as LB, X1 and X2. This was going to take a while.

The company had no documentation other than a few layouts from the analyst. When I called in to ask a question, Robert stiff-armed me. I arranged my first slot for Friday evening with time over the weekend.

I began with small cleanup and immediately hit snags. I’d noticed a widely separated pair of instructions that read something like:

hash_cnt = sizeOf(Clientable);
      :
cust_cnt = abs(hash_cnt);

Wait. What was the point of the absolute value? C’s sizeof() returned the number of items in an array. It should never be negative. You could have five apples on a shelf or none, but you couldn’t have minus five.

As part of the cleanup, I commented out (disabled) the superfluous absolute value function. Robert dropped down as I compiled and prepared to test. I typed RUN and the program blew up. What the hell? Robert appeared to sneer, looking all too pleased.

He said, “That section was written by that old guy, John. We fired him because didn’t know crap, so no surprise it’s hosed up.”

I knew who he was talking about, a short, pudgy bear in his late 40s with Einstein hair. I’d never been introduced, but I’d heard him on a conference pane. John was no dummy, no matter what Robert said.

Robert smugly departed. I stepped through the instructions, one by one, studying the gestalt, the large and small. My head-smack arrived on Sunday. Curious why sizeof() would return a negative value, I traced how hash_cnt was used. As I stepped through the instructions, I saw it descend into a function called MFburnish().

I couldn’t find source code for MFburnish(). No one could. Without source, it would be very difficult to determine what happened inside it.

I went back to the variable Clientable passed to sizeof(). The array was loaded from a file, Clientable. Both consisted of binary customer numbers. I spotted something odd.

C is peculiar in that it uses null (binary zero) to mark the end of arrays and ordinary file streams. This file had two nulls, one about the seven-eights mark and another at the absolute end.

At first, I thought the file had shrunk and the marker moved down while remaining in the same space. But when I looked at the file, it had the same defect… or feature.

As some point, I looked at the link map to check upon another routine and for the first time noticed what I should have spotted earlier. There amid C Library functions of isalpha(), isdigit(), islower(), isupper(); was sizeOf().

Double head-smack. First, C’s authors claim sizeof() is a unary operator like +n and -n. To me, sizeof() looks and acts like a function and nothing like a unary operator. But by their definition, it shouldn’t show up in a link map with real functions. On closer inspection, the program read not sizeof() but sizeOf(). Another annoyance of C is that it’s case sensitive, meaning sizeof and sizeOf and SizeOf and even SIZEOF are not the same thing. This kind of nonsense wouldn’t have been possible with their old Cobol system.

The deception seemed awfully abstruse, even by C standards.

interest truncation example

The Clientable contained account numbers of a sizeable fraction of clients. Why some customers and not others would take me a while to discover. Unlike sizeof(), the ginned-up sizeOf() showed the actual record position within the full file expressed as a negative number, hence the abs() function.

Someone had written deliberately misleading code. But why?

Money, of course. Moving backwards, I began to look at the code with a different eye. And there it was… not merely the expected interest calculation, but the conversion from binary to decimal, another Cobol to C difference. I suspected one of the company’s programmers had pulled off the oldest thefts in computerdom– siphoning off money by shaving points when rounding numbers.

This wasn't the problem Loretta had asked me to solve. Robert had directed me to the wrong program, which turned out to be a stroke of luck. Loretta had invited me to track down a program bug, but I suspected I had unearthed traces of virtual villainy.

Next week: The Confrontation

Following are Cobol versus C notes for the technical minded. Feel free to skip to next week.

15 November 2020

The 2nd Greatest Con Man in America


Neither Democrat nor Republican, I’m an independent. I’m not happy if I can’t equal-opportunity offend all parties. But damn, these days some of the high-profile players egregiously push their way to the front of the ignoble queue. That old saw “Where there’ smoke…” invariably ends with, “…someone’s fanning flames.”

But I’m not here to talk about partisanship, but to address two major theories enjoying unwarranted attention. They gain traction because rumour mongers depend upon an absence of science and technical knowledge. (For the litigious sort, kindly note this is an opinion piece.)

For example, my friend Sharon forwarded an email acclaiming Chinese-designed dancing robots in Shanghai Disneyland. Although these were clearly not automatons, many, many people willingly suspended disbelief.[1]



Blowing Smoke

Same with politics. As Alice’s Red Queen might say, we’re asked to believe six impossible things before breakfast. Psychologists have noted the biggest lies can be the easiest to accept.

As the above-mentioned smoke about massive voter fraud begins to clear (with a portion of the credit going to the incumbent’s attorneys), conspiracy oriented talk hosts have turned their attention to data manipulation. The first brings to life two decades of concerns about voting machines. The other centers around government computers reassigning millions of votes.

Hypothesis 1, Voting Machines

Grab a coffee. I can’t believe I’m defending Dominion, née Diebold, aka another half dozen company names. I’ve been highly critical of their technology and its lack of transparency. I’ve also proposed a solution, open-source code. That way anyone can peek at its internals searching for flaws.

Twelve to twenty years ago, Democrats worried problematic voting machines at best lost votes and at worst, threw elections. Part of their concern was the company’s Republican CEO, a good friend of George W Bush. According to sources, the CEO ill-advisedly told Bush he’d help win his election. Some stretched that to mean he might use his product, voting machines, to disfavor Democrats.

When Florida’s Secretary of State Glenda Hood ordered error-prone Diebold machines, Senator Bill Nelson questioned the wisdom. She told him to mind his own business… which of course he was. If memory serves, Sarasota County that year lost 20,000 votes. The county’s seemingly baffled Supervisor of Elections said 20,000 people had obviously shown up and chosen not to vote.

Diebold’s reputation was so checkered, they underwent a series of name changes: Diebold ➡︎ Premier Election Solutions ➡︎ Election Systems Services ➡︎ Sequoia Voting Services ➡︎ Dominion Voting Systems.

Over time, they have improved, but one thing is clear. Neither individual machines or networked clusters are capable of diverting anywhere in the range of numbers hinted at: a half million to a suggested two-point-seven million or even seven million votes. Some accusers hinted at machine glitches in Michigan and Georgia, while Q-Anon outright claimed hundreds of thousands of votes were deliberately deleted. Apparently audit trails aren’t widely studied on 4-Chan.

One might wonder the motive of a company board to lose this election, a corporation considered reliably Republican, historically regarded with caution and even suspicion by Democrats. Hey, don’t ask me… I raise the question, but I don’t know. (See? I told you I’d offend both sides.)

Hypothesis 2, The Giant CIA Supercomputer Conspiracy

This is a two-coffee problem, so pour another cup as you’re asked to take an ever bigger leap from the improbable to the nearly impossible.

The short version claims that the CIA (and possibly CISA) deployed a Bush era supercomputer originally used by the despot Obama to surveil and enslave Americans. Called HAMR,[2] affectionately nicknamed The Hammer by techno-savvy, Marvel-reading politicos, it was seized by Biden’s nefarious agents to subvert the election by diverting Trump votes to Biden. A Bannon-Breitbart correctional recount proved Mr Trump won 98% of the popular vote, nearly 140-million total, the largest in history.

(How Mr Trump wrested this antique computer from Hillary’s election hands in 2016 isn’t clear.)

This vote-rigging supercomputer was engineered by a genius superprogrammer, Dennis Montgomery– both this amazing computer and the accompanying conspiracy theory. Already, I see you have questions.

I left my own amazing computer career a few years ago and haven’t consulted for the DoD even longer, but that name, Dennis Montgomery, rings no bell. I checked with colleagues, all with the same answer: Who? Actually that’s a question.

LinkedIn lists a Montgomery Dennis, which may or may not be a hit, but I suspect it is. This entry describes a guy with amazing computer, management, and top secret intelligence skills, who has the Director of the CIA, Secretary of the Air Force, and the US President on speed dial. He claims to have given intelligence briefings to the white house… yup, lower case. We shouldn’t judge him. Maybe he meant something like a white clapboard house in Terre Haute.

If that is his résumé, he’s awfully modest. Certainly he’s much better known in scam and conspiracy theory circles. Since his curriculum vitae is weak and poorly worded, I whipped up a supplement for him. Mr Montgomery may pick and choose as needed, no charge.



Dennis Montgomery (aka Montgomery Dennis?)

Superduper all around computer expert and geopolitical action figure.
($29.95 on AliExpress) Pinocchio nose sold separately.

Education

Career

  • Operated American Report web site specializing in conspiracies of the day.™
  • Investigated tunnels under a Washington daycare pizzeria. Conclusively proved pepperoni contained meat byproducts.
  • Demonstrated, using advanced computer analysis of birther certificate, Ted Cruz not born in USA.
  • Invented catchy names like Scorecard and The Hammer for programs that, uh, don’t actually exist.
  • Scammed Bush administration into paying several million dollars for pretend programs to decode secret al-Qaeda radio messages that, uh, didn’t really exist.
  • Conducted anti-terrorist scam. Fake security alerts caused the US to ground some flights and reportedly caused the Bush administration to nearly shoot down airliners. That was a rush.
  • Falsified emails to implicate gubernatorial candidate and Congressman Jim Gibbons in bribery scandal that, uh, didn’t exist.
  • Conned Maricopa County Sheriff Joe Arpaio into forking over more than $100,000 of taxpayer money so he could reveal a conspiracy plot against Sheriff Joe… which, uh, didn’t actually exist.
  • Faked federal wiretapping evidence that, um, didn’t exist.

Hobbies

  • Dabbles in presidential elections for fun and profit. Like the emperor’s clothes, evidence doesn’t exist.

In my personal opinion, I believe Mr Dennis Montgomery enjoys conning important people and, with the 2020 election, he’s hit the jackpot with the coteries of the candidates, and the attention of the two most powerful men in America.

Footnotes

  1. The claim is that the performers are Chinese designed robots, a leap ahead of US, European, and Japanese robotics. As it turns out, Snopes has done the leg work, determining it’s a clip from the British television show “Strictly Come Dancing” that aired on BBC One in 2013
  2. Seagate, the hard drive manufacturer, has coined the acronym HAMR, meaning heat-assisted magnetic recording.

02 November 2020

The Digital Detective: Pay Your Debtors


bank vault
This continues a series of earlier articles about computer fraud. Originally I practiced a career of systems software design and computer consulting, but I sometimes came upon a more shadowy world, that of computer crime. I seldom sought out fraud but I sometimes stumbled upon it, picking up undetected clues others missed.

This episode doesn’t deal with crime, per se, but it includes a banking con, minor as it is. The scheme required a little ‘social engineering’ and, though the word might be Yiddish, no one can schmooze like Southerners.

The story came to my attention while consulting for banks, this one deep in Virginia’s Shenandoah Valley. My landlord for part of the stay was an eccentric but colorful codger. He talked about a neighbor who leased farm land from him but failed to pay his rent. Outsiders might expect he pulled on a jug of rye whiskey as he talked, but all he did was lean back in his recliner, sip beer, and twirl a never-lit cigarette while a cheerful woman less than half his age clattered in the kitchen. I jotted down his story long before I became a writer, so kindly forgive error and stylistic issues as I strove to capture his dialogue.

John Deere corn picker
Corn picker © John Deere
Damn Ernie. I hounded that man all summer long for the rent. Finally last fall, I hooked up my corn picker and started up the corn rows. Now a corn picker ain’t a quiet machine, and lo and behold, neighbor Ernie come dashin’ out of his farmhouse yellin’ and cursin’ that I’m stealing his corn.

I said to him I couldn’t possibly be stealing corn off my own land, unrented land at that. He steamed and stormed and said the seed and planting labor had been his, and anyway he was just a little late with the rent, three or four months, maybe four or five, weren’t nuthin.

I told him that I was just going to keep picking corn for myself until someone showed up with rent money. He dashed off like banshees themselves chased him. Pretty soon he comes back waving his checkbook.

I said, “Ernie, are you sure there’s money in that account?” Oh yes. He told me twice there was, so I said there’d better be, and he said he wanted the corn I’d picked. I told him to consider the already picked corn interest and collection fees. Fact is, I finished the rest of that row, which he just hated.

So the skinflint S.O.B. hustled off to hitch up his combine and wagon, and I find myself a few bushels better off than I was before. I cleaned up and headed in town to the bank, right past Ernie who’s racing his machinery through the fields.

At the bank, I always get in Molly’s line. She’s a sweet, buxom lass, and I’d been thinking about asking her out.

Anyway, I get up to her teller window and she said the account’s a bit short to cover the check. I asked her exactly how short, and she said she wasn’t allowed to tell me that.

So darlin’, I cajoled, is this check completely worthless, or did Ernie at least come close? Looking at her computer, she said he was purty close.

Well, I says to her kind of reflectively, I want to tell my neighbor Ernie how much he needs to cover my check. Like would he have to deposit only $10? No, she said, ten dollars wouldn’t cover it.

Well, says I, would $20 or $30 do? No, she smiled at me, it’s not quite enough.

Hmm, says I, I wonder if $40 or $50 would suffice? Um, she said to me, that first amount ought to cover it.

Thank you, I says, I’ll tell that rascal he needs to put $40 in the bank. By the way, sweet thing, can I have a deposit slip? And you think maybe I can call you up? For, uh, you know, maybe dinner Saturday?

So I walked out of there with a bounce in my step, a deposit slip and her phone number. I was feelin’ purty good. What I did was get in my car and circle around through the bank’s drive-thru. I already had Ernie’s account number on the check, so I just filled out the slip and shot it through the air tube with two $20 bills. Sure enough, the receipt came back showing $1002.39. Good on Molly.

But wait, I say, I almost forgot to cash a check. This time I send over Ernie’s $1000 check and this time I get back a thousand dollars.

Fair enough. I probably had $40 in shelled corn and a lesson I ain’t gonna rent to Ernie no more.

Ernie got stupid, though, and instead of being grateful I didn’t bounce his worthless ass along with his worthless check and turn both over to the sheriff for collection, he raised holy hell at the bank yelling someone manipulated his account.

I took Molly to the horse show that Saturday. Now I tell you personal like, you want to get a lady in a receptive mood, bein’ around horses will do it. Something about women and horseflesh– can’t explain it– just a word to the wise.

Anyway, Molly, she confided the bank said it was apparent someone had taken liberties, but they couldn’t blame the teller who took the deposit and they couldn’t blame the girl that cashed the check. They just gave everybody a stern reminder warning.

Molly said Ernie wanted to call the authorities, but the branch manager told Ernie he’d be the one in trouble for writing bad checks. He didn’t mention Molly could have fallen in the soup too if they’d figured out her role.

Molly said she knew I’d manipulated her and wanted to know if I’d asked her out from obligation or guilt. I said I didn’t want to sully a relationship thinking I used her. She needed a lot of reassurance about that, and so Friday nights and Saturday nights we just get romantic and I give her plenty of reassuring. Been about a year now. Figure we can go on with this for a long, long time.
And he winked at the cheerful lass in the kitchen doorway.

John Deere cornbine
Cornbine © John Deere & Farming Sim Mods

This essay had originally appeared 19 May 2013 on SleuthSayers for a matter of hours, when a magazine editor asked me to unpost it with an eye toward publishing. A check never arrived, so I now return the article for your enjoyment.
Commonly in Virginia’s Shenandoah Valley, ‘out’ sounds are pronounced like a Scottish ‘oot’. Thus he really said, “I’d been thinking aboot asking her oot.”

06 January 2019

Chasing Pennies


bank vault
I've written about exploits in banking and brokerage fraud with further articles to follow. Bad banking practices don’t feature well in my write-ups. Institutions change only when they’re forced to.

Recently my fraud expertise touched upon the personal. A good friend fell victim to gaping holes in one of New York’s largest financial institutions, J.P. Morgan Chase & Co.

Lily is smart, pretty, and unattached. Two out of three is pretty good, but she means to win the trifecta. She doesn’t advertise, but merely hopes to attract the right kind of guy. She appears on social media: Facebook, Pinterist, and a singles’ site that’s been around some thirteen years, MeetMe.com, where she met an interesting fellow.

Telling the good from the bad isn’t always easy. By the time our malefactor (male factor or dirtbag are also suitable) stepped into the light, he already knew critical pieces of information about Lily: her real name (thanks to odious Facebook requirements), where she’s lived, family relationships, and importantly– her birthday.

MeetMe.com
For a few weeks, ‘Antonio Sanchez’ from ‘New Jersey’ wooed our lass on MeetMe. He didn’t do anything crass like ask her bank account number or credit card information; thanks to Chase’s security ‘features’, he didn’t need to.

As Thanksgiving approached, Lily traveled across the country, stopping to visit relatives in Greenfield, Indiana, home of another Lilly, the famed pharmaceuticals company. Our heroine happened to check her bank account and found it unexpectedly fourteen hundred fifty dollars richer.

Lily, not only smart but honest, sought clarification at the Greenfield branch of Chase. Greenfield couldn’t fathom the problem.

bogus check 1 (808869)
check 1 of 6 #808869
“You put money into your account in the early hours of the morning. Looks like you needed it. What’s the problem?”

“I didn’t deposit anything.”

“But you did.” Greenfield regarded her suspiciously. “You’re saying you didn’t?”

“Exactly. I didn’t do any such thing.”

“Well, lucky you. Someone likes you well enough to put coins in your account.”

*click* Instantly Lily knew who’d made the deposit.

A couple of hours later, the situation reached me. By then, other deposits had appeared. Curiously, monies were rapidly shifting among Lily’s three accounts. My fraud alert alarms clanged.

“If you make a withdrawal,” I advised, “calculate only what you own to the penny and not a cent more.”

“What’s the problem?” friends asked. “A handsome guy sending Lily money? Does he have any brothers?”

I spoke adamantly. “There is no money, no boyfriend in New Jersey, no gold at the end of the rainbow.” When I explained the con, Lily agreed to join me for a visit to the Indiana State Police.

Indiana State Police
The man manning the reception desk told us all detectives were out of the office and wouldn’t return until the next day. Lily asked if she could file a report.

The grizzled trooper brought forms out to us in the lobby. He stood by as Lily tried to explain the situation.

He interrupted her. “A guy giving you money is no crime. No crime, you can’t file a report.”

I said, “There is no money. It’s a con…”

The trooper threw up his palm in a ‘Talk to the hand’ gesture. Cops are trained to seize and maintain control, even when counterproductive. He went on to lecture Lily, not so much accusing her of wasting police time, but of being silly.

“May I explain?” I said as levelly as I could. “There is no money, only fake deposits. He will use that false balance to pay himself.”

The cop paused, considering. “Wouldn’t work,” he said. “If I deposit a check, I have to wait a few days to withdraw funds.”

“That’s why he’s moving money around her accounts. Some banks, perhaps including Chase, lose track of new deposits as they’re moved around. The technique is called seasoning, losing the new deposit tag and making the money look like it’s aged on account.”

“I’m a road warrior,” said the trooper. “I’m not up on these things. Yeah, I’ll have a detective phone you.”

Virtually next door to State Police Headquarters, we’d noticed a Chase branch. Lily made the wisest decision of the day, visiting the bank for an update.

The young woman listened attentively. She quickly grasped the situation. “Oh my God,” she said. “I received a notice exactly like yours of a deposit early in the morning. I need to check my own account before I go home today.”

Together, the three of us discovered additional deposits and further shifting around of money. By then, funds had been used to buy the first Western Union money order made out to an unknown and very foreign name.

“Let me guess,” I said. “The money’s sent to Nigeria?”

“If Lily didn’t give this jerk her personal information,” the young lady said, “how did he get into her account?”

I explained one hypothesis. I’m a vocal critic of the so-called security questions routinely forced upon on-line customers. “What city were you born in?” “What was the name of your first pet?” “What’s your favorite team?” “What’s your favorite color?”

With the slightest information, bad guys find it ludicrously easy to guess the answers. The favorite color question often includes a helpful drop-down menu of eight colors. No one chooses black or white, so a malefactor can guess the answer in six tries or less.

The young branch manager rang the fraud department. She posed the same question to them, who replied “There are so many ways to breach an account…”

bogus check 2 (808870)
check 2 of 6 #808870
The bank gave us copies of the checks. One peculiarity came to light. Chase said it appeared the Nigerian repeatedly deposited the same two checks over and over, fooling Chase and highlighting another flaw in their security, a defective filter for detecting duplicate deposits.

Chase froze Lily’s accounts, leaving her stranded without travel money in the midst of a cross-country trip. But wait, we’re not done.

Lily awoke the next morning, finding her accounts unlocked and a half dozen or so deposits burgeoning her balances.

Lily phoned Chase to let them know further monkey business was afoot in her reactivated accounts. They quickly closed the window and her accounts, again cutting off her funds.



Big banks and little people, comes now the pathetic part. Instead of expressing gratitude for Lily’s quick action of notifying them of fraud, Chase blames Lily for the leaking of money from the bank. Their stance is that Lily either worked with the malfeasant Nigerian to defraud Chase, or at the very least handed over her account information to the bad guy. As you now know, that doesn’t have to happen. All it takes is sloppy banking.

Besides seizing Lily’s bank balance, Chase now demands another $600 in compensation for their losses. Good move, Chase: encourage honest citizens to rush in to report fraud made possible by your own shortcomings.

It’s a great day for banking. Have you had similar experiences?

01 October 2017

You, Identity Theft Victim


Today’s article outlines the massive Equifax identity theft that’s still surfacing today. For the first steps in protecting yourself, you can jump to the distant section on discovering whether you have been targeted and obtaining security features that have been made free for you.
Equifax investigated
Monetizing Your Body

Commercial law can be a peculiar thing, who owns what and why companies have certain rights you don’t. For example, you enter a hospital for surgery. Doctors snip out some piece of you. Likely, you never question who owns that removed bit of flesh or bone and you’re happy just to get rid of it.

Suppose doctors discover something unique and potentially highly profitable in that tonsil or toenail, your appendix or gall bladder. Your DNA might save millions of lives around the planet and earn billions of dollars… none of which you’re entitled to. Unless you signed an agreement otherwise, the physician or hospital owns that biological bit of you including the rights to exploit it. One woman actually applied for a patent on her own body for such a circumstance.

Monetizing Your Life


Financially successful corporations make tidy profits collecting information about you, not merely your earning and spending habits, but where you live, work, school, shop (or shoplift), if you’ve been to court and why. The peculiarity is you don’t own that data. Huge companies do and often their information is wrong and sometimes misused.

A few years ago, credit bureaus were finally forced to hand out credit reports to those who demanded them (a) no more than once a year or (b) if you were turned down for credit. But… odds are high you’ve never seen your full report, because it can contain information the bureaus don’t want you to know. When a mortgagee or a banker or employer receives your credit report, a line at the top might instruct them not to show the report to the subject (you or me), followed by information or opinions they don’t want shared with the… well, victim.

For example, the redacted secret part on my own credit report read “suspected of using false address.” This came about in two ways. First, I had been buying property, a dozen addresses were associated with my name, so I relied on a post office box, much as my grandmother had done. Second, the US Postal Service allows post box renters to use the post office’s physical address, quite handy for imprinting on checks. Such an address looks like:
Chandler Hammett
1201 Post Industrial Drive #107707
Los Angeles, Ca 90210-7707
In my case, the comment didn’t particularly affect me, but imagine someone applying for a sensitive job. The HR department reads the line “suspected of using false address,” and suddenly the potential employee is rejected with no reason given. The applicant should have a right to know about that careless assessment, but has no way of learning of or correcting the report. Why? The bureaus own the reports, you and I don’t.

Monetizing Miscreants

In a past article, I pointed out that curious hackers– the benign exploring kind– can receive severe prison sentences for merely poking around in data warehouses and behind the scenes in web databases. I argued that bankers and merchants who fail to secure vaults, leave doors unlocked, and don’t hire a watchman should be punished as well. If any major office didn’t lock its doors, could you blame kids for wandering in and looking around?

Let’s discuss Equifax, which has suffered an extraordinary data loss to a ‘state actor’… presumably China, North Korea, or Russia. Stolen is your name, social security number, credit card numbers, drivers licence, address, and all the minutia that makes you you. With this kind of data, thieves can lie low for years before springing into action.

I say that as fact, because thieves (state actors) stole the records of the vast majority of working and retired citizens in two separate breaches. The second theft (the first was acknowledged only after the second came to light) affects between ¾ and ⅞ of American adults. Equifax admissions have edged upwards from 153-million stolen files to 182-million; outside assessments estimate as high as 200-million or more.

Note: Canadian and British records have been stolen in the same breach. Equifax says they’re “working with UK regulators,” whatever that means.

Monetizing Misfortune


Equifax executives cashed in stock before the breach became public, attempting to option their knowledge for their personal profit. Then after the big reveal, the company offered to help protect user accounts through a subsidiary— for a fee. Equifax and their security pet since had their arms twisted into providing the services free.

Political response has been as antithetical as you might expect. Congressional members of one political party sent a demand letter to Equifax with a deadline for explaining details and corrective actions. Contrarily, in defense of Equifax and in fear of impacting deregulation, the other major party is working a bill through Congress to limit the liability of credit bureaus and other companies.

Have You Been Hit?   866-447-7559

Here Equifax estimates whether or not your data has been sucked overseas. Be cautious of similar links, because identity thieves are working those, trying to snatch whatever data they can. Use this link:
☞  Has my data been stolen?
Note that updates may still be made, so it’s possible an all-clear this week might turn into a false negative next week. Tap that link to see if you’ve become a victim:

Once you receive an indication, you can decide what to do next. Equifax can take several days to email you about options (now free) that they provide. The FTC offers suggestions and guidelines.

Equifax will provide ninety days of ‘fraud alert’ (notification of identity theft) and a year of monitoring, which can be renewed indefinitely. You may also choose to lock or freeze your account and ‘thaw’ it only when you apply for a loan or other use.

Use the phone number (866-447-7559) above if you have questions or need help you can’t find elsewhere. Contact the other credit bureaus to notify them your identity and data has been compromised.

Equifax Inc.
P. O. Box 740241
Atlanta, GA 30374-0241
800-685-1111
800-525-6285
1150 Lake Hearn Drive
Atlanta, GA 30342
fraud: 800-525-6285
web site
Experian
P. O. Box 2002
Allen, TX 75013-2002
888-397-3742
888-243-6951
701 Experian Parkway
Allen, TX 75013
fraud: 800-397-3742
web site
Trans Union Corp.
P. O. Box 1000
Chester, PA 19022-1000
800-916-8800
800-888-4213
2 Baldwin Place
Chester, PA 19022
fraud: 800-680-7289
web site

Let us know if you’ve been hit. In the meantime, be safe out there– state actors abound!

29 April 2017

Over-Byters Anonymous


 Family Fortnight +  Leading up to the  International Day of Families on the 15th of May, we bring you the first in a series about mystery writers’ take on families. Settle back and enjoy!
by Melodie Campbell (Bad Girl)
Here's my salute to the wonderful families who put up with us crime-writers! 
I write mystery and suspense fiction.  Lately it's been taking over my life.

I blame this on my new laptop.  Sleek and slim, it accompanies me everywhere: in the car, at the kitchen table, in the loo.

Unfortunately, it has become too convenient.  I have become a victim of the Computer Black Hole of Time.  Take last week, for instance:

"Quick - the laptop! I have an idea and I don't want to lose it."

"Oh no, Mom!  Not the laptop!  Don't do it...don't turn it on...don't"
(Insert theme song from Twilight Zone here.)

Alas, poor Natalie.  She knows what is to come.  Like Jeff Goldblum in that remake of The Fly, I merge with my mini-computer.  We become one.  Conscious only of our own existence.  Oblivious to the sounds of life around us.  Consumed by the story that has to come out of us.

Somewhere, a voice cuts through the fog.

"Mom, I'm hungry."

Normally a staunch advocate of the five food groups, I forget all about artificial flavour, colour dye number 412 and hydrogenated everything.  Lost in the netherworld of word-processing, I utter the dead giveaway:

"There's some Twinkies in the cupboard."

Natalie shakes her head in despair.  "She's gone."

Tap tap tap.  Fingers on the keyboard have a rhythm all their own.  Mesmerizing.  Hours shrink to minutes.  Like a jigsaw puzzle half done, the shreds of my story are piecing themselves together.  If I can only...

"Dad's home, Mom."

"Just a sec."

"It's dinner time, Mom."

"I think there's some Oreo's in the cupboard."

Back to the keyboard.  The laptop is humming our tune.  Words glide across the screen in a seductive dance.  I'm caught in the feverish whirlpool of setting, viewpoint, characterization and climax.

An electric can-opener disturbs my train of thought.

"Earth to Mom.  Want some tuna?"

"Just a sec."

"Honey, are you all right?"

My husband's voice.  What is he doing home so early?

"We're eating now," he says.

"Have a Pop Tart," I blurt.

Natalie shakes her head.  "Give up, Dad."

I'm back to the screen, running with my story character...heart pounding, mind agonizing.  Will he get to the scene before the murderer?  Will he be in time to prevent it?

Somewhere in the house, water is running - pounding on porcelain like thunder.  Hey, that's it!  Add a blinding thunder storm, the hero running through sheets of rain, slipping on wet pavement, unable to read the house numbers....

I PG UP and start revising.

"Night, Mom."

"Night, Mommy"

"Murrmph?"  I don't look up.

Finished.  I save copy and turn off my partner in crime, the laptop.  Draft one, complete.  What a team.  Sitting for hours in one position, I am oddly invigorated.  Ready to run the Boston Marathon, and looking for company.

It's dark outside.  The house is quiet.  I thump upstairs, looking for everyone.

Even my husband is in bed.  I sit on the edge of the mattress, bewildered.

"Why is everyone in bed so early?"

My husband pokes his head up.  "It's 3 a.m."

"It is?"  Astonishing.  Once again, I have been a victim of the Computer Black Hole of Time: entire hours mysteriously devoured by the simple on-switch of a computer.  I contemplate starting a self-help group for chronic users:  Over-Byters Anonymous.  But I don't think I could deal with the separation anxiety.

"Wanna read my story?" I ask eagerly.

There are limits to the devotion of even the most supportive family.

It's 3 a.m.  He declines.

Added note:
Today is Authors for Indies day in Canada.  By Indies, we mean independent bookstores.  All across the True North, authors are appearing at independent bookstores to do signings, and show their appreciation.  I will be at Different Drummer bookstore in Burlington, Ontario, this afternoon.  Many thanks to all our independent bookstore owners!

Melodie Campbell got her start writing standup.  Her books and short stories have won 10 awards, even though they are probably certifiable, poor things.  Read at your own risk. www.melodiecampbell.com

20 March 2016

Duping Delight


He lied for pleasure,” Fuselier said— Supervisory Special Agent Dwayne Fuselier, a clinical psychologist and an FBI investigator.
In this case, he was talking about Eric Harris of Columbine notoriety. But millions of people who aren’t mass murderers also lie for pleasure. They tread beyond compulsive, they go beyond obsessive– they lie for enjoyment, gratification, and amusement.

Telling Lies by Paul Ekman
Psychologist Paul Ekman says lying represents a key characteristic of the psychopathic profile. He calls it ‘duping delight’.

It’s rare for the average person to get to know a criminal mind. I’m not talking about the desperate committer of crimes or those who’ve lost their way, but people who deliberately set out to steal or defraud for no other reason than they wish to.

Oddly enough, most fraudsters I’ve personally known have been disbarred lawyers. Truly. Wait, I’m not picking on lawyers as a class nor am I providing fodder for lawyer jokes– we can do that another time if my friend Dale turns a blind eye. But for unexplained reasons that seem beyond coincidence, the major swindlers I’ve encountered have been former attorneys and one a former judge. They all hail from Florida as well, formerly a haven for con artists and scammers selling underwater parcels of land.

My friend Sharon sent me an Orlando Sentinel article titled “Husband of disbarred attorney sues her, alleging fraud, forgery.” Strange as that sounds, it barely hints at the machinations involved… you’ve got to read the article.

It put me in mind of another lawyer whom I’ll call Dr. Bob Black.

Judge Not Lest… an opinion piece

I met ‘Dr. Black’ at a local college campus. We chatted between breaks. He failed to let on he’d been disbarred, although he mentioned numerous times he’d been a judge. He shared he was raised in financial comfort and had been well educated. His relationship with his parents, especially Bob Sr, sounded complex and later left me wondering about the residual effects.

Black had bought a minor mansion in an Orlando historical district. He’d gutted it and was in the process of slicing its interior into small apartments when the Historical Society called a halt, pointing out that ruining a historical building and establishing multi-family residences in a single-family zone was forbidden. Unfazed, Black put it up for sale, advertising it as partially converted to apartments but possibly not mentioning the legal stumbling blocks.

At the time of his real estate ventures, Bob was also hawking a computer he called the Macintosh XLS. I recognized the machine as an Apple Lisa, the forerunner to the Mac, although Black claimed it was not a Lisa but a super-advanced product that outclassed other computers— especially its price of $10 000, about five times the price of a Mac at the time.

A little research showed he was buying refurbished units from a company in Shreveport, bundling them with freeware and shareware, and offering training worth “thousands of dollars.” As it happened, he was paying less than $40 for adult classes at Winter Park Tech where my friend Geri taught. Geri found herself with more than one of his victims in her classes, including one man whose wife was dying of cancer and was barely holding together emotionally.

The Scheme

Black was buying outdated, refurbished computers for a few hundred dollars, adding freeware (free software) and $40 worth of classes, and then selling them as high-end products to the unsuspecting.

Dr. Black was a snappy dresser. Even at casual gatherings he wore suits, and under his suits he wore sweater vests, not a common sight in Florida.

He liked talking to me, even when I’d call him on some of his shenanigans. When I asked barbed questions, he showed a politely bland face, no anger or irritation at all. I wondered if he masked his feelings or felt nothing at all. Did he choose me just to have one person to talk to?

He claimed to have been a judge, and apparently that was true. The ‘Dr’ part he tacked onto his name– He liked the sound of it. Beyond the connotation of ‘juris’, it had no more meaning than the ‘Dr’ in Dr. Pepper.

Judgment-Proof

Black confided he was ‘judgment-proof’ and explained he maintained real property in his wife’s name and kept all his other assets offshore. The topic of disbarment didn’t disturb him… he simply acted as if he didn’t hear those questions, although once he hinted at a political misunderstanding.

One of his controlling peculiarities was to arrange meetings with clients at odd minutes on the clock, say 9:42 or 10:13. Black claimed he was too tightly scheduled to waste appointments on the half or quarter hour.

His attitude toward ripping off people was entirely incomprehensible to most observers. Black exhibited zero contrition but especially no shame whatsoever. He displayed a bullying arrogance toward anyone he could. He may have fancied himself superior to lesser people; others were merely ants that he righteously stepped on if they got in his way. Bob seemed to typify a sociopath in every sense of the word.

The Detective and the Reporter

A pair of related calls came in on my consulting line. Geri had referred one caller, a former New York City homicide detective who’d been defrauded by Black. The other was from our local WCPX star consumer crusader, Ellen MacFarlane. The detective happened to know Ellen’s mother, a NYC judge, and her sister, a force within the New York Department of Consumer Affairs. They asked me if I would provide technical knowledge for an exposé of Dr. Bob Black.

Ellen suffered from multiple sclerosis, but she was a fighter. I sat in on the interviews, sometimes feeding her questions. Black’s strategy was to answer no question directly. If she asked him about reselling obsolete equipment, he would respond with a rambling discourse on Steve Jobs, Reaganomics, and local gardening regulations. He exhausted the lady, but Ellen managed to air the segment.

The detective wasn’t done. He sued Black and called me as a witness.

We sat waiting for Black in the judge’s chambers. At nearly half-past the hour, the phone rang. The judge put it on speaker phone: A whimpering Black claimed he was deathly ill.

The judge said, “Frankly, Mr. Black, you don’t have much credibility around this court. However, I’ll continue this case if you get a doctor’s note to me within three days.”

Upon my return to court, I bumped into Black. He always acted polite to me and he did so this time, impervious to my cool nod. This time, the parties indicated they were considering a settlement. I wasn’t called to court again so I don’t know what, if any, judgment or restitution was involved.

To say Black was a scoundrel or a rascal is to diminish the impact he had on others. The Yiddish word ‘gonif’ comes close, implying a thief and a cheat.

Most of us would like to leave the world a better place. Besides social currency, reputation is a reflection of future self, the part that remains after we’re gone. We can’t all be great authors, musicians, artists, nurses, and teachers, but we can be good people. People who don’t care are alien to the rest of us.

I’ll bracket this article with “in my opinion,” but Black made a living from cheating people. He could argue he gave naïve people what they asked for (“They should have done their homework”) and what he promised (“So what if I sold them free software and who’s to say the $40 course isn’t worth thousands”).

For all that, my greatest astonishment centered around his lack of shame. I used to attend LegalSIG, a special interest group run by a local law firm concerning matters of business and law. Black would attend, showing no chagrin, no humiliation, not the least discomfort. Most people would not put themselves through such mortification, but Black felt no discomposure. He was internally ‘judgement-proof’ emotionally as well as financially.

Friends asked why ‘Black’ singled me out to talk. Partly, people found it easy to chat with me, even confide, but also I could listen without hating him, which I suspect many of his colleagues and victims must have done. From him, of course, I heard only fragments of his exploits. He never mentioned the word ‘victims’, but hinted those who’d fallen for his schemes were weak-minded. He sometimes suggested when his prey rose up, they were unfairly trying to victimize him for being the more clever.

I can’t read a mind like his, but I began to suspect that if he dealt with emotions at all, he might have felt no wrong. He might even have believed himself entitled, that he had the right to exploit lesser humans, those who could not harm others. If so, I feel sorry for him. But I'll never know for sure.

12 July 2015

Techno-dull


Mr Robot
Edgy. It’s what a new USA Network television, Mr Robot, is trying for, so edgy that producers are getting ulcers trying to make it happen. And cyberpunk. It’s oh, so cyberpunk, rebel without a clause, pass the opiates please. It’s new, it’s now, it’s different, and it's supposed to be ultra-tech-savvy. It has exciting technology working for it… or does it?
One of Dorothy Sayers' novels, The Nine Tailors, is noted for its portrayal of campanology– professional bell-ringing. Sayers was largely complimented for her accuracy of detail. In a small way, she created kind of a techno-novel. Since then, many authors have created stories detailing technology of one kind or another– military, espionage, aerospace, medical, or computing.

Bluffing computer experts is tricky, especially the ‘leet’, the priesthood as it were, the 1% of 1%, the dei ex machina, code-slingers, bit busters, programmers of the programs that run programs. Rendering a story about computers takes more than networking verbiage and Unix gibberish. Bear with me as I wade into technical detail.

Going Viral

John Brunner’s Shockwave Rider introduced the concept of viruses, but most novels and virtually all movies get the technology wrong. That doesn’t mean a reader can’t enjoy some stories. Thomas Joseph Ryan’s The Adolescence of P-1 was a good read. 2001 A Space Odyssey was smart, the letters HAL being one displaced from IBM. And for hopeless romantics, Electric Dreams gave movie-goers a Cyrano de Bergerac love triangle featuring a computer named Edgar.

But a story shouldn’t pretend to be something it isn’t. An Amazon review about a computer novel by a top-rated mystery writer said the commenter got laughs reading aloud excerpts to employees in the company lunchroom. That’s not the kind of critique anyone wants.

Dennis Nedry
Dennis Nedry from Jurassic Park
Casting Stones

Casting is another problem with computer shows. Techno-geeks’ IQs typically run high, but that’s seldom how computer experts appear on the screen. One example of awful rôle selection occurred in Jurassic Park, that of an unlikely computer sysadmin, the oafish and creepy Dennis Nedry. We’re going to talk about lack of subtlety: Nedry / nerdy, get it?.

If Hollywood doesn’t stereotype a sallow, shallow wimp with taped glasses, they opt for the opposite, a busty beauty in a skin-tight action figure costume. Movie makers think an eye on the décolletage prevents audiences noticing thin characterization.

When I think of actual top geeks (someone without my movie star looks– stop laughing), I think of colleagues like my friend Thrush, programmer Bill Gorham, software architect Steve O’Donnell, or a handful of others. These ordinary guys possess the extraordinary ability to make machines dance to their own tune.

Robin Hoodie

The show’s idea of characterization appears twofold. First, dress the part: Make the protagonist, Elliot Alderson, sullen, slurring, antisocial, slouch through life in his hoodie. Have ruthless, junior exec Tyrell Wellick wear designer ties and suits. Decorate drug dealers with lots of tats. Mission accomplished.

The other part of the simplistic characterization is the creation of a polarized ‘them versus us’ atmosphere: hoodies v suits, punks v preppies, young v old, crackers v hackers, morphine users v tweakers v coke-heads, Anonymous v the establishment, bad guys v the other bad guys, capitalists v socialists v nihilists v anarchists… which might be interesting if someone had bothered to delineate a bit.

Elliot, the main character, is a morphine-addicted presumed programmer– he once mentions source code. The guy is a pathological liar who lies even to himself, then follows up by telling people in slurred speech, “I’m just being honest.” He drinks ‘appletinis’ and tells his shrink he’s not a junkie, even as he snorts his drug of choice. Supposedly this doesn’t impair his ability to dig into the bowels of computer networks.

A major problem here is that mainly druggies find drug users entertaining. One shouldn’t have to be stoned to appreciate a television show, but drug use and overuse underlies a major theme of Mr Robot. Elliot’s Asperger’s syndrome one can deal with, but his continuous mumbling is hard to stomach.

Of all the cast, only the female characters appear likable and worthwhile, Elliot’s shrink, Gloria, and his childhood friend and co-worker, Angela. Elliot and Angela telegraph to the audience their unrealized attraction as in a third-rate romance novel.

Tyrell Wellick represents the only alpha male in that universe, a ruthless junior exec but one who keeps his eye on the prize. As the best drawn character, he’s a sadomasochistic and exploitative bisexual who goes all out for what he wants. The actor speaks fluent Swedish but god-awful French, more than once butchering the word ‘bonjour’. Wellick does win on other points: When his pregnant wife asks for a bondage session, he’s reluctant to proceed, trying to be gentle.

Anonymous

A major factor– or malefactor– in the series is Mr Robot, a sociopathic anarchist played by Christian Slater looking exceedingly bored throughout. ‘Mr Robot’ is the name of a tech support company, passed on to Slater.

He’s formed ‘fsociety’, a squad of hackers patterned after the group Anonymous. Instead of Guy Fawkes masks, fsociety uses the likeness of that Parker Brothers’ mustached tycoon, Rich Uncle Pennybags aka Mr Monopoly.

Uncle Pennybags © Parker Bros.
In reality, fsociety is disappointingly unlike Anonymous. The latter is focused on justice and exposing inequity and corruption, not anarchy for its own sake. Anonymous gives an impression it values human life, unlike the show's producers who suck hours out of your life never to be returned.

Unsubtle

Those of us in the US tend to confuse and conflate capitalism with a free market economy; Mr Robot drops any distinction at all. Fsociety is dedicated to gutting Evil Corp (which deserves it) within a larger goal of bringing down the economy.
  • E: Evil Corp– that’s its unimaginative nickname– is the company that Elliot, Angela, and Tyrell work for. Obviously, subtlety isn’t held in high regard among the writers. The company’s E logo simultaneously hints at an actual secretive government provider and evokes ‘E for everyone’ entertainment ratings.

  • F: Two guesses what the F in fsociety stands for, subtle like a sledgehammer.

I tried to imagine the original cocaine-fueled pitch for the series. I think it went something like this:
“Like okay, man… (sniffff) There’s this guy, hacker dude, we’ll dress him in a hoodie so everyone thinks Robin Hood, see. (sniffff) And there’s this evil corp, we’ll call it Evil Corp so the audience can’t miss it. (sniffff) Listen, I confuse free markets and capitalism, but let’s say we burn down the economy… What do you mean, how would I cash my paycheck? What does that have to do with anything? Oh, irony, I get it. That’s good, that’s good. We’ll include irony.”

Verisimilitude

The series makes a stab at hi-tech realism, not particularly savvy, better than some shows, not as good as others. Writers drop a few Unix buzzwords (Gnome, KDE, TOR) and gloss over how their network was penetrated.

Elliot identifies a supposedly infected file that fsociety wants him not to open: fsociety00.dat. Amusingly, the IP address associated with the bogus file is 218.108.149.373, an impossible address like movies using 555-1234 as a phone number. (Geekology trivia: An IP address resolves to four bytes in binary, so each number of the group must be less than 256.) Mr Robot offers no specifics how Elliot tracked down the file in error, but the date and a bogus IP address should have clued in even a noob, never mind our ersatz hero.

Elliot passes the file on to a colleague, saying he’s done the hard work and ‘all’ that’s left is the encryption, as if that’s nothing. *bzzz* Wrong answer.

The program promulgates the notion that if someone has a root kit or hacker tools, they’re somehow an ultra-savvy user instead of being like any other mechanic with the right toolbox. The real guys with the smarts are the black hats who write the hacker tools and the white hats who find ways to combat them.

The show also advances the prejudice that ‘old people’ (presumably over 25) can’t deal with technology. A little reflection would have shown that the very systems Elliot and his hacker friends are using were designed by the old guys who themselves built on the shoulders of greater giants. (Articles on Anonymous have shown that the inner core of the organization isn’t strictly young guys as popularly imagined, but largely socially conscious programmers from the late 1960s and early 1970s who range upwards in age into their 50s and 60s.)

Elliot sneers at the CEO of E-Corp for carrying a Blackberry, ignoring the fact that an executive can run a company or tinker with technology, but probably not both, not at the same time. The US State Department deliberately uses Blackberries because they’re less susceptible to hacking… but that sort of realism would cut the series short.

Later, Elliot denigrates a hospital IT manager, William Highsmith, but even as he’s disparaging the IT guy, Elliot uses his supposed superior hacking skills to type the word NEGATIVE into his drug screen. Nothing screams phony like spelling out a presumed binary value instead of clicking the bit setting like true experts and their grandmothers would have done.

In the third episode, Elliot gives a stoned soliloquy on debugging. He’s correct in that finding a bug is usually the hardest part of the problem, but then he awkwardly extends an analogy of bugs into the real world of people and society.

Commodore 64
Halt and Catch Fire

Based on a single episode, a competing series Halt and Catch Fire has a much better and more realistic grip on technology and story-telling. Their team planned how to fake an AT&T computer by kludging together parts from a Commodore 64. Unlike the vague buzzword-dropping, watch-the-other-hand unexplained ‘magic’ in Mr Robot, the HCF scheme could actually work.

From both a writing standpoint and a hi-tech background, Mr Robot disappoints. I expect more… more characterization, more plot, more realistic tech. And less morphine, please, much less. I’m a minority, but my tech-savvy friend and colleague Thrush, who still keeps his hand in the land of Unix, also expressed dismay, finding the show dark and dismal with a poor handle on technology.

Mr Robot is like a 1960’s drug culture anti-establishment film, entirely unentertaining. But that’s my take. What is yours?

08 July 2015

Scattered Castles


There's been a lot of smoke and mirrors lately about the Chinese hacking into computer networks all over the place, and of course it isn't just the Chinese. Cyberattacks have become a lot more common. Anybody remember STUXNET, the virus that targeted the Iranian nuke R&D? Nobody's copped to it, but we can imagine it was probably a joint effort by the U.S. and the Israelis.
My own website was hacked by some Russian trolls. I don't know what the object was. Bank fraud, or Meet Hot Slavs?  It wouldn't be to use any of the actual information from my site, but to compromise the server pathways. FatCow, the server, hosts a buttload of websites, and once in the back door, you could cherry-pick all the caramels, and leave the liquid centers behind.

The point of the Chinese hacks is that they're not amateur or random, by and large, but directed by the Ministry of Defense, against specific hard targets. The big one, most recently (or at least most recently discovered), is the security breach of the Office of Personnel Management. I know this doesn't sound all that glamorous or hot-ticket - OPM is basically the U.S. government's Human Resources department, the central clearinghouse - but in fact it's a big deal. Best guess to date is that 18 million files have been penetrated, and that's a lowball figure. 

Here's what makes it important. OPM is responsible for security clearances, access to classified material. Back in the day, this was the FBI's job, but it's presently estimated that 5 million people, including both government employees and contractors, hold clearances, and the FBI's current staffing is 35,000. You do the math. The numbers are overwhelming. OPM, in turn, farms this out to FIS, the Federal Investigative Services, and the private sector.

But wait, there's more. The intelligence agencies, CIA, NSA, the National Reconnaissance Office (the spy satellite guys), have their own firewalled system, know as Scattered Castles. For whatever reason, budgetary constraints, too much backlog, or pressure from the Director of National Intelligence, the spook shops were instructed to merge their data with OPM's. So was the Defense Department. A certain amount of foot-dragging ensued, not just territory, either, but concerns about OPM's safeguards. In the end, they caved. Not to oversimplify, because the databases are in theory separate, but it created an information chain.

Suppose, and it's a big suppose, that Scattered Castles is accessible through the OPM gatekeeper. Nobody in the intelligence community, or OPM, or the FBI (which is the lead investigator of the OPM break), will go on the record one way or the other. Understandably, because they'd be giving whoever hacked OPM a further opportunity to exploit, if they haven't already. This is a case of locking the barn door after the horse is gone. The worst-case scenario is that active-duty covert agents could be exposed. And bear in mind, that when you're investigated for a security clearance, you give up a lot of sensitive personal data - divorce, bankruptcy, past drug use, your sexual preference - the list goes on. Which opens you up to blackmail, or pressure on your family. This is an enormous can of worms, the consequences yet to be addressed.

OPM uses a Web-based platform called eQip to submit background information. You might in all seriousness ask whether it's any more secure than Facebook. The issue here, long-run, isn't simply the hack, but the collective reactive posture. These guys are playing defense, not offense. The way to address this is to uncover your weaknesses before the other guy does, and identify the threat, not wait for it to happen. Take the fight to them. Otherwise we're sitting ducks.  

It's amazing to me that these people left us open to this, quite honestly. They don't go to the movies, their kids don't play video games, they're totally out to lunch? It ain't science fiction. It's the real world. Cyber warfare is in the here and now.

Heads are gonna roll, no question. OPM's director is for the high jump, and her senior management is probably going to walk the plank, too. This doesn't fix it. What needs fixing is the mindset. We're looking at inertia, plain and simple, a body at rest. We need to own some momentum. 


http://www.DavidEdgerleyGates.com/