The Digital Detective, Pay the Piper I

Pawnee ©
Encyclopedia of Aircraft

One day, I faced company arrest, a kind of corporate detainment. Company arrest combines citizens’ arrest and house arrest. Worse, the detainment came with a threat of physical harm. I’m not sure I should name the enterprise involved, but their initials are Piper Aircraft. They are known for fine low-wing light aircraft ranging from the homely but hardy Pawnee to the gorgeous Fury.

Piper contacted me about the time I went solo in my career. I had become an accidental expert in teleprocessing, the transmission of data. Operating systems have clean well-defined edges, where every tiny piece has a distinct, often powerful purpose. Contrarily, telecommunications is fraught with errors and omissions. An OS has to maintain a semblance of recovery and control despite fried fibre optics, iced-over microwave towers, or Russian-severed Atlantic cables. Trapping entangled signals, simultaneously there and not there, is trickier than bathing Schrödinger's cat.

Fury © Piper Aircraft

The introduction began a year earlier when a phone call came in, Director of Programming Services for Piper Aircraft in Lock Haven, Pennsylvania. Introducing himself as Willy, explained they were using software from my old boss Rich, as described last time. They were experiencing problems but didn’t know how to diagnose the source.

Willy explained Lock Haven was two hundred miles from nowhere and not easy to get to. A trip required a full day’s drive from my home, a seven hour drive without traffic, and oddly about the same via a chain of commercial commuter flights. Thus Piper Aircraft commuted by… Piper aircraft. Willy would instruct one of their pilots to pick me up and afterwards return me home. On my end, I chose Plymouth, Massachusetts not because I lived there but because my girlfriend did, and a small airport might be easier to navigate.

© Piper Aircraft

As a newly baptized student pilot, I enjoyed the ride. The pilot wasn’t a natural teacher, but he handed me right-seat controls while nothing demanding was happening, adding a few hours to my logbook. A side trip to LaGuardia found us sandwiched between two giant jets. Small planes have to be cautious about wingtip vortices, invisible whirlwinds that can capsize the inattentive.

As we flew into central Pennsylvania, eagles glided along side us rising on thermals from the spread of forests below. No pun intended, but this commute was becoming the high point of my day.

© Piper Aircraft

Loch Haven’s municipal airport was Piper’s for all practical purposes. It adjoined the company’s plant and offices. Nearby buildings housed machine shops, assembly operations, and a paint facility. Piper situated me in sort of a company residence for visitors and commuting executives. The company was relocating their headquarters to Vero Beach, Florida, so short-term housing had become important.

That set the pattern for another three visits. Willy was revealed as a bombastic fellow, lots of bark but no bite. He’d grouch, gruff, and growl, but didn’t mean it. He would help anyone who’d need it and undoubtedly made a fine father.

© Wikipedia

All but one of his programming staff were married and weren’t interested in hosting a codeslinger after hours. Jennifer was the opposite, a girl with an interesting history and no one to hang out with. We shared dinner and dialogue a couple of evenings.

Originally from the area, she’d moved east, but hadn’t drained the avgas from her arteries. Exposed to new opportunities, she’d learned to skydive, where she’d become proficient.

She related a number of high-flying tales. Once she initiated a naked jump with her skyteam, exactly what it sounds like: shed clothes and bail out nude. I guess you had to be there. The mothers of most of us, if we’re gonna die, simply hope we remember clean underwear.

© Wikipedia

Then came her moment of disaster. Unexpected winds tossed her parachute in uncontrollable arcs that caused her to crash into the ground, breaking her back. Jennifer returned to hearth and home to heal, staying with her mother and father, and working at Piper to pay the bills. She planned to resume jumping, but that was probably a year off. In the meantime, she helped form a local jump club.

Shop Talk

This turned out the first and only time I worked in a union shop. Management explained they had to get permission for me to take charge of their machines.

The union was gracious about it. At first, they kept an eye on me, but once they realized I knew what I was doing and was willing to share my knowledge, they made me welcome.

It transpired their problems weren’t serious. They simply needed a helping hand marrying equipment and software from multiple vendors. I enjoyed working with Willy and the staff, which resulted in additional visits.

Where’s Willy?

I previous mentioned my charming boss. Inevitably, I struck off on my own, not getting wealthy, but living by my own lights. To my pleasant surprise, I saw Piper’s number on my telephone. Only this time, the caller wasn’t my friend Willy.

My imagination suggested the name sounded like Manny O’Dious, the new Number 2. This was Piper’s new Director of Programming Services, but what a gutter mouth… and gutter mind.

“That stupid ƒ-er Willy managed to piss off a vice president and got his ass fired. ‘Willy.’ Can you think of a more stupid name? Anyway, you left your job undone. Get your ass down here and fix the problem now.”

Taking orders from a person I respect is remotely tolerable, but as you might have guessed, being bossed around is not  my thing. Still, I needed to make a living.

“When can your pilot be here?”

“Oh no, no. Things are different now. I’m not providing or paying for transportation. It’s not in my budget.”

Lock Haven, Pennsylvania

Lock Haven was landlocked in the remote wilds of Pennsylvania, so making the trip by commercial and commuter hops to ever smaller airports required as much as five or six hours of flight time and additional hours of rental car driving. One way required an exhausting full day of traveling, time I would have to bill for. More to the point, the client was always billed for transportation. This guy couldn’t grasp I was trying to save him money and me time.

It also rankled me that while the recent problem was unclear, I’d left no work undone.

“Sorry, have you tried to book travel between Plymouth and Lock Haven? Minimum seven hours by car, seven hours by air, and I do invoice for travel. Always. You can save two days of billed consulting with a pickup.”

“Hell no. Get your ass on a plane or a mule or whatever and get yourself here you….”

“Good bye.”

I was almost shaking with tension as I slammed down the receiver.

Who put the BOMP in the Bomp Bah Bomp Bah Bomp?

A half hour later, the phone rang, same area code 570, but different number.

“Hey, it’s Jennifer. How ya doing? I’ve been tasked with, well, persuading you to drop in. He has the budget, but see, he gets kickbacks for every budget dollar he doesn’t spend. Let me tell you what we’re dealing with…”

She went on to explain. “Shortly after he arrived, he treated himself in town to a steak dinner. Two bites from finishing, he informed the waiter the steak was tough and he would not pay for it. Nor the soup or the salad or the wine. Restaurants run on thin margins, and they swallowed hard to absorb a loss like that. He is one cheap bastard and now you’re the steak. He sees you as a burdensome expense but he needs you.”

“What happened to Willy?”

“You know Willy, he finds it fun to bluster, but one of the VPs didn’t understand him and summarily fired him without considering how to replace him. Nobody wants a career move to the wilds of Nowhere, Pennsylvania and they were lucky to land Willy. Now everybody’s bleeding.”

“How did they recruit Manny? I never heard the name before.”

“Ah. He has no computing or management experience. He was actually a BOMP salesman.”

“Bomp?”

“Bill of materials processor, like a parts list for a huge project. It’s a pretty good program despite the fact he’s a terrible salesman. I don’t know the circumstances, but he must have been in dire straits. As soon as he heard Willy had been fired, he applied and, being the only candidate, he got the job. Upper executives haven’t figured out what a bad decision that was. He thinks we’re all trying to sabotage him. Believe me, I’m getting out of here soonest.”

I laughed. “While suckering me in, huh?”

“Damsel in distress and all that. We’ll get you here, try to keep everything per usual.”

Arrested Developer

© Piper Aircraft

We planned for an upcoming holiday weekend to maximize my time on the machine. I packed my suitcase and stuffed computer gear in my flight case. As agreed, their plane arrived on time for the pickup. On my arrival, the union rep said cool beans. I never understood that expression, but someone explained I was ‘golden’.

Except with the director. He didn’t hover over me– I give him that– but asked one of the programmers to monitor me.

Within a couple of hours, I had a good idea where the problem lay. By late afternoon, I nailed it, no long weekend required.

A half dozen vendors were waiting to hear who was at fault. I entered the director’s office to spill the results.

“Well?” Manny asked. “Whose problem is it?”

“Piper’s. The issue manifests in IBM’s controller, but you didn’t follow configuration instructions. You plugged it in while ignoring the ‘Some assembly required’ notice.”

“Not my fault. My staff keeps undercutting me. Look, here’s what you will do. I’m going to give you an extra fifty bucks, no, say hundred bucks and you say you traced the fault to the DUCS package. You can convince them.”

I blinked. It was hardly worth mentioning $50 covered ten minutes on the time sheet. My old boss’s software had nothing to do with the problem, but they were the smallest and most vulnerable supplier.

“No, I want no part of that. No vendor is at fault. It’s a user error.”

“It’s a virus.”

“No, it’s not a virus.”

“You sure you won’t take a hundred bucks and let this go?”

© Piper Aircraft

“No, I can’t do that.”

“Then find your own way back.”

“What?” I didn’t think I’d heard him.

“Find… your own… fucking… way… home. I won’t provide transportation.”

“You can’t do that. There’s no way out of here, not even a rental car.”

“Tough luck. I gave you a chance.” He templed his fingers and stared musingly at the ceiling, fully in control. “Factory like ours is a dangerous place. All kinds of accidents could happen, especially after dark on a long weekend.”

That made no sense. “Don’t act ridiculous. You are threatening me over a few thousand dollars?”

“Not ridiculous to me, more like an object lesson you’re going to lose. If I was going to threaten, I’d point out the surrounding deep woods,” he interrupted his TV-speak to wave his hand toward his window, “and how dangerous forests are, hunting season or not.”

To be continued…

The Digital Detective, Karma

I. inspired by Hiëronymus Bosch

Sharp Dresser, Sharp Tongue, Sharp Practices

This heading perfectly encapsulates a once and former boss. Clues were apparent from the beginning, but the worst characteristics emerged over time. His name could also be described as an insulting slur, a diminutive of Richard rhymed with Rick, and no, it wasn’t Mick, Nick, or Vic. I’ll simply refer to him as ‘Rich’ for now.

Moderately wealthy, he moved easily in the business world. ‘Rich’ kept useful contacts on a private payola payroll. Kindnesses were transactional. Favors to others he considered IOUs.

How did I become his most trusted employee? I was in grad school, struggling to meet rent and tuition. A full-time student, I also worked forty hours on Wall Street as documented elsewhere. I found myself in demand but was surprised when I received a call from Boston. The caller asked what might induce me to leave school and move to a state I’d yet to visit.

For a financially strapped student, salary talked, not to mention it represented an opportunity to continue designing professional software. He dangled the opportunity for a partnership. I accepted the offer and moved south of Boston’s 128 with little more than clothes and a record collection.

The Mask Slips

Gradually, he revealed more and more about his circumstances. He liked owning things other people didn’t. His Cadillacs, his Brookline house, his country club membership, and his many, many toys represented assets most people couldn’t afford. He’d make hamburger with $20 per pound filet mignon. Sometimes I’d drive him crazy. When his wife discovered I’d obtained designer towels identical to hers from a Ross discount store, she gave hers to the maid.

He subscribed to a shopping service that shipped exotic foods to the US. One day he bragged about a fancy green fruit from New Zealand. “Kiwi?” I innocently asked. “The local grocery store carries it.” He dropped that service the same day.

As other companies have noted, I tend to keep my mouth shut. If I have a problem, I’m more likely to confront– usually politely and perhaps unwisely– but have my say. Although he looked upon people with contempt, Rich valued my talents and quirky sense of humor. But me as a person? Unlikely, based upon how he scorned others.

II. inspired by Hiëronymus Bosch

Swing, Swap, Swag and Swagger

Rich’s personal excesses typically overshadowed his professional quirks. His life orbited a world of strippers, porn stars, and gambling. He and his wife often made their private life public, once discussing their peccadillos on a popular television talk show. And yet, he and his wife harbored social pretensions. Never knowing what would come next, it was like watching a circus on fire, but those escapades do little to further this article.

Except…

Initial Concerns

Rich’s disdain extended into the corporate realm. His father had started a company selling overpriced ‘collector’ coins, and named the enterprise CFS, Inc, which originally stood for ‘Coins for Suckers’. Naturally, customers weren’t privy to the insult. Those few who asked were given a nonsensical backronym such as, ‘Come find a Steal’. Rich took over the company name but not the business, and the initials now stood for ‘Consulting for Schmucks’.

Take taxes. That’s what CFS did, take taxes. The company was authorized to collect sales tax only in its home state, but Rich also charged out-of-state customers sales tax, which he treated as unearned income, a nifty little bonus every month, every year. Say CFS reaped monthly revenues of $100,000, then phony sales tax brought in an additional $5000 to $10,000 every thirty days.

Grift, Graft, and Grease

Rich was fascinated with mafia and police. Those who knew his parents claimed mafia members encouraged his father to leave town, prompting a move to Miami, never to return. He was highly motivated by a neighbor shot and killed through his basement window.

Brookline and Chestnut Hill are old but expensive neighborhoods with large houses and narrow, winding streets. Authorities ban overnight street parking but that didn’t bother Rich. He bribed cops not to ticket his cars. Parking problem solved.

At one time, Rich joined as a police reserve deputy. Reservists were supposed to be unarmed, but once again, he flouted rules, carrying a concealed snubnose revolver. He often spoke of the satisfaction of clubbing protestors offset with the regret of breaking his five-cell flashlight over students’ heads.

By now, you’re probably thinking Rich was not a nice man. As I write this, I wonder how a professional like R.T. Lawton might view him. A petty perpetrator or a wannabe criminal who sidled so close to the line he could topple at any moment?

And yet, the man occasionally listened to me. For some reason, Larry, one of our data center operators, aroused Rich’s ire. If Larry made even a small slip, Rich would explode, showering the place in fire and brimstone. Shouting made Larry more nervous, which precipitated further errors, more screaming and threats, and the end of a civilized world as we knew it.

I took Rich aside and said, “Larry has brought mistakes to our attention. If he hadn’t been honest, we would have considerably more grief figuring out where the fault lies. Ease up a little. By the way, did you know Larry is teaching himself programming?”

Rich listened. He even critiqued one of Larry’s student programs, making suggestions for improving the app. Larry became a valuable part of the team.

I emphasize our company’s apps, development software, and consulting were first class. The CEO’s problems did not bleed into the quality of the products. Consider John McAfee, first maker of antivirus programs. He had a very erratic short life, yet the reputation of his software sold millions of copies.

Meanwhile, where was my partnership? By then, I had developed products, but I hadn’t seen sales figures and Rich wasn’t about to allow an inspection of his books.

Shooting Blanks

An Australian-American company I’d worked for in my early days asked for a copy of our software with an eye toward selling our products together. We sent a copy on magnetic media. Oddly, SDI shipped it back a few weeks later without comment or communication of any kind.

A couple of months later, we found out why. SDI introduced an add-on for their product called F0, a clone of my package Fx, which I solely developed. SDI’s Boyd Munro was a brilliant software writer but he had tried and failed to implement his version of Fx until he reversed engineered my program. It turned out Rich had not demanded a non-disclosure agreement.

But all was not lost. In Virginia, another software company, TCSC, proposed joining forces to release a joint combination of our products. TCSC’s owners bore the unlikely names of Tom and Jerry, but their business included a wealth of customers.

Usually, I did the traveling, but Rich felt the importance of negotiations required the presence of the CEO. He was right, but oh, so wrong.

Rich had expected to spend a few days, but he returned after one. What happened, I asked? He put me off and said he didn’t want to talk about it.

Okay, but where do we stand? What are the plans?

He waved off my questions, refusing to answer. What the hell? I had a stake in this.

Not long after, I resigned and struck off on my own consulting and designing software. Rich badly needed technical assistance and I greatly needed corporate customers, so I accepted him as a client.

But Rich, being Rich, couldn’t do things honestly. He wouldn’t pay until the next job came up. His account was the largest on the books, aging three, four, sometimes five or six months. Then came an incident that brought an end to our agreement, an eruption that stranded me ’two hundred miles from nowhere,’ according to one observer. I’ll write about it next time.

I ghosted Rich after that. When he phoned, I refused his calls. Although he occasionally called as the years passed, I never spoke with him again.

Karma Bytes

Some time later, I found myself in DC chatting over dinner with Tom, a principle in TCSC mentioned above.

“You recall Rich visited our office to seal a joint marketing deal? Do you know what happened?”

“I remember, but Rich flatly refused to discuss it.”

“Little wonder. He arrived that day and strode directly to Jerry’s office, demanding to see the boss. His secretary explained he was on a delicate overseas call, which was expected to take quite some time.

“He said, ‘I don’t intend to wait. I’ve come a long way and insist you usher me in now.’ The secretary politely but firmly asked him to take a seat, but he became more belligerent, his voice loud and his vocabulary abusive.

“Rich stormed into Jerry’s office, shouting he should fire his ƒ-ing **** of a receptionist, calling her numerous obscenities. ‘Fire the bitch,’ he concluded.

“Jerry, a big man, listened quietly. Then he said,

“That ‘bitch’ is my wife.”

III. inspired by Hiëronymus Bosch

Just Deserts, Unjust Desert

At the level we were at, software developers knew one another by name and reputation if nothing else. I learned Rich, after making a small fortune out of our company, moved to Vegas. His deep voice was used in radio broadcasts, but not all went well.

Years later, I chatted with his daughter. She indicated he’d become embroiled in yet another scam and this time lost his money. He died a broken man.

How I felt about that was unexpected. He was a Brunswick stew of dishonesty, turpitude, swindling, cheating, greed, selfishness, and petty crimes. And yet, I felt badly. As awful as he was, no one deserves to die a broken shell. Given a vote, I’d rather imagine him alive, playing his little cons, not paying bills, and cheating on his taxes than rotting a fractured husk in a Las Vegas grave.

How confusing is that?

ConVocation

Presumed US location of Adven

Consequences

Lily has a knack for drawing scammers like some people attract mosquitoes with similar blood-sucking results. You’ve met Lily a couple of times including a phishing scam involving Chase Bank.

I’m dismayed how often Chase victimizes its customers, freely handing out money to con artists and then blaming customers. I’ve noted a number of Chase fraud stories since and spoke with a lady who lost tens of thousands to a scam that Chase refused to acknowledge. Because Lily received advice to withdraw her funds and not a penny more, she remains the only person I know who survived monetarily intact.

She and I spent hours making phone call warnings and visiting Chase and state police, trying to apprise them of a crime in progress. We explained how the fraud worked, despite snorts and sniggers and snarky wishes *they* had a friend (wink, wink, nudge, nudge) who’d deposit thousands in their account.

“There is no money,” I insisted.

“Sure there is, we can see it right… right… Wait! Where did it go?”

After the fact, the bank blamed Lily and demanded she reimburse them for their shortfall and shortcomings as a so-called trusted financial institution. Ha. That’s ever likely.

Presumed US headquarters of Adven

Conversation

Lily sometimes struggles. She listed with LinkedIn seeking work at home. Unlike some, the girl self-motivates as long as the job doesn’t require copying the Encyclopædia Britannica in longhand.

Out of the blue, she receives a message from a European company expanding into North America. They require Lily to take a test and write an essay, but she’s hopped. She can take on as much work as she chooses and the pay is respectable, even a bit higher than her current salary, nicely filling in financial gaps.

Conjecture

Lily excitedly calls her boyfriend, she calls her mother, she calls me. I can’t pinpoint what, but something sets off my alarms. I ask for all the information she can provide, including text messages and anything else she can tell me. The list of accounting programs dismays me. Normally companies seek one or two, not half a dozen. I’m putting a damper on her happiness, but it turns out her boyfriend also senses something off.

I go to work.

Content

First thing, Adven exists. It’s a 600 employé company registered with a real web site and a presence in other European countries. But they mention nothing in the Americas. Okay, the contact explains they are setting up shop in the US.

I’ve been through that before, working for European concerns expanding into the States and vice versa. I consider calling to double check and notify Adven I suspect they are being used in a scam, but for the moment, I opt to let things play out.

Further research reveals Hanna Summa is a real person with a Linked-In page and a profile on her company’s web site. Acting so hands-on for a potential entry level employee raises an eyebrow, but again, I’ve seen this within major corporations when placing fresh folks overseas. Directors and vice presidents keep an eye on details to avoid screw-ups.  An executive engaging with new staff and line isn’t inconceivable.

Meanwhile, this ‘Hanna Summa’ assigns Lily an essay. I suggest she consider an AI piece to avoid heavy vestment at this early stage, but, honest as she is, she writes a paper as agreed. Hanna Summa promises to send a check.

And she did.

Concept

I recognize the scheme. I advise Lily not to deposit it, but ask her bank to vet the check. Most checks clear the same day, but occasionally a draft may take fifteen days or so to slog through the system. This is where this type of scam takes root. Senders instruct their victim to spend or send much of that money elsewhere, ultimately into scammers’ own pockets. By the time a check is returned as fraudulent, it’s too late– the victim has been financing the scheme with her own money.

Conversion

This method obviates another scheme, the business of money laundering. Con artists arrange with a person in another country to sell goods or collect and distribute funds and perhaps packages. The unknowing party isn’t so much a victim as a patsy, flushing money through the system. In one case, a foreign ‘artist’ arranged for ‘commissioned partners’ in North America to sell his paintings, retain 10% and return 90% to the cheerful dauber who just laundered illicit monies or and avoided taxes.

Contrariwise

Meanwhile back at the bank, instead of making a conditional deposit as usual, at Lily’s behest, clerks go to work investigating that critical slip of paper with its excellent engraving and holographic sticker between the memo and signature. When they reluctantly hand the check back to Lily, they shake their heads but with respect for her instincts.

Still playing along, Lily tearfully informs her Adven contact that her bank has refused the check, saying it was no good. Our fake Hanna expresses shock and dismay, shock I say, shock. She posited her company’s accounting partner inexplicably made a mistake, perhaps a matter of misinterpretation. She will investigate and get back to Lily posthaste.

Shock, I tell you.

Lily is still waiting for the results of the investigation.

Conclusion

Lily merely wanted earnest work to make an honest wage. Reaching back to the J.P. Morgan Chase episode, her first reaction was to visit the bank at least twice and explain something was wrong.

Opinionated pundits contend victims perpetuate swindles because of their greed. I disagree with such a blanket statement. ‘Found cash’ scams work because no owner can be found. ‘Bible bequests’ play upon emotions of grief, not greed, supplemented by deepset religious underpinnings. Avarice might motivate cynical experts, not necessarily others.

I sometimes toy with fraudsters, an activity called scam baiting. My approach is more psychological than technical. One future day I might talk about that, but know I have no sympathy for those who drain bank accounts and ruin lives.

Does It Have to Be Murder?

Warner Bros.

I've been chatting with a podcaster about the upcoming season for her and her husband's show, where they read mysteries live. The husband, who handles the music, tries to solve the mystery by the end of the show. She can't because she reads every story before it's even accepted.

This year, they're doing something different. Anything but murder. Which got me thinking (and about more than my proposed story.) Does every crime fiction story need a body count?

This summer, I'm editing anthologies. A lot of anthologies. Plus, I read an ARC for the upcoming Bouchercon anthology. Virtually all the stories in that and two of the anthologies I've copy edited involve murder. My next anthology short story? Murder. The last three crime fiction novels I've read? Murder. Hell, one was the basis for Season 1 of Bosch.

While I've never agreed with Donald Maas's philosophy of increasing the body count with each book in a series – Let's call that what it is: a cheap ploy eventually leading to bad writing – I do concede murder is the highest of stakes. You're taking a life. If you ask most people how many of the Ten Commandments they've broken, the more honest will likely say, "I ain't killed anyone. Yet." Everyone lies at one point or another. Most people have taken something that wasn't theirs, broken with their parents, and that most underrated of the Big Ten, envied. I'm reading Cormac McCarthy right now, and boy, does he give a writer a case of envy. Leaving out the "God commandments," we continually break the Sabbath. Hell, I'm writing this on a Sunday morning. And while most people get through life without cheating on a lover or a spouse, more do than will admit it. But murder?

Murder is the big one. The taking of life. Most people quote that commandment as "Thou shalt not kill," but really, the original word translates as "murder," the deliberate taking of life. Killing in war or self-defense doesn't count because that other person is trying to kill you, or at least, inflict grievous harm. Accidents? You might get sued, but you won't go to prison unless you did something really stupid, like drive drunk or neglected some obvious bit of safety. But the deliberate taking of life? Either in a fit of rage or through (allegedly) careful planning?

I don't care what religious creed you follow, even if you're an atheist -- or maybe especially if you are one – that's the big kahuna. Taking life deliberately and without any mitigating reason is a huge crime against humanity.

But is it possible to write about crime and not murder? Does it really need a body count?

It takes a bit of skill, and quite often, it goes toward comedic. Oceans 11 is a prime example. It's the heist. It's George Clooney and Brad Pitt being smartasses. The source material is an excuse from Frank Sinatra, Dean Martin, and Sammy Davis, Jr. to play cops-and-robbers.

Catch Me if You Can, the Tom Hanks-Leonardo DiCaprio vehicle based on real life, focuses on Leo's cat-and-mouse game with Hanks's FBI agent and their later collaboration. Murder is not a primary plot device.

Cannonball Run

And if you want to get to the heart of it, the two Cannonball Run movies are really light-hearted (and admittedly light-headed) crime movies. The crime just happens to be an illegal road race that turns into a bunch of comedy sketches sewn together.

But notice the tongues firmly planted in cheeks for these movies. There are relatively few bodies in these films. And when there are, it's often an accident or natural causes, sometimes the inciting event.

Yet if you go all the way back to one of the first modern detective stories, Edgar Allen Poe's "The Purloined Letter," the plot does not center on a body but a missing letter. Our intrepid detective, Dupin, foreshadows Sherlock Holmes in his talent for looking beyond the obvious. The letter is soiled and wrinkled, looking like an old, well-worn paper and not a recently written missive that could bring down the French government. Doyle would revisit this time and again. The stories are not comedic, but neither do they depend on a body.

So, does it have to be murder? For the same reason we all rubberneck at a traffic pile-up or a train wreck, murder grabs our attention faster. Someone's life ended because someone else deliberately ended it. But there are plenty of ways to spin up other crimes: Theft, fraud, adultery (not a crime, but a dirty deed.) It's all in how you handle it. Instead of bleeding, someone simply needs to ask, "Are you in or out?"

Now, if you'll excuse me, I have to sketch out a story of the adventures of Florida Man!

The Digital Detective ~ Robocall Killers

Minutes ago my phone rang. I glanced at the caller ID. Usually it shows ‘Spam Likely’ and I swipe it off the screen. This time it gave a name I didn’t recognize. An unknown caller could have something to do with business, insurance, medical… who knows? I answered. Here are tips I’ve discovered to deal with telemarketers.

Tip 1

Like everyone else, I say hello immediately. I quickly say hello again and, hearing nothing, I’ll immediately hang up: a 1, a 2, click! Type A people do that– state your business or leave. Occasionally I catch half a syllable from ‘Mary’ or ‘Hector’ or ‘James’ from Indianapolis (INDIAnapolis) just as they might have caught my second Hello, but I’ve evaporated. I identified a spammer and dealt with the problem.

How does this benefit?

Robocaller machines initiate spam calls. I’m making educated assumptions, but it takes a couple of seconds to transverse the continents to India and then another moment or two for their operative to punch the connect button. They might hear my second hello, but by that time, I’m already gone.

But what if the call was important?

Naturally, they’ll phone back. In the course of fielding zillions of these interruptions, not one has called back. I suspect they’re geared to use auto-dialers but don’t permit manually dialing out.

Opinions to the contrary abound. Hanging up confirms a real person is at your end of the line, and, the belief goes, your number is marked for endless re-dialing. But, unless a robodialer hears the three tone SIT (special information tones) indicating “not a working number” or “number not in service”, it knows it has reached a valid telephone. It will try and try again no matter what.

Tip 2

Have you received a call from a cheery voice who asks, “Hello? Can you hear me?” Or a man who says, “How are you today?”

It takes training oneself, but don’t reflexively answer yes, okay, fine, good, lovely, peachy. You do not want professional spam callers to hear those words. Why?

Your voice is recorded on a separate track from theirs. That makes it easier to race through a recording where your mention of details can be readily found and identified. But it also makes it easy to manipulate the semblance of the conversation based on affirmative answers about the audibility of the call or the state of your day. With a push of an on-screen button, a trivial program can take your answers and turn one conversation into another:

“Hello? I’m calling on a recorded line. Can you hear me?”
“Yes, of course.”
“Good. How are you today?”
“Okay, fine.”

Misusing your answers can automatically result in repurposed recordings like:

“Hello? I’m calling on a recorded line. May I have your permission to continue?”
“Yes, of course.”
“Excellent. Can I sign you up for toxic chemical carpet cleaning, a new water hardener, a vacation to exciting DoofusLand, and a subscription to Mayonnaise Monthly?”
“Okay, fine.”

I stress reports of manipulated recordings are anecdotal chatter on discussion boards, but accusations recur and cherry-picking a victim’s responses is easier than you think. The result is that recipients claim they never intended to buy or even give telemarketers permission to call them. I’m not aware lawbreaking telemarketers have attempted to mislead the FTC, but simply initiating pre-recorded calls violates FTC’s own TSRs– the rules for telemarketers.

Do-Not-Call

The National Do-Not-Call Registry (888-382-1222 / https://www.donotcall.gov/) would be a good idea if spammers paid attention to it. Register all the same; it might dissuade one or two.

This article doesn’t delve into some technologies such as STIR/SHAKEN, which caused a brief 4½% dip in telemarketing attacks, only to climb more than ever before. One of the more common tricks is to spoof the victim’s area code and exchange (first six digits) to hint to the recipient of a neighborhood call. Others will throw false caller IDs on the screen such as Amazon, Apple, or Google.

Visit your App Store. Following is a list of apps you might find useful. Some rely upon collected databases of known spam numbers. You might hear this in action if your phone chirp or rings once and then stops. It had experienced a delay finding the number in a database. While useful, database apps don’t stop spammers from spoofing valid numbers.

Let us know your experience and useful tips.

ActiveArmor	Eyecon	Numbuster	Should I Answer
Call Blocker	Find Caller	Reverse Caller	Truecaller
CallApp	Hiya	RoboShield	Whoscall
Calls Blacklist	Nomorobo	RoboKiller	YouMail

The Digital Detective, Banco and Bunco, Part 2

Resuming from last week…

Money Laundering

Checks (‘cheques’ in other English-speaking countries) are becoming less common in our digital society, but they still have their uses: Investors often receive dividend checks, some companies send refund checks, and many of us write checks to our lawn guy and housekeeper. Check handling still holds a place in our economy and so does a scheme called ‘check washing’.

Crime segments on programs like Dateline and 20/20 have warned us against the practice of bad guys plucking checks out of mailboxes and ‘washing’ them in a ‘household chemical’ bath. Then with a blank check in hand with the original signature, they fill in a new payee and amount. The scheme can work with bonds, wills, and other instruments, anything with a dye-based ink written with ordinary pens. Very old inks comprised of iron compounds remain unaffected.

Wait. Are you going to share with us?

What is the household chemical? Enquiring crime writers want to know.

The answer is ink-dependent and I’m aware of two compounds. Women baddies may have an advantage: The primary go-to chemical, acetone, is the principle ingredient in fingernail polish remover. Other dye-based inks may better respond when treated with ordinary bleach.

Here’s a how-to video by Dr Uniball… (Shh. I know, I know, the poor man. I’m afraid Dr Uniball suffered an unfortunate lab accident.) That aside, here is one of his experiments:

Note: Although not mentioned in the video, fraudsters can preserve the signature by covering it with transparent tape. Ink not so protected washes away.

So how can you shield yourself against lawnmower man bleaching your check or your nifty cleaning lady rewriting the palty cheap-ass amount after an acetone bath? You can purchase speciality India ink pens costing in the hundreds of dollars. Or, as I recently learned, you can buy a less than two dollar Uniball at your local Dollar Store. This pigment-based pen is made by Mitsubishi Pencil Company, yes, a sister company of the car manufacturer. Look for Uniball 207, pictured here:

But wait. If you’re a fraudster and your victim banks with Chase or certain other banks, you don't have to bother erasing and filling in checks. Crooks have discovered Chase’s sloppy remote banking by smartphone looks only at the numeric dollar amount and routing number. Bad guys can add in an extra digit to the dollar amount, changing it from hundreds to thousands. Chase doesn’t trouble themselves to validate the written amount or check the written payee matches the conman’s name on the account. They even allow the same check to be deposited more than once.

Signs of Fraud from Bank of America

A casual survey suggests Chase Banks may figure in more frauds than all other banking institutions combined.Worse yet, Chase battles customer victims who try to get their money back. Lily, our Chase target in a previous article did everything right, trying to get an oblivious and lackadaisical Chase to take action. And they die– they blamed her.

No place in the world is safe from fraud, but if YouTube is to believed, Arizona suffers an outsized number of attacks. And naturally, Chase customer service isn't there when needed.

From A to Z, ATM to Zelle

Zelle is German for jail, literally, a prison cell. I’m frankly surprised it doesn’t mean Sucker!

I can’t trust Zelle. If accounts of a money app can’t be viewed and studied on the web, the customer/victim is at a disadvantage when attempting to reconcile transactions. Unfortunately banks and society at large push us in that direction.

Former business partners owed me money and had been steadily paying me through Sun Bank. Abruptly payments stopped. I notified them. It turned out Sun wanted to cease sending direct, electronic payments to my bank (and others) and insisted its ‘partners’ use Zelle. The problem was that Sun submitted payments into the black hole of Zelle, but my bank didn’t see them.

“Not our problem,” said Sun. “Call Zelle.”
“Not our problem,” said my bank. “Call Zelle.”
“Not our problem,” said Zelle. “Call your bank.”

This occurred after repeated and futile attempts to get a phone number for Zelle, who declined to help because they were ‘too far removed from the situation’, claiming they were outside the transfer rather than being the conduit. It took four months of repeated complaints to resolve the issue.

☚☛

As you might imagine, Zelle is a convenient tool for fraud. In one particular scam, you receive an SMS text that your bank account has been put on hold, pending unusual activity. You phone the conveniently provided phone number, and a polite professional asks how she can help you.

She ‘checks’ your account, saying it appears nefarious forces are attempting to penetrate your security. The solution is to safely move your money into a bank-approved Zelle account. If you’ve not heard of Zelle, she provides you a web link showing your bank works with Zelle, and she’ll help you set up a new free account, which will make bill paying so much easier.

Ten minutes later, your new Zelle account is all set up and your money moved into it. “Thank you, thank you,” you say before hanging up, upon which the scammer sets to work. You receive another text message, this time from your real bank. Your accounts have been emptied.

“Not our problem,” says Zelle. “Call your bank.”
“Not our problem,” says your bank. “Call Zelle.”

The Digital Detective, Banco and Bunco, Part 1

One upon a time I was scammed, or rather American Express was. In my consulting days, a pair of cancelled flights kept me hostage at Chicago Airport for ten hours, which covered a couple of mealtimes. For one of those, I plunked down in their sit-down restaurant and partook. And was partaken without my knowledge.

The end-of-month credit card statement showed a charge that could have fed a family of twelve instead of not-so-little ol’ me. AmEx explained this was called a ‘waiter’s charge,’ literally so in my case. A waiter hands you a bill in a black leather folder. The diner casually tucks a credit card in the folder and the waiter carries it away. At this juncture, the fraud happens.

If the restaurant keeps a computerized tally, the waiter adds on an additional lobster and a hell of a tip. Without an ongoing account, a waiter simply adds in a dollar figure. In olden days, waiters might run two or three blank slips through the imprinter for later use. These days thanks to skimming devices, a waiter can mint a new card before you leave the premises.

Once a card is out-of-sight, waiters can do anything they wish.

As did a waitress in Minneapolis’ beloved Pannekoeken Huis. Two things had come together to draw my attention to a minor racket. Unlike my girlfriend whose sharp eye for cash register fiddles caught one in the middle of a famous theme park, I don’t have specialized training in these things. However, a conversation with a vice president of finance at the company I consulted for raised my awareness. After meals, he carefully perused the bill and credit card slip, commenting he’d find mistakes nearly half the time and went on to prove it.

Bad Taste

And so I found myself in the very restaurant where he’d enlightened me. Frankly, the waitress did little to avert attention to herself. In a Midwestern city where everyone is friendly, she was unusually hostile. Perhaps it was the result of a bad morning, but she acted distinctly sour. Thus when the check came and bearing in mind the VP’s admonition, I looked over the register’s paper tape and there it was… or in this case wasn’t. The line items didn’t match the inflated total.

Her scam took but a moment to unravel. The register tape provided the clue– the restaurant’s logo was missing at the top of the tape. She’d rung in a false item, rolled the register’s tape forward several inches and tore it off, and then rang in the real breakfast tab.

I brought it to the attention of the front-of-house manager. That trusting soul cheerfully waved off the discrepancy as a register glitch. Fine, not my problem, but the practiced moves of the waitress announced she’d done this many times. I did not encourage her by leaving a tip.

That wasn’t why he glanced at your derrière

Does your credit card have a tap ’n’ go icon? If so, it has a built-in bit of electronics called passive NFC… near field communications, a cousin of RFID. Your cell phone may have something similar, but is active NFC because it’s battery powered. They work on the same principal as store exit scanners that sense security tags still attached to the jacket you just bought.

Besides the likelihood of your butt mashing your phone, NFC is a major reason you shouldn’t carry your phone in your hip pocket. A passerby brushes her phone past your pocket and *snap* — she’s captured your information.

Sleight-of-Hand

Scams can happen other ways. You check out of your doctor’s office, or you pay at the window of that overpriced restaurant, or you’re enqueued at Wendy’s drive-thru window and your fuel gauge is running low as is the patience of the guy behind you who taps his horn for the third time but it’s not your fault because your salad isn’t ready and finally the server comes to the window and hands you a bag with a freckled girl’s face on it and says, “That will be $36.80,” and you realize for that kind of money you could have dined at Pannekoeken Huis with money left over but you dig through your purse and there’s your MasterCard that you hand over and a second later he hands it back followed by a receipt that you stuff in your purse and before the guy behind you can blast his horn again you pull forward and out of his way, yet when you get home you receive a text message that your credit card has hit its limit. What? How can that be? You should have at least fifty dollars to spare.

And there it is: Instead of $36.80, you were charged $96.80. Maybe the guy’s finger slipped ringing it up. But wait, there’s another $23 charge from the same place at the same time. That shouldn’t be possible. What happened?

When you handed over your card, you lost sight of it for an instant only. But it was enough time for the window guy to pass the card over a pocket skimmer or even a second NFC machine, a modern analogue of imprinting an extra credit card slip.

Universal Contactless Cards (NFC, RFID)

ATM : Access Thy Money

You may seen recent warnings about ATMs with inoperable card slots, glued shut according to articles. Nearby, a helpful guy who’s standing a respectable, unobtrusive distance behind you offers a suggestion. “You can tap your card.”

But of course you can. You thank the guy, boink the card over the symbol, stuff $200 in your purse, and nervously flee the scene to safety. Or so you think. The helpful guy, he moves in and empties your account.

When an ATM’s mechanical reader returns your card, it automatically logs you out of the system. Likewise in store transactions, once the clerk rings you out and you see the Thank You message on the screen, you’re once again disconnected from your account.

Surveys show at ATMs, tap ’n’ go customers often don’t manually log out of their accounts. Without a mechanism holding their card and releasing it as they sign out, clients fail to realize the connection to their account remains active and vulnerable. Please, log out.

Next Week: Money Laundering

The Digital Detective, Wall Street part 4

When corporations upgrade large computer systems, they typically run the old and the new in parallel a few weeks or months until the bugs are shaken out. Occasionally events take a turn as discussed last week.

Mutual Admiration Society

Back in New York, our mutual funds firm (not so fondly referred to as MuFu) faced a different problem. They had completely rewritten the primary application, changing over from Cobol to C, and it hadn’t gone well. Four months after parallel commenced, they were experiencing glitches and crashes.

The sizeOf problem I’d caught wasn’t a contributing cause. An unidentified problem was triggering errors, an oversight so simple it would boggle the mind.

Robert, their very defensive senior C expert, hadn’t told me about a front-end program written by yet another programmer. I had to figure that out for myself. The bug wasn’t in the program they’d assigned me; it was introduced by what came before.

Front end and Back end Processing

As previously mentioned, Cobol reads like English and C… well, C is sometimes great and often horrible. C had become the most recent fad and application programmers were feeling the bite of its double edge sword.

The staff was comprised of university C students and the last Cobol member on her way out. Machine language (and assembler) weren’t in their purview and when they dismissed John, ‘the old guy’, they'd rid themselves of their only person who could poke around in memory (RAM) to determine what went wrong.

And memory was a problem. The program used customer numbers to index into a table and reference records in storage… in theory. In practice, I soon learned the customer was occasionally wrong, wildly wrong, trying to access a memory location off in the wilds of Kansas.

Cobol could detect out-of-bounds matrix subscripts; C could not. Thus it took me a little while to figure out the bogus account code was coming from a front end program. That preprocessor queued submitted entries, performed minor verification with a check digit, converted the input to binary, and passed the record on to the back-end program I first investigated.

In short, sometimes the data entry folks included dashes in the account number (e.g, 7654321-1) and sometimes they didn't. The Cobol app extracted only the digits; the C program didn’t. Both programs tentatively vouched for the account number (7654321) using the check digit (1), indicating it resided in the realm of possible valid numbers. Unfortunately, the newly written C routine included the hyphen when attempting to convert the number to binary. Both versions then ‘piped’ (passed along) the massaged data to the back-end program where hell and fury would erupt when a bad number with the mashed-up hyphen was passed along.

For all the grief it caused, correcting the C front end was trivial. Worryingly, the front-end program, instead of creating the transaction serial number, left that task for the back-end program. Bad, bad, error-prone design. And, as I would discover, prone to manipulation.

I returned the program to service and turned my attention back to the mysterious ‘sizeOf’ conundrum.

Faith, Hope, and Charity

Many organizations buy into mutual funds for long term storage of their money. City, county, and state governments store tax revenues, fines and fees there. Churches and charities divide money between money market and mutual funds.

In the mutual funds program, a template field labeled IRS501C was data-typed binary in the old Cobol Record data division and as boolean in the matching C Struct.

When I returned to the section with the anomalous ‘sizeOf’ routine, I could see this field being referenced, but I didn’t know why. A library search for original source code for sizeOf and the parent routines turned up nothing.

Growing more suspicious, I asked operations to dig through their archives and find the code. “Don't hold your breath,” they said.

Next day, the IT director gave me the conference room to spread out my work. I mapped binary instruction after instruction, recreating an assembler code version of the program. C could fool the eye, but machine code, even in the absence of context, revealed details of what was going on– if I could figure it out.

I constructed charts of data structures, trying to figure out what was taking place. At last when I spotted buried instructions trimming fractions of a cent from daily interests earned, I knew I’d stumbled upon skulduggery.

Figuring out the sleight-of-hand was mind-bending, but I got a break. Like so many magic tricks, the chicanery was breathtakingly simple. Only the surface artifice was complex.

I had accumulated a suite of experimental data to test extremes of the system. It contained only a dozen records but I noticed the audit log reported thirteen. What? A record with a proper transaction serial number had materialized like a magic trick.

As mentioned previously, the front-end processor should have been creating the transaction serial number, not the back end, but apparently no one here knew better. That oversight facilitated the deception, allowing crooked code to create records undetected.

Computer hours were reduced that day. Being the first of the quarter, month-end and quarter-end reports took priority. Idling, I suddenly wondered if month-end had anything to do with the mysterious symptoms I was witnessing. Once again I nagged operations about searching archives for source code.

An hour later found me wrestling with that data cleverly hidden beyond the end-of-data marker. An impatient operator slapped a cartridge on my work table. "Try this," he said.

Former employee John had made a rare oversight. He’d deleted the source files, but… Each evening, operations backed up everything, and that included John’s source code. It filled in gaps.

No comments, of course, but lo, I beheld the twisted mind of a criminal genius. The routines were rife with indirection and misdirection. The ‘sizeOf’ trick merely hinted at the scam iceberg. While the obfuscated C code suggested one thing, the meticulous machine instructions I’d decoded step by step helped me understand what was really happening.

The scheme launched from a database record under MuFu’s own name and address, 100 Maiden Lane. The registered agent was listed as K. King, address 103^rd floor, 350 Fifth Avenue, Manhattan, New York 10118. Midtown… I looked it up… Empire State Building. The street address was legitimate, but 103^rd floor?

Greed Kills

The charlatan routine skimmed thousandths of a cent or so following rounding errors– interest and binary-to-decimal trailing digits after rounding high. On average, the algorithm could have siphoned a quarter of a cent per transaction without setting off alarms, but our sneaky programmer apparently wanted to stay well below nets cast by auditors. Those fractions of a penny accumulated in the bogus MuFu self-owned bucket until the end of the month. Dollars– thousands of them– and been created out of thin air.

I fully expected John’s wife or a friend had opened another account to receive the transfers, but as I traced the code, it invoked a random number generator to index into an entry in the hidden part of the file, just one binary field,  which turned out to be an account number. At month end, the subversive routine transferred out between $1200 to $5000 a month from the bogus MuFu in-house account to the account selected by the random number generator. But why only certain accounts? What was special about them? How was John profiting?

As always, I sat outside on the ferry shielded by a bulkhead. As I started at the lights of Brooklyn, the answer hit me, knocking sleep out of the equation. I rode the ferry back.

With suppressed excitement, I extracted the account numbers and checked the first indicated record. Bingo. And the next one. And the next. And then the 20^th and the 100^th. Bingo, bingo. Every case showed the IRS501C non-profit tag.

Damnation. I’d unmasked a freaking Robin Hood. John– or should one say Little John– was stochastically selecting non-profit accounts to donate to. That generated the thirteenth record.

Fascinatingly, the audit trail reinforced the fraud’s legitimacy rather than exposed it. Only a paper trail might suggest a missing document, but who was going to dig through reams of flattened dead trees?

If United Way or Scouting USA or Bethune Cookman read their statements at the end of the month, they might have scratched their heads but concluded they surely made a deposit and misplaced their record of it.

I made copious notes and documented everything. When presented to the firm’s CIO, she looked disbelieving, then doubtful, and finally bewildered.

“I know your reputation,” Loretta said, “but this can’t be possible. Besides, IT claims John had aged beyond usefulness. He couldn’t keep up. He barely finished this, his last project, before we let him go.”

“If so, he put effort into making a final masterpiece.”

“Leigh, darling, can you fix it?”

Call me darling and I can fix anything. I yanked the too-clever code out by its roots and their senior programmer, Robert, fixed the hole and, upon my recommendation, moved the transaction serializer to the front-end.

“What will you do about the spurious deposits?” I asked.

“They go back months. We wouldn’t look good demanding hospitals and heart foundations return money deliberately deposited into their accounts. John gave away money we couldn’t detect was missing. We’ll leave it that way.”

“What about John?”

Loretta sighed. “Same reasoning. Arresting him will bring nothing but bad publicity. Can you imagine the Times or the Journal with headlines about a Wall Street Robin Hood? That’s bad enough, but a sympathetic soul would raise issues about ageism. No, we can’t win there. Thank God we discovered it.”

“Can you get me John’s contact info?”

“What? No, maybe, yes, why not. I’ll discreetly ask HR for it.”

Robbin’ Robin

I phoned ‘John’ and invited him to lunch.

“I don’t think so,” he said. “Who is this again?”

“Leigh Lundin.”

“Oh shit, you? What do you want?”

“Just a chat. Really.”

“You’re working for MuFu?”

“Yes, today I am; tomorrow, no. I’m wrapping up.”

“So you know…?”

“Lunch,” I said. “Let’s not do this on the phone.”

“Fraunces Tavern?”

“Whew! If you pay.”

He laughed. “Okay. If you accept that, you aren’t out to nail me.”

“I’m not. John, can you afford it?”

“I landed on my feet. Arthur Lipper knows me and his son hired me.”

I respected Lipper Inc. He chose well.

The Wolf Pup of Wall Street

We met in the pub where George Washington bade farewell to his troops. John looked like a mad Santa with puppy dog eyes and an Albert Einstein hairdo. I’d bet a dozen grandkids employed him as a stage for hundreds of adventures.

He said, “You’re not recording this?”

“No.” I kept my smile easy and relaxed my body language.

“I’m not admitting anything including this statement.”

“Hmm. Let’s talk hypothetically, this entire conversation, okay?”

“Sounds fair. What have you figured out?”

“Most of it, I imagine. Cancer research received a couple of grand on the first before I could stop it. That will be the last payment.”

“Good,” he said. “I mean, embezzling’s awful.”

I snorted. “SizeOf.”

He laughed. “I thought that was clever hiding in plain sight, but apparently not clever enough.”

“I overlooked it at first. John, what was going on? Why did our suppositional programmer take such a risk?”

He dropped the hypotheticals.

“They dismissed anyone approaching retirement, figuring to save paying pensions, I suppose. You heard about Walston?”

“I was there, John.”

“The MuFu bastards had a definite preference for young faces. I knew for months they were going to fire me, I could smell it in the air.”

“I know that feeling, John.”

“The staff treated me like crap, acting like I was in my dotage. They figured my brain had rotted along with Cobol, but they needed me to effect the conversion. I learned C until I knew it better than they did and then studied it more. Their superstars couldn’t read a dump or comprehend machine instructions during debugging. I turned the joke on their little experts.”

“Sheesh. I’m sorry you went through that, John.”

He shrugged. “What will happen to me now?”

“Far as I know, nothing. I think they’re too embarrassed. One or two, the CIO and the VP maybe, have shown a touch of grudging respect. They’re coming to grips with the senile grey-beard who fooled them.”

“Good, because I’m a coward. I’m not looking for fame and misfortune.”

“Don’t worry, John. Everyone but the sheriff loves a Robin Hood.”

Final Thoughts

And that is my favorite Wall Street crime case. I’m called when matters go mysteriously wrong, so Miss Marple-like, I occasionally stumble upon another puzzle and test of wits.

In this case, charities profited and the bad guy turned out a good guy. Some may object that a criminal avoided prosecution, but personally, I couldn’t imagine a better outcome.

---

Following are a few more tech notes.

The Digital Detective, Wall Street part 3

I’m still astounded Fortune 500 companies and government facilities not merely allowed, but invited me, a 19-to-20-something freelance me to play with their very expensive computers. I mean work, not play, yeah, work is definitely the word. Reputation is everything. And okay, I have authority issues. So I’m told.

Striking off on my own meant no security blanket, no 401K, no pension, no profit-sharing. It meant scary months when I wondered if the phone would ring with a client and months when I wondered if the previous client was going to pay or not. That’s a concern– some companies withheld payment until they once again needed help. Sometimes managers wouldn’t like what I reported. My type of work– designing systems software– was specialized, so occasionally famine struck.

During one drought, camels were toppling over, birds fell from the sky, and my bank account appeared a distant mirage. Finally a call came in before the telephone company could cut me off. It was Wall Street again, a mutual funds house we’ll call MuFu. Loretta was their CIO, Chief Information Officer.

100 Maiden Lane
NYC © Emporis

“Darling, are you available?”

“Personal or pleasure?”

“Are you saying personal isn’t pleasure?”

“You’re married.”

“Was, Darling, was.”

“Loretta, I’m sorry.”

“Don’t be, I’m not.”

She lied. I could almost hear the sounds of tears leaking from her eyes. She was a nice lady who’d come up through the ranks.

“Loretta, what’s happening?”

“If you’re available, I need help.”

“Please don’t let it be application programming.” Even if it was, I desperately needed the work.

“Well… Did you hear we’re undergoing a conversion from Cobol to C?”

“You and every other firm with fresh university graduates.”

My professors, Paul Abrahams and Malcolm Harrison, were language experts. Abrahams was chairman of ACM’s SIGPlan and would eventually be elected president of the US’s professional organization, the Association for Computing Machinery. They received early releases of Unix and with it the C language. For my part, C was co-respondent in a love-hate relationship. It constituted a step up from assembler language, but I wanted more.

She said, “I know you’ll be simply shocked, but we’re experiencing crashes. We can’t cut over until we nail the problem. Nobody around here can read machine code. I know it’s not your thing, but nobody knows Cobol either.”

In the following, I’ve tried to trim back technical detail to make it more accessible and I apologize where I failed to restrain it. The gist should suffice.

---

Next day I took the Staten Island Ferry to lower Manhattan, where I strolled up Pearl Street and turned onto Maiden Lane. The mutual funds house took up a few floors of an older building, although the interior was done in chrome movie set futurism.

The glass room remained there running their big iron computer. Off to one side was a new server chamber covered in curved, blue plexiglass. Very spaceshipish.

Loretta blended 10% boss and 90% Cub Scout Den Mother, which made her a popular manager among the guys. She called in her lead analyst and chief programmer, Richard and Robert. The latter radiated lethal hostility.

“Leigh’s here to shoot that bug that’s killing us.”

“We don’t need help,” Robert said. “He’ll just waste our time.”

Loretta said evenly, “You’ve had months and it’s still not identified. Please give Leigh all the help he needs. He’ll likely work after hours to have the computer to himself.”

After Loretta departed, Robert said, “I know who you are. You used to be hot shit.”

“I’ve never heard it put so charmingly. Listen, I’m not here to take your job. I’m not here to threaten you. I’d like to get the job done and move on. Show me what’s going on.”

As predicted, the program started and died with an out-of-address exception– the program was trying to access memory that wasn’t there.

I asked for listings and a ‘dump’, formerly called a core dump, a snapshot of memory when the system died. The address of the failing instruction allowed me to identify the location of the link map, an org chart of routines that made up the program. Sure enough, the instruction was trying to reference a location out of bounds of its memory.

I took the program source listing home with me and spent a couple of days studying it. It was ghastly, a compilation of everything wrong with bad programming and especially in C. It contained few meaningful variable names and relied on tricks found in the back of magazines. Once in a while I’d see variables like Principle or Interest, but for the most part, the program was labeled with terse IDs such as LB, X1 and X2. This was going to take a while.

The company had no documentation other than a few layouts from the analyst. When I called in to ask a question, Robert stiff-armed me. I arranged my first slot for Friday evening with time over the weekend.

I began with small cleanup and immediately hit snags. I’d noticed a widely separated pair of instructions that read something like:

hash_cnt = sizeOf(Clientable);
      :
cust_cnt = abs(hash_cnt);

Wait. What was the point of the absolute value? C’s sizeof() returned the number of items in an array. It should never be negative. You could have five apples on a shelf or none, but you couldn’t have minus five.

As part of the cleanup, I commented out (disabled) the superfluous absolute value function. Robert dropped down as I compiled and prepared to test. I typed RUN and the program blew up. What the hell? Robert appeared to sneer, looking all too pleased.

He said, “That section was written by that old guy, John. We fired him because didn’t know crap, so no surprise it’s hosed up.”

I knew who he was talking about, a short, pudgy bear in his late 40s with Einstein hair. I’d never been introduced, but I’d heard him on a conference panel. John was no dummy, no matter what Robert said.

Robert smugly departed. I stepped through the instructions, one by one, studying the gestalt, the large and small. My head-smack arrived on Sunday. Curious why sizeof() would return a negative value, I traced how hash_cnt was used. As I stepped through the instructions, I saw it descend into a function called MFburnish().

I couldn’t find source code for MFburnish(). No one could. Without source, it would be very difficult to determine what happened inside it.

I went back to the variable Clientable passed to sizeof(). The array was loaded from a file, Clientable. Both consisted of binary customer numbers. I spotted something odd.

C is peculiar in that it uses null (binary zero) to mark the end of arrays and ordinary file streams. This file had two nulls, one about the seven-eights mark and another at the absolute end.

At first, I thought the file had shrunk and the marker moved down while remaining in the same space. But when I looked at the file, it had the same defect… or feature.

As some point, I looked at the link map to check upon another routine and for the first time noticed what I should have spotted earlier. There amid C Library functions of isalpha(), isdigit(), islower(), isupper(); was sizeOf().

Double head-smack. First, C’s authors claim sizeof() is a unary operator like +n and -n. To me, sizeof() looks and acts like a function and nothing like a unary operator. But by their definition, it shouldn’t show up in a link map with real functions. On closer inspection, the program read not sizeof() but sizeOf(). Another annoyance of C is that it’s case sensitive, meaning sizeof and sizeOf and SizeOf and even SIZEOF are not the same thing. This kind of nonsense wouldn’t have been possible with their old Cobol system.

The deception seemed awfully abstruse, even by C standards.

The Clientable contained account numbers of a sizeable fraction of clients. Why some customers and not others would take me a while to discover. Unlike sizeof(), the ginned-up sizeOf() showed the actual record position within the full file expressed as a negative number, hence the abs() function.

Someone had written deliberately misleading code. But why?

Money, of course. Moving backwards, I began to look at the code with a different eye. And there it was… not merely the expected interest calculation, but the conversion from binary to decimal, another Cobol to C difference. I suspected one of the company’s programmers had pulled off the oldest thefts in computerdom– siphoning off money by shaving points when rounding numbers.

This wasn't the problem Loretta had asked me to solve. Robert had directed me to the wrong program, which turned out to be a stroke of luck. Loretta had invited me to track down a program bug, but I suspected I had unearthed traces of virtual villainy.

Next week: The Confrontation

Following are Cobol versus C notes for the technical minded. Feel free to skip to next week.