``Do you know where I can find the ANSI standards documents?'' I asked.
``Antsy?''
``ANSI,'' I repeated.
I was in the Chicago Public Library, talking to the librarian at the reference desk.
``And C?''
I spelled the acronym for the librarian and explained that it stood for American National Standards Institute.
The librarian said she had no idea where to look for such things, but said that I could try ``LRE.'' It was my turn to be confused.
``LRE?'' I asked. I am familiar with LUIS and a couple of other online catalogs but not LRE. ``I don't know LRE. Where is it?'' I asked.
She looked at me sideways and frowned disapprovingly. She hesitated slightly and then asked, ``You've seen him then? He's probably in his office.''
Huh? ``I'm sorry. Uh... no, I haven't seen him. Umm, what did you say his name is?''
``Ellary,'' she said, and then she spelled it for me. I apologized again and explained my misunderstanding. She did not appear to be entirely convinced of my sincerity but smiled anyway before showing me to Ellary's office.
After I saw Ellary I began to understand why the librarian mistook my reference to Ellary as an ``it'' to be an insult rather than a misunderstanding. Ellary was about 6'5'' tall, and probably the skinniest man I ever met. He wore dirty blue-jeans that would have been snug on anybody else but were baggy on his pencil-like appendages. He had stains from what appeared to be motor oil on the thighs of his pants. One kneecap was badly worn and the other had a hole. He wore a plaid flannel shirt, despite the hot July temperature. By far the most striking thing about him was his face and hair. His eyes were large and bug-eyed. They had a wild look to them, as if he'd been slamming down coffee for the better part of the day. His face was extremely pale. It was hard to decide if he looked like a ghost or more like a person who had just seen a ghost. His hair was dark brown and tied into a long pony-tail --- most of it at least; there were several loose strands of hair that had not cooperated, and these hung over his forehead and cheeks. The librarian introduced me and left us. I explained what it was I wanted, being careful to spell out ANSI this time.
He seemed to know what I was talking about and was muttering the words `ANSI' and `NIST' under his breath as he walked out of the office with me in tow. He walked across the room to a tall narrow table that stood at the end of one of the book shelves. On it was a large over-sized book that must have been about a foot and a half thick. It was some sort of reference or catalog. Ellary flipped through the pages, hovering over the volume and reading the words with his eyes only a few inches away from the pages. His hands were unusually large and his fingers unusually long. He used his right index finger as a guide as he scanned the pages, all the while muttering under his breath. Suddenly he straightened up and looked at me (or did he look through me?) and asked, ``ANSI is different from National Bureau of Standards, right?''
``Yeah. I think National Bureau of Standards is the old name for NIST,'' I offered.
``Hmmm, yes.'' He went back to thumbing through the book. I heard him muttering. ``NIST... National Institute of Standards.''
He paused and turned to me again. This time he didn't bother straightening up, but instead turned his head and looked up from his bent position over the book. ``Some ANSI standards also have ISO numbers. I've got the ISO index here. Is that good enough?''
``I don't think so,'' I replied. I wasn't sure if X9.17 had an ISO equivalent or not.
``Got all of ISO,'' he muttered petulantly as he went back to work. ``Got ISO on micro-fiche... Got ISO on CD-ROM... You want X9 you say?''
I nodded.
``Says here that X9 is also published by ABA, does that sound like what you want?''
``Yes, that's the one.'' ABA stood for the American Bankers Association.
Ellary announced that they had X9.3, X9.9, X9.17, X9.24, and X9.26, but that they were missing X9.2 and X9.32. He added that X3.92 was listed along with the X9 documents and asked if I wanted that one too. I answered that I would look at all the ones they had. He turned and headed back across the room, beckoning me to follow him. We went back into a private room with row upon row of shelves filled with brown cardboard magazine boxes. They appeared to contain unusual conference proceedings and standards documents. Ellary walked right into the middle of the shelves and had no trouble locating the box containing the X9 documents. He pulled the box off the shelf and put it in my arms. He hesitated before letting go of the box and explained that I couldn't take them out of the library. Again, he seemed to stare right through me as he spoke. He had an almost haunted look in his eyes. I had no intention of taking the documents with me (I'd brought more than one roll of quarters for the copy machine) but if I did have any inclination to take the documents, Ellary's haunted stare would have chased away any such thoughts. I thanked Ellary and carried the box to a reading table in the main room of the library.
I approached the nearest table, where a young Asian woman was already sitting on the far end of the table. It was a large enough table that I did not feel I was imposing by using the other end, and set the box down with a thud. I felt as if I was unwrapping a Christmas present as I took out the documents one by one and set them on the table in front of me. The woman at the other end of the table did not look up from her work. She was taking notes on a yellow pad of paper as she slowly flipped the pages of a thick, brown, somewhat tattered, book.
I started with X3.92. It is the DES standard, entitled, American National Standard for Information Systems -- Data Encryption Algorithm. I had come to the library in search of clues to the money mill forgeries. While it is true that the millwright may have discovered a flaw in DES, the far more likely explanation was a flaw in one of the EFT protocols. Cracking DES would be a serious breakthrough in cryptanalysis. DES has enjoyed great popularity over the last twenty years. It has been incorporated into numerous products and has been applied to a large number of wide-spread applications. Every cryptanalyst in the world has studied DES. It is hard to imagine a flaw that could have escaped all of this scrutiny. Protocols, on the other hand, are far less general. They are closely tied to the application and the trust model. For this reason, the set of cryptanalysts interested in any particular protocol is a much smaller group of people than those interested in DES. Protocols have a much narrower audience than do cryptographic functions and algorithms.
I decided not to bother copying X3.92 and instead turned to the X9 documents. The X9 family of standards is used for all American banking applications. Because all banks in the country follow these standards for all inter-bank financial services, interoperability is ensured between cryptographic equipment and facilities.
X9.9 is entitled Financial Institution Message Authentication (Wholesale). It describes the algorithm used to compute the MAC's. It confirmed what I already knew: the MAC's are based on DES. I copied that one, using four of my quarters.
In among the X9 documents was a NIST document. Numbered FIPS-171, it was entitled Key Management Using ANSI X9.17. It was dated 1992. Apparently NIST recommended that ANSI X9.17 be used for all government applications. FIPS-171 listed various guidelines for how X9.17 should be used for government applications. I put this one aside to be photocopied later and looked through the other documents for X9.17.
Financial Institution Key Management (Wholesale) (aka X9.17) covers the distribution of cryptographic keys used to calculate EFT MAC's. It covers both the manual and automated management of keying material. It is designed to prevent unauthorized disclosure, modification, or substitution of keys. For those situations where loss of integrity is suspected, the standard includes provisions to regain security.
In the foreword to the document it states that while the protocol specified in X9.17 is designed to protect the security and integrity of keys, it in no way guarantees that a particular implementation of the standard is secure.
I glanced up and met the eyes of the woman down the table. She smiled briefly before quickly tilting her head down and flipping a page of the book before her. She had not been watching me; only staring pensively in my general direction. She reached down at her side and lifted a briefcase up onto the table. She wore a yellow pant-suit with a white blouse underneath. Her hair was shoulder length and permed.
I wondered when Lisa would be getting off work. She had hinted that her newest enhancements to the filtering program might put us over the threshold and begin to uncover some promising leads.
Many quarters later and after several trips to the copy machine, I was interrupted by a rumbling of my stomach reminding me that I had not eaten since breakfast. It was now 2:00. I began to collect my things and prepare to leave. The woman at the end of the table was packing her belongings as well. I followed her toward the check-out desk.
The librarian smiled as she took back the documents and said, ``Thank you Sir. Will that be all?''
``Yes, thank you.''
``Have a nice day.''
I smiled and turned for the door. I briefly held the door for the lady with the briefcase. She nodded her head sweetly as she stepped through ahead of me into the glare of the early afternoon sun.
``Nice day,'' she said.
``Very,'' I replied.
And it was too. The late afternoon sun was bright and warm without being uncomfortably so. There was a strong breeze. As I headed down the street in the opposite direction as the woman from the library, a small piece of paper rode on the breeze before me. It hopped and skipped down the sidewalk. I watched the small impromptu kite flitter and flutter as I followed it. We were both headed toward the bus-stop, the kite and I. The wind was sufficient to carry the paper at the same pace as my own gait, although my rate of progress was much more steady than that of the paper, which danced in fits and spurts, until it eventually became entangled in a wrought-iron fence. Here it stayed, a loose corner continuing to flap in the breeze.
I reached the bus-stop and did not have to wait long before catching the bus back to my apartment. Once there I saw the sorry contents of my refrigerator and decided to go out for food. I left the X9 documents on the table next to the Pentiums in the bedroom, lending even more height to a dangerously tall stack of papers there, and walked back out the door. I was on my way to the fast-food restaurant around the corner. I had not gone far when a dark green car sped past me and then suddenly swerved into a parking spot along the curb about four car-lengths in front of me. No sooner did the car come to a full stop than did all four doors open and four men in dark suits step out. They immediately turned back and walked in my direction, fanning out as they did so.
Uh oh.
I stopped walking. I looked behind me. There were four more men in suits and dark glasses approaching from that direction. There was no doubt in my mind what was happening, especially when I saw another two men crossing the street in my direction. With the four from the car and the four behind me, that made ten all together. And nowhere to run.
The first set of four were upon me. The one closest to the curb grabbed my left arm just above the elbow. Another circled around behind me and put both of his hands on my shoulders. Still another was now saying, ``Carl Raymond?'' It was a statement not a question.
``We are with the FBI,'' he said, stating the obvious. One of the men that had approached from behind patted me from head to foot, searching for weapons. The other one was still speaking as he held a piece of paper up between us. ``We have a warrant for your arrest. Please come with us.''
Hands on my arms, shoulders, and now on my shirt front, assisted me as I was whisked into the green car. The engine was still running and one of the agents wasted no time in putting the car in gear and pulling away from the curb. There were four of us in the car; one of the four agents that had stepped out of the car must have found a different ride. As we pulled away from the curb and merged with traffic, the agent sitting in the back with me quickly recited my Miranda rights. After that nobody said anything; we rode in silence. The silence dragged on long enough that it became quite noticeable and awkward. I didn't know what to say so I stayed quiet. In fact, I hadn't spoken a single word yet. I decided this was prudent; let them explain the charges and their intentions first.
We pulled up in front of a glass office building, the kind with color-tinted mirrored glass. The glass on this building was tinted rust-brown. The driver turned onto a garage ramp leading under the building. He brought the car to a halt before we had gone very far into the garage, stopping directly in front of a large steel door. There were two other agents standing there waiting for us. One of the two reached out and opened my car-door. He grabbed my wrist and pulled me out of the car without saying anything. The other three occupants immediately got out of the car as well. Together, the six of us went through the steel door and down a long brightly lit corridor. There were very few door-ways along the hallway and it seemed longer than I would have expected from the exterior view of the building. Eventually we reached an elevator, which opened instantly upon being summoned. Only five of us entered the elevator, one of the agents remained behind in the hallway (whether he was one of the ones from the car-ride or one of the new ones, I do not know).
After exiting the elevator I was led to a small room with only a small table and five straight-back wooden chairs for furniture. Perhaps the room was ten feet square; perhaps smaller. A single panel of fluorescent lights illuminated the room in stark, white light. I was told to sit in one of the chairs. As I did so, the tallest of the four agents dragged one of the chairs over to the wall, near the door. He turned the chair around so that it faced the wall and sat down facing me, leaning against the back of the chair with his arms folded across the top, his legs spread wide. He leaned forward slightly so the front legs of the chair lifted off the floor behind him. He still had not taken off his sunglasses. His short blonde hair and fair complexion stood out in sharp contrast to the dark glasses. The other three agents pulled the remaining three chairs over to the opposite side of the table from where I sat. For the next four hours the three agents at the table fired questions at me. I answered as best I could, not holding anything back. I had already decided during the car ride that I would cooperate fully and tell them everything I knew. I was in big trouble and now was not the time to play games. I kept reminding myself that I had not actually stolen any money, nor had I ever planned to do so. Meanwhile, there seemed to be no shortage of other people who had indeed stolen money. Somebody altered the amounts of Lisa's EFT's. Somebody was accountable for the delay scams practiced by banks world-wide. Somebody would have to take the fall for these crimes. In a situation such as this, my best bet seemed to be to help the FBI find some of the real criminals and thereby ingratiate myself to them and clear my own name. Otherwise, I feared, I might end up the scape-goat.
Most of the questions came from the biggest of the three agents. A burly black man with a shaved head, he wore a black suit and a white shirt, like the other three. Unlike the other three, his suit looked as if it would split at the seams, especially at his biceps. The bulging muscles in his upper arms ballooned against the fabric of his coat.
The questioning was somewhat hostile, but nobody threatened physical violence. They remained on their side of the table throughout. The blonde-haired agent with the sunglasses never did get out of his chair. Nor did he ask any questions. He simply sat, chewing gum with his chin resting on his arms, which were in turn resting on the chair-back, and he listened.
Did I have an account with First Chicago, they asked. No. Did I have an account with Bendix? No. What was my association with Jeff Newstrom? Never heard of him. Had I traveled outside the country in the last two years? Nope. Had I traveled outside Chicago in the last three months? Yes. Where?
The questions were delivered in rapid succession, one atop another. My answers were terse, but this did not bother them. Perhaps they preferred it that way. There were no breaks; whenever the large overpowering agent in the center seemed to run out of questions, one or the other of the two agents flanking him chimed in with questions of their own. They never skipped a beat; never gave me time to reflect. After a couple of questions from one of the flanking agents, the leader in the middle would resume the questioning, having recharged his batteries and replenished his arsenal. The questions were not all entirely new; they were occasionally repeated, worded slightly differently with each asking.
The agent sitting to the right, when he spoke at all, tended to ask the easy questions, sticking to simple facts about my background. He was a tall black man with short hair and a handsome face. He was not intimidating like the other agents. When was I born, he asked. Where? Where had I gone to school? When did I graduate?
When the questions eventually turned to the funds transfers between First Chicago and Bendix, my answers were no longer brief. I was careful to explain my involvement fully, making sure that there was no confusion over the limited nature of my role. I explained that I hadn't actually altered any messages. I had not forged any message authentication codes.
Unfortunately, they did not draw the same distinction I did between replaying messages and inserting false messages. Both were interfering with electronic banking transmissions, a federal offense. Furthermore, they reminded me that I had a history of tinkering with banking protocols, including the early check bouncing incidents, and suggested that forged messages fit my pattern perfectly. I remained steadfast in my position: I did not deny that I had engaged in some illegal activity, but I had not stolen, nor did I ever intend to steal, any money from any individual or institution.
Thwapp!
I stiffened in my chair, startled. It was the agent sitting on the left that had slammed his palm onto the table and leaped from his chair. He was a young man with very short blonde hair, a square jaw, and a lightweight but athletic build. He walked across the room and stood facing the bare white wall with his back to me. Then, abruptly, he spun around and strode over to where I sat.
``Listen,'' he hissed, ``all of you hackers are the same. You think that every computer is your playground, every phone message your toy. You think that every bank and company is your opponent in some high-tech game of wits. You all claim that you aren't criminals because there are no victims to your crimes.
``What about the hard-working employees at those companies? The ones who have to clean up after the mess you leave in your wake? Huh? They have to work overtime to reproduce the data you destroy.
``What about the talented programmers that can't produce challenging and innovative programs because no company will pay a salary for software that will be pirated, driving the market value down to zero.''
``I'm not a hacker,'' I said sullenly.
``No?'' he cried, his voice rising an octave. ``What do you call yourself then? A security analyst?'' he sneered. ``Let me guess, you probably think you are doing the banks a big favor by pointing out weaknesses in the system. Well I got news for you buddy, if the banks wanted that service they would hire you. But you can't get a job can you? Huh?''
He turned away in disgust. ``Geek,'' he muttered. Then, suddenly he was back upon me. ``Who are you working for right now?''
This was getting personal and insulting. I remained silent. He was leaning over me now, his face only a few feet from mine. The veins at his temples were bulging visibly, as were those running down the sides of his neck. His chin jutted outward. Every muscle in his svelte frame was taut. He reached out and grabbed my wrist, pulling my arm so that I faced him squarely.
``The bureau has years of experience prosecuting organized crime for protection rackets. I can recognize a protection racket when I see one,'' he hissed.
``I'm not running a protection racket,'' I said quietly.
The agent stood up straight. He cracked the knuckles in his hands but said nothing immediately. Nobody moved; the room was silent. Then, quietly and levelly, he asked, ``do you deny that you illegally falsified EFT messages on July 11th?''
``Yes.''
``Yes?!'' he shot back shrilly, having lost all of the self-control he had regained just moments before. ``Earlier you confessed to recording and replaying EFT's. You labeled it as illegal activity yourself!''
``Right,'' I replied quietly, ``I replayed EFT's; I didn't falsify them.''
He looked at me. He looked at the other three agents. He threw up his hands in exasperation. He walked across the room and back. Then...
``On July 11th,'' he began calmly, ``shortly after receiving a bunch of garbled messages, First Chicago received several clean EFT messages. Those messages were purported to be directly from Bendix. Instead you were the one that sent them to First Chicago. Correct?''
``Yes, thereby correcting the communication errors from the garbled transmission.''
He ignored the last part of my response, cutting me off.
``What is your profession? You are a computer security expert. Correct?''
``Yes.''
``You design systems to guard against hacking, correct? Things like false messages.''
I could see where this was going. I didn't answer. He continued anyway.
``So, you falsify EFT messages and you also offer your services as an expert at protecting banks from false EFT messages. Here at the bureau we call that a protection racket. Other people call it blackmail. Call it what you will, it is illegal.''
He turned on his heel, walked back to the table and collapsed into the chair he had vacated earlier.
``The pathetic part of all of this,'' he muttered, ``is that, like every other hacker, you probably honestly believe that what you do is morally justified. It's not. It is against the law, and there are good reasons for having those laws. You, sir, are morally bankrupt.''
The agent sitting to the right resumed the questioning at that point. This agent had done very little talking. This is not to say that he sat still like the blonde haired agent with the sunglasses sitting by the wall. No, the quiet agent sitting at the table spent most of the interrogation tapping his pencil on the table. His hands appeared soft but strong. Indeed, his entire physique was soft but strong. He was not burly like the agent in the center, nor did he have the wiry but hard and tough appearance of the other agents. He held his hyper-active pencil between long fingers. His nervous fidgeting was infectious, putting me on edge. Perhaps that was his intention. He was not intimidating like the other agents. He continued to stay with straight-forward questions about facts. What type of computer did I own, he wanted to know. What long-distance telephone carrier do I use, he asked. What Internet service provider do I use? What is my mother's maiden name?
It was impossible to tell where he was heading with his questions; I simply answered directly and honestly. As I answered these questions I thought about the charges made by the excitable agent on the left.
Was I committing a form of extortion? Even if that was not my intent, I would benefit by a heightened awareness of security concerns, would I not? And by tinkering with EFT traffic I was bound to interfere in ways that would not go entirely unnoticed. So, indirectly I was drumming up business. And, there was no denying that my tinkering was illegal, even if it wasn't outright theft. Wire-tapping is against the law. My mind was too groggy to allow myself to start questioning my own motives. I did not trust myself to be able to parry the self-doubt that began to well up inside of me.
After four hours of answering questions with no breaks, not for water and not to visit the restroom, I was exhausted. It is good that I had decided early to tell the truth and hold nothing back; toward the end of the interrogation I had little memory of the questions that came earlier. It would have been easy to catch me in an inconsistency now.
Then, quite abruptly, the four men trooped out of the room, telling me to wait there. A moment later the silent agent with the blonde hair and sunglasses returned with a glass of water. He escorted me to the restroom. We then returned to the interrogation room and he left me there alone.
I was deflated. The experiments that I claimed were part of innocent research activity were undeniably illegal. Now I had to face the possibility that my experiments were morally wrong too because they artificially inflated the symptoms of computer crime. Maybe the FBI agent was right. Maybe I was a hacker. Had I slipped over the line between a security analyst working on behalf of security and a hacker contributing to the hostile environment of electronic data interchange?
Or do intentions count for something? Certainly it had never been my intention to create a security incident and then use that as a selling point to the banks. I continued to contemplate my role in the EFT incident as I sat there alone in that small bare room.
After a time the door opened. I was too exhausted and dejected to look up. I heard them walk in. I saw the multiple pairs of feet as they crossed the room in front of me. There were three pairs of black wing-tip shoes and one pair of white sandals and stockings. I looked up.
Lisa!
What was she doing here? I looked into her eyes, but she only met my gaze with a cold stare. I felt a chill. Did she turn me in?
``This is the man you know as Carl Raymond, correct Ms. Cryer?'' the big man asked.
``Yes,'' she answered. Her voice was strong and assertive, her manner calm and confident.
``Carl has confessed to you that he tampered with EFT transmissions between First Chicago Trust and Bendix of St. Louis on July 11th, correct?''
``Yes,'' she answered once more.
Why was she doing this? Why turn me in? I hadn't done anything to lose her trust. She had been willing to give me a chance to repair the damage. What caused her to change her mind?
``You are certain this is the man?''
``Yes, I am certain,'' she replied levelly. Her manner reinforced her words.
``Thank you Ms. Cryer,'' said the big man. She turned on her heel abruptly and left without even a glance in my direction. I'm not sure what the remaining two agents said next. They were talking but I wasn't listening. Why did she do it? Why? She had been so cold. Was she an undercover agent? No, they had treated her as an outsider. An informant then? Damn her whatever she was!
Had she told them of her own involvement, I wondered bitterly. She had written most of the code for BIF and deep-throat. These were part of an unauthorized investigation. Both BIF and deep-throat processed data that neither Lisa nor I were authorized to see. First Chicago Trust did not know that Rudy Levinski had taken it upon himself to mount his own investigation. Lisa had shown no hesitation in helping Rudy in his effort. She had been so friendly the other day in Rudy's office. The three of us had worked well as a team. Why turn on me now? We were making progress!
I closed my eyes tight and leaned my head back in my arms. In the space of a few hours everything had come unraveled. Now, in all likelihood, I would be imprisoned and Rudy would fare no better. BIF and deep-throat would be confiscated. The FBI, with no understanding of sophisticated computer crimes and cryptology, would bumble the case. The millwright would succeed in pulling off the perfect crime. I would be made the scape-goat for the FBI while Rudy would be forced to take the fall for First Chicago Trust. It would have been better for both Rudy and me if Lisa Cryer had not become involved at all. Had she refused to speak to me on that first day when I buzzed her apartment, I would be no worse off --- and most likely better off --- than I was now. To turn me in at this point was a remarkable display of bad timing.