It was a hot and sticky night in town. I was at the office late. I had a new book slapped open across my knee, because a client who always paid on time had asked me to evaluate it. I turned the pages without really noticing what they said. The how-to books don't interest me much. I could write up a report on this one without wasting my time reading every page.
I opened my window and left it open. All I got for the trouble was a hot breeze and a racket from the street way down below, which made me even more restless and itchy. It felt like a night when anything could happen. Nights like that, I try to get home fast, so I can stay out of trouble. It was my own fault that I was still around when the little man in the blue suit showed up.
He knocked on my office door weakly and pushed his way in without waiting for me to answer. I have a knack for attracting this kind of business. I leave my door ajar for guys like this.
He didn't say a word. All he did was slump down in my spare chair. I knew right then that it was a security problem. A serious security problem. I waited for him to start talking. They always start talking when they have security problems. All you need to do is sit. All you need to do is wait, and listen. And soon enough you learn to listen very carefully, and then you bill just as carefully as you listen.
The little man took off his hat and crushed it in his lap. He was stoop-shouldered even when he was in a chair. I made him out to be a small-time system manager in some company that probably paid him a lot of money and expected too much in return. He had that kind of worried look I recognized in the ones who go to work on Wall Street -- but I knew no serious firm would entrust its operations to a guy who looked like this. I had plenty of contacts downtown. I was willing to bet a day's pay that this guy was a nobody, bankrolled by a private outfit that had plenty of cash and gave him new priorities five times a week, then yelled at him for being unproductive.
You had plenty of those operations around town. I made easy money from many of them, because the people in charge were always willing to write out a big check to someone who would come in from outside and second-guess their own tech staff.
When I took these jobs, I liked to drop in and talk things over with the insiders and then, in the end, if the staff seemed solid and the shop was secure, I enjoyed telling the guys in the suits that they ought to start trusting their own people. I never had any use for the slimy types in my business who come in for a day or two and write a lazy report that slams the working stiffs who run the computers.
I set the book aside, out of sight, and swung my feet up onto my desk. I looked the little man up and down. Then I asked him, "How badly were you compromised?" Sometimes the direct approach works best.
His face turned the color of wet newspaper. "Bad," he said. "Bad. The worst. I don't know what I'm supposed to do next. I don't even know where to begin checking." He looked around the office. His face twitched. "Are we alone?"
I looked around the room. "It looks like it." My office is about as empty as an office can get. One desk, two chairs, and a garbage can.
He leaned toward me. "You don't have a tape recorder going, do you?"
I shrugged. "I don't own a tape recorder, Mister."
"I'm just checking," he said. "I try to watch what I say."
"That's good," I said. "Good habit. Helps keep you out of trouble." I pulled out a bag of pistachio nuts from my top desk drawer. "You want one?" I asked him.
"No."
I took a couple of nuts and popped them in my mouth, shells and all. I cracked open the first shell with my teeth and spat the halves into the garbage can. He watched every move I made, so I did it slowly and carefully. You can never tell how the little nervous guys are going to act. I didn't want to scare him off. I had a feeling that there might be a payoff for me if I played things right. I said, "So, tell me what happened."
"I don't know where to begin."
"Try the part where it starts, and work your way through to the point right before you decided to walk through that door over there."
He let out a deep breath, which did nothing to raise the color of his face, and he crushed the hat even more, and then he said, "My whole system is shot. From what I can tell, they broke into everything, at every level. All my machines are tied together. If these guys had enough access, nothing is protected."
"Did they do any damage?"
"Why don't you start with my reputation? It's ruined."
"I never saw you before, Mac, so as far as I know, you don't have a reputation. Tell me what happened. Give me the details. I draw my own conclusions."
"They used my systems to break into other computers."
I spat another shell in the garbage. "That happens all the time. Call the people who run those systems," I said. "Let them know they have a problem. Who's involved at the other end?"
He paused, then named a particular government agency that was as tough as government agencies get.
I raised my eyebrows at that, and let out a slow whistle, strictly for effect. I said, "The guy who cracked your system got into that system?"
"They're going crazy about it. Right after I left my office, two agents showed up with, uh, paperwork, looking for me."
"Says who?"
"The girl who covers my phones." He got a little color in his face. "We're engaged."
Too bad for him. "What did she tell them?"
"She said I was out to get help."
"Did she say where you were going?"
"No."
"Good," I said. "That buys us some time. I don't want those guys in my office. But you can be sure they have a tap on your line. They'll know where you are."
His chest puffed up a little. "They won't hear a word. We scramble our calls."
I raised a single eyebrow and spat out another shell. "I don't want to alarm you or anything," I said, "but those guys unscramble phone calls for fun. There's not much you can hide from them. I know that for a fact."
His chest deflated.
"What else did the crackers do to you?"
"They wired a lot of money out of our accounts. Our financial guy is locked in his office right now trying to figure out the losses."
"You can kiss that money goodbye." His eyes bugged out. There must have been a lot of company assets at risk.
"We have the fraud laws on our side."
"Prove it."
"The logs. There must be something on my system --"
"First thing they do is get rid of any traces. These are not stupid people." I gazed at him. "You'd better get your head screwed on straight."
He gulped. "There was one more thing."
"And that was?"
"They sent some mail," he said. "They got into my account and sent the mail as me."
"Where to?"
"Washington."
"Who?"
"A -- a couple of people."
"Like who?"
He stared at the floor. "The -- they -- they sent it to -- uh . . ."
"Let me guess," I said. "Sixteen-hundred Pennsylvania Avenue?
He nodded grimly. "They made certain threats."
"Oh," I said. This system-cracker was sadistic, if my hunch was accurate.
"There were certain words used," he said.
I didn't need to ask, but I asked anyway. I wanted to see if he squirmed. He did. "Threatening words?"
His eyes bugged out even more as he nodded.
"Very bad threats?"
He nodded again.
"And he used your personal account to do this?"
Another nod.
"Did he send these lovely messages to anyone else?"
"The vice- vi- vi- vice-president."
"And?"
"Their families. All similar threats."
I winced. Whoever was responsible had a real slash-and-burn attitude. They weren't very good, though. Any punk could have done it. I said, "Did they share these thoughts with anybody else?"
"Some members of Congress. And the Secret Service."
I shook my head and laughed at the gall. "You know you're pretty well cooked, right?"
He nodded. "That's what I figured."
I said, "Making threats like that is a felony. You don't have to actually do anything real. Just the threat is a serious crime."
He looked as if he might have an idea. "Hey!" he said. "What about freedom of speech?"
I closed my eyes. I felt like I was reciting from a textbook when I talked to amateurs. "It's not protected when you make threats like that."
"I didn't make them!"
"Like I said before, prove it." I spat the last nutshells into the garbage. "As far as the federal cops know, and from the perspective of your guys in the expensive suits, and even your own system, you are the guilty party. They don't want to know about forged mail. All they want is to find the person making the threats. And take it from there."
His eyes looked like they were going to pop all the way out of the sockets.
"Oh, don't worry," I said. "They'll make your life miserable for a while. They'll probably audit you, come in with legal paperwork. They might even seize your systems."
He relaxed a little.
"But I wouldn't want to be around when your bosses figure out what's going on. That money is gone to Switzerland or some offshore stash. Your people will be lucky if they're still in business next week." I wasn't trying to be cruel, but he was so far gone it was almost a game. "Say," I said genially, "what business are you guys in?"
"Money management and information brokering."
"What the hell is that?"
"Like when you want to get some information we get it for you -- for a price."
"Ah," I said. "So now that you have no financial assets, you're probably going to lose your hardware and software any minute now, and the company's credibility is about to end up in the toilet."
"We've got a damage-control team."
"My friend," I said, "you can put the best liars in the world on the case, but nobody with half a brain cell will trust you with day-old bread after this is over."
"But that's why I came to you! I heard about you in the Omlor case. You -- you tracked down the guy who turned every icon on every computer in that company into a black square. He demanded ransom to fix it, and they say you caught him in an hour."
I shrugged. "I don't talk about my clients."
"What about the feud between the movie agents, when one of them kept faking mail as the other?"
"It wasn't the same. The stakes were different." That case had made the papers, so I didn't mind acknowledging my involvement.
"Everybody I talk to mentions you. They say you know all the angles."
"I know a lot of angles," I told him. "But when you see a tornado heading your way, you don't complain that it wasn't in last night's weather forecast."
He didn't say anything.
"What kind of precautions did you take?" He didn't answer. "Did you pick obscure passwords? Did you check your systems thoroughly before you put them in service? Did you monitor them for suspicious activity? Did you keep safe logs?"
He stared dumbly at me as if I were a talking frog.
"You know how to keep system logs, don't you?"
"I don't have time for all that detail."
"Did you safeguard your system," I said, "so a cracker would trip some kind of alarm if he broke in?"
The expression on his face screamed no at me.
I said, "Did you teach your users to pick good passwords? Did you probe your own systems at least a little, to see if they were weak? Did you pay attention to who was using your system and how they used it?" The guy didn't answer. "Did you think people outside are so much dumber than you are?"
Apparently he did. I watched him seethe.
I said, "People like you try to cut corners and take the easy way out, and figure there will always be someone like me around to fix things up for you."
I'd been in this business a long time. I'd seen more cases than I could remember, and I had the details of every one of them stored in a vault, on disks and tapes I had encrypted with the strongest security software available, but I'd never seen a guy in as hopeless a situation as this little man in the blue suit.
I leaned forward across my desk, with my hands clenched on the desktop, in case he decided to jump me. In my entire professional career, I had waited for the chance to say what I was about to say, but even as I gathered my energy, I saw him shrinking into himself. I dropped my voice as low and husky as it could go, just like in the movies, and I said, menacingly, "You're . . . taking . . . the . . . fall. You know that, don't you?" Then I let myself fall back into my chair.
He seemed to stagger, even though he was still only sitting there, and his eyes bugged out again, and his head tilted forward like a rag doll's, and for a moment I wondered if he had outright died on me. But the veins in his neck were still throbbing, and when I quickly slipped a pocket mirror under his nostrils, I saw that he was breathing, even though he wasn't reacting to me at all.
The breeze blew hard through the window. It riffled the pages of the book I had been reading. It flipped the necktie of the little man in the blue suit, but there was nothing relaxing about the breeze. It was only hot and sticky and hopeless, and I thought of all the advice I had given out about making computer systems secure. These people never wanted to listen, people like the little man and the fools who wrote his paychecks. To them, security was a waste of time. Most of them liked to believe they didn't need the extra protection. It wasn't until they had to clean up after a disaster that they saw my advice differently.
The kind of intrusion my visitor had experienced was a system manager's worst nightmare. The crook could do anything to the systems, and could inflict severe damage to other computers on that network, maybe to computers outside on the Internet. Some of those computers outside belonged to very powerful and humorless people.
I like to remind my clients about the movie called Invasion of the Body Snatchers, where each victim's body is taken over by an alien. I go out of my way to point out that when it all happens online, within computers and networks, it is worse. In the movie, at least, you could see the blank expression on every victim's face. But if people running systems don't bother with safeguards, they usually have no way of knowing if their systems or networks have been infiltrated.
Nearly all of them decide I am a little too paranoid. Most of them, if they heed my advice at all, assure me that my recommendations will be an integral part of Phase Two of the project, which most of them never get around to doing. They pay me and send me away, and that is where my responsibility ends.
Until they come back, pale and sweaty.
I opened my desk drawer to get something strong for us to drink. My visitor looked like a man who needed a drink. I felt like I needed one myself. Then I remembered: I don't drink. I don't even keep a bottle in my desk. I pulled a laptop computer out instead. I thought it might be handy to take notes. Then I put it away again, knowing it would only make things more confusing. A bad system compromise is like that. It rattles everybody it touches, even if it's not your own system that gets hit.
Then I realized, without thinking hard about it, that the situation was impossible, and there was nothing I could do for this little man. The best he could do was turn himself over to the authorities, explain what happened, and learn some new job skills, because only an idiot would keep him on the job, or give him another chance in the same line of work.
My office was hot. I felt the heavy sweat in my shirt, in the small of my back, and above my lip. All we could do was wait, then. If my little visitor had not been tailed on the way from his office to mine, it was only a matter of time before the people looking for him deduced where he was. I have a certain reputation of my own, and people who know their way around this town understand that if it's a late-night security crisis and the key person is missing and the lights in my office windows are on, the chances are good that the missing person is at my desk, pleading for me to do the impossible.
The only difference here was that my little guy in the suit couldn't ask anyone for anything. When I leaned over near him, I thought I heard him muttering, "I shoulda, I shoulda, I shoulda." It made me wonder if he had ever heard me give my little speech on security tactics. They listen to it, a lot of them choose to ignore it, and most of them end up saying "I shoulda" -- in one way or another.
I put my feet back up on the desk and hefted the book back onto my knee. Hell, I figured, I was getting paid to look it over. I might as well put some effort into it. I wiped my face with a handkerchief and checked the clock and picked up at the spot I had been reviewing when I was interrupted. I knew my office would see a little action very soon. Off in the bowels of the building, I was sure I heard the sound of the inevitable elevator as it creaked up to my high floor. And then it would be over quickly, and I would make my way home to some kind of quiet.
The little man said "I shoulda," then he said something I couldn't hear, then he said nothing at all. I heard the sound of the elevator in the corridor. The little man didn't. He sat there sweating, and that's all he did with himself.
I knew I'd be home soon. They'd be taking him away for a long night.
--Tim O'Connor