Monday, March 14, 2016

Week 2 - No Good Deed

Michael Salsbury
As I entered the room, bright lights hit me.  It took a few seconds for my eyes to adjust.  The local news anchor got up from her chair and stepped toward me, holding out a hand. I took, squeezing gently, and shook it.  She seemed shorter and thinner in person.

"Thank you for agreeing to the interview," she said, reaching into a bag next to her chair for a clipboard and pen.  She held them out to me.  "This is our standard release form.  If you could please sign this?"

I took them from her and scribbled my name where little yellow stickers had been placed, then handed it back to her.  She looked it over quickly, then stuffed it into her bag.

The crew spent a few seconds adjusting the lighting on both of us.  We sat there, half-smiling and half-staring at one another.  As the silence became too awkward, one of the crew gestured to her.  She sat up in her chair and looked at me.

"Mr. Aiken, you've been accused of computer hacking, industrial sabotage, and domestic terrorism. Are those charges accurate?"

I cleared my throat.  "In the sense that those are the charges I'm defending against with my court-appointed counsel, yes.  If you're asking me whether I am a hacker, saboteur, and terrorist, then I would say absolutely not."

Her eyes widened for instant, then returned to normal.  "So you didn't sabotage Renning Industries?"

"No."

"I see," she said, nodding.  "Why don't you tell me the whole story, from the beginning?"

I did.  I explained that Renning hired me as a system administrator, which is just a fancy-sounding name for someone whose job it is to maintain a computer system or group of computer systems. One of my roles was to keep our desktop computers safe by applying security patches to them.  

Security patching is a delicate balance between moving quickly so that the bad guys can't gain a foothold in your company, moving slowly enough that you find problems before they affect too many people, and minimizing the amount of time you spend doing it so that your managers don't get angry with you for spending too much time at it.  In my case, two out of three wasn't bad.

My boss, Frank Wrangler, called me into his office and motioned for me to sit.

"Tom, you know this merger with DanaCorp's putting pressure on all of us.  We all have to focus on getting the systems merged and working.  I can't afford to have you spend so much of your time on the security patches."

I nodded. "I'm doing the best I can," I told him, and I was.  "It doesn't help that the vendors keep giving us patches that break things.  I keep having to stop, figure out how to fix what they've broken, and get going again."

He shook his head.   "No.  I've been talking with the team at DanaCorp.  They assure me that you can turn on automatic updates in all the software we use and cut your effort in half.  That's what I need you to do."

"With all due respect, Frank, that's incredibly risky."

Frank reclined back in his chair and crossed his arms.  "Why?"

"Using automatic updates is like shooting yourself in both feet."

Frank shrugged.  "What you mean?"

"Here are two hypothetical scenarios.  The first one is more likely than the second.  In the first scenario, the company making that application creates a patch that breaks something we use.  Let's say it's the payroll system.  You and I go home tonight, and come in tomorrow morning to find out that the Payroll folks are really mad.  They can't work.  The VP comes down hard on us both.  That's one reason you can't patch everyone at once."

"You said there's a second scenario?"

"Yes.  This time, hackers get into the software company's update server.  They replace the legitimate update with their own software.  This software gives them control over the PC it's installed on.  This time, you and I go home for the night.  This phony update gets installed on all our computers while we sleep.  The next morning, hackers have the run of our entire network.  This time, the VP walks us both out the door and calls all his friends.  Tells them never to hire us."

He took a deep breath.  I knew Frank well enough to realize what he was about to say.

"Tom, here's the deal. If that first scenario happens, we can go back and sue the software company for damages.  So I don't care.  As for the second scenario, has it ever happened?"

"Well, I--"

"Has.. it... EVER... happened?  With any vendor, any software, ever?"

"Not that I know of, but--"

"End of discussion.  You will turn on auto updates immediately.  I'll warn the help desk that we're changing things, and prime the VP just in case."

I looked him in the eye.  "Mark my words.  This is a bad idea."

I knew it was a bad idea.  Just because no one had ever hacked an update server didn't mean it couldn't be done, or that it would never happen.  In fact, these days you're better off assuming that a breach is going to happen and figure out how to contain it than trying to prevent it.  It was such a bad idea, in fact, that I ignored Frank.  I didn't turn on automatic updates.  Instead, I worked overnight from home applying as many updates as I could.  I'd spend my days working on the DanaCorp stuff until it was finished, and my nights working on the patches so Frank wouldn't know.

A few days later, Frank called me into his office.  He turned to his keyboard and called up a tech news site, and turned his screen to face me.  "Have a look."

The headline showed that a faulty update had been deployed by one of our application vendors.  It crippled several large companies, including our biggest competitor.

"I told you this could happen, Frank."

"That's not why you're here."

"Then why?"

"You're here because that didn't happen to us," he said, pointing to the screen. "Care to explain why?"  He sat back in his chair.

"Because I tested that update last night.  I ran a scan on it and it looks like part of one of those state-sponsored attack programs.  I didn't like the look of it.  I sent a copy of it to a friend of mine who works at the NSA, and--"

He leaned forward.  "You ignored me when I told you to turn on auto updates."

"Look what it did for us!  We've got the jump on Dialys Industries.  The company should make a few million more this year."

He nodded.  "It's a great thing for the company.  It's just very bad for you."

I felt a chill come over me, and my stomach started to turn sour.

"Tom, you're fired."

"But--"

He held up a finger.  "No. It's over. I've put up with a lot from you, because you're good at what you do.  This was the last straw.  You didn't listen to me when I gave you explicit instructions. Get out."

"You're making a mistake, Frank."  They were words I would later regret, but they felt right at the time.

I knew Frank well enough to realize he'd made up his mind.  I got up from the chair and stepped out the door to find two security guards waiting for me.  They walked me to the entrance, took my ID badge, my desk keys, and brought me a box of things from my desk which I had to sign for.  I was numb.  Fifteen years with the company lost because I didn't let my manager make a mistake.  As I walked out to my car I wondered, "Why did this happen?  How can doing the right thing get you fired?  When is saving your company from disaster a firing offense?"  Clearly, I needed to think.

Since I had plenty of time, I stopped on the way home to get my daughter from school.  As much as I tried to put on a brave face, she knew me too well.  

"Daddy, why are you here?  You never pick me up from school.  What's wrong?"

I swallowed.  "I lost my job, April."

"Will you get another one?"

I took a deep breath.  "I hope so, honey.  Daddy's getting older.  Some companies don't want to hire older men like me."

"What happens if you can't get one?" 

"Well, you might have to go live with mommy for a while."

"Oh," she said, pushing out her lower lip and looking down at her shoes."

"Tell me about your day.  Did you do anything fun?"

She perked up immediately.  Told me about the macaroni necklace she made, the argument between two of her friends, and the teacher tripping and almost falling on a crayon.  It didn't seem like that long ago that I was in first grade myself.  Things made more sense then.

The rest of our evening was uneventful.  We had dinner, and did the dishes together.  I helped her with her homework, and even read her a bedtime story for a change.  It was the kind of evening a single father lives for.  I tucked her into bed and then crawled into my own.  

The next morning, I turned on the television to learn that Renning had suffered a major cyberattack the previous night.  The reporter interview Frank, who said that they'd analyzed their security logs and had a pretty good idea who was behind the attack, but couldn't say.  At that moment, there was a knock at the door.  I opened it to find police in full riot gear, weapons at the ready.  I raised my hands.

"What's going on?"

One of them saw the television behind me.  "You're under arrest.  For that," he said, pointing at the television.  "You have the right to remain silent.  Anything you say can and will be used against you in a court of law..."  I couldn't believe what I was hearing.

Behind me, I heard a shaky little voice.  "Daddy? What's going on?"

I turned back to her.  "I don't know, honey."  Facing the officer, I asked, "I promise you I don't know what this is about.  Could one of you please get my daughter to school?"

"I'm sorry, Mr. Aiken.  Child Protective Services is taking custody of her.  I'll leave an officer here until they're ready."

"Why?  Never mind. Thank you."

They put my hands behind my back and cuffed my wrists. I was walked out to a truck and told to climb inside.  For the second time in as many days, I asked myself what I'd done to find myself in this situation, and for the second time, I could find no answer.

At the police station, I was informed that I'd been charged with industrial sabotage, wire fraud, conspiracy, and domestic terrorism.  This last charge, they said, was due to the fact that similar attacks were found to have occurred at a number of other large companies overnight.  It was the government's belief that I somehow staged and executed these attacks.  While I could probably have imagined how such a thing occurred, it was beyond my skill to orchestrate something like it.  There's a big difference between understanding how a bomb works and actually building one.  I hired a lawyer, which I knew would probably chew up my retirement savings.  Having no retirement fund would be bad, but going to jail is far worse.

I paused here to see if the reporter was still listening.

"What happened next, Mr. Aiken?"

"A few weeks pass, and my lawyer asks me to do this interview with you while we wait for court to be in session."

"I see.  You know it won't air until your trial is over.  It won't help your defense."

I nodded.

"Thank you, Mr. Aiken," she said, then turned to the crew.  "We're finished here.  Pack it up."

She got up from her chair, put her head next to mine, and whispered her next question.  "Off the record, did you do it?"

I jerked my head back from hers and turned to face her.  "No matter what you may think of me, I'm not a liar.  Was I mad that they fired me?  Sure.  Would I get revenge on them with a stunt like this? No.  I'm a father, Ms. Travis.  I don't want my daughter growing up visiting me in prison."

She seemed to think about that for a moment, then grabbed her purse and left the room.  The crew followed her out.  My lawyer came in and sat down.

"I'm pretty sure I can plea-bargain this down to a year if you plead guilty.  We can probably get you out in six months.  You can have your life back."

I'd had it.  I pointed my finger at him.  "Listen to me carefully.  I did NOT do this.  I will not admit to something I didn't do."

"Now you listen to me.  When you get in that courtroom, no one knows whether you did this or not.  I've seen the evidence the prosecution has.  It's all circumstantial, but if the jury is scared or angry about what happened, it might be enough to make you look guilty."

"Looks or no, I'm telling you I didn't do this.  I wouldn't risk April's future for revenge.  I love my daughter more than anything."

He sighed.  "Well, we'll give it our best.  Let's go."

We entered the courtroom and took our positions.  The prosecution presented their evidence.  They showed my performance appraisals for the last few years, showing that I'd disobeyed Frank on occasion but he'd grudgingly noted I'd done the right thing.  They said this showed a history of trouble with authority.  If they treated Frank as an authority on anything, he'd certainly snowed them under.  

Next, they presented network intrusion logs, showing that it was my old PC that first exhibited the infection, then Frank's, then gradually the rest of the company.  Renning claimed that an oversight had left my privileged computer accounts unlocked, and that I must have used those to plant the software.  The software stole their secrets and then trashed their systems to cover its tracks. The logs couldn't tell precisely what had been stolen, only which systems were involved.  

I had to admit, from their point of view it looked pretty damning for me.  I began to consider the very real possibility that I would spend years in prison for something I didn't do.

The court broke for lunch.  As my attorney and I sat discussing our case, a man approached us.

"Mr. Thomas J. Aiken?"

I looked at my lawyer, who nodded, and looked back at the man.

"Yes."

The man handed me an envelope.  "You have been duly served," he told me, and ran off.

"Give me that," my lawyer said, and opened it.  As he scanned the pages, he shook his head.  "That didn't take them long."

"What?"

"Renning is suing you for the cost of cleaning up the mess they claimed you caused.  They're asking the judge for twelve million dollars."

"If we lose this case, we'll probably lose that Renning case, won't we?"

He nodded.  

I put my face in my hands.  My life was turning into a nightmare.  One day, I'm happily applying security patches and playing with my daughter at home.  The next, I'm in jail, unemployed, and being sued for everything I have - and a lot more I don't have.

When it was my turn on the stand, I tried to present the image of the diligent employee, protecting his corporate masters from the bad guys.  I talked about how important it was to set a good example for my daughter, and how much I loved her.  

They brought in my ex-wife, who told them how terrible she thought our marriage had been, and how I'd only won custody of my daughter because her orthopedic surgeon had given her too large a dose of pain medication, and she'd become addicted.  

Frank painted a picture of me that was based on real events, but didn't make me out to be a very nice person or cooperative employee.  

Other so-called cyber security experts were called.  They weaved a story about how what had happened here resembled some other cases where disgruntled employees had taken down their former employers.  

It wasn't looking good.  I scanned the faces of the jury.  Some tried not to make eye contact. Others seemed to be scowling at me.  

A man in a dark suit, who reminded me of the FBI agents who had interrogated me during my time in jail, approached the prosecutor and then the judge.  The judge called a recess.

"What's going on?"  I asked.

"I don't know, but I'll find out."

I was escorted to a holding cell, where my lawyer arrived a while later.

"That man in the courtroom was an FBI agent.  He said that the NSA has classified this case a matter of national security.  What did you do?"

"I told you before.  Whatever I'm being accused of, I didn't do it."

When the court re-convened, the judge explained the implications of my case's new classification.  He said that new evidence had been brought forward by the NSA.  He would give both sides a chance to examine the evidence, and hoped that they would agree with him to dismiss the case.

As I looked at the document, I couldn't help but smile.

"Why are you smiling?"

"This," I said, pointing to a name on the document.  "This is my long-time friend Milton Black.  We grew up together.  We both went into computer science.  He just went a bit further.  He works for the NSA.  I sent him a sample of the software update I found that looked suspicious.  This report says that the sample contained a bug that gave them insight into how it worked.  It helped them determine that another nation is behind the attack.  They're the ones who destroyed Renning's network, not me."

The prosecutor stood, cleared his throat, and announced that the case would be dropped and that I would receive a formal apology.

I stood next.  "Your honor, I don't wish to appear ungrateful or unappreciative of the prosecution's kind offer, but this gentleman standing next to me would like to be paid.  Considering that the NSA document I'm holding here says that my involvement in all this allowed them to contain the damage that could have occurred, could the government see its way clear to paying my legal bills and have this incident removed from my record?  I might like to get another job one day."

The judge turned toward the prosecutor, who nodded.  "Done.  Now get out of my courtroom."

Renning dropped the civil suit against me.  I'm told this happened after a visit by some men in dark suits.  Funny how the words "national security" make things happen.

Frank, when I last heard any news about him, had lost his job in the "rightsizing" effort that happened in the wake of the DanaCorp merger.  I can't say I felt sorry for him, but I did help him find a job at a dry cleaning shop.  I'll help him find another if he needs it.  I don't want to see him working in an IT department again if I can help it.

As for me, I've started a computer security blog.  It's doing well enough that I'm going to stop working a part-time consulting gig I had with Milton, cleaning up a mess left behind by a certain Mr. Snowden.  That's all I can really tell you.  

I spent a while wondering how all this could have happened to me.  In the end, I decided that the universe must be a self-correcting system, and our good deeds get us out of trouble we don't deserve.


If you've read this story and would like to leave feedback, click here.

About the Author

Michael Salsbury / Author & Editor

In his day job, Michael Salsbury helps administer over 1,800 Windows desktop computers for a Central Ohio non-profit. When he's not working, he's writing, blogging, podcasting, home brewing, or playing "warm furniture" to his two Bengal cats.

0 comments:

Post a Comment