[Infowarrior] - Wired Profiles SA Jim Christy & comp crime investigatons

Tue Jan 2 23:54:47 EST 2007

CSI: TCP/IP 
Keep your friends close and your enemies closer. Why the Pentagon's toughest
Internet crime fighter likes hanging out with blackhat hackers.
By Robin Mejia
http://www.wired.com/wired/archive/15.01/cybercop_pr.html

LOCATED ON THE LESS FASHIONABLE north end of the Las Vegas strip, the
Riviera Hotel and Casino has seen better days. Even the girls in posters for
the hotel's topless revue could use a makeover. But hey, it's cheap. Which
is why 6,000 hackers have descended upon it for DefCon, billed as the
"largest underground hacking event in the world." So while the hotel is no
doubt happy for the business, it's also – in classic Vegas fashion – hedging
its bet. Employees received a memo warning them to be on the lookout for
people skimming guests' card numbers. Credit card processing has been
suspended in the food court. The Riviera doesn't need the grief.

Yet the Riviera's conference facilities are strangely tranquil. In the
"chill-out room," a bored-looking cashier is selling burgers, chicken
sandwiches, and salads to people too focused or too lazy to walk across the
hotel to the Quizno's. On the wall next to the bar, someone is projecting
usernames and the first few letters of the associated passwords – noobs sent
that info unencrypted over the conference's wireless network. At the front
of the room, a middle-aged man in khaki shorts sits with a small group
having a beer. He's graying, a little thick around the middle. Across the
back of his polo shirt are the words dod cyber crime response team – as in
US Department of Defense.

A big guy with a shaved head walks up. "You're Jim Christy," he says,
smiling. He has a hint of an accent.

Christy smiles back: "What's your handle?"

"Oh, I don't really have a handle."

All hackers have handles. Christy pushes it. "But really," he says, "what's
your handle?"

"Most guys go through that phase for a while, but for me, it was really just
a couple of days. Not enough time for a handle." They're both smiling.
Neither has broken eye contact.

Christy points out a pulsing vein in the guy's neck – suggesting it's a sign
he is lying. The guy calls Christy an old man. He hints that maybe he might
have some small connection to Mossad. As he finally sits down, Christy
passes him a business card.

"You know, sometimes I become aware of botnets running on DOD networks," the
maybe-ex-intelligence agent says. "It would be nice to have someone to
contact." Christy says he'd be happy to oblige.

Bingo: another node in the Jim Christy network. That's why he comes to
DefCon, to extend his already vast informal intelligence web of hackers,
security professionals, and computer geeks. He's also here to pick up tips,
of course. And to try to recruit a few of the blackhats to the side of
justice – or at least to scare them straight. "We're appealing to their
patriotism," he says. "And if that doesn't work, then fear works, too."

Fifteen years ago, Christy founded the Pentagon's first digital forensics
lab. Back then, most cops didn't even bother to seize computers when they
executed a search warrant. Ten years ago, he was the guy they tapped to
explain computer security to senators and the White House. Now Christy has
built his shop into the world's largest center for pulling evidence off
damaged or encrypted hard drives, tracking hackers across networks,
reconstructing terrorists' computers, and training a new generation of law
enforcement. He's the government's original geek with a gun.

JIM CHRISTY was 19 when he joined the military. It was 1971; he was barely
passing his classes at a Baltimore-area junior college and working full time
at a car wash to help support his parents. Christy knew he wouldn't qualify
for a student deferment. He figured that if he had to go in, he'd choose
how. He enlisted in the Air Force.

But Christy didn't end up in Vietnam. He became a computer operator,
eventually landing on the night shift at the Pentagon. He stayed on after
his discharge, and in 1986 he heard the Air Force Office of Special
Investigations was looking for a computer crime investigator. "I read the
job announcement and said, 'Wow, I get to stay with technology and carry a
gun and be a cop – play cops and robbers for real?'" Apparently, his
experience writing Cobol and Fortran algorithms to organize how people paid
for parking at the Pentagon gave him an edge; Christy was hired as the
assistant chief of the 16-person unit.

About the same time, Cliff Stoll, a UC Berkeley astronomer turned computer
security guru, found hackers on his network. In The Cuckoo's Egg, Stoll's
now-classic account of the story, he says that local police had no idea what
he was talking about, and the FBI dismissed it as small-potatoes fraud. They
told him to call back when he'd lost half a million dollars.

Stoll finally found Christy. Though Stoll's hackers had accessed only
unclassified military computers, Christy thought it was espionage. "I
realized the guy was searching for 'SDI,' which was the old Star Wars
Strategic Defense Initiative, or 'nuclear,' or 'chemical,' or 'biological,'"
Christy says.

Stoll turned out to be a good teacher, full of tricks for tracking bad guys
online. Together with a like-minded FBI agent, the pair traced the hackers
back to West Germany. They sent police there to pick up five men, in their
late teens to early twenties, selling US military documents to the KGB. The
bust made his reputation. As DefCon founder Jeff Moss (handle: the Dark
Tangent) tells it, in the late '80s and early '90s there were only three
people hackers worried about. Christy was one of them. "It was like, be
fearful, there's Jim Christy. Holy crap, stay out of his way."

As computers and networks became common, Christy's caseload grew. In 1991, a
murder suspect on an Air Force base chopped up two floppy disks.
Investigators found 23 pieces, which Christy took to forensic specialists in
law enforcement and intelligence. They said they couldn't help. Eventually,
he and a deputy put the fragments together with tape and a magnifying glass;
he recovered about 95 percent of the data, practically handing the military
prosecutor a conviction. (Will he reveal who said it couldn't be done? "No
way," Christy says. "I have to work with those agencies.") That same year,
Christy founded his digital forensics lab, which was really just him and
another guy reading confiscated hard drives with scavenged equipment at
Bolling Air Force Base in DC. But the Pentagon started to see their value,
and in 1998, Christy's lab was moved from the Air Force to the Department of
Defense.

The team became known for recovering ungettable evidence. Once, the Naval
Safety Center sent them a mass of unspooled black recording tape, the
remains of a flight data recorder destroyed in a collision of two F‑18s. One
of the pilots had died in the crash, and the Navy thought the blame lay with
the surviving pilot. Christy's group cleaned the firefighting foam off the
tape, reconstructed and respooled it, and salvaged most of the data. The
safety board used it to determine that the dead pilot was actually at fault.

In another case, the wife of an airman thought her husband was trying to
kill her. Office of Special Investigations agents taped her confronting him
over the phone. When the suspect got wind of the recording, he set fire to
the office where the tape was stored. The team found the charred and melted
remains of the cartridge, but they realized that the tape was wound so
tightly inside that only its edges were burned. Christy's team recovered the
audio and the Air Force charged and convicted the airman with conspiracy to
commit murder – and arson.

Meanwhile, Christy was putting in time on Capitol Hill. He'd get up early,
do a few hours at the lab, then go coordinate cybersecurity hearings for the
Senate or work on the President's Task Force on Infrastructure Protection.
"We'd send him to see a senator," says Dan Gelber, a Florida state
representative and former staff director for the US Senate Investigations
subcommittee. "He'd go in there and explain not only how the Internet
worked, but how it was breached." Other staffers started calling Gelber to
find Christy – their bosses wanted his briefings. "They finally had someone
explain to them what happened on a computer and why it was important."

That's when Christy started hanging out with hackers. His superiors didn't
quite understand why he was going to DefCon; why not just send undercover
agents? But Christy knew that if he talked to hackers, hackers would talk to
him. One former blackhat says that meeting Christy and his fellow government
operatives at DefCon over the years convinced him to switch sides. "When you
realize that all the hackers in other countries, especially China, are
ganging up on America, it doesn't take a rocket scientist to decide what
side you want to be on," he says. After a couple of years working undercover
"with, not for" various agencies with three-letter initialisms, he enlisted
in the Army. He plans to try for Special Forces and hopes to get a job in
law enforcement when he's done.

THE DEFENSE Cyber Crime Center, or DC3, occupies a low unmarked brick
building just off Highway 295, the Baltimore-Washington Parkway. Christy now
heads its research lab, the Defense Cyber Crime Institute, on the top floor.
It's tasked with ensuring that the tools and technologies used by the guys
downstairs actually perform as advertised, a process called validation.
Digital forensics is still a relatively young field; most of the
applications Christy used in the 1980s were written by two really smart IRS
agents at home in their off hours. "We'd say, 'We need stuff that does X,'
and they'd go develop it," Christy says. But these days the institute spends
months evaluating everything – homegrown or not – before deployment. "You
need to make sure that the tool doesn't create evidence," Christy says. One
piece of software reported that a cell phone had sent a text message when it
hadn't – not cool if you're trying to figure out when two suspects were in
contact.

The rest of the team works on problems that commercial software can't yet
handle, like decoding information hidden inside images or audio files. It's
called steganography, and there are more than 100 free tools that can do it.
The trouble is, pedophile rings are increasingly relying on steganography to
hide child pornography. And while some commercial software can sniff out a
steganographically concealed file, it can't decrypt it. Christy's institute
is working on software that can reveal the contents of a steg file. "It
could be like a virus scan," Christy says.

But even with 38 staffers, Christy has more problems than time. So this
summer, he decided to get outside help. At DefCon, Christy announced the DC3
Forensics Challenge: 12 problems covering everything from recognizing faked
images to cracking passwords – Christy had answers to only 10. Whoever
solved the most first (or best) would win a free trip to Christy's annual
DOD Cyber Crime Conference. More than 130 teams signed up.

Of course, Christy will never keep pace with every tool the bad guys – or
the good guys, for that matter – can come up with. "One of the big things
we're struggling with is gonna be Vista and BitLocker," he says. Microsoft's
BitLocker Drive Encryption locks down an entire hard drive if the startup
information is changed or a particular chip is removed. Microsoft has
pledged never to create a BitLocker backdoor, and Christy worries about what
that means for his team. "Right now, a dead box comes to us, and with the
tools we have, we can exploit it," he says. "With Vista, we're gonna get
dead boxes and they're gonna stay dead."

Maybe it's a good problem for next year's Forensics Challenge. Or maybe he
won't have to wait that long for help. The contest has introduced Christy to
universities and research groups across the country that, before last
August, had no idea DC3 existed. Now many want to be his partner.

AT 7 O'CLOCK on the opening night of DefCon, Christy and 10 other
middle-aged, casually dressed white guys settle into their seats at the
front of the Riviera's grand ballroom. Most have the short hair and perfect
posture that come from long stints in the military or law enforcement.
They're all old friends of Christy's. One is an assistant secretary of
defense, another is ex-NSA. The title of the panel is Meet the Fed, an
oddity at a conference where the badges have no names on them and
registration is cash-only to preclude the creation of an attendee roster.

In fact, any registered conference attendee who outs an undercover agent
gets a T-shirt that reads i spotted the fed. So Christy decides to have some
fun. "We're gonna play a little game here," he says. "It's gonna be called
'Spot the Lamer.'" He sends two of his programmers out into the room to pick
six candidates.

The unlucky six line up, and panel members start in with questions. "Number
two, have you ever participated in a Star Trek marathon?"

"No sir, I'm a Star Wars fan."

"Number four, have you compiled your kernel yet today?"

He did it yesterday.

"Number three, have you ever been caught playing with a 3-inch floppy?"

It's hard to hear the answer over the laughter.

The winner, by audience acclaim, turns out to be number three, who
apparently speaks fluent hexadecimal.

Christy wraps things up with a pitch. "It's a lot harder to defend a network
than it is to break into one," he says. "And we could use a lot of talented
people. So if you haven't crossed that line yet, don't. Come to work for
us."

The hackers start to ask questions of their own. One guy says he's in a band
called Preteen Porn Star, and he wants to know what to do with the creepy
inquiries that come in through its Web site. Others want to talk about the
government's support of open source. But the paycheck Christy hinted at is
what really gets their attention.

"So," says an attendee in de rigueur black, "a few youthful indiscretions –
will they disqualify you from jobs at a federal agency?"

"Not forever," Christy says. "But if you were doing it last week, you'd
probably be ineligible."

A long line of fans trails Christy out the door, hackers and script kiddies
queued up to ask advice and hand over tidbits of information. One tells
Christy about a way he's discovered to strip information off of RFID chips.
Another wants a business card so he can email about future employment.

So does Christy have undercover informants at DefCon? He shrugs. Of course.
Then why go himself? "We not only find out what's happening," he says, "we
find out who's doing it."

Even better, a few months after the conference, he got a call from one of
the organizers, a fixture in the hacker community. The guy wanted advice on
how to get a job doing digital forensics. Another node in the Jim Christy
network.

Robin Mejia (mejia at nasw.org) wrote about computer surveillance and the movie
Enemy of the State in issue 14.06.