The privacy book is published, and free for five days. You can get it at Amazon here. Below this is the blurb/description, and I decided to post the text of “Appendix B: Jail!” for you folks too, right after that. I figured it might be the most-fun bit.
Curious about surveillance? Wondering about the security of your computer?
These are just a couple of starting points. The author, with decades of experience in the field, takes us on a journey through the digital landscape. Exhaustively researched, with hundreds of links, it’s nevertheless written in an informal and entertaining style.
Do you know the difference between “a web browser” and “the internet”? That’s about all you’ll need, to start. When you’re done with this book, you’ll know more than most IT (information technology) professionals do about digital security. You’ll be able to analyze the claims made by tech bloggers and those who flog their own products. You’ll know much, much more about the risks to your privacy and anonymity–and why they’re both so important–in today’s fast-moving world.
Then, at the end, the author tells how he once went to jail for trying to help protect thousands of college students (including himself). It’s a chilling reminder of just how easily “spin” can replace substance. And yet, it’s a funny story.
Come on in and give this book a try. You’ll be glad you did. (Full table of contents available both in the Amazon description and here on my site.)
Appendix B: Jail!
Well, this all sounds rather dramatic. I guess it was. Personal story time!
It was not too long before the world went dark, and billions starved, because of the great Y2K crisis.
Oh wait. That didn’t actually happen. Instead, a lot of people billed high hourly rates to fix silly stuff, or say they were fixing it, and a lot of other people generated as much hype and fear as they could—because that helped them sell advertising space or get elected. Kind of the same things those people do now, whenever they can. Still, none of that’s directly relevant to this story. It’s just a weird backdrop to computery activities that were going on at the time.
So there I was, working at USAA. It’s an odd co-op sort of insurance company based in San Antonio, if you haven’t heard of it. It apparently got started when some guys in the military found out they couldn’t get auto insurance from anyone…so they decided to insure each other. A neat idea, in my opinion, but it grew into a monster. When I worked there, there were several thousand other people also working in the building. Big building.
The lowest level I knew about seemed more like an airport than anything else, with people hop-skittering out of the way of electrically powered vehicles carrying material, sometimes consisting of other people and sometimes not, sometimes honking and sometimes not. Nothing worse than a vehicle full of honking material, right? Especially if it dribbles out.
(Sorry. Words are just naturally goofy, though, and I like to take a moment to notice every so often.)
The upper level—there were at least five, but I was never totally sure—had plush carpets, lots of mahogany, and very few people. In fact I walked around up there more than once and never saw a single human. There may have been something truly frightening going on. Hard to say.
In between there were lots of large rooms, filled mostly with cubicles. Or so it seemed to me. Also cafeterias, bathrooms, and the like. Oh, and at least one gym. What does it say about the company, or those who work there, that gym use included free recycled loaner jockstraps? I often wondered about this and other topics.
The military origins of the company meant there were lots of ex-military folks around, especially in upper management, and it was considered completely normal to compare various aspects of the building to the Pentagon several times a day…and to employ terms derived from military use in somewhat surprising (to the uninitiated) contexts. Fun!
I got to my particular position at USAA through what may seem an odd route. I’d just experienced the slow-motion failure of a startup company in Incline Village, which is next to Lake Tahoe. There’d been no good reason to pay that kind of high rent for the company’s offices, but that was the least of the goofy decisions that led to the company’s demise. And, hey, the view had been really nice. So the corporate death spiral didn’t surprise me, but I was a bit surprised to be able to cash my last paycheck (which I did immediately after I got it, at the issuing bank, even though I had to drive all the way to Sacramento to do it…just in case).
I was in the mood for something a bit more stable. I get that way sometimes. I’d just been offered a job working for Microsoft in Reno, where I lived at the time, and that sounded pretty good…but then a recruiter contacted me about the San Antonio thing. I had plenty of family in San Antonio. My grandmother had just died, and I’d missed most of her last few years, and I guess I wanted to be near family. I get that way sometimes too. So I went down there—but it was a contract position, not full-time employment.
As a contractor, I made about fifty percent more money than the employees in similar positions were pulling in. I also got to decide for myself when I ought to take a day off, or a few hours off. Not that I did that a lot (I tend to obsess over projects), but since I didn’t really have a boss at USAA, and the recruiter who’d brought me in wasn’t my boss either—I could just tell everybody what I was doing, and I guess everybody involved generally assumed I’d cleared it with someone. Relaxing, you know? I just did my thing.
But USAA started a drive to convert contractors to employees. This meant, to me, that I could switch to another company (another recruiting/staffing outfit, not USAA itself!) and remain in the same job if I wanted to, because the recruiters were getting desperate as their whores…um, I mean workers whose pay they got to skim…were getting thin on the ground. I had weekly lunches with the boss of the pimp (sorry, maybe) who had recruited me, and I collected various job offers to show him as we continually renegotiated my hourly rate. Upward. This was a blast…not just for me, though. The recruiter-guy had fun with it too, and became a friend. (Hi, Erik!)
Meanwhile USAA was doing stuff. They decided contractors could only use the northern parking garage…I don’t recall how many other parking garages there were, but that one must have been considered inconvenient for some reason. Because, you know, we ought to convert ourselves to employees and by God that would show us.
When this parking limitation didn’t work well enough to suit upper management (whatever species they may have been, and I wouldn’t care to venture a guess), they said we couldn’t use that parking garage either—we’d have to park our vehicles in one of the outer, ground-level lots. Which meant we had to hike in, or take a shuttle bus (did I mention there were lots of people working there?).
So I started parking pretty far out, and also started billing from the moment I shut off my car…until the moment I turned the key to re-start it at the end of the day. Which new policy I explained to my supervisor-types at USAA. Which caused shrugs and eye-rolls, because they saw my point but couldn’t directly influence USAA policy. I offered to help! I could just leave the car at home entirely, I said, and walk the five miles or so to work, billing all the way. Also on the way back. But they didn’t take me up on it. A shame, I think. I was also willing to be flexible about hours, and either go with a shorter working day because of all the walking, or just add the walking time in. But, sadly, the conversation never lasted long enough for me to explain this idea.
As part of all this, I moved to a different job within USAA. The first group I was working with was pushing pretty hard on the convert-contractors front…but the folks who did computer-type support for the corporate lawyers were still hiring (they needed some new software to be written). So I did that.
But that too started getting pinched after a while. I eventually decided to cave, and take that full-time employment option. I held out for a couple of things like being able to work from home (though I never actually did that) and flexible hours, so I could go take some courses at UTSA, a local university, just for fun. I could have just gone on to do contract work somewhere else…but I was thinking of opening a bookstore on the side, and wanted to stay local, and San Antonio has never been a software-development hotspot. I didn’t expect to make money with the bookstore—actually I figured I’d have to subsidize it—but I’d always wanted one. So I had a pretty good inventory of books, and a friend ready to run the place when I was at my other job, and was negotiating with a couple of folks about leasing some space. And I had a line on some more inventory, too.
Then it turned out that the university wanted me to use their web-based system. It was (and apparently still is) called ASAP. I think that stood/stands for Automated Student Access Program, but I’m not going to look it up. Screw them, you know? So okay, I used the system.
I was immediately irritated about what UTSA used as a login ID. More on that later. The password was called a PIN, and I think it was actually restricted to a fairly small number of digits, but I don’t remember how many. Four, maybe? It was dumb, whatever the number was.
Meanwhile, once I logged in? I could add or drop classes, see and update my home and mailing addresses, see my (entire) credit card number and update that if I wanted…pretty much everything people used to have to stand in line for, back when I first went to college in the Darker Ages. Pretty cool in some ways.
But I got curious because the site said it required a recent version of either Netscape Navigator (remember that?) or Internet Explorer (remember that?). And nothing about the site’s design looked to me as if the browser version should matter a whole lot.
I ignored that for a little while. But then I had a slow day at the office. I mean, what the hell, I designed “secure” web applications for a living (unless I actually just negotiated my pay for a living and did the coding as a sideline, which often seemed to be the case)…so I eventually got around to looking at the site’s HTML. Just to see what was up with the browser-version thing.
And I laughed. And then I stared. Five minutes or so later—couldn’t have been much longer—I picked up the phone.
That last part, on a strictly personal level, was a mistake.
See, the site’s design was basically what I used to think of as “university HTML.” This meant there would be a wall of text with no particular formatting. This site had all sorts of functions mixed in with that, so there was a sort of unformatted button-cloud you could use to navigate to the various parts of the site.
You’ve used forms on websites, right? You fill in some data, then click a button that says something like “submit” or “sign over your firstborn now” or “resistance is futile” or whatever, or maybe you just hit Enter on a keyboard, and then—if all goes well—some sort of result follows. Yay!
Well, I could see why the more recent browser was needed: each of those buttons on the site was coded as a separate form. And some of the older browsers wouldn’t work well with a lot of forms on the same page.
Why I laughed: there was no particular reason to code the pages that way, especially if the developer happened to be aware of the browser-error issue…unless the developer were such a newbie that figuring out an alternative approach would be difficult? Perhaps. But didn’t the school have a computer science department? What was it for, if not for things like this?
Most developers get around the fact that servers don’t automatically know which user is asking for a given web page via authentication cookies—they’re stored in some sort of database on the server side, and when the browser submits the cookie information, the server just looks the user up in that database. If you ever wondered why clearing your cookies from your browser’s cache meant you had to re-login to sites even if you’d tried to tell the site to remember you? That’s why. But…it’s not entirely unreasonable to use a hidden form field for the same purpose. Cumbersome, but it works and there are actually some situations in which it might be a better approach.
Why I picked up the phone: four reasons. First, there was only one hidden form field…the user identifier. Second, instead of being a server-generated random-looking value, it was the login ID the users entered on the first page of the application. Third, the use of the login ID and absence of a second hidden field corresponding to the password (ideally not consisting of the password, but you never know…and it didn’t matter in this case, because there was no second hidden form field) strongly implied that the a user’s PIN/password was only necessary on the login page. I immediately verified this—yep, I could get in to see/modify my records using only the login ID, as long as I just skipped the login page.
In theory there might have been an authentication cookie in use in addition to the hidden form field, which might have made this issue far less critical, but I already had cookies disabled in my browser at that moment because of some testing I was doing for a different application. Still, I checked: no cookies. This was bad.
Oh wait. There were four reasons, weren’t there?
Let’s stop and consider that the system was set up so that passwords were optional, before we go any further. It meant that any person who could discover a student’s login ID could find their home address, mailing address, and phone numbers. Could get their transcript. Could get full access to billing information (and no part of any credit card number would be masked, either…an awesome app all around). Could add classes, or drop the victim from classes, without the victim’s knowledge. Could access or change emergency contact information. Could probably do other things I don’t remember anymore.
That fourth reason I picked up the phone: the login ID was a social security number. Not a hash of the number—which would still not have been a secure setup, because an attacker could use the same algorithm and create an identical hash, though in that case I might well not have noticed anything just via a quick glance at HTML—but just the number itself. And I’d heard, though I hadn’t been enrolled at the university for long enough to confirm, that grades and such were often posted by SSN, on paper, on the wall. To protect students’ privacy.
If you ever saw someone using this system who left the computer running for a bit while stepping away? A quick glance at the HTML would give you their SSN. And of course an automated sort of attack could get access to lots of records just by trying one number after another. I’m not absolutely certain there was nothing in place to prevent that…oh wait, that’s a lie. I am certain, basing this on the sophistication of the parts of the system I could see, but I could be wrong. In theory.
Earlier, at UT Austin, I’d seen student ID cards with the SSN printed on them. I don’t remember whether UTSA did the same thing. It’s been a while.
So, yeah, I picked up the phone. I called the UTSA computer science department, and told someone about the problem. I also offered to help fix it, for what I considered a reasonable hourly rate (it goes up for short-term projects). Then I hung up and went about my business.
Okay, that wasn’t strictly true. A couple of days later, I told a buddy of mine—we’ll call him Fred—who had a similar employment/school arrangement to mine, about the situation. He said “No way!” or words to that effect.
“Mind if I look up your social?” I asked. He shrugged, so I did that in one of the systems we’d developed for USAA (the company; not the same as UTSA the university). Then I asked him to paste a URL into his browser.
Soon after, while looking over his shoulder, I asked him why his grades were so freakin’ bad. He hit the roof. Wanted to call newspapers, TV reporters, whoever, right away. I talked him into giving the university a couple of weeks to fix it. He agreed. Eventually. Under protest.
It should have taken less than an hour to fix the freaking problem, by the way. Any of several different schemes would work. Maybe two or three hours, for someone not familiar with the code.
After two weeks, Fred got himself on the six o’clock news. I’d asked him not to mention me…not being a fan of that sort of publicity.
UTSA offered little comment, but did take their system offline immediately. It went up and down for weeks more, including one version that actually stored both the login ID and the password in hidden form fields, and I watched it all with some amusement. I may have sent an email or two detailing other issues they might want to look into—I vaguely remember writing something like that, but I don’t recall sending it.
Then some HR dweebs at USAA (the company) decided they needed to interview me. They’d been contacted by UTSA (the university), and told they had hackers working for their company (USAA). (Okay, I’ll stop.)
That interview was sort of funny. My boss was there, and my boss’s boss was there, and they clearly thought the whole thing was as stupid as it seemed to me. But there we were…
The below is paraphrased and probably remembered incorrectly. But the gist:
Interviewer: But you don’t ever try to find security holes in our applications, right? I mean, like [SYSTEM 1] and [SYSTEM 2]?
Me: Uh. Well, first off, I helped write [SYSTEM 3] and because of that I have full access to [SYSTEM 2] anyway. Because the app has access, right? Second, I actually noticed an issue with [SYSTEM 1] and told those guys about it months ago. They fixed it, and thanked me. Look, writing secure applications is my job here. So yes, I test them too. You know [SYSTEM 4]? I wrote that entirely on my own. So, do you think my access to it violates company policy? Because I’m supposed to do some more work on it soon. And yes, I’ve tried to hack my way into it, so I can fix problems I might accidentally create. I have a whole script for that.
Me: I mean, software doesn’t just show up under cabbage leaves. Somebody has to write it.
Interviewer: So, you’re taking some computer classes and—
Me: Nope. German and physical anthropology. Not all that interested in their computer science classes.
Interviewer: [eventually] Well…we just need to be sure that USAA isn’t implicated in anything, and that our corporate name doesn’t come into this somehow. So, you’re suspended without pay blah blah more words blah.
Me: Okay. That should work.
So I changed my mind about publicity. That night I went on the six o’clock news with Fred. He was suspended too. But happy I was joining him, because it had bugged him to be taking all the “credit.”
We talked to a reporter about what had been going on. They put up a really cool “No Good Deed Goes…” backdrop for the conversation. As for USAA not being involved? They hadn’t been, yet. Now they were all over the thing, with their logo and pictures of their building and grounds. The suspension without pay bit was a major theme.
I was pleased, and also spending a lot of time on the phone with recruiters. My friend and lunch-buddy Erik had laughed when I’d told him the story, and put me in touch with lots of other folks around the country. He’s really good at that.
The next day, Fred and I were told we were, all of a sudden, suspended with pay. Hmm. I wonder why.
The HR dweebs said they’d want to talk to us again. We said we were open to that, and they were welcome to submit a list of questions for review by our attorney…and we’d have some questions for them, too. This sent them into something of a dither, apparently, since several days went by before we heard anything more. Then we told them we wouldn’t speak to them at all without an attorney present. More dither.
Meanwhile I’d taken a contract job in Memphis, working for a hotel chain that’s since been bought by Hilton. There are funny stories about that, too, but I guess they’re off-topic. I don’t remember what Fred did just then, but I know he was later working for a Dallas-area startup.
Oh, what the hell. That Memphis thing? A consulting company based in California had put together a team of several people (twelve, maybe?) to solve a software and server setup issue. Well, to customize things, anyway. Only they didn’t have anybody on the team who could write code. So I came in to do all of that. The others flew back and forth between their homes and the job, so we had a four-day work week…or I did. I’m not sure what anybody else actually did all day. I never even met most of them.
I did see a spreadsheet with their billing rates, though—IT people tend to find and distribute that kind of thing behind the scenes; it’s a commonly-played game. Many were over $200/hour, and one guy (from South Africa, with many fascinating stories of his home) was being billed at about $350. Interestingly, I found out via a conversation that one of the $250/hour guys was living in San Francisco and only being paid $70K/year. Which would be a lot more money in other places. I guess the consulting company had a lot of layers of management? Who all needed lots of money? I heard, in fact, that there were five such layers above the people who were working—if we can call it that—in Memphis with me. Was it true? Maybe. They supposedly did a lot of Y2K stuff too.
Rather than flying back and forth like the rest of them, I just drove my RV to Memphis and hung out. It seemed simpler. Anyway, when I left (the job was finished) I was asked to write a summary/evaluation of the project. So I explained that it wouldn’t and couldn’t actually turn out to be useful, and gave reasons…so the hotel guys offered me a job. I was tempted, ’cause I really like people who ask for the truth and then do their best to reward it even when it’s inconvenient, except that I didn’t know anyone in Memphis and Dell sounded more interesting. Around this time Fred arranged a job offer for me in Dallas with that startup, too, but I went with the Dell thing. Mostly because it was closer to family and friends again (I was born in Austin).
It’s quite possible that I received pay from USAA while actually working in Memphis before USAA eventually decided that I was fired for violating unspecified company policies (and possibly also for being obnoxious about not entering their building without an attorney present). I offer no opinion on this. Regardless, between going back to contractor-rates and some weird laws about hourly rates and non-taxable “per diem,” even without the expense account (not mine) that bought me lunches, generally very rare steaks, every working day…I was making about twice the money I had at USAA. Life is weird.
At this point in the story…all’s well, right?
While we’re still entertaining that assumption, I want to point something out: security problems like the one with UTSA’s website happen all the time. I had previously found nearly identical issues in (a) the iMall, an eBay-precursor that would inadvertently allow customers to set their own prices, and (b) iQualify, the first site that would let people get legally binding pre-qualifications for loans online, except that if anyone wanted to change an automatically-incremented four-digit number they could get access to other customers’ data. All of the data they’d provided on loan applications. Well, oops.
Only in both of those cases, I was paid and thanked. (Since the events above and below, I’ve quit telling people my name quite so often.) (Not counting books or my blog.) (Because if you like this one…)
Conceptually, this UTSA issue is not too different from the WPS PIN screwup with Wi-Fi routers (Chapter Three). It’s just…sometimes people get hired, or asked, to do stuff. They do the best they can. Sometimes they don’t fully understand the systems they’re working with, and they take what seem to be reasonable steps to solve problems. The people hiring/asking them to do the work are unlikely to spot a problem themselves, because they most likely know even less than the person who appeared to them to be proficient. We all only know what we know, so…some of us build systems with gaping holes. Lots of us will be smug about spotting other people’s goofs, too, but that doesn’t mean we won’t create our own. This is where an open-source attitude helps.
So after I left Dell I went to work, as a contractor, for a startup in Las Vegas—this one, amusingly…at least to me…was not only in the midst of its own death spiral but apparently had various people conspiring illegally with Netscape executives (who became AOL executives when AOL bought Netscape), which eventually led to jail time for the startup founder. In fact I was hired to work on a project that didn’t exist, but was said to exist in the hope that it would inspire analysts to say nice things about buying stock in the startup.
It took me quite a while to get permission to work on anything real while I was there.
There was also a fancy NOC (“network operations center”) with well-dressed beautiful people sitting behind a glass wall using thin—for the time—laptops, with gigantic monitors in the background. It all looked very high-tech. One of the monitors was always playing The Matrix. But that so-called NOC was just for show. In case somebody came by to see how the company was doing, and maybe felt moved to write an article. I figured it was an overly expensive sort of advertising display, but nobody showed me any numbers. Maybe it wasn’t. I’ll probably never know.
Another thing about that startup? They were doing stuff very similar to the code I’d customized for the hotel people in Memphis. But meanwhile the chain in Memphis had been bought by Hilton, which had decided to use the Vegas company’s software instead. So I ended up customizing the Vegas startup’s software…for Hilton. Sheer coincidence; nobody at either the startup or Hilton knew about the connection. Did I mention that life is weird?
One fine day I was driving to San Antonio from Vegas to see family-types, and my car’s alternator belt broke. Well, it’s probably called something else, because it also controlled power steering and other stuff. But whatever; the car and I drifted to the side of the road. I was fond of that car; it had been my grandmother’s. Never gave me much trouble before that. But maybe a bit of maintenance would have been a good idea?
A couple of state troopers pulled up, eventually, asking if they could help. I told them a tow would be nice, and I had no cell signal. So they nodded, ran my ID, and I stared into the engine of my car, musing productively about how it would be a ten-minute fix if only I’d brought a spare belt. And a manual. And tools.
Soon after, the troopers boiled out of their car, yelling stuff like “Hands in the air!” and “Stand still!” and “Turn around!”…as an attempt to compromise between these commands I turned, slowly, my hands having been slowly raised—and saw one of these geniuses now had his gun pointed at my face. It was really close, too.
At the time, I was more irritated than scared. Yelling does that to me. And the gun’s being so close meant I could probably knock it away before he could pull the trigger…I wasn’t even slightly tempted to do that, but stupidity when directed at me does tend to set me off. This was, clearly, directed at me. Right at my face in fact.
“Don’t get out much, do you?” I asked. I’m not a particularly brave guy in general. This is not something I’d decide to say after even a moment’s consideration, but there it was. I’d, as we say in Texas, done said it.
The guy’s partner laughed. The one with the gun out actually seemed a bit taken aback, and stepped back, and pointed the gun away from me. Slightly. It was an improvement.
They then cuffed me (after telling me to turn back around…weirdos), and searched my car, and refused to tell me what I was being arrested for, or even if I was in fact under arrest.
When I objected to the search, they told me it wasn’t a search. It was “just an inventory”…for my protection, see, because they were calling to have the car towed and wanted a record of its contents. I objected to that too. “Why do you care, if there’s nothing illegal in it?” asked one of them. “It’s not yours,” I replied. Fat lot of good that did me.
So I talked to cops. Probably shouldn’t have. I got nothing out of it that helped me. I’ll try to remember for next time.
Anyway, they took me to a jail in Van Horn, Texas. A county establishment, I think. They told me to get out of my clothes and into what looked like a Whataburger uniform (orange and white stripes; Whataburger is a Texas-based chain of which I’m quite fond) but also said, with an eye toward the non-cop girl who was standing behind a desk, that it was okay if I kept my underwear.
Nice of them, I guess. It might have affected what happened later, too.
So the state cops left and some other cops led me to a cell. In it were about ten other guys. I went in, the door was locked, and all that. One of the guys, apparently some sort of leader, said something in Spanish. Someone else replied, and there was laughter. I stood there.
The leader got up, came closer, and pointed at my feet. “Shoes,” he explained. “Give them to me.”
This was surreal. Also, a bit scary. But…sheesh. I was wearing jail-issued orange sneakers. Just like his. I wasn’t in the mood for a fight (I almost never am), but…I figured caving was only going to make things worse. So I tried something else.
“Give me yours,” I said. “We can trade. But you go first.”
I mean, hell. Mine were too big anyway.
More Spanish. It sounded sort of threatening. I felt stupid for not knowing more of the language, and more than a bit isolated, and I didn’t feel at all like getting hurt just then. But I managed to stand there and keep my mouth shut. Did I control my face? Did I look fearful? Maybe, and maybe not. I did what I could, anyway. And waited.
Suddenly the leader broke out in a huge grin. “Man, I’m just fucking with ya,” he said. Laughter all around. Eventually I grinned too.
Man, jail was actually not so bad, except for the whole couldn’t-leave thing. The people in it were fascinating. After the initial drama, it was a generally friendly place. Was it always going to turn out friendly? Yeah, I think it was. I think they were just goofing around. Bored, you know? But I’ve never been sure.
Somebody’s mom made enough menudo for us all and brought it to the jail. There were hamburgers. Somebody brought orange juice, too. Everybody shared. It would probably have been against some sort of policy if one or two of the prisoners had gone outside to help cook burgers, so that didn’t happen, because we all know policies rule the world.
The prisoner-leader-guy (I don’t remember his name) was solicitous, trying to help people who had trouble. Generally that meant emotional trouble, from what I saw, but I had the sense it might go farther than that if it needed to. He didn’t really believe that I didn’t know what was going on with my arrest and incarceration—though I’d begun to suspect it was the stupid UTSA/USAA thing by then—but that didn’t bother him much.
One guy in particular was a marvel. He would just start rapping. Words flowed out of his mouth, and I have no idea how he did it. It was beautiful. His vocabulary was extensive, and I don’t just mean the cussing, of which there was plenty. I mean what he came up with was clearly off the top of his head, because it was often in response to whatever was going on at the moment, but it was almost frighteningly complex. He was no stranger to nuance.
I talked to him a little bit, and to some of the others about him, and he was apparently in jail for hitting a couple of people in the head with a baseball bat behind a convenience store. For money, maybe, but that wasn’t clear.
I had to think: in a different time, in a different place, that guy would be called a bard. Or a druid. A warrior-poet, whatever the local term might be. He’d probably be a popular hero. Even with my general squeamishness about such things, I have to say I’m glad I met him. And that he was feeling friendly.
So, the night came (or at least the lights went off), and I slept in the jail. Sort of. Intermittently.
In the morning I got taken to see a judge in his office. I don’t know whether that was standard procedure, on a Sunday. It may have had something to do with my father, because I’d called home and let him know the situation and he did know a lot of lawyers and judges. He never said. It turned out I was charged with “breach of computer security,” a Class B misdemeanor. “A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.”
Dumb, I thought. Of course I accessed the ASAP system. All students did. Effective consent? It was required that students use the system. So…?
My offense was apparently to notice how I’d accessed it, and—more importantly?—embarrass someone by saying so. I’m guessing a relatively high up person in the UTSA food chain had been involved in the site’s development, and it was easier to label me as a sort of delinquent hacker-kid who lived in his parents’ basement on a diet of Jolt Cola and nothing else (it’d probably be Red Bull or Monster now), who probably wandered around barefoot like all them other hippies, than it was to admit he or she had created a system that was just…obviously silly. Upon even a cursory examination. But this is, sadly, just a guess. Somebody out there knows for sure, though. Maybe a lot of people. I’m just not one of them. Hey, do you know? Want to tell me? I’m curious.
Apparently I’d been declared a fugitive, and thus a warrant had been duly issued for my arrest. I’d have thought a phone call, or maybe just a postcard, to let me know this was going on might have been standard. Everybody involved had my contact information. If it was standard, they skipped it in my case. For fun, maybe? Was it relevant to all this that the university had its own police department? One perhaps inclined to be respectful of whomever I’d embarrassed? Maybe.
Anyway, the judge set bail and I paid. Never got any of that back, by the way. I wonder how often people do. Dad had told me they’d have ten days to decide whether to transport me to San Antonio or let me go, but I didn’t feel like hanging around in the jail to see which way it would turn out.
“Leaving” didn’t work out the way I’d hoped, though. I wandered around on foot, and there was a nearby auto parts store…but this was Sunday, in Van Horn. Not much was open.
So I walked back to the jail, and asked if I could stay one more night so I wouldn’t have to pay for a hotel. I’m a smartass, yeah, but I was also serious. Ish. I mean, I’d have done it. However, they declined to provide this public service. The spoilsports.
They even claimed nobody had ever asked that question before. If that’s true? A lot of people, I guess, are just spendthrifts. What a world.
Then the situation got a little bit weird when the female non-cop who’d earlier watched me undress told me she was getting off (from work, I hastened to assume) and would give me a ride to the nearest hotel. She did ask whether I intended to murder her with an axe, since I was a criminal after all, but seemed satisfied when I told her I wouldn’t know where to get an axe until the next day.
She walked me all the way to my hotel room, which was getting to be less unexpected by that point, but then seemed to realize the situation she was in and hurried off. Alone. I wished her a good night. And was relieved. I appreciated the ride, and had been fascinated by the way things were playing out, but…providing my own exit would have been awkward. Possibly even mean. Wouldn’t play well in the head-movie I was making. All in all, that worked out about as well as it could have.
Back in San Antonio, a couple of days later, Dad and I set out in search of a lawyer. He didn’t know anyone on the defense side who knew anything about computers. His network of friends came up with a recommendation, though. We went to see that guy. It went kind of like this:
Lawyer: I can’t believe that it’s gone this far, if what you’re telling me is all that happened.
Me: Yeah, me either. Guess I shouldn’t have offered to help. Just said something anonymously, maybe.
Lawyer: [disbelieving look] So, you were taking a couple of basic computer classes, and—
Me: Damnit. German and physical anthropology. Not computer classes from these bozos.
Lawyer: [another disbelieving look] So how did this get on the news, exactly? I don’t see why it would be a big story.
Me: Well, I guess it depends on how important you think students’ contact information, billing information, transcripts, and current class schedules are. Maybe you should ask the reporter who interviewed me, though. I mean, identifying what is or isn’t a story isn’t exactly my job. Want her number?
Lawyer: I can’t represent you. Go try this guy.
Me: Um, okay.
Dad knew nothing about the suggested lawyer. Neither did I. Neither one of us knew what the issue had been with the first guy we tried, either. But what the heck—we went to talk to lawyer number two.
This one told me all about how prosecutors and judges hated him because he didn’t like to plea bargain. That he was very interested in computer security. Didn’t know much about it, but wanted to pick my brain. Okay…
Then he told me that my buddy Fred had apparently been to court several times over the last year or so. He recommended that I not talk to Fred, which I have to say I wasn’t even tempted to do upon hearing this information. And he wanted several thousand dollars to get things started. So I paid him.
About Fred? Look, he had a wife and kids. At that point, I didn’t. He and I saw many things differently, with goodwill on both sides. (At one point he explained that he was thinking of spending $1800 on a crib for his newest daughter. I asked why he’d do that. He said it was because he loved her. He thought I was kidding when I immediately said that crib wouldn’t make a damn bit of difference to her, and he could achieve the same ends from her point of view with a brand-new $3 cardboard box from U-haul, so maybe he should examine his motives a bit more closely before making that decision. I think he bought the crib, though.)
What I need to point out: I can see how, with a lawyer advising him not to talk to a friend about the charges because that friend might testify against him, he might have decided not to let me know what was going on. After all, if I didn’t even find out about the situation, it’d be hard for me to endanger him. Wouldn’t it? And if it all went away, maybe I’d never have to know anything had happened. He’d have protected me, along with his family, in fact. Right?
But nonetheless I wasn’t going to try to contact him. For entirely different reasons.
I want to be clear: I wasn’t worried that he’d testify against me. He wasn’t that sort of person. But on the other hand, I wouldn’t have risked anyone’s welfare but my own by talking to him. I am fully aware that he was the sole source of income for his family, and I’m not sure what I’d have done, if I’d been in his position. I just…knew we clearly weren’t buddies anymore. I had no reason to talk to him. I’d say now that I would have tried to help him if I’d known. But talk is cheap. Maybe I’m lying.
Meanwhile I went back to Vegas. Told the startup’s CTO (Chief Technical Officer) about the situation. He laughed, grimaced, shook his head, and offered to help if it ever went to trial. That kind of inspired me, so I collected a bunch of people with impressive-looking job titles who said they would be willing to testify as expert witnesses, or character witnesses, or both. I wrote up a summary of the situation for my new lawyer. I sent him the information.
I never heard back from him.
I called the lawyer’s office a few times. He never returned any of my calls. Eventually, months later if I recall correctly, he or his office notified me…via mail…that I had an arraignment scheduled. I drove back to San Antonio for it, semi-glad that I still owned a suit, and showed up in court with Dad. We figured we’d find me a new lawyer afterward, though it was too bad about all the money I’d squandered so far already.
So there we were, sitting in the courtroom, and some “associate” of my lawyer showed up. She was pretty, and pretty young. No sign of the guy I’d paid. But then the prosecutor went up to talk to the judge, and they asked junior-lawyer to come up, and then the pretty girl came to tell me the prosecutor had moved to dismiss the case. And the judge had agreed. I think I heard, but never found out officially, that it was dismissed with prejudice—meaning that they couldn’t just charge me again five minutes later. If so, given what happened next, I assume there was a story behind that decision.
As Dad and I walked out of the courtroom, some Federal-looking types came up and spoke with Girl Lawyer. Apparently they’d wanted to arrange some sort of deal with me, as long as I would be willing to testify against Fred.
Then “my” lawyer showed up. He too talked to the Federal-looking types, who were never introduced to me, and may have been otherwise affiliated. Possibly with barnyard animals, and repeatedly, with very little skill involved, but who’s judging? I mean, other than at the county fair, but that’s a special event after all. Could be they’re even champions, though. I really don’t know about that.
Okay. Back to the actual story: the lawyer seemed surprised that the case had been dismissed. Then he turned to me and told me I’d been very lucky to get out of the situation without having to testify.
Remember how I said I’m rarely in a fighting mood? I’ve generally tried to claim to be a peaceful sort of person, right? I freely offer this testimony in support of my claim: I did not punch that sack of shit in the face. I also didn’t shake the hand he offered. I just left. And tossed the suit I’d been wearing in the trash. Haven’t worn a tie since.
Maybe I’m a self-centered jerk. Maybe I’m an ass. Am I enough of an ass to lie in court to help people convict a once-buddy (with a family) of a crime that makes no sense and that he couldn’t possibly have committed, just to avoid a chance to fight the damn accusations on my own? Because the threat of up to six months in jail is so scary?
Don’t misunderstand: I really, really didn’t want to go to jail. At all. I had a couple of nightmares. And my mom cried a couple of times. But for chrissake.
Fred called me, soon afterward, as his case reached some conclusion or other. I never tried to find out what it was, exactly, but I don’t think he went to jail over it. I didn’t prolong the conversation. Never heard from him again, either. I think he works for Microsoft now. I could check, but I’m not going to.
My helpful lawyer then sent me a sample of a letter he had ready to send to various police stations and courthouses and such, in order to get “my” record expunged. He wanted more money, before he’d send it. The letter had several errors regarding times, places, and the offense I’d been charged with. I didn’t pay him, or otherwise respond to the letter in any way. No reason to bother with him either, at that point.
To this day I don’t know whether I have a criminal record. Since, at border crossings and such, I often get asked “Have you ever been arrested?” instead of the more traveler-friendly “Have you ever been convicted of a crime?” I’ve told this story many times. It’s probably landed me a few jobs and contracts, too, but I’m still a bit tired of the repetition. At least under those circumstances, right? Because here I am, putting it into a book.
Meanwhile, way back when, Dad pointed out that I still had a couple of months before the statute of limitations ran out, and I could sue both UTSA and USAA. He was somewhat enthusiastic, especially about the university, in his calm “this is one of your options” way. But that sounded like a lot of work, and I’d have needed to be available to show up in court. Instead I turned down the Vegas startup’s so-surprising offer to convert me from a contractor to a full-time employee at a drastically reduced rate of pay, and set out to hike the Appalachian Trail from Georgia to Maine.
Didn’t get there, though I think my hike did outlast the startup company I’d left behind. The trail was surprisingly crowded, especially in the national parks, when what I wanted just then was a more nearly solitary sort of hike. And anyway I got hired, sort of by accident, by a telemedicine outfit in Alaska, almost directly from the trail. But that’s another story entirely, and this book’s long enough.
Interested? It’s free for the next few days, after all…